Tuesday, June 02, 2009

Master Lock Pickers and the Security Mirage

If you ever doubted that the lock on your door was in place to keep out the kids, doubt no more. This fascinating article profiles one of the world's top lock pickers.


The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit


A good friend of mine has been picking locks as a hobby most of his life. This is a skill that can be learned by any bright, patient person.


It's a safe bet there are more people around who know how to pick locks than there are people getting paid to rethink the lock and key.



Monday, May 18, 2009

on cyber warfare, China, Kylin

Yes, the Washington Times is not exactly a premier source of security information, but with analysis and reporting like this, who needs enemies? Two fascinating tidbits from this article: China blocks U.S. from cyber warfare.

The first is an absolutely classic Freudian slip:

U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp. (This observation isn't attributed in the article.)


That ought to have you rolling on the floor, laughing, until you realize that these are the very same "less secure operating systems like those made by Microsoft Corp." which the bureaucrats at every level of Federal, State, and local governance in the U.S. have been "standardizing" on. Then your sphincters pucker.

The point of the article is that the Chinese have developed their own operating system and "hardened" CPU architecture to run it on, and have been deploying it on Chinese government and military systems, rendering substantial portions of the U.S. strategy for cyber counter-attack irrelevant. Various security "experts" testified before Congress to raise some alarms.

Perhaps it's just poor reporting, but these crack security experts seem to be under the impression that this Kylin thing is mysterious, and don't seem to have noticed that Kylin appears to be a hardened version of FreeBSD (an open source operating system), and that you can apparently download versions of it with a quick google search (see: Some random blogger with links to Kylin iso images.)

Which makes the next bit from this article even more amusing. This statement is attributed to Kevin G. Coleman, but this is the Washington Times, so who knows if poor Mr. Coleman actually said anything this silly:

U.S. operating system software, including Microsoft, used open-source and offshore code that makes it less secure and vulnerable to software "trap doors" that could allow access in wartime, he explained


Of course, no real security expert would ever mean to imply that Microsoft's security issues were primarily, or even in any meaningful way at all, based on open-source software. Microsoft has used tiny amounts of BSD code in their network stack, but Microsoft's security problems are of their own, proprietary making, and everyone who can spell CISSP or SANS knows that.

The take home lessons:
  1. do a google search before you try to panic the Congress, and
  2. if FreeBSD derivatives can be secured such that people panic when China deploys them, maybe U.S. government agencies ought to re-think their obsession and love affair with the less secure Microsoft systems, with which they have been utterly failing to protect U.S. Government assets, secrets, and infrastructure, according to other testimony reported in this and other articles, and perhaps
  3. rather than inciting panic, somebody ought to be downloading those ISO images, installing Kylin, and running some automated tools against its network services, looking for buffer overflow exploits.



Saturday, October 25, 2008

Gimmiv worm strikes Windows

That didn't take long, did it? Apparently Microsoft released their "out of band" patch in a hurry because they had already seen exploits "in the wild" for this defect. They guessed a worm couldn't be far behind, and they were right.

Gimmiv: New worm feeds on latest Microsoft bug

The cycle of patching will never fix this problem. If you are a CIO or manager of an enterprise or government network which has been hit by new worms this week, contact Intrinsic Security to discuss FireBreak AntiWorm. Worms are detected instantly and trapped without signatures.

Thursday, October 23, 2008

Microsoft's "Out of Band" Security Bulletin

Microsoft plans to issue an "out of band" patch today, i.e. a patch released on a day other than "Patch Tuesday".
Microsoft Security Bulletin Advance Notification

The defect, which hasn't been publicly described just yet, apparently exists in every version of Windows that anyone who is likely to patch anything actually uses:

  • Windows 2000,

  • Windows XP,

  • Windows Server 2003,

  • Windows Server 2008, and

  • Windows Vista.



Microsoft describes this update as "critical" which means they know it can be remotely exploited without user intervention (and without exploit chaining, which they don't yet consider to be critical.)


Thursday, August 07, 2008

DNS flaws expose many services (exploit chaining with old defects)

The flaws discovered in DNS recently by Dan Kaminsky have existed for years. He linked several of them together, a concept known as "exploit chaining", to reveal a much more serious flaw. His technique makes it possible to hijack and misdirect a user's web browser to a malicious web site, even in cases where the user types the correct URL.

That, of course, completely makes a fool of Verisign's Ken Silva, chief technology officer, who's been running around to the press saying irresponsible if not utterly foolish things like:
"We have anticipated these flaws in DNS for many years and we have basically engineered around them."


Kudos to Mr. Kaminsky, for working in private with the major vendors of DNS server software, who had patches ready to go before the flaw was announced. This kept the script kiddies from having a field day with the vulnerabilities, which were endemic to nearly all DNS servers.

Apparently there remain some issues not yet addressed, as the vendors focused initially on HTTP and web browsers.

Net address bug worse than feared

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.


"Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers.






Wednesday, July 30, 2008

Secrets, Lies, and Email Passwords

British hacker Gary McKinnon apparently was able to crack over 90 computer systems at various government agencies of the United States, including NASA, the U.S. Army, the U.S. Air Force, and the Department of Defense in 2001 and 2002. He was apparently hunting for secrets about aliens. No, he wasn't searching for illegal immigrants, but rather, aliens from outer space. He believed that the U.S. government was hiding evidence that these aliens exist, and maybe hiding materials and bodies of dead aliens, as well.

I hope that if he's extradited and then tried, the judge goes easy on him. Yes, he's guilty of embarrassing several U.S. government agencies by breaking into their computer systems and rifling through data. It shouldn't have been so easy for him to do.

The layers of management who didn't take network and information system security seriously until 9/11 will not be on trial, and they certainly bear partial responsibility for contributing to this problem. Mr. McKinnon wasn't the only person to break into many computer systems at these (and other) agencies during the late 1990s and early 2000s; he just happens to be one of the very, very few who were caught.

One could say that Mr. McKinnon is a victim here, too, as well as a perpetrator. That is to say, he's a victim of a free market in, and cottage industry of, ideas about conspiracy. Yeah, there probably are some government conspiracies. It's a big, big government that has done some embarrassing things they would like to hide. Most of those things are probably mundane. Hiding the bodies of aliens that crash landed in Roswell, New Mexico, is not likely to be among them. He should have been reading the Bad Astronomy blog.

Phil Plait (Bad Astronomer) on UFOs

Phil Plait's Bad Astronomy: Rebuttal to a Bad Book Review from a UFO, uhm, enthusiast

Apparently Mr. McKinnon was caught because some action of his was traced back to the email account of his girlfriend.

Alleged Pentagon hacker loses extradition appeal
"McKinnon has acknowledged accessing the computers, but he disputes the reported damage and said he did it because he wanted to find evidence that America was concealing the existence of aliens.

He was caught in 2002 after some of the software used in the attacks was traced back to his girlfriend's e-mail account."


If there is a lesson to be learned here, it's probably this: If your Significant Other is a UFO hunting nut job and a computer whiz, don't let him or her know your passwords, change them regularly, and for good measure, use a Macintosh.

Saturday, February 23, 2008

Hands-on SQL Injection - Show me!

Security training for application developers is an under-funded activity in most of the organizations that build software. Fixing security defects in custom applications remains an underfunded activity, even after defects are identified. Why does this continue to be the case?

It can be easier to find defects for a customer in a security penetration test than it is to convince the customer that the problem is serious enough to fix. Sometimes this is because the incentives are messed up. I'm not the only person who has observed that the Federal Information Security Management Act (FISMA) seems to have given Federal agencies a much higher incentive to find problems and write lengthy, complicated reports on those problems, than to fix them.

Other times, managers may not understand the technical details of various vulnerabilities, or may be interested in a certain category of defects, while wearing blinders to other types of defects, particularly outside their comfort zone. If the manager is familiar with viruses and worms from their experiences running their PC at home, then they might understand and be more interested in network configuration defects. This might come at the expense of less attention to application design or coding defects, like those that expose an application to SQL Injection attacks.

Occasionally the problem, unfortunately, is a more active dismissal of some threats. People sometimes say things along the lines of, "if I don't understand it, it must be too difficult to exploit in practice, so it can't be much of a real risk." I've even heard managers lambast their security advisers while trying to look cool, tossing in the MTV phrase, "Keep It Real". Well, folks, I hate to be the one to break it to you, but even allegedly unscripted reality television is sometimes scripted. Just like exploits to complicated security defects.

It only takes one person with the right combination of skills and maliciousness to write an exploit, and give it away. Suddenly the exploit is "zero cost" for the next attacker, and the flood of attackers after that.

Exploits are "scalable" in this sense, or, as an economist or MBA might say, the marginal cost of each additional use of an exploit, after it is developed, comes arbitrarily close to zero.

We see this pattern clearly in remotely exploitable buffer overflows, which might not be noticeably exploited for years after a product ships, and for months after the defect is discovered and publicized. Then, "suddenly" an exploit pops up. Within days there are dozens of worm or botnet variants exploiting the same defect. (We'll ignore for now the issue that some defects actually were exploited before the defect was publicized.) The same pattern applies to other types of defects that may not be exploited with quite the same high visibility. This type of scalability is inherent in software.

If you're having trouble convincing your manager to devote resources to sanitizing your web-facing application, or having trouble getting a budget to train your developers in secure coding techniques, consider sharing some of these links with your manager.

This first one is a very clever web article by Gustavo Duarte, which demonstrates the attack using a simple online application built into the essay. Here you can see both the ease with which such defects can be exploited, and the relative complexity of the issues facing the defender.
Hands-on SQL Injection

Here is some additional information on SQL Injections.
SQL Injection Attacks by Example



Finally, here's an amusing cartoon that you can use to bring up the subject again, if you were given the smack down last time.
Exploits of a Mom (Little Bobby Drop Tables)