Monday, August 17, 2009

Bourne Incrimination - bio identity theft, the next big problem

It was only a matter of time before it became possible to create fake DNA evidence. That time is now.


DNA Evidence Can be Fabricated [New York Times]


Think it's bad when somebody steals your identity, drains your bank account, and spends thousands of dollars on credit cards they opened with your name on it? This run-of-the-mill identity theft can cost you thousands of dollars, and many years to clean up. It pales in comparison to what will happen if biometric data becomes commonly used as proof of identity. Sometimes also called bio-print (like fingerprint) or bio-identity mechanisms, such things as retina scans and fingerprint scans are already in use, or even common use. DNA scans are likely to become possible several years from now, as the technology to read DNA is evolving rapidly. An entire genome can be sequenced by three people and equipment costing a few hundred thousand dollars, in a very short period of time, several days. When it becomes possible to read DNA in more or less real time, people will undoubtedly clamor to use it as an identity mechanism, for bank access, for voting, and who knows what else.


Even (or perhaps long, if you doubt that day is near) before that's possible, databases will be filled with your DNA sequences, because it will be valuable to you and your doctor. Unless we get unexpectedly better at protecting data, those databases will be protected by the same organizations, people, and technologies which today fail to protect your simple text based identity -- your name, date of birth, social security number, address, and phone number.


With current technology, you can engineer a crime scene. You can make it look like a specific, innocent person committed a homicide, for example. The technology required to do so remains expensive, but it's well within the reach of governments, and the capabilities of research labs.


If you're writing the next Hollywood script for Jason Bourne or James Bond, keep your eye on this stuff. It's moving faster than Hollywood.



Tuesday, June 02, 2009

Master Lock Pickers and the Security Mirage

If you ever doubted that the lock on your door was in place to keep out the kids, doubt no more. This fascinating article details one of the world's top lock pickers.


The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit


A good friend of mine has been picking locks as a hobby most of his life. This is a skill that can be learned by any bright, patient person.


It's a safe bet there are more people around who know how to pick locks than there are people getting paid to rethink the lock and key.



Monday, May 18, 2009

on cyber warfare, China, Kylin

Yes, the Washington Times is not exactly a premier source of security information, but with analysis and reporting like this, who needs enemies? Two fascinating tidbits from this article: China blocks U.S. from cyber warfare.

The first is an absolutely classic Freudian slip:

"U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp." (This observation isn't attributed in the article.)


That ought to have you rolling on the floor, laughing, until you realize that these are the very same "less secure operating systems like those made by Microsoft Corp." which the bureaucrats at every level of Federal, State, and local governance in the U.S. have been "standardizing" on. Then your sphincters pucker.

The point of the article is that the Chinese have developed their own operating system and a "hardened" CPU architecture to run it on, and have been deploying it on Chinese government and military systems, rendering substantial portions of the U.S. strategy for cyber counter-attack irrelevant. Various security "experts" testified before Congress to raise some alarms.

Perhaps it's just poor reporting, but these crack security experts seem to be under the impression that this Kylin thing is mysterious, and don't seem to have noticed that Kylin appears to be a hardened version of FreeBSD (an open source operating system), and that you can apparently download versions of it with a quick google search (see: Some random blogger with links to Kylin iso images.)

Which makes the next bit from this article even more amusing. This statement is attributed to Kevin G. Coleman, but this is the Washington Times; who knows if poor Mr. Coleman actually said anything this silly:

"U.S. operating system software, including Microsoft, used open-source and offshore code that makes it less secure and vulnerable to software "trap doors" that could allow access in wartime, he explained"


Of course, no real security expert would ever mean to imply that Microsoft's security issues were primarily, or even in any meaningful way at all, based on open-source software. Microsoft has used tiny amounts of BSD code in their network stack, but Microsoft's security problems are of their own, proprietary making, and everyone who can spell CISSP or SANS knows that.

The take home lessons:
  1. do a google search before you try to panic the Congress, and
  2. if FreeBSD derivatives can be secured such that people panic when China deploys them, maybe U.S. government agencies ought to re-think their obsession and love affair with the less secure Microsoft systems, with which they have been utterly failing to protect U.S. Government assets, secrets, and infrastructure, according to other testimony reported in this and other articles, and perhaps
  3. rather than inciting panic, somebody ought to be downloading those ISO images, installing Kylin, and running some automated tools against its network services, looking for buffer overflow exploits.



Saturday, October 25, 2008

Gimmiv worm strikes Windows

That didn't take long, did it? Apparently Microsoft released their "out of band" patch in a hurry because they had already seen exploits "in the wild" for this defect. They guessed a worm couldn't be far behind, and they were right.

Gimmiv: New worm feeds on latest Microsoft bug

The cycle of patching will never fix this problem. If you are a CIO or manager of an enterprise or government network which has been hit by new worms this week, contact Intrinsic Security to discuss FireBreak AntiWorm. Worms are detected instantly and trapped without signatures.

Thursday, October 23, 2008

Microsoft's "Out of Band" Security Bulletin

Microsoft plans to issue an "out of band" patch today, i.e. a patch released on a day other than "Patch Tuesday".
Microsoft Security Bulletin Advance Notification

The defect, which hasn't been publicly described just yet, apparently exists in every version of Windows that anyone who is likely to patch anything actually uses:

  • Windows 2000,
  • Windows XP,
  • Windows Server 2003,
  • Windows Server 2008, and
  • Windows Vista.



Microsoft describes this update as "critical" which means they know it can be remotely exploited without user intervention (and without exploit chaining, which they don't yet consider to be critical.)


Thursday, August 07, 2008

DNS flaws expose many services (exploit chaining with old defects)

The flaws discovered in DNS recently by Dan Kaminsky have existed for years. He linked several of them together, a concept known as "exploit chaining", to reveal a much more serious flaw. His technique makes it possible to hijack and misdirect a user's web browser to a malicious web site, even in cases where the user types the correct URL.

That, of course, completely makes a fool of Verisign's Ken Silva, chief technology officer, who's been running around to the press saying irresponsible if not utterly foolish things like:
"We have anticipated these flaws in DNS for many years and we have basically engineered around them."


Kudos to Mr. Kaminsky, for working in private with the major vendors of DNS server software, who had patches ready to go before the flaw was announced. This kept the script kiddies from having a field day with the vulnerabilities, which were endemic to nearly all DNS servers.

Apparently there remain some issues not yet addressed, as the vendors focused initially on HTTP and web browsers.

Net address bug worse than feared

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.


"Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers.






Wednesday, July 30, 2008

Secrets, Lies, and Email Passwords

British hacker Gary McKinnon apparently was able to crack over 90 computer systems at various government agencies of the United States, including NASA, the U.S. Army, the U.S. Air Force, and the Department of Defense in 2001 and 2002. He was apparently hunting for secrets about aliens. No, he wasn't searching for illegal immigrants, but rather, aliens from outer space. He believed that the U.S. government was hiding evidence that these aliens exist, and maybe hiding materials and bodies of dead aliens, as well.

I hope that if he's extradited and then tried, the judge goes easy on him. Yes, he's guilty of embarrassing several U.S. government agencies by breaking into their computer systems and rifling through data. It shouldn't have been so easy for him to do.

The layers of management who didn't take network and information system security seriously until 9/11 will not be on trial, and they certainly bear partial responsibility for contributing to this problem. Mr. McKinnon wasn't the only person to break into many computer systems at these (and other) agencies during the late 1990s and early 2000s; he just happens to be one of the very, very few who were caught.

One could say that Mr. McKinnon is a victim here, too, as well as a perpetrator. That is to say, he's a victim of a free market in, and cottage industry of, ideas about conspiracy. Yeah, there probably are some government conspiracies. It's a big, big government that has done some embarrassing things they would like to hide. Most of those things are probably mundane. Hiding the bodies of aliens that crash landed in Roswell, New Mexico, is not likely to be among them. He should have been reading the Bad Astronomy blog.

Phil Plait (Bad Astronomer) on UFOs

Phil Plait's Bad Astronomy: Rebuttal to a Bad Book Review from a UFO, uhm, enthusiast

Apparently Mr. McKinnon was caught because some action of his was traced back to the email account of his girlfriend.

Alleged Pentagon hacker loses extradition appeal
"McKinnon has acknowledged accessing the computers, but he disputes the reported damage and said he did it because he wanted to find evidence that America was concealing the existence of aliens.

He was caught in 2002 after some of the software used in the attacks was traced back to his girlfriend's e-mail account."


If there is a lesson to be learned here, it's probably this: If your Significant Other is a UFO hunting nut job and a computer whiz, don't let him or her know your passwords, change them regularly, and for good measure, use a Macintosh.