antiworm: The <a href="http://intrinsicSecurity.com">Intrinsic Security</a> blog. Sharing ideas and protecting networks from worms, malware, and botnets with intrusion suppression technology. Posts by Gary W. Longsine.

Splunk acquires Phantom Cyber (2018-02-27)<div dir="ltr" style="text-align: left;" trbidi="on">
I hope it doesn't come across as too cynical to observe that most acquisitions in the tech domain fail to produce anything useful and, as often as not, wind up killing a promising upstart technology, even if only by accident.<br />
<br />
I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company.<br />
<br />
<a href="https://techcrunch.com/2018/02/27/splunks-data-analytics-gets-a-security-boost-with-350-million-acquisition-of-phantom-cyber/">Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber</a></div>
Jailbreaking iOS is a Dead Man Walking (2015-05-28)<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<p><a href="http://9to5mac.com/2015/05/22/ios-9-os-x-10-11-to-bring-quality-focus-smaller-apps-rootless-security-legacy-iphoneipad-support/">Rumor has it</a> that Apple will include a new security feature (possibly known to the developers in Apple as "Rootless") in the upcoming releases iOS 9 and OS X 10.11. Although details are sparse, it looks like Apple may have implemented what other UNIX systems call "namespaces" (See this nice discussion of <a href="https://lwn.net/Articles/531114/">namespaces on Linux</a>).<br />
</p><p>Most of the public speculation about the rumor concerns <a href="http://www.ibtimes.co.uk/apples-new-rootless-security-system-makes-ios-9-jailbreaking-impossible-1502662">a possible end to jailbreaking</a>, a sport which has fallen on hard times with successful jailbreaks coming fewer and farther between. Since the defects which enable jailbreaking are inherently open to malware, Apple's ongoing efforts to find and fix these bugs with the LLVM/Clang compiler's ever-more-diligent static analyzer make it harder for the jailbreak community to find a toehold. <br />
</p><p>However, a namespaces-like security architecture might fix one of the biggest issues that leads people to desire a jailbroken iPhone. When iOS was created, the system extension features were locked down to Apple-only development, in order to (dramatically) improve the security posture of the iOS devices. This strategy, in combination with other features like digital signatures on third-party software, has been successful, too. Malware on iOS is essentially non-existent (although there has been at least one interesting bit of malware discovered <a href="http://www.ibtimes.co.uk/ios-jailbreak-adthief-malware-found-hijacking-ad-revenue-75000-infected-devices-1461383">on jailbroken iOS devices</a>). The trade-off is that third party developers cannot extend the system, as they can on the Mac. <br />
</p><p>With an operating system kernel architecture based on namespaces (or something like it) Apple would be in a position to begin relaxing the restrictions, allowing developers to build plugins which extend basic iOS services—at which point there's very little remaining incentive to jailbreak a device. Don't expect plugins on iOS right away, though. Apple is likely to test out the robustness and iron the wrinkles out on the smaller pool of OS X devices, before re-introducing something like plugins and system extensions on iOS the following year. <br />
</p><p>If the new Rootless features are indeed based on namespaces, there will be other benefits, aside from improved security of the system, such as improved performance of virtualization systems running on OS X and native support for cloud services platforms and tools like Docker. Since Apple is one of the largest cloud services vendors in the world, this sort of improvement to OS X seems even a little overdue. <br />
</p><p>Another interesting possibility: SVA (see their site: <a href="http://safecode.cs.illinois.edu/sva.html">Secure Virtual Architecture</a>), a memory safety approach that's basically been a research project for years, emerging from the same community as LLVM/Clang. Maybe Rootless is an SVA-like implementation?<br />
</p><p>WWDC 2015 is right around the corner. If there's a kernel of truth in the "Rootless" rumors, perhaps Jailbreaking is dead. If so, it's probably a cause for celebration, rather than mourning. Long live Rootless secure system extensions. <br />
</p><br />
</div>RSA, Security Division of EMC, Hacked (2011-03-19)<div class="iblogger-figure iblogger-right iblogger-third" style="max-width: 640px; min-width: 5.5em"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdyzBZfYePHO9ccnR90QH6T2gQ7nrvkFBGG9AxZ4BUrrUim1B5h_rMtY6Q4DfcLHUfn9nqBtN6LVzYyHwBEnc5LO_i3LTJ_EjP-BdaXXmiY8OdZsCjFEf51rrHC_dBL0QjvkZWqw/" style="max-width: 640px; max-height: 640px" border="1" alt="This was not RSA's lucky day." title="Snake Eyes" /><p class="iblogger-caption">This was not RSA's lucky day.</p></div><div class="iblogger-post">This will be one to keep an eye on. <br/><br/><a href="http://www.physorg.com/news/2011-03-emc-anti-hacking-division-hacked.html" target="new">RSA Hacked by automated attack</a></div><div class="iblogger-footer"><p>[Posted with <a href="http://illuminex.com/iBlogger/index.html">iBlogger</a> from my iPhone]</p></div>
SQL Injection - So Easy, Your Server is Already Cracked (2010-03-03)<p>In a simple demonstration, a hapless team discovers the truth. "Your server is vulnerable. It's already been cracked. Oh, and by the way, it's already distributing malware for a botnet."<br /></p>
<p><a href="http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2010/02/25/a-big-case-of-oops.aspx" title="Server Compromise Discovered During Demo (SQL Injection)">A Big Case of Oops!</a></p>
<p>Attitude of management in many organizations is one of the biggest barriers to improved security on the internet. People simply don't want to believe that their systems are vulnerable. Denial is pervasive, and affects organizations from the biggest of the Fortune 500 or Federal government agencies, down to modestly sized companies, local governments, and non-profit corporations.</p>
<p>The attitude of the unnamed client described at the "Following the White Rabbit" blog (link above) is all too common. I suspect that an underlying cause is that people want to believe several things that worked pretty well from an evolutionary perspective, but don't work very well on the internet. When everybody around is a bunch of cave dwellers, consumed entirely with finding food, the marginal difference between the capabilities of "our team" and "the other guys" might be pretty modest, or easy to assess (e.g. "there's five of us, and ten of them... <i>run away</i>!") In fact, even considering the industrialized history of the world, we don't have much experience with the type of scalability that a virtual, software driven environment can provide to an attacker.<br /></p>
<p>Consequently, when faced with a vague potential threat from "the internet", people tend to default to reptilian-brain denial.</p>
<p><i><b>"These vulnerabilities and exploits look complicated. It's not very likely that anybody could actually exploit them."</b></i></p>
<p>They might look complicated to you, a manager, or even a programmer (depending on your particular skill set, which typically won't include "cracking").</p>
<p>They look like a modest engineering or programming exercise, to the people who routinely crack computers for a living. There are toolkits and sample code and it isn't very difficult to build a test bench and try permutations over and over until the crack works.</p>
<p><b><i>"Our team isn't that stupid. We wouldn't build and deploy a system that can be easily hacked."</i></b></p>
<p>Your site doesn't need to be easily crackable, merely crackable. Some exploits require knowledge of assembly language, SQL, C, C++, and some other specific combination of arcane skills with Internet Explorer, Microsoft Windows, Apache, SQL Server, MySQL, and so forth.</p>
<p>Once somebody with the proper combination of skills has developed the exploit, and shared it with the world, your site could be cracked by somebody with little more programming proficiency than a typical user of IRC (Internet Relay Chat), perhaps someone who needed only drag-and-drop proficiency with a mouse.</p>
<p><b><i>"Nobody is that interested in hacking us."</i></b></p>
<p>You might be boring, yes. You might have no secrets. But you do have something interesting to them: a computer with a full time internet connection running a web server, and people who visit your web site (sometimes they just want to use your site to spread their botnet to your customers). Furthermore, the bad guys don't know that you don't have any secrets, until they've finished perusing your hard drives and data bases.</p>
<p>Finally, there's the typical denial offered by individual people, when pondering the vulnerability of their own workstation:</p>
<p><b><i>"I don't surf to bad web sites, so I won't get a virus (trojan, rootkit, botnet, worm or other malware) on my computer!"</i></b></p>
<p>You don't need to point a web browser to a "bad" web site to be victimized by a browser-crawlback. The malware that gets onto your computer may also start poking around your company's internal network, and find ways to exploit or infect systems that don't "surf to a bad web site" or any other web site, at all.</p><br />
The moral of this story is that we cannot afford to live in a state of denial about the importance of application, network and computer systems security. Enterprises, large and small, need to take the security of their web sites, applications, and internal systems more seriously. The bad guys are kicking your butts. They're stealing your data, and you don't even know it. They're using your systems to spread botnets to your customers.<br />
<br />
Quantum Phishing: email is dead (2010-03-02)<p>Phishing has matured. The bad guys are now so adept at mimicking the actual emails sent by PayPal, that PayPal support apparently cannot tell the actual PayPal email apart from the Phishing emails.</p>
<p><a href="http://www.theregister.co.uk/2009/12/04/paypal_phishing_false_alarm/" title="PayPal support cannot distinguish between actual PayPal email, and phishing email">PayPal mistakes own email for phishing attack</a> [The Register]</p>
<p><a href="http://www.eset.com/threat-center/blog/2009/12/03/paypal-admits-to-phishing-users" title="PayPal admits to phishing users">PayPal admits to Phishing Users</a> [eset.com]</p>
<p>I've wondered for years why the phishing emails were often so terribly lame. The ideal strategy would seem to be to read some actual emails from the intended target, and mimic those as closely as possible. The traditional excuse offered by the security community is that the emails often appear to be generated by people who speak English as a second language, but that doesn't seem like it would be such a limiting factor, given the ease with which the translations could be corrected, even anonymously, using clever internet tricks, even fairly simple ones.</p>
<p>The real answer seemed to be that the text content of the email didn't much matter, as people don't read them very carefully. It appears to be from their bank. It's got a link. It says to fix your login. Click!</p>
<p>The competitive pressure, both from education efforts which make the population of victims more sensitive to potential identity theft, and from other Phishers seeking to exploit the same population of potential victims, seems to be forcing the emails to evolve to more closely resemble the target company's web site and actual emails. Witness the inevitable result: technical support can't tell the Phishing email from the actual company-generated email contact with their customer base.</p>
<p>Non-authenticated email is a zombie: un-dead, walking.</p>
Bourne Incrimination - bio identity theft, the next big problem (2009-08-17)<p>It was only a matter of time before it became possible to create fake DNA evidence. That time is now.</p>
<p><a href="http://www.nytimes.com/2009/08/18/science/18dna.html" title="DNA Evidence Can Be Fabricated">DNA Evidence Can be Fabricated</a> [New York Times]</p>
<p>Think it's bad when somebody steals your identity, drains your bank account, and spends thousands of dollars on credit cards they opened with your name on it? This run of the mill identity theft can cost you thousands of dollars, and many years to clean up. It pales in comparison to what will happen if biometric data becomes commonly used as proof of identity. Such things as retina scans and fingerprint scans, sometimes also called bio-print (like fingerprint) or bio-identity mechanisms, are already in use, or even in common use. DNA scans are likely to become possible several years from now, as the technology to read DNA is evolving rapidly. An entire genome can be sequenced by three people and equipment costing a few hundred thousand dollars, in a very short period of time, several days. When it becomes possible to read DNA in more or less real time, people will undoubtedly clamor to use it as an identity mechanism, for bank access, for voting, and who knows what else.</p>
<p>Even (or perhaps long, if you doubt that day is near) before that's possible, databases will be filled with your DNA sequences, because it will be valuable to you and your doctor. Unless we get unexpectedly better at protecting data, those databases will be protected by the same organizations, people, and technologies which today fail to protect your simple text based identity -- your name, date of birth, social security number, address, and phone number.</p>
<p>With current technology, you can engineer a crime scene. You can make it look like a specific, innocent person committed a homicide, for example. The technology required to do so remains expensive, but it's well within the reach of governments, and the capabilities of research labs.</p>
<p>If you're writing the next hollywood script for Jason Bourne or James Bond, keep your eye on this stuff. It's moving faster than Hollywood.</p>
Master Lock Pickers and the Security Mirage (2009-06-02)<p>If you ever doubted that the lock on your door was in place to keep out the kids, doubt no more. This fascinating article details one of the world's top lock pickers.</p>
<p><a href="http://www.wired.com/techbiz/people/magazine/17-06/ff_keymaster" title="wired on Tobias, the lock picker">The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit</a></p>
<p>A good friend of mine has been picking locks as a hobby most of his life. This is a skill that can be learned by any bright, patient person.</p>
<p>It's a safe bet there are more people around who know how to pick locks than there are people getting paid to rethink the lock and key.</p>
on cyber warfare, China, Kylin (2009-05-18)
Yes, the Washington Times is not exactly a premier source of security information, but with analysis and reporting like this, who needs enemies? Two fascinating tidbits from this article: <a href="http://washingtontimes.com/news/2009/may/12/china-bolsters-for-cyber-arms-race-with-us/">China blocks U.S. from cyber warfare</a>.<br />
<br />
The first is an absolutely classic Freudian slip:<br />
<br />
<blockquote><em>U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp. (This observation isn't attributed in the article.) </em></blockquote><br />
<br />
That ought to have you rolling on the floor, laughing, until you realize that these are the very same "less secure operating systems like those made by Microsoft Corp." which the bureaucrats at every level of Federal, State, and local governance in the U.S. have been "standardizing" on. Then your sphincters pucker. <br />
<br />
The point of the article is that the Chinese have developed and deployed their own operating system and "hardened" CPU architecture to run it on, and have been deploying it on Chinese government and military systems, rendering substantial portions of the U.S. strategy for cyber counter-attack irrelevant. Various security "experts" testified before Congress to raise some alarms. <br />
<br />
Perhaps it's just poor reporting, but these crack security experts seem to be under the impression that this Kylin thing is mysterious, and don't seem to have noticed that Kylin appears to be a hardened version of FreeBSD (an open source operating system), and that you can apparently download versions of it with a quick google search (see: <a href="http://www.honeytechblog.com/downlod-kylin-operating-system-by-chinaqingbo-wu/" title="Kylin ISO downloads">Some random blogger with links to Kylin iso images</a>.)<br />
<br />
Which makes the next bit from this article even more amusing. This statement is attributed to Kevin G. Coleman, but this is the Washington Times, who knows if poor Mr. Coleman actually said any such thing this silly:<br />
<br />
<blockquote><em>U.S. operating system software, including Microsoft, used open-source and offshore code that makes it less secure and vulnerable to software "trap doors" that could allow access in wartime, he explained</em></blockquote><br />
<br />
Of course, no real security expert would ever mean to imply that Microsoft's security issues were primarily, or even in any meaningful way at all, based on open-source software. Microsoft has used tiny amounts of BSD code in their network stack, but Microsoft's security problems are of their own, proprietary making, and everyone who can spell CISSP or SANS knows that.<br />
<br />
The take home lessons: <ol><li>do a google search before you try to panic the Congress, and</li>
<li>if FreeBSD derivatives can be secured such that people panic when China deploys them, maybe U.S. government agencies ought to re-think their obsession and love affair with the less secure Microsoft systems, with which they have been utterly failing to protect U.S. Government assets, secrets, and infrastructure, according to other testimony reported in this and other articles, and perhaps<br />
</li>
<li>rather than inciting panic, somebody ought to be downloading those ISO images, installing Kylin, and running some automated tools against its network services, looking for buffer overflow exploits.</li>
</ol><br />
<br />
Gimmiv worm strikes Windows (2008-10-25)
That didn't take long, did it? Apparently Microsoft released their "out of band" patch in a hurry because they had already seen exploits "in the wild" for this defect. They guessed a worm couldn't be far behind, and they were right.
<a href="http://www.nytimes.com/external/idg/2008/10/24/24idg-New-worm-feeds.html?em" title="Gimmiv worm strikes Windows">Gimmiv: New worm feeds on latest Microsoft bug</a>
The cycle of patching will never fix this problem. If you are a CIO or manager of an enterprise or government network which has been hit by new worms this week, <a href="http://intrinsicSecurity.com/aboutus/contact-us/" title="Contact Intrinsic Security">contact Intrinsic Security</a> to discuss FireBreak AntiWorm. Worms are detected instantly and trapped without signatures.
Microsoft's "Out of Band" Security Bulletin (2008-10-23)
Microsoft plans to issue an "out of band" patch today, i.e. a patch released on a day other than "Patch Tuesday".
<a href="http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx" title="microsoft notifies customers that wormable exploit exists">Microsoft Security Bulletin Advance Notification</a>
The defect, which hasn't been publicly described just yet, apparently exists in every version of Windows that anyone who is likely to patch anything actually uses:
<ul>
<li>Windows 2000,</li>
<li>Windows XP, </li>
<li>Windows Server 2003,</li>
<li>Windows Server 2008, and </li>
<li>Windows Vista.</li>
</ul>
Microsoft describes this update as "critical" which means they know it can be remotely exploited without user intervention (and without exploit chaining, which they don't yet consider to be critical.)
DNS flaws expose many services (exploit chaining with old defects) (2008-08-07)
The flaws discovered in DNS recently by Dan Kaminsky have existed for years. He linked several of them together, a concept known as "<a href="http://antiworm.blogspot.com/2004/07/exploit-chaining-virus-worm-and.html">exploit chaining</a>", to reveal a much more serious flaw. His technique makes it possible to hijack and misdirect a user's web browser to a malicious web site, even in cases where the user types the correct URL.<br /><br />That, of course, completely makes a fool of Verisign's Ken Silva, chief technology officer, who's been running around to the press saying irresponsible if not utterly foolish things like: <br /><blockquote>"We have anticipated these flaws in DNS for many years and we have basically engineered around them."</blockquote><br />Kudos to Mr. Kaminsky, for working in private with the major vendors of DNS server software, who had patches ready to go before the flaw was announced. This kept the script kiddies from having a field day with the vulnerabilities, which were endemic to nearly all DNS servers. <br /><br />Apparently there remain some issues not yet addressed, as the vendors focused initially on HTTP and web browsers. 
<br /><blockquote><a href="http://news.bbc.co.uk/2/hi/technology/7546557.stm" title="DNS flaw saga continues">Net address bug worse than feared</a><br /><br />DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.<br /><br />"Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers.</blockquote><br />
Secrets, Lies, and Email Passwords (2008-07-30)
British hacker Gary McKinnon apparently was able to crack over 90 computer systems at various government agencies of the United States, including NASA, the U.S. Army, the U.S. Air Force, and the Department of Defense in 2001 and 2002. He was apparently hunting for secrets about aliens. No, he wasn't searching for illegal immigrants, but rather, aliens from outer space. He believed that the U.S. government was hiding evidence that these aliens exist, and maybe hiding materials and bodies of dead aliens, as well.
I hope that if he's extradited and then tried, the judge goes easy on him. Yes, he's guilty of embarrassing several U.S. government agencies by breaking into their computer systems and rifling through data. It shouldn't have been so easy for him to do.
The layers of management who didn't take network and information system security seriously until 9/11 will not be on trial, and they certainly bear partial responsibility for contributing to this problem. Mr. McKinnon wasn't the only person to break into many computer systems at these (and other) agencies during the late 1990s and early 2000s, he just happens to be one of the very, very few who were caught.
One could say that Mr. McKinnon is a victim here, too, as well as a perpetrator. That is to say, he's a victim of a free market in, and cottage industry of, ideas about conspiracy. Yeah, there probably are some government conspiracies. It's a big, big government that has done some embarrassing things they would like to hide. Most of those things are probably mundane. Hiding the bodies of aliens that crash landed in Roswell, New Mexico, is not likely to be among them. He should have been reading the Bad Astronomy blog.
<a href="http://www.youtube.com/watch?v=c75N4reUpHs" title="Phil Plait on UFOs">Phil Plait (Bad Astronomer) on UFOs</a>
<a href="http://www.badastronomy.com/book/uforebuttal.html" title="Phil Plait rebuttal to a book review">Phil Plait's Bad Astronomy: Rebuttal to a Bad Book Review from a UFO, uhm, enthusiast</a>
Apparently Mr. McKinnon was caught because some action of his was traced back to the email account of his girlfriend.
<blockquote><a href="http://www.cnn.com/2008/WORLD/europe/07/30/uk.hacker.ap/index.html" title="British hacker Gary McKinnon was hunting for UFOs">Alleged Pentagon hacker loses extradition appeal</a><br />"McKinnon has acknowledged accessing the computers, but he disputes the reported damage and said he did it because he wanted to find evidence that America was concealing the existence of aliens.
He was caught in 2002 after some of the software used in the attacks was traced back to his girlfriend's e-mail account."</blockquote>
If there is a lesson to be learned here, it's probably this: If your Significant Other is a UFO hunting nut job and a computer whiz, don't let him or her know your passwords, change them regularly, and for good measure, use a Macintosh.
Hands-on SQL Injection - Show me! (2008-02-23)
Security training for application developers is an under-funded activity in most of the organizations that build software. Fixing security defects in custom applications remains an underfunded activity, even after defects are identified. Why does this continue to be the case?
It can be easier to find defects for a customer in a security penetration test than it is to convince the customer that the problem is serious enough to fix. Sometimes this is because the incentives are messed up. I'm not the only person who has observed that the <a href="http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002%23Issues_With_FISMA">Federal Information Security Management Act (FISMA)</a> seems to have given Federal agencies a much higher incentive to find problems and write lengthy, complicated reports on those problems, than to fix them.
Other times, managers may not understand the technical details of various vulnerabilities, or may be interested in a certain category of defects, while wearing blinders to other types of defects, particularly outside their comfort zone. If the manager is familiar with viruses and worms from their experiences running their PC at home, then they might understand and be more interested in network configuration defects. This might come at the expense of less attention to application design or coding defects, like those that expose an application to <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injection</a> attacks.
Occasionally the problem, unfortunately, is a more active dismissal of some threats. People sometimes say things along the lines of, "if I don't understand it, it must be too difficult to exploit in practice, so it can't be much of a <i>real</i> risk." I've even heard managers lambast their security advisers while trying to look cool, tossing in the MTV phrase, "Keep It Real". Well, folks, I hate to be the one to break it to you, but <a href="http://www.realitytvworld.com/news/how-real-is-the-simple-life-2082.php">even allegedly unscripted reality television is sometimes scripted</a>. Just like exploits to complicated security defects.
It only takes <i>one</i> person with the right combination of skills and maliciousness to write an exploit, and give it away. Suddenly the exploit is "zero cost" for the next attacker, and the flood of attackers after that.
Exploits are "scalable" in this sense, or, as an economist or MBA might say, the marginal cost of each additional use of an exploit, after it is developed, approaches zero arbitrarily close.
We see this pattern clearly in remotely exploitable buffer overflows, which might not be noticeably exploited for years after a product ships, and for months after the defect is discovered and publicized. Then, "suddenly" an exploit pops up. Within days there are dozens of worm or botnet variants exploiting the same defect. (We'll ignore for now the issue that some defects actually were exploited before the defect was publicized.) The same pattern applies to other types of defects that may not be exploited with quite the same high visibility. This type of scalability is inherent in software.
If you're having trouble convincing your manager to devote resources to sanitizing your web facing application, or having trouble getting a budget to train your developers in secure coding techniques, consider sharing some of these links with your manager.
This first one is a very clever web article by Gustavo Duarte, which demonstrates the attack using a simple online application built into the essay. Here you can see both the ease with which such defects can be exploited, and the relative complexity of the issues facing the defender.
<a href="http://duartes.org/gustavo/articles/Hands-on-Sql-Injection.aspx">Hands-on SQL Injection</a>
Here is some additional information on SQL Injections.
<a href="http://unixwiz.net/techtips/sql-injection.html">SQL Injection Attacks by Example</a>
Finally, here's an amusing cartoon that you can use to bring up the subject again, if you were given the smack down last time.
<a href="http://xkcd.com/327/">Exploits of a Mom (Little Bobby Drop Tables)</a>
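As an added example, not from the original post or from any of the articles linked above, here is the defect in miniature in Python against an in-memory SQLite database: a login check built by pasting user input into the query text, beside the same check written with a parameterized query. The table, the two accounts, and the attacker strings are constructed for the demonstration, and the passwords are stored in the clear only to keep the example short; real code stores salted hashes.

```python
import sqlite3


def make_db():
    """Throwaway in-memory database with constructed sample accounts.
    Passwords in the clear are for the demo only; real code stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input becomes part of the SQL text, so the input can
    change the structure of the query, not just the values being compared."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: the query text is fixed and the driver passes the values
    separately, so a quote in the input is just a character in a string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def quote_breaks_query(conn):
    """The reconnaissance tell: a lone quote makes the concatenated query
    malformed, so the vulnerable version raises while the safe one does not."""
    try:
        login_vulnerable(conn, "o'brien", "x")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    # Classic payload: close the string literal, make the WHERE clause always
    # true, and comment out the password check. No valid password is needed.
    payload = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),  # 'alice'
        "safe": login_safe(conn, payload, "anything"),              # None
        "safe_real_login": login_safe(conn, "bob", "hunter2"),     # 'bob'
        "quote_errors": quote_breaks_query(conn),                   # True
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns the first account in the table without knowing any password, and errors out on a name like o'brien, which is exactly the behaviour an attacker probes for before crafting a payload. The parameterized version treats the same strings as ordinary values and matches nothing.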
Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com1tag:blogger.com,1999:blog-13178036.post-78571589189927723362008-02-15T14:57:00.004-05:002008-02-15T15:16:31.799-05:00Microsoft Fingerprint Reader - The Fine Print<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwZfQjSKHCfpVRIw97LbB_QZwW342587p2dT3b3-gNYRXkRxBDn7mCDbTJQuVCvfApf_q_47zsP-VPAJtrLx9A4CARzeose1viQ9m_iCH3t2XDqefqlbXr0NHcgXSEsL8V1DwrPA/s1600-h/ms-fingerprint-reader.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwZfQjSKHCfpVRIw97LbB_QZwW342587p2dT3b3-gNYRXkRxBDn7mCDbTJQuVCvfApf_q_47zsP-VPAJtrLx9A4CARzeose1viQ9m_iCH3t2XDqefqlbXr0NHcgXSEsL8V1DwrPA/s320/ms-fingerprint-reader.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5167300755807181554" /></a><br />If you haven't noticed, somehow lately computer keyboards and laptops in the Windows PC world are sporting a little pad for reading fingerprints.<br /><br />Notice the fine print at the bottom of this page, which I'll quote here in case it goes away:<br /><br /><a href="http://www.microsoft.com/hardware/mouseandkeyboard/features/fingerprint.mspx">Microsoft Fingerprint Reader</a><br /><blockquote>"The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. 
We continue to recommend that you use a strong password for these types of activities."</blockquote><br /><br />Why do you suppose Microsoft and all those hardware makers would go to all the trouble to add a fingerprint reader to laptops and keyboards, and then advise you not to use it?<br /><br />Probably because they know something that the average consumer probably doesn't: these devices can be spoofed.<br /><br />It's only a matter of time before there are clear, step by step instructions available on the internet for lifting a fingerprint and applying it to a model finger for spoofing purposes. Heck, there might be some online now, and I just haven't seen it yet.<br /><br /><a href="http://www.washjeff.edu/users/ahollandminkley/Biometric/index.html">Biometric Devices and Fingerprint Spoofing</a><br /><br /><a href="http://www.optel.pl/top.htm">Faking fingerprint readers (or other biometric devices)</a> - a collection of links and papers<br /><br /><a href="http://www.schneier.com/blog/archives/2005/09/fingerprint-loc.html">Failure of fingerprint locking system in prison in 2005</a><br /><br /><br />If you think about these things for a minute, you would never touch one without wearing a glove. Where is the digital fingerprint stored? That's right, on the same rootkit infested Windows PC prone to worm and virus attack.<br /><br />Will rootkits soon be intercepting the fingerprint data and adding that to your stolen profile information in that giant hacker database in the sky? You can bet they will, because you can be assured that not everybody read the fine print. These devices are so common on laptops now that there are undoubtedly some juicy bank accounts "protected" by the Microsoft Fingerprint Reader.<br /><br />The bad guys will have your biometric data in a database long before the FBI gets it done, because the bad guys do all this stuff with the lowest possible overhead. 
They just add another routine to their worm / virus / trojan / rootkit package and it flows out to all the zombie PC systems on the net that day. Since their data flows are mostly encrypted nowadays, it might already be happening and we just haven't proven it yet.<br /><br />Friends don't let friends use fingerprint readers. At least not today, when they are so clearly peddling a false, and perhaps even criminally negligent, sense of security. The people selling these things ought to know better. Oh, that's right. They do know better. Hence the fine print.<div><br /></div><div>--</div><div>NOTE: Thanks to my good friend Joe S. in Tucson, Arizona for asking me, "would you touch one of these without a glove?"</div>Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com3tag:blogger.com,1999:blog-13178036.post-14951565983433048622008-02-14T02:57:00.002-05:002008-02-15T17:25:33.865-05:00Rogue DNSI haven't seen the original paper, but this article claims that researchers at Google and Georgia Institute of Technology estimate that there are 68,000 rogue DNS servers on the net.
<a href="http://www.physorg.com/news122144025.html">Use of Rogue DNS Servers on Rise</a>
Rogue DNS is one of the services provided by the zillions of malware, virus, worm, and rootkit infested zombie PC systems on the internet at any given time. The interesting part of this trick is that zombie PC systems might get "cleaned up" after an infestation has been detected, but their DNS configuration might (OK, probably does in nearly every case) remain pointing to a rogue DNS server, which occasionally, but not always, provides fraudulent data back to requesting clients. This is yet another reason why infested PC systems must be re-installed from clean original media whenever possible, in case you didn't have enough reasons already, and why the network settings, DNS servers included, have to be checked after any cleanup rather than assumed to be untouched.
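One concrete check that follows from this, added here as an example and not part of the original post or of the paper: after a cleanup, compare each host's configured resolvers against the short list of resolvers the organization actually operates, and treat anything else as a leftover of the infestation. The resolv.conf text, the approved networks and the resolver addresses below are all constructed for the example. Windows hosts need the equivalent comparison against each interface's DNS server list (the DnsClient PowerShell module's Get-DnsClientServerAddress, for instance) rather than against this file.

```python
import ipaddress

# Networks the organization's own resolvers live in (constructed for the example).
# Any configured nameserver outside all of them is treated as suspect.
APPROVED_RESOLVER_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.1.0.0/16", "192.168.1.1/32", "2001:db8:53::/64")
]

# Constructed sample of a cleaned-up host's /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
search corp.example
nameserver 10.1.2.53
nameserver 198.51.100.7     ; not one of ours
nameserver 2001:db8:53::1
nameserver not-an-address
"""


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text, ignoring
    comments ('#' or ';'), other directives, and lines that are not addresses."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # not an address; the resolver library would ignore it too
    return servers


def rogue_resolvers(resolv_conf, approved=APPROVED_RESOLVER_NETS):
    """Return, as strings, the configured resolvers that fall outside every
    approved network. An empty list means the resolver path looks like ours."""
    return [
        str(ip)
        for ip in parse_nameservers(resolv_conf)
        if not any(ip in net for net in approved)
    ]


if __name__ == "__main__":
    print(rogue_resolvers(SAMPLE_RESOLV_CONF))  # ['198.51.100.7']
```

Checking by network rather than by exact address keeps the allow list short, and the IPv4/IPv6 membership test in the ipaddress module simply returns False across address families, so mixed lists work without special cases.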
The paper:
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
David Dagon, Chris Lee, Wenke Lee - Georgia Institute of Technology; Niels Provos - Google Inc.
was presented today at the annual <a href="http://www.isoc.org/isoc/conferences/ndss/08/">Network and Distributed System Security Symposium (NDSS 2008)</a>.
Better get cracking on DNSSEC. One caveat, though: DNSSEC signs the records, not the path to the resolver. A client that forwards every query to a rogue resolver and does not validate the signatures itself gets no protection from it; that resolver can still hand back whatever it likes.
<a href="http://dnssec.net/">DNSSEC - DNS Security Extensions</a> Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com0tag:blogger.com,1999:blog-13178036.post-90056339859050211512008-02-11T17:12:00.002-05:002008-02-15T15:20:49.933-05:00Swatting - 911 and telephony systems are defectiveSeveral publications are running stories this week about <a href="http://en.wikipedia.org/wiki/Swatting">Swatting</a>, an extension of a prank phone call, which has the aim of eliciting response from emergency response teams, including SWAT (Special Weapons and Tactics) teams. The prank calls are made to 911 operators, who are tricked into dispatching SWAT, police, or other response units on the basis of false information. Obviously social engineering is performed as well: operators are told of bomb threats, killings or hostages. According to some accounts, some type of caller ID spoofing might be used in some of the Swatting calls, which have been directed at 911 operators in over 60 cities by the five people arrested thus far.
Several stories make a point to state that 911 systems are not defective, such as this otherwise excellent story, <a href="http://www.youtube.com/watch?v=LYAoPyyWYjQ&feature=related">Swatting - a dangerous new game</a> by KSBW TV in California which reports that the masochistic pranksters are not "exploiting any real technical flaws in the 911 system" and that these systems "are actually OK". It isn't necessary to know the intimate details to make a pretty safe bet that serious defects in the security of these systems do exist.
Many of the calls were apparently placed using the assistance of computer systems, and the 911 operators were led to believe that the calls were local, despite their origin hundreds of miles away. That sure waddles and quacks like a defect. It's certainly possible that the defects exploited are in the underlying telephony systems, such as the Caller ID system, and not in the 911 system itself. However, if it can result in the 911 operator being unable to reliably determine the local vs. non-local origin of the call, it's a defect directly relevant to the 911 system as a functioning whole, and certainly a defect with the potential of being significantly reduced or eliminated, given some thought and effort.
See this Wikipedia article for more information about <a href="http://en.wikipedia.org/wiki/Caller_ID_spoofing">Caller ID Spoofing</a>.
According to widely publicized accounts, FBI agent Kevin Kolbye in Dallas indicated that Swatting seems at present to be a game played for bragging rights. The FBI and the Justice Department arrested and indicted folks a few months ago in Dallas, and made another announcement today.
<a href="http://dallas.fbi.gov/dojpressrel/pressrel07/fraud113007.htm">DOJ - Swatters plead guilty to conspiracy</a>
<a href="http://www.upi.com/NewsTrack/Top_News/2008/02/04/fbi_catches_five_swatters/7930/">FBI Catches Five Swatters</a>
Swatting has the potential to be much more dangerous. As it stands, innocent people might be killed if they open their door to investigate suspicious noises with a weapon in their hand.
It's a very short step from Swatting as a misguided or perverted game, to Swatting as a Denial of Service attack on emergency response units. A terrorist attack or other illicit activity might be coordinated with Swatting attacks, designed to slow response to the actual emergency, and thereby maximize damage, injury, and death from the attack, or increase the chances of a successful heist.
I'm reminded of a scene from the movie Air Force One, where POTUS (President of the United States) played by Harrison Ford, must use an ordinary phone line to call into the White House from an "outside" line into the public switchboard. The operator doesn't believe it is the POTUS and he finally convinces her not of his identity, but to run her "standard" security procedure and trace the call, which works in record time and reveals that he is in fact calling from Air Force One. In our current telephony universe, things don't always work quite that smoothly. Imagine how much more difficult 911 calls would be, if you needed to convince the operator of your identity, location, and the fact that the emergency was real, before assistance was dispatched.
Some of my colleagues design and build 911 systems. Undoubtedly Swatting will soon join the ranks of all-too-familiar terms in the field of information security.Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com1tag:blogger.com,1999:blog-13178036.post-17453867081928030002007-06-16T12:24:00.000-05:002007-08-25T16:16:34.129-05:00Now Fear This: Phishers learn to craft a better spam emailPhishers appear to be using techniques learned from the targeted advertising industry. Security professionals have long wondered why phishing emails are, in general, so poorly crafted, and why they don't use a handful of basic techniques which would undoubtedly improve their hit rate, and lead to increased revenue generation from phishing. In the "Today @ PC World" blog, Erik Larkin discusses an email which alarms the PC World analysts (see: <a href="http://blogs.pcworld.com/staffblog/archives/004662.html">Threat Alert: Sophisticated E-mail Attacks Spread</a> [PC World]). The email arrived with a well crafted text body which showed none of the usual "first glance" tells of spam or phishing: bad spelling, bad grammar, incorrect addressee name, mis-matched sender. It appeared to be a boring business email with a Word document attached.
Security researchers have known for many years that phishers typically don't employ a handful of techniques which would pretty clearly boost their success rates, techniques which are not entirely unknown in the related adware "industry". Today the following ideas might seem obvious, but it has only been recently that phishers have shown signs of interest in these techniques.
<ol><li>Copy editing text and documents
Spam and phishing emails often contain many awkward phrases and other flaws which alert the intended victim that "something is amiss". Security researchers have long suspected that the simple step of running the text of a phishing email through a word processor's spelling and grammar checker would significantly increase the "hit rate", because many recipients cite poor grammar and spelling as the primary tip-off.</li><li>Matching the correct name to an email address for the recipient
Your email might be: "john.q.public@example.com"
but phishers and spammers will address their email to: "Sarah <john.q.public@example.com>"
rather than to the obvious: "John Q. Public <john.q.public@example.com>"</li><li>Internal consistency within the email of the spoofed sender
Spam and phishing often don't appear to be "From:" the same person who signed the bottom of the email.</li><li>Using modern software development tools and techniques to target their population of intended victims
Phishers often spam many millions of people with the same email. This allows anti-spam software both sufficient time and sufficient odds to capture, analyze, and block many, even the vast majority of those emails. If instead, phishers sent Wells Fargo phishing emails only to known Wells Fargo customers, then the time it takes to capture the emails goes up, and the number of potentially profitable victims (those with Wells Fargo accounts to be drained) who are reached in the critical first few days goes up, perhaps by a lot. Phishers and spammers have access to a great deal of data. They could use that data with the help of some custom software such as a web crawler, a few plugins to their existing bot, virus, and worm code, and a database, to dramatically improve their ability to target their phishing emails.</li></ol>Security researchers have pondered these issues for several years. Some of these steps are relatively simple, particularly as compared to some of the technical aspects of developing and managing a botnet without getting caught. Why don't phishers employ them?
The answer, it has been thought, is simply that it wasn't necessary. Phishers were seeing a high enough hit rate and making enough money using their primitive spamming techniques. Spam was cheap to send, so sending millions of spam each time didn't cost them any more than sending a hundred spam. However, the techniques above required an expensive investment in software development.
Once spam filtering became good enough, it was thought, phishers would probably see a hit to their income, and find it necessary to start improving these other aspects of their phishing systems.
That time seems to have arrived. The big web mail providers, with a fire lit under them by competition from Google, have finally started to get better at spam filtering. Google and others are letting their users easily flag spam that does get through, and automatically feeding that back into their spam filters, thus protecting other users from spam and phishing.
This has apparently spurred some spammers and phishers to start developing more advanced techniques for targeted spamming.
Those techniques will include various ways to phish for the raw data which they can use to help map to other data already in their possession or collected in other ways. Phishers already have mountains of credit card numbers, stolen in various ways online, from compromised networks like the one in the recent TJX / TJ Maxx incident, for example, but they may lack other details which make those numbers useful.
Here is one recent example of such a data phishing email, and probably related scam, which I received in my inbox this morning. It made it past a few layers of very effective spam filtering.
As you can see, the spelling and grammar of the email are not bad. Native speakers of English can pick out a few minor flaws, the most egregious of which I've noted by placing the correction in [] brackets immediately following the error. In general, however, this email is better crafted than many.
<blockquote><hr />Attn:
American Deaf Network has several projects planned and in the process, we [in process. We] also work along side National Organizations to build safer communities for those affected in these rural areas.
American Deaf Network receives donations on a daily basses from all over the world. We are seeking your assistance to work for the foundation and get paid. We do not require your full time or effort
All you will need to do is to receive donations on behalf of the foundation. Donation comes in Checks and Money Orders.
You will be paid a montly salary of $1,105.00. Please get back at us [get back to us] indicating your interest on making the world a better place for the deafs [the deaf].
Send us the following information to immidiately process your application.
First Name.
Last Name.
Address.
Contact Phone
Make sure you send the requested information to the below email.
american_deaf2007@excite.com
Have a nice day.
American Deaf Network
30045 Alicia Parkway
#150 Laguna Niguel,
CA 92677 USA<hr /></blockquote>The first thing I did upon receiving this was wonder if there was an organization silly enough to send out such an email. I thought it unlikely, but certainly not impossible. I Googled "American Deaf Network", and found only one reference to it, declaring it to be a scam, as suspected.
These two examples, from PC World and above, are undoubtedly the tip of what will be an iceberg of more sophisticated and polished phishing email scams.
This is a new cycle in the phishing arms race.
Additional details on the "proforma-invoice.doc" email can be found here: <a href="http://www.avinti.com/proforma-invoice-malware.html">Avinti Security Briefing: Proforma Invoice</a> [Avinti.com].
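To turn items 2 and 3 of the list above into something a mail filter can actually evaluate, here is an added example in Python, not from the original post, PC World or Avinti: it flags a To: display name that shares no word with the address's local part, and a From: display name that never appears in the closing lines of the body where a signature would sit. Both messages are constructed for the demonstration. These are heuristics, not proof; nicknames, mailing lists and shared mailboxes will trip them, so they belong in a score alongside other signals, not in a block rule.

```python
import email
import email.utils
import re
from email import policy

# Two messages constructed for the demonstration; neither is real mail.
MISMATCHED = """\
From: "Wells Fargo Security" <alerts@wells-fargo-verify.example>
To: "Sarah" <john.q.public@example.com>
Subject: Account notice

Dear customer, please verify your account at the link below.

Regards,
Mike Johnson
Customer Care
"""

CONSISTENT = """\
From: "Jane Doe" <jane.doe@example.org>
To: "John Q. Public" <john.q.public@example.com>
Subject: Lunch

Hi John, still on for Thursday?

Jane Doe
"""


def _words(text):
    """Lower-case alphabetic tokens of two or more letters (so 'Q.' is dropped)."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if len(t) > 1}


def recipient_name_mismatch(msg):
    """Item 2: the To: display name shares no word with the address local part
    ('Sarah' vs john.q.public). A bare address with no display name is not flagged."""
    name, addr = email.utils.parseaddr(str(msg.get("To", "")))
    if not name or "@" not in addr:
        return False
    local_part = addr.split("@", 1)[0]
    return not (_words(name) & _words(local_part))


def signature_mismatch(msg, closing_lines=3):
    """Item 3: the From: display name appears nowhere in the last few non-blank
    lines of the plain-text body, which is where a signature normally sits."""
    name, _ = email.utils.parseaddr(str(msg.get("From", "")))
    if not name:
        return False
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    tail = [line for line in text.splitlines() if line.strip()][-closing_lines:]
    return not (_words(name) & _words(" ".join(tail)))


def phishing_tells(raw_message):
    """Parse one RFC 822 message and return the list of tells that fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    tells = []
    if recipient_name_mismatch(msg):
        tells.append("recipient-name-mismatch")
    if signature_mismatch(msg):
        tells.append("sender-signature-mismatch")
    return tells


if __name__ == "__main__":
    print(phishing_tells(MISMATCHED))  # ['recipient-name-mismatch', 'sender-signature-mismatch']
    print(phishing_tells(CONSISTENT))  # []
```

Note what these checks do not cover: a phisher who follows the advice in the list above (correct recipient name, consistent signature) passes both, which is precisely why the post treats that improvement as bad news for the defender.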
<!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/adware" rel="tag">adware</a>, <a href="http://www.technorati.com/tag/antivirus" rel="tag">antivirus</a>, <a href="http://www.technorati.com/tag/antiworm" rel="tag">antiworm</a>, <a href="http://www.technorati.com/tag/botnets" rel="tag">botnets</a>, <a href="http://www.technorati.com/tag/credit%20cards" rel="tag">credit cards</a>, <a href="http://www.technorati.com/tag/data%20broker" rel="tag">data broker</a>, <a href="http://www.technorati.com/tag/data%20loss" rel="tag">data loss</a>, <a href="http://www.technorati.com/tag/data%20security" rel="tag">data security</a>, <a href="http://www.technorati.com/tag/debit%20card" rel="tag">debit card</a>, <a href="http://www.technorati.com/tag/malware" rel="tag">malware</a>, <a href="http://www.technorati.com/tag/phishing" rel="tag">phishing</a>, <a href="http://www.technorati.com/tag/rootkit" rel="tag">rootkit</a>, <a href="http://www.technorati.com/tag/virus" rel="tag">virus</a>, <a href="http://www.technorati.com/tag/worm" rel="tag">worm</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com0tag:blogger.com,1999:blog-13178036.post-45227336848740098992007-06-15T10:22:00.000-05:002007-06-15T10:24:53.001-05:00Identity Theft with a happy ending, sorta.The San Francisco Chronicle has an interesting tale describing how <a href="http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/06/15/IDTHEFT.TMP">identity theft victim Karen Lodrick recognized a woman who had been using her stolen identity</a> in line at a Starbucks. She called 911 and pursued the woman, who was arrested, tried, convicted, and sentenced to time already served (44 days) plus probation.
I'm curious about one of the details, however. Ms. Lodrick and apparently the police believe that her identity was stolen when the perpetrator stole unsolicited bank cards which "she had not requested". Were these unsolicited accounts? Probably not. They are described as "debit/credit cards" and other details of the story indicate that the cards were used to extract cash (or equivalent) from her accounts. Banks routinely send renewal cards to account holders. The term "unsolicited" in this context is typically not used to describe this situation. If the bank sent her a debit/credit card for an account that she didn't want such a card for, then the bank needs to evaluate its policies.
<!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/Banks" rel="tag">Banks</a>, <a href="http://www.technorati.com/tag/fraud" rel="tag">fraud</a>, <a href="http://www.technorati.com/tag/debit card" rel="tag">debit card</a>, <a href="http://www.technorati.com/tag/credit card" rel="tag">credit card</a>, <a href="http://www.technorati.com/tag/identity theft" rel="tag">identity theft</a>, <a href="http://www.technorati.com/tag/Karen Lodrick" rel="tag">Karen Lodrick</a>, <a href="http://www.technorati.com/tag/police" rel="tag">police</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com1tag:blogger.com,1999:blog-13178036.post-33369664579979125502007-04-26T11:35:00.000-05:002007-04-26T11:41:01.576-05:00Class action bank lawsuit against TJX: When the levee breaksWell this may have seemed inevitable, but the uneasy truce between retail vendors and merchant banks (credit card providers) has broken. Banks are gearing up a massive class action suit against TJX, the parent company of TJ Maxx, which recently revealed the shocking extent of the break-in that resulted in the theft of 45 million credit card numbers and other data from their network. The numbers were stolen over a period of two years or more by crackers who had extensive access to systems handling sensitive data throughout that time. Investigations of consumer fraud revealed a pattern of exposure at TJ Maxx stores, leading in turn to discovery of the break-in.
<br /><br /><a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=199201456">Banks Hit TJ Maxx Owner With Class-Action Law Suit</a><br /><br />This is an interesting decision on the part of the banks, as the financial industry may one day find themselves on the receiving end of similar class action law suits brought about by other banks or consumer groups when data theft can be traced back to their own security foibles. <br /><br />In fact, the TJX event became the largest on record to date by displacing the 2005 cracking of CardSystems Solutions, a credit card transaction processing company who suffered a network intrusion which exposed 40 million credit card accounts. (<a href="http://www.nytimes.com/2005/06/22/technology/22cards.html?ex=1177732800&en=e371c36debf1544e&ei=5070">Regulators Start Inquiry in Data Loss</a>)<br /><br /><br /><blockquote><br />If it keeps on rainin' levee's goin' to break <br />If it keeps on rainin' levee's goin' to break <br />When The Levee Breaks, got no place to stay. <br />-- Led Zeppelin<br /></blockquote><br /><br /><br />
<!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/antivirus" rel="tag">antivirus</a>, <a href="http://www.technorati.com/tag/antiworm" rel="tag">antiworm</a>, <a href="http://www.technorati.com/tag/fraud" rel="tag">fraud</a>, <a href="http://www.technorati.com/tag/malware" rel="tag">malware</a>, <a href="http://www.technorati.com/tag/class action" rel="tag">class action</a>, <a href="http://www.technorati.com/tag/TJX" rel="tag">TJX</a>, <a href="http://www.technorati.com/tag/TJ Maxx" rel="tag">TJ Maxx</a>, <a href="http://www.technorati.com/tag/banks" rel="tag">banks</a>, <a href="http://www.technorati.com/tag/rootkit" rel="tag">rootkit</a>, <a href="http://www.technorati.com/tag/credit cards" rel="tag">credit cards</a>, <a href="http://www.technorati.com/tag/identity theft" rel="tag">identity theft</a>, <a href="http://www.technorati.com/tag/spyware" rel="tag">spyware</a>, <a href="http://www.technorati.com/tag/SSN" rel="tag">SSN</a>, <a href="http://www.technorati.com/tag/virus" rel="tag">virus</a>, <a href="http://www.technorati.com/tag/worm" rel="tag">worm</a>, <a href="http://www.technorati.com/tag/zero day worm" rel="tag">zero day worm</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com0tag:blogger.com,1999:blog-13178036.post-1162847108625221732006-11-06T15:57:00.000-05:002006-11-06T18:48:45.480-05:00Punchscan voting systemThere has been a great deal of discussion about voting systems in the security community following the well documented problems with electronic voting systems in recent American elections, notably those of 2000 and 2004. A new system promises dramatic improvements in the security of voting systems. The <a href="http://punchscan.org/index.php">Punchscan voting system</a> looks like a big step in the right direction.
For background information, see this primer by Bruce Schneier on <a href="http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html">The Problem with Electronic Voting Machines</a>.
To strike an even bigger blow for democracy, the Punchscan system should be extended so that it can support <a href="http://en.wikipedia.org/wiki/Instant-runoff_voting">Instant Runoff Voting (aka Ranked Choice Voting)</a>.
<!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/democracy" rel="tag">democracy</a>, <a href="http://www.technorati.com/tag/election" rel="tag">election</a>, <a href="http://www.technorati.com/tag/encryption" rel="tag">encryption</a>, <a href="http://www.technorati.com/tag/punchscan" rel="tag">punchscan</a>, <a href="http://www.technorati.com/tag/voting" rel="tag">voting</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com0tag:blogger.com,1999:blog-13178036.post-1151620054948521222006-06-29T17:22:00.000-05:002006-06-29T17:36:34.740-05:00tip of the data loss iceberg: worms == automated large scale intrusions Recently there has been a spate of incidents in which U.S. federal government agencies reported data theft or loss, particularly data which could result in identity theft. The losses include the contact information and social security numbers of, literally, millions of federal employees and contractors. Most of these recent incidents were the result of stolen laptop hardware, USB key fobs, or other computer hardware, although at least two involved unspecified intrusions (electronic theft of the data following a break-in to an online system).
In the past several months, as the reports of stolen servers, hard drives, laptops, and USB key fobs have mounted, I've only seen two disclosed instances of an intrusion (in one case apparently targeted) which resulted in the theft of identity data: concerning 1,502 people at the Department of Energy: <a href="http://www.gcn.com/print/25_16/41047-1.html">Energy ups security efforts after loss of employee data</a> and 26,000 people at the Department of Agriculture: <a href="http://www.securityfocus.com/brief/235">U.S. Department of Agriculture hacked</a>. Despite the sparse reports of such intrusions, we know that government PC systems are not uniquely protected from these threats.
Although it hasn't been reported, there is ample reason to believe that significant data loss has also occurred over the past several years through worm, botnet, spyware, trojan and rootkit infestations. Such malware routinely scans the infected PC and mounted network drives or shares and uploads files and data into the arms of organized crime. This type of loss is harder for organizations to detect and remains underreported as a result. However, it has undoubtedly resulted in many more exposures of similar magnitude than laptop theft has.
Many tens of thousands of computers in government agencies are infected with worms, bots, adware, spyware, viruses, trojans, and rootkits every year. The infection rates of many government agencies are not radically different from private industry.
Why do we see so few reports about data loss from these types of large scale intrusions?
The difference is that when a laptop is stolen, a bit of government-owned equipment goes missing. This produces a few unique circumstances that malware infections don't produce. Missing hardware:
<ul>
<li> can't be ignored due to strict property accounting requirements,</li>
<li> can't be denied due to the loss of a physical device,</li>
<li> and is more easily understood by all levels of oversight and management.</li>
</ul>
If hardware went missing, and bad guys have the hardware, they have the data that was on the hardware, too. People understand that.
Malware infections on the other hand (really, these are often large scale intrusions) are complex, involving many layers of abstraction. Just mitigating the spread and cleaning up often consumes all available resources of a given IT shop, and when the cleanup is over, they are crushed under the catch-up load of the regular duties which were postponed to battle the worm, bot or other malware. Analysis is often limited to finding and plugging the security hole that let the malware in. Few organizations have the ability to demonstrate conclusively that a worm uploaded files to a remote server. Worms and botnets have begun using encrypted tunnels, so even where an organization can inspect that traffic today, payload inspection won't stay effective for much longer; what survives encryption is the connection record itself (which internal hosts talked to which outside addresses, when, and how many bytes went out), and that is what a cleanup team should be capturing while the outbreak is still running.
We were able to uncover evidence of a large scale intrusion at a customer last year. It was clear that from the earliest moments of the outbreak remote attackers were under direct control of the infected PC systems on our Federal client's network. It was also clear that the techniques used were well-honed. Our client faced several variants of a particular worm within a short span of time, and one of those variants had a defect. Were it not for the defect, there would have been no direct evidence. Most of the time with automated large scale intrusions like worms and botnets, it's very easy for weary IT staff to assume that no real damage was done. The complexity of the attacks makes it easy for management and oversight to ignore the problem, too.
Many tens of thousands of infected PC systems are cleaned up each year on government networks. Those systems include servers and desktop and laptop computers with large amounts of valuable and sensitive data. The organizations performing the cleanup are understaffed and overworked and typically don't have the skills, processes, tools, and budgeted time in place to analyze the data loss which occurred.
Consequently, the problem is even bigger than it seems from the recent headlines.
<!-- technorati tags start --><p style="text-align:right;font-size:10px;">Technorati Tags: <a href="http://www.technorati.com/tag/adware" rel="tag">adware</a>, <a href="http://www.technorati.com/tag/antivirus" rel="tag">antivirus</a>, <a href="http://www.technorati.com/tag/antiworm" rel="tag">antiworm</a>, <a href="http://www.technorati.com/tag/data loss" rel="tag">data loss</a>, <a href="http://www.technorati.com/tag/data security" rel="tag">data security</a>, <a href="http://www.technorati.com/tag/identity theft" rel="tag">identity theft</a>, <a href="http://www.technorati.com/tag/malware" rel="tag">malware</a>, <a href="http://www.technorati.com/tag/rootkit" rel="tag">rootkit</a>, <a href="http://www.technorati.com/tag/security" rel="tag">security</a>, <a href="http://www.technorati.com/tag/spyware" rel="tag">spyware</a>, <a href="http://www.technorati.com/tag/worm" rel="tag">worm</a>, <a href="http://www.technorati.com/tag/zero day worm" rel="tag">zero day worm</a></p><!-- technorati tags end -->Gary W. Longsinehttp://www.blogger.com/profile/05653813520423954538noreply@blogger.com0tag:blogger.com,1999:blog-13178036.post-1151509672446985602006-06-28T10:42:00.000-05:002006-06-29T16:57:25.920-05:00OMB laptop security guidelines: implications for transparency in government?Within a few years it's possible that encryption will be the norm in government data storage, and probably in large organizations, too. The historical inevitability of this process was given a boost recently. The OMB has provided guidance requiring Federal agencies to take the security of desktop and laptop systems more seriously (see: <a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540.html">OMB Sets Guidelines for Federal Employee Laptop Security</a>) in the wake of recent disclosure of several massive losses of data which could lead to <a href="http://www.consumer.gov/idtheft/">identity theft</a>.
Here are a few stories describing recent incidents which have prompted the concern and gained the attention of the OMB:
<a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/23/AR2006062301493.html">Navy Finds Data on Thousands of Sailors on Web Site</a>
<a href="http://www.theregister.co.uk/2006/04/18/afghan_market_security_breach/">Afghan market sells US military flash drives</a>
<a href="http://www.foxnews.com/story/0,2933,200724,00.html?sPage=business.foxnews/pe">FTC Loses Personal Data on Identity-Theft Suspects</a>
<a href="http://www.theregister.co.uk/2006/05/23/va_data_security_breach/">US veterans' data exposed after burglary</a>
<a href="http://www.securityfocus.com/news/11393">Veterans Affairs warns of massive privacy breach</a>
<a href="http://www.foxnews.com/story/0,2933,199465,00.html">Officials: Veterans Affairs Department Ignored Repeated Warnings on Data Security</a>
<a href="http://www.firstgov.gov/veteransinfo.shtml">Latest Information on Veterans Affairs Data Security</a>
Additional background reading on the recent OMB security guidance: <a href="http://www.gcn.com/print/23_15/26276-1.html">OMB targets desktop hole in cybersecurity</a>
Before we leap headlong into encrypting everything in the government, however, we should really ponder the technology and its other implications. Earlier this week, President Bush chastised the North Koreans, who have been preparing to test an ICBM (Intercontinental Ballistic Missile), saying that it is worrisome that a "<a href="http://www.globalsecurity.org/wmd/library/news/dprk/2006/dprk-060621-voa01.htm">non-transparent regime</a>" is developing such a capability. Transparency in government is a valued characteristic of modern democratic governments.
Consider, however, that even in a modern democracy there exists a tension between disclosure and transparency on the one hand, and the desire of government organizations to restrict information flow for a variety of purposes on the other. Also this week, the disclosure of further domestic spying activity highlights that very issue.
More directly, even one of the agencies hit by recent data theft ran aground on the sand bar of public relations spin control run amok: <a href="http://edition.cnn.com/2006/US/05/23/vets.data/">Source: Theft of vets' data kept secret for 19 days</a>.
At least some organizations will opt to encrypt most data in most databases, most documents, and most filesystems, because it will be easier and cheaper to comply with directives like this by defaulting to encrypted storage for everything than it will be to analyze this mountain of content to determine if it should be encrypted or not. (Most of the stolen data that upsets people is personnel data, which is "sensitive but unclassified," for example.)
Although this may help prevent massive loss of data as seen recently, it might also reduce transparency in government. It may well be legitimately more difficult and expensive to satisfy a FOIA (Freedom of Information Act) request for organizations which rely on office documents and distributed (ad-hoc) content creation and storage. Most policy-setting organizations do exactly that.
The recent OMB guidance is a welcome step in helping to limit the damage. (It should also be noted that encrypted storage doesn't completely solve this problem, as people tend to leave passwords lying about in plain text files to help them access their protected data, and passwords can be cracked with common tools, given sufficient CPU power and time to perform the crack.)
Congress should consider the implications of encryption as a response to data theft problems upon the desirable characteristic of transparency in governance, and should attempt to mitigate the potential damage to transparency before it occurs. They might require that all encrypted archives be searchable, for example, similar to the way email applications search encrypted mail files. Some thought on this issue would undoubtedly produce a few basic guidelines which would help preserve transparency in governance.
Posted 2006-06-16 by Gary W. Longsine

Microsoft Excel exploit: Let's be careful out there?

A new zero-day exploit of Microsoft Excel has me pondering a standard bit of security advice, "be careful what you click."
This <a href="http://en.wikipedia.org/wiki/Meme">meme</a> survives to be repeated at nearly every outbreak, yet it simply isn't very effective.
You've probably seen a story or blog post about this already, but in case you haven't, here's the alert from the Microsoft technet blog which got me thinking:
<blockquote><a href="http://blogs.technet.com/msrc/default.aspx">Reports of new vulnerability in Microsoft Excel</a><br />"In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources."</blockquote>
Many online articles and blog postings repeated this advice, unquestioningly. Some folks even praised it, including the respected security professional Brian Krebs. In his post about the issue at the <a href="http://blog.washingtonpost.com/securityfix/">Security Fix</a> blog, he says it's "always good advice" that one be very careful opening unsolicited attachments.
Recently similar advice was given to users of various Instant Messaging systems, as a "worm" affected users of Yahoo's system. In fact, the "worm" required the user to click it, meaning that its spread couldn't possibly achieve the "every vulnerable machine got hit" levels of a real automatically propagating network worm.
However, these Instant Message viruses and email viruses can affect large numbers of systems in a short amount of time. A year or so ago I saw an outbreak of an email virus hit 1.5% of the systems at a large customer. It hit so many people (over 500) so fast (within an hour or two) that we at first thought it was exploiting an automatic execution hole in the email client. In fact, it had just been a little more clever than average at social engineering—tricking people to click it.
I briefly interviewed a few of the victims, some of whom were trained IT professionals, who spent a lot of time during the course of the year explaining to users that they shouldn't click unexpected attachments. Well, the virus in question was somewhat clever. It nearly always appeared to be from someone you know. It sent an attachment which appeared to be a spreadsheet (it was instead an executable virus). It used cleverly mundane subject lines.
Nearly all of the victims had received a virus pretending to be a spreadsheet which appeared to be from someone from whom they regularly receive spreadsheets via email.
How careful must people be? Scanning a file first wouldn't have protected the victim against zero-day threats like the current Excel threat.
We give the same advice to people about web surfing. Be careful where you surf, be careful what you click. It doesn't work there, either. Corporate and home PCs alike see anywhere from 1% to 20% ambient levels of adware and spyware infestation.
But the web is a treasure trove of useful and wonderful things you might never discover if, sometimes, you don't click with essentially reckless abandon.
The sentiment is pure, but most users are not able to easily tell what to click from what to avoid. Most people can filter out only the most rudimentary email viruses or phishing attempts at a glance.
I've given this advice myself many times, trying to carefully explain how to tell good from bad emails, and good from bad free downloads. I think in general the advice hasn't been helpful to most people most of the time. High levels of ongoing infestation from adware and spyware, widespread damage from Instant Message "worms" and rampant identity theft all tell us that the advice isn't working.
Posted 2006-06-09 by Gary W. Longsine

Beware of Your Auditors

Security auditors can be a clever lot, sometimes a bit too clever. You really need to have someone on staff looking over their shoulder throughout the entire audit, from planning through probing, and reporting. If you don't have someone on staff qualified to watch them, you need an independent consultant. A very sharp generalist would do, but someone experienced in security would be better. Basically you need a check and balance system in place, to keep stories like the following from happening to your organization.
First the context. The auditors created a custom Trojan, planted it amidst various other files on USB drives, and seeded them in parking lots and areas of the client's work area where they would likely be discovered by customers. Which, of course, they were. Here's what they say about the experience:
<a href="http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1">Social Engineering, the USB Way</a>
<blockquote><em>I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
...
I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him.
...
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.</em></blockquote>
Yes, you read that right. Their custom trojan emailed the client's account names and passwords and other (presumably important) data out to the auditors' off-site email accounts.
Now, unless these guys put rather a lot more effort into their custom trojan than they described, email is a plain text protocol. So, any fifteen-year-old kid with a summer job sitting on a router or an SMTP gateway at an ISP between the client and the auditor's email basket can read that email.
Of course, it's possible the trojan was equipped with an X.509 certificate and encryption system, but it seems to me that if the auditors had thought of this, they would have mentioned it. It would have been a source of pride. For either forgetting to encrypt the data, or failing to mention it in their storytelling, they will undoubtedly be punished by the flood of email they are bound to get from every GSEC and CISSP certified security analyst on the planet.
I don't want to be too critical, because they seem to have the best intentions, and their effort served to illustrate a point that clients often don't take seriously -- USB drives really can be dangerous, even if you don't inhale one. However, in their excitement to put the clever idea to the test, these auditors seem to have overlooked one important layer of the security cake and the important dictum, useful to all consultants, "<a href="http://www.geocities.com/everwild7/noharm.html">first, do no harm</a>."
Of course, this isn't the most egregious error ever committed by an auditor. Far from it, in fact. I've personally seen auditors' laptops spewing worm traffic on a client's network. Of course, it's likely that the auditor's systems were infected by a worm on the client's network, rather than the other way around, but running 3 systems known to be vulnerable to the same defect that they were spanking the client for was, pardon the pun, an oversight.
In the last year or so, several incidents of auditors losing valuable client data including identity information have been reported, notably more than one incident involving <a href="http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/">Ernst & Young</a>.
So, have someone on your staff work closely with the auditors as a sponsor of the audit, or have an independent consultant watching over their shoulder for you. People sometimes get carried away in their exuberance to do great work, and other times are following bureaucratic procedures that just don't make sense. In either case, your sponsor should have veto power over any actions during the audit, to protect your data from accidental exposure.
In case you're wondering, you don't need an "auditor for the auditor for the auditor" up an infinite chain. What we're really talking about here is a sponsor with veto power who isn't part of the audit team. This kind of outside watchdog can break the pattern of groupthink that causes people to run off with a half-baked idea and accidentally expose the data they are ostensibly trying to help you protect.
Posted 2006-04-17 by Gary W. Longsine

McAfee out of ideas - blames internet for rootkits.

The recent article <a href="http://www.networkworld.com/news/2006/041706-open-source-rootkits.html">Does open source encourage rootkits? [NetworkWorld]</a> discusses a McAfee report, "Rootkits", in which McAfee lays the blame for rootkits at the door of the open source community by name, security researchers by implication, and unwittingly at the very doorstep of information sharing -- books, libraries, and printed material. The report was issued due to a large jump in the number of rootkits they detected (nine times as many this quarter as the year ago quarter - a dramatic increase). They specifically blame <a href="http://rootkit.com">rootkit.com</a>.
The unstated basis for their argument is a classic tension between open sharing of information about security vulnerabilities on the one hand and secret cabals of security research on the other. McAfee is clearly coming down for the "keep it secret to be safe" camp. Most independent security researchers reject this argument, because industry has a very long track record of totally ignoring security issues until they are made public. Most researchers also practice a policy of advance notification -- give the vendor reasonable notice before publishing the findings to the world and attempt to work with them so that a fix is available when the notice is published. However, the threat of publication is sometimes the only thing that motivates software companies to fix security problems.
Blaming open source, web sites, and information sharing by implication is misguided.
The folks who are writing the real malware could (and do) use secret members-only web sites to share ideas and code and whatnot in their pursuit of malfeasance. It's better for the community of researchers to have open sites sharing these ideas.
The fact is that you don't need a web site. There are books that do a pretty good job of explaining how rootkits work and how to build them. Are libraries now to blame? Is the publishing division of McAfee's competitor, Symantec Press to blame? (<a href="http://www.awprofessional.com/title/0321304543"> The Art of Computer Virus Research and Defense</a>).
No. Information sharing is not to blame. Symantec is not to blame (at least not in this respect). Books are not to blame. The internet isn't to blame, web sites are not to blame, security researchers are not to blame.
I wonder if instead we can attribute the continuing and expensive thorn of malware to humanity's continuing struggle to ride a rapid wave of expanding technology while simultaneously attempting to preserve civil liberties and limit the destruction and damage that can be caused by Evil Doers(TM)? Frankly, we're not very good at it, and we will soon face analogous problems in the much more serious realm of biological engineering. Recall that open source specifications for the 1918 influenza have already been published. We need to get better at this stuff pretty quickly, because the clock is ticking. The information genie can't be put back in the bottle; we had better figure out how to tame it.
* NOTE: Evil Doers is a Trademark of The Bush Administration.