<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
<channel>
	<title>softsecurity.com In focus</title>
	<link>http://www.softsecurity.com</link>
	<description>In focus</description>
	<language />
	<copyright />
	<pubDate>Wed, 08 Sep 2010 18:49:58 GMT</pubDate>
	<lastBuildDate>Wed, 08 Sep 2010 18:49:58 GMT</lastBuildDate>
	<category />
	<image />
	
	<item>
		<title>Consumerization and Corporate IT Security</title>
		<link>http://softsecurity.com/news/blog-posts/consumerization-and-corporate-it-security.html</link>
		<description>If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some of you will line up on the first day it's available.

So why can't work keep up? Why are you forced to use an unfamiliar, and sometimes outdated, operating system? Why do you need a second laptop, maybe an older and clunkier one? Why do you need a second cell phone with a new interface, or a BlackBerry, when your phone already does e-mail? Or a second BlackBerry tied to corporate e-mail? Why can't you use the cool stuff you already have?

More and more companies are letting you. They're giving you an allowance and allowing you to buy whatever laptop you want, and to connect into the corporate network with whatever device you choose. They're allowing you to use whatever cell phone you have, whatever portable e-mail device you have, whatever you personally need to get your job done. And the security office is freaking.

You can't blame them, really. Security is hard enough when you have control of the hardware, operating system and software. Lose control of any of those things, and the difficulty goes through the roof. How do you ensure that the employee devices are secure, and have up-to-date security patches? How do you control what goes on them? How do you deal with the tech support issues when they fail? How do you even begin to manage this logistical nightmare? Better to dig your heels in and say &quot;no.&quot;

But security is on the losing end of this argument, and the sooner it realizes that, the better.

The meta-trend here is consumerization: cool technologies show up for the consumer market before they're available to the business market. Every corporation is under pressure from its employees to allow them to use these new technologies at work, and that pressure is only getting stronger. Younger employees simply aren't going to stand for using last year's stuff, and they're not going to carry around a second laptop. They're either going to figure out ways around the corporate security rules, or they're going to take another job with a more trendy company. Either way, senior management is going to tell security to get out of the way. It might even be the CEO, who wants to get to the company's databases from his brand new iPad, driving the change. Either way, it's going to be harder and harder to say no.

At the same time, cloud computing makes this easier. More and more, employee computing devices are nothing more than dumb terminals with a browser interface. When corporate e-mail is all webmail, corporate documents are all on GoogleDocs, and when all the specialized applications have a web interface, it's easier to allow employees to use any up-to-date browser. It's what companies are already doing with their partners, suppliers, and customers.

Also on the plus side, technology companies have woken up to this trend and -- from Microsoft and Cisco on down to the startups -- are trying to offer security solutions. Like everything else, it's a mixed bag: some of them will work and some of them won't, most of them will need careful configuration to work well, and few of them will get it right. The result is that we'll muddle through, as usual.

Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.

This essay &lt;a href=&quot;http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1519679,00.html&quot;&gt;first appeared&lt;/a&gt; as the second half of a point/counterpoint with Marcus Ranum in Information Security Magazine.  You can read Marcus's half &lt;a href=&quot;http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1519679,00.html&quot;&gt;here&lt;/a&gt;.
</description>
		<pubDate>Tue, 07 Sep 2010 15:25:10 GMT</pubDate>
	</item>
	<item>
		<title>Terrorism Entrapment</title>
		<link>http://softsecurity.com/news/blog-posts/terrorism-entrapment.html</link>
		<description>Back in 2007, I wrote an essay, &quot;&lt;a href=&quot;http://www.schneier.com/essay-174.html&quot;&gt;Portrait of the Modern Terrorist as an Idiot&lt;/a&gt;,&quot; where I said:

The JFK Airport plotters seem to have been egged on by an informant, a &lt;a href=&quot;http://www.cnn.com/2007/US/06/04/jfk.plot.ap/index.html&quot;&gt;twice-convicted drug dealer&lt;/a&gt;. An FBI informant almost certainly &lt;a href=&quot;http://www.msnbc.msn.com/id/18601345/&quot;&gt;pushed the Fort Dix plotters&lt;/a&gt; to do things they wouldn't have ordinarily done. The Miami gang's Sears Tower plot was &lt;a href=&quot;http://online.wsj.com/article/SB115106746324888733.html?mod=world_news_whats_news&quot;&gt;suggested&lt;/a&gt; by an FBI undercover agent who infiltrated the group. And in 2003, it took an elaborate sting operation involving three countries to &lt;a href=&quot;http://www.cnn.com/2003/US/08/12/terror.arrest/&quot;&gt;arrest an arms dealer&lt;/a&gt; for selling a surface-to-air missile to an ostensible Muslim extremist. Entrapment is a very real possibility in all of these cases.

Over on Salon, Stephan Salisbury has an &lt;a href=&quot;http://www.salon.com/news/opinion/feature/2010/07/06/fbi_foiled_terrorism_plots&quot;&gt;essay&lt;/a&gt; on FBI entrapment and domestic terrorism plots.  It's well worth reading.
</description>
		<pubDate>Mon, 06 Sep 2010 15:24:50 GMT</pubDate>
	</item>
	<item>
		<title>Friday Squid Blogging: Squid Car</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-squid-car.html</link>
		<description>&lt;a href=&quot;http://www.delsquid.com/&quot;&gt;Squid car&lt;/a&gt;.
</description>
		<pubDate>Sat, 04 Sep 2010 00:58:03 GMT</pubDate>
	</item>
	<item>
		<title>UAE Man-in-the-Middle Attack Against SSL</title>
		<link>http://softsecurity.com/news/blog-posts/uae-man-in-the-middle-attack-against-ssl.html</link>
		<description>&lt;a href=&quot;http://www.slate.com/id/2265204&quot;&gt;Interesting&lt;/a&gt;:

Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft's software trusts more than 100 private and government institutions.

Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren't tracked or audited by browser companies. By &lt;a href=&quot;https://www.eff.org/observatory&quot;&gt;scouring the Net for certificates&lt;/a&gt;, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors -- and a UAE mobile phone company called Etisalat.

In 2005, a company called CyberTrust -- which has since been purchased by Verizon -- gave Etisalat, the government-connected mobile company in the UAE, the right to verify that a site is valid. Here's why this is trouble: Since browsers now automatically trust Etisalat to confirm a site's identity, the company has the potential ability to &lt;a href=&quot;http://www.crypto.com/blog/spycerts/&quot;&gt;fake a secure connection&lt;/a&gt; to any site Etisalat subscribers might visit using a man-in-the-middle scheme.
</description>
		<pubDate>Fri, 03 Sep 2010 14:27:05 GMT</pubDate>
	</item>
	<item>
		<title>Successful Attack Against a Quantum Cryptography System</title>
		<link>http://softsecurity.com/news/blog-posts/successful-attack-against-a-quantum-cryptography-system.html</link>
		<description>&lt;a href=&quot;http://www.nature.com/news/2010/100829/full/news.2010.436.html&quot;&gt;Clever&lt;/a&gt;:

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.

Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. &quot;Our hack gave 100% knowledge of the key, with zero disturbance to the system,&quot; he says.

[...]

The cunning part is that while blinded, Bob's detector cannot function as a 'quantum detector' that distinguishes between different quantum states of incoming light. However, it does still work as a 'classical detector' -- recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.

That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob's readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.

&quot;We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing,&quot; says Makarov.

Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. &quot;Once I had the systems in the lab, it took only about two months to develop a working hack,&quot; says Makarov.

Just because something is secure in theory doesn't mean it's secure in practice.  Or, to put it more cleverly: in theory, theory and practice are the same; but in practice, they're very different.

The paper is &lt;a href=&quot;http://dx.doi.org/10.1038/nphoton.2010.214&quot;&gt;here&lt;/a&gt;.
</description>
		<pubDate>Thu, 02 Sep 2010 21:46:00 GMT</pubDate>
	</item>
	<item>
		<title>Cyber-Offence is the New Cyber-Defense</title>
		<link>http://softsecurity.com/news/blog-posts/cyber-offence-is-the-new-cyber-defense.html</link>
		<description>&lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html &quot;&gt;This&lt;/a&gt; is beyond stupid:

The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas -- but it is still wrestling with how to pursue the strategy legally.

The department is developing a range of weapons capabilities, including tools that would allow &quot;attack and exploitation of adversary information systems&quot; and that can &quot;deceive, deny, disrupt, degrade and destroy&quot; information and information systems, according to Defense Department budget documents.

But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries' sovereignty.

&quot;Some&quot; officials are questioning it.  The rest are trying to ignore the issue.

I &lt;a href=&quot;http://www.schneier.com/blog/archives/2007/04/cyberattack.html&quot;&gt;wrote about this&lt;/a&gt; back in 2007. 
</description>
		<pubDate>Thu, 02 Sep 2010 15:33:08 GMT</pubDate>
	</item>
	<item>
		<title>Wanted: Skein Hardware Help</title>
		<link>http://softsecurity.com/news/blog-posts/wanted-skein-hardware-help.html</link>
		<description>As part of NIST's &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/index.html&quot;&gt;SHA-3 selection process&lt;/a&gt;, people have been implementing the candidate hash functions on a variety of hardware and software platforms.  Our team has implemented Skein in Intel's 32 nm ASIC process, and got some impressive performance results (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/WALKER_skein-intel-hwd-slides.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/WALKER_skein-intel-hwd-slides.pdf&quot;&gt;paper&lt;/a&gt;). Several other groups have implemented Skein in FPGA and ASIC, and have seen significantly poorer performance.  We need help understanding why.

For example, a group led by Brian Baldwin at the Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography implemented all the second-round candidates in FPGA (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/BALDWIN_FPGA_SHA3.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf&quot;&gt;paper&lt;/a&gt;). Skein performance was terrible, but  when they checked their code, they found an error.  Their corrected performance comparison (&lt;a href=&quot;http://www.ucc.ie/en/crypto/SHA-3Hardware/NISTSHA-3/Baldwin-SHA-3-Presentation-Aug-2010.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://www.ucc.ie/en/crypto/SHA-3Hardware/NISTSHA-3/Baldwin-SHA-3-Paper-Aug-2010.pdf&quot;&gt;paper&lt;/a&gt;) has Skein performing much better and in the top ten.

We suspect that the adders in all the designs may not be properly optimized, although there may be other performance issues. If we can at least identify (or possibly even fix) the slowdowns in the design, it would be very helpful, both for our understanding and for Skein's hardware profile. Even if we find that the designs are properly optimized, that would also be good to know.

A group at George Mason University led by Kris Gaj implemented all the second-round candidates in FPGA (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/GAJ_SHA3_GMU.pdf&quot;&gt;presentation&lt;/a&gt;, &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/GAJ_SHA3_512.pdf&quot;&gt;paper&lt;/a&gt;, and &lt;a href=&quot;http://eprint.iacr.org/2010/445.pdf&quot;&gt;much longer paper&lt;/a&gt;).  Skein had the worst performance of any of the implementations.  We're looking for someone who can help us understand the design, and determine if it can be improved.

Another group, led by Stefan Tillich at University of Bristol, implemented all the candidates in 180 nm custom ASIC (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/TILLICH_WEB_Uniform_SHA-3.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TILLICH_sha3hw.pdf&quot;&gt;paper&lt;/a&gt;). Here, Skein is one of the worst performers.  We're looking for someone who can help us understand what this group did.

Three other groups -- one led by Patrick Schaumont of Virginia Tech (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/SCHAUMONT_VT_presentation.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf&quot;&gt;paper&lt;/a&gt;), another led by Shin'ichiro Matsuo at National Institute of Information and Communications Technology in Japan (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/MATSUO_SHA3_Presentation.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf&quot;&gt;paper&lt;/a&gt;), and a third led by Luca Henzen at ETH Zurich (&lt;a href=&quot;http://www.vlsi.uwaterloo.ca/~ahasan/web_papers/technical_reports/web_five_SHA_3.pdf&quot;&gt;paper&lt;/a&gt; with &lt;a href=&quot;http://www.vlsi.uwaterloo.ca/~ahasan/web_papers/technical_reports/web_five_SHA_3_appendix_B.pdf&quot;&gt;appendix&lt;/a&gt;, and &lt;a href=&quot;http://www.springerlink.com/content/g0115v3272156r06/&quot;&gt;conference version&lt;/a&gt;) -- implemented the SHA-3 candidates.  Again, we need help understanding how their Skein performance numbers are so different from ours.

We're looking for people with FPGA and ASIC skills to work with the Skein team.  We don't have money to pay anyone; co-authorship on a paper (and a &lt;a href=&quot;http://www.schneier.com/skein-shirts.html&quot;&gt;Skein polo shirt&lt;/a&gt;) is our primary reward.  Please send me e-mail if you're interested.
</description>
		<pubDate>Wed, 01 Sep 2010 21:17:40 GMT</pubDate>
	</item>
	<item>
		<title>More Skein News</title>
		<link>http://softsecurity.com/news/blog-posts/more-skein-news.html</link>
		<description>&lt;a href=&quot;http://www.skein-hash.info/&quot;&gt;Skein&lt;/a&gt; is my new hash function.   Well, &quot;my&quot; is an overstatement; I'm one of the &lt;a href=&quot;http://www.skein-hash.info/node/37&quot;&gt;eight designers&lt;/a&gt;.  It was submitted to NIST for their &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/index.html&quot;&gt;SHA-3&lt;/a&gt; competition, and one of the 14 algorithms &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/submissions_rnd2.html&quot;&gt;selected&lt;/a&gt; to advance to the second round.  &lt;a href=&quot;http://www.schneier.com/skein.pdf&quot;&gt;Here's&lt;/a&gt; the Skein paper; source code is &lt;a href=&quot;http://www.schneier.com/code/skein.zip&quot;&gt;here&lt;/a&gt;.  The Skein website is &lt;a href=&quot;http://www.skein-hash.info/&quot;&gt;here&lt;/a&gt;.

Last week was the &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/index.html&quot;&gt;Second SHA-3 Candidate Conference&lt;/a&gt;.  Lots of people presented papers on the candidates: cryptanalysis papers, implementation papers, performance comparisons, etc.  There were two cryptanalysis papers on Skein.  The first was by Kerry McKay and Poorvi L. Vora (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/MCKAY_Pseudolinear_SHA3.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MCKAY_PseudolinearApprox.pdf&quot;&gt;paper&lt;/a&gt;). They tried to extend linear cryptanalysis to groups of bits to attack Threefish (the block cipher inside Skein). It was a nice analysis, but it didn't get very far at all.

The second was a fantastic piece of cryptanalysis by  Dmitry Khovratovich, Ivica Nikoli&amp;eacute;, and Christian Rechberger.  They used a rotational rebound attack (&lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/RECHBERGER_Rotational_Rebound_Attacks_on_Reduced_Skein_v09.pdf&quot;&gt;presentation&lt;/a&gt; and &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/RECHBERGER_rot-rebound.pdf&quot;&gt;paper&lt;/a&gt;) to mount a &quot;known-key distinguisher attack&quot; on 57 out of 72 Threefish rounds faster than brute force.  It's a &lt;a href=&quot;http://www.springerlink.com/content/y2437717g1630plp/&quot;&gt;new type&lt;/a&gt; &lt;a href=&quot;https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=31551&quot;&gt;of attack&lt;/a&gt; -- some go so far as to call it an &quot;observation&quot; -- and the community is still trying to figure out what it means.  It only works if the attacker can manipulate both the plaintexts and the keys in a structured way.  Against 57-round Threefish, it requires 2&lt;sup&gt;503&lt;/sup&gt; work -- barely better than brute force.  And it only distinguishes reduced-round Threefish from a random permutation; it doesn't actually recover any key bits.

Even with the attack, Threefish has a good security margin.  Also, the attack doesn't affect Skein.  But changing one constant in the algorithm's key schedule makes the attack impossible.  NIST has said they're allowing second-round tweaks, so we're going to make the change.  It won't affect any performance numbers or obviate any other cryptanalytic results -- but the best attack would be 33 out of 72 rounds.

Our update on Skein, which we presented at the conference, is &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/presentations/CALLAS_Skein_Presentation_2Version_10.pdf&quot;&gt;here&lt;/a&gt;. All the other papers and presentations are &lt;a href=&quot;http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/Program_SHA3_Aug2010.pdf&quot;&gt;here&lt;/a&gt;. (My 2008 essay on SHA-3 is &lt;a href=&quot;http://www.schneier.com/essay-249.html&quot;&gt;here&lt;/a&gt;, and my 2009 update is &lt;a href=&quot;http://www.schneier.com/blog/archives/2009/09/skein_news.html&quot;&gt;here&lt;/a&gt;.) The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Gr&amp;oslash;stl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.  You can find details on all of them, as well as the current state of their cryptanalysis, &lt;a href=&quot;http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo&quot;&gt;here&lt;/a&gt;.  NIST will select approximately five algorithms to go on to the third round by the end of the year.

In other news, we're once again making Skein polo shirts available to the public.  Those of you who attended either of the two SHA-3 conferences might have noticed the stylish black Skein polo shirts worn by the Skein team.  Anyone who wants one is welcome to buy it, at cost.  Details (with photos) are &lt;a href=&quot;http://www.schneier.com/skein-shirts.html&quot;&gt;here&lt;/a&gt;.  All orders must be received before October 1, and we'll have all the shirts made in one batch.
</description>
		<pubDate>Wed, 01 Sep 2010 14:01:50 GMT</pubDate>
	</item>
	<item>
		<title>Interactive undersea cable map</title>
		<link>http://softsecurity.com/news/blog-posts/interactive-undersea-cable-map.html</link>
		<description>Ever since I was a kid, maps have always fascinated me. I eagerly anticipated each month&amp;#8217;s National Geographic not for the usual, ah, imagery that would so fascinate adolescents but instead because I knew the magazine would include an incredibly detailed map of someplace in the world or beyond. Even today maps can hold my [...]</description>
		<pubDate>Wed, 01 Sep 2010 08:29:18 GMT</pubDate>
	</item>
	<item>
		<title>Network Security Podcast, Episode 210</title>
		<link>http://softsecurity.com/news/blog-posts/network-security-podcast-episode-210.html</link>
		<description>Rich is off dealing with the joy of fatherhood (again), leaving Martin and Zach to rope Mike Rothman into the podcast for a few weeks. Our news stories are pretty short tonight, thanks to an interview with the one-and-only Jennifer Granick of the Electronic Frontier Foundation. Martin discusses GPS tracking, the DMCA, and more with [...]</description>
		<pubDate>Wed, 01 Sep 2010 03:19:23 GMT</pubDate>
	</item>
	<item>
		<title>Update on Security Advisory 2269673</title>
		<link>http://softsecurity.com/news/blog-posts/update-on-security-advisory-2269673.html</link>
		<description>Hi everyone,
Since we released &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/2269637.mspx&quot;&gt;Security Advisory 2269673&lt;/a&gt; on August 23, we've continued to conduct an investigation not only into our own affected products, but also into how we can best help to protect customers given DLL preloading also affects some third-party applications. We'd like to provide an update on our investigation.
First, I want to be clear that Microsoft plans to address those of our products affected by this issue in the most appropriate way for customers. This will primarily be in the form of security updates or defense-in-depth updates. Also, due to the fact that customers need to click through a series of warnings and dialogs to open a malicious file, we rate most of these vulnerabilities as important. 
One of the goals we have at Microsoft is to make it easy for developers to create secure applications on our platform. As we stated in our &lt;a href=&quot;http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx&quot;&gt;previous blog post&lt;/a&gt;, DLL preloading is a well-known class of vulnerabilities and we have had guidance for developers in place for quite some time. &lt;a href=&quot;http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx&quot;&gt;We have recently updated that guidance&lt;/a&gt; to provide more clarity. 
Even with improved guidance, we recognize that it may take quite a bit of time for all affected applications to be updated and for some, an update may not be possible. With the advisory, we released a tool to help customers protect their systems (see &lt;a href=&quot;http://support.microsoft.com/kb/2264107&quot;&gt;KB 2264107&lt;/a&gt;). This tool provides a framework for customers to modify the behavior of the DLL search path algorithm and essentially block unsafe DLL loading. When installed, this tool still needs to be configured in order to block malicious behavior, and customers have asked us for our recommended setting. As a result, our Security Research &amp;amp; Defense team has written a &lt;a href=&quot;http://blogs.technet.com/b/srd/archive/2010/08/23/an-update-on-the-dll-preloading-remote-attack-vector.aspx&quot;&gt;detailed blog post&lt;/a&gt; on this topic and has worked with our Microsoft Fix-it team to develop a &lt;a href=&quot;http://go.microsoft.com/?linkid=9742148&quot;&gt;Fix-it&lt;/a&gt; to enable our recommended setting which blocks most network-based attack vectors. (Please note that the tool needs to be installed prior to enabling the Fix-it.)
Many enterprise customers have asked us to make it easier for them to deploy this tool. As a result, we are working with the Windows Update (WU) team to add the tool to the WU catalog. This will make it easier for those running Windows Server Update Services (WSUS) to deploy. We are working to have that solution in place within the next couple of weeks. We are also considering releasing this solution more broadly via WU as a defense-in-depth update for all customers in an &quot;off by default&quot; state. We will share more information through the MSRC blog as our plans are solidified. 
Customers should note that the tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path; developers will be required to update those applications accordingly. 
Thank you,
Jerry Bryant&lt;br /&gt;Group Manager, Response Communications</description>
		<pubDate>Wed, 01 Sep 2010 00:00:00 GMT</pubDate>
	</item>
	<item>
		<title>Eavesdropping on Smart Homes with Distributed Wireless Sensors</title>
		<link>http://softsecurity.com/news/blog-posts/eavesdropping-on-smart-homes-with-distributed-wireless-sensors.html</link>
		<description>&quot;&lt;a href=&quot;http://portal.acm.org/citation.cfm?doid=1409635.1409663&quot;&gt;Protecting your daily in-home activity information from a wireless snooping attack&lt;/a&gt;,&quot; by Vijay Srinivasan, John Stankovic, and Kamin Whitehouse:

Abstract:  In this paper, we first present a new privacy leak in residential wireless ubiquitous computing systems, and then we propose guidelines for designing future systems to prevent this problem. We show that we can observe private activities in the home such as cooking, showering, toileting, and sleeping by eavesdropping on the wireless transmissions of sensors in a home, even when all of the transmissions are encrypted. We call this the Fingerprint and Timing-based Snooping (FATS) attack. This attack can already be carried out on millions of homes today, and may become more important as ubiquitous computing environments such as smart homes and assisted living facilities become more prevalent. In this paper, we demonstrate and evaluate the FATS attack on eight different homes containing wireless sensors. We also propose and evaluate a set of privacy preserving design guidelines for future wireless ubiquitous systems and show how these guidelines can be used in a hybrid fashion to prevent the FATS attack with low implementation costs.

The group was able to infer surprisingly detailed activity information about the residents, including when they were home or away, when they were awake or sleeping, and when they were performing activities such as showering or cooking.  They were able to infer all this without any knowledge of the location, semantics, or source identifier of the wireless sensors, while assuming perfect encryption of the data and source identifiers.
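As an added illustration (not the paper's code or its FATS method), the Python below shows why encryption alone does not close this leak: it looks only at when encrypted frames appeared on the air, with no payloads, addresses or sensor identities, and still recovers when the residents were away, asleep, or in the middle of an activity. The capture, the thresholds and the night window are constructed assumptions.

```python
"""Timing-only inference over encrypted sensor traffic, in the spirit of the
FATS attack described above.  Added illustration, not the paper's method: it
uses only transmission timestamps (no payloads, addresses or sensor
identities) to recover occupancy and activity episodes.  Thresholds and the
sample capture are constructed assumptions."""

IDLE_MIN = 120      # no transmissions for this long: nobody is active (away or asleep)
BURST_GAP = 10      # frames this close together belong to one activity episode
MIN_BURST = 3       # episodes with fewer frames than this are ignored as noise

# Constructed capture: minutes since midnight at which some encrypted sensor
# frame was seen on the air; values of 1440 or more mean the next morning.
SAMPLE_TIMESTAMPS = [
    390, 394, 397, 401, 406, 410, 415, 420, 425, 431, 437, 444, 452, 460,  # 06:30 morning routine
    1050, 1054, 1059, 1065, 1072, 1080, 1090,                             # 17:30 return home
    1101, 1113, 1125, 1140, 1160, 1185, 1210, 1240, 1275, 1320, 1350,     # evening, sparse
    1830,                                                                 # 06:30 next day
]


def at_least(x, limit):
    """True when x is at or above limit."""
    return max(x, limit) == x


def hhmm(minutes):
    """Clock time for a minute count, wrapping past midnight."""
    m = minutes % 1440
    return "%02d:%02d" % (m // 60, m % 60)


def idle_periods(ts, idle_min=IDLE_MIN):
    """Silent stretches and a guess at why: a silence that begins late in the
    evening (20:00 or later) or in the small hours (before 05:00) is sleep,
    any other long silence is absence."""
    out = []
    for start, end in zip(ts, ts[1:]):
        if at_least(end - start, idle_min):
            tod = start % 1440
            night = at_least(tod, 20 * 60) or not at_least(tod, 5 * 60)
            out.append((start, end, "sleeping" if night else "away"))
    return out


def activity_episodes(ts, burst_gap=BURST_GAP, min_events=MIN_BURST):
    """Runs of closely spaced frames: a sensor cluster firing repeatedly, which
    is what cooking, showering or similar activity looks like on the air."""
    if not ts:
        return []
    episodes, run = [], [ts[0]]
    for prev, cur in zip(ts, ts[1:]):
        if at_least(burst_gap, cur - prev):      # gap is within burst_gap
            run.append(cur)
        else:
            if at_least(len(run), min_events):
                episodes.append((run[0], run[-1], len(run)))
            run = [cur]
    if at_least(len(run), min_events):
        episodes.append((run[0], run[-1], len(run)))
    return episodes


if __name__ == "__main__":
    for start, end, why in idle_periods(SAMPLE_TIMESTAMPS):
        print("silent %s to %s: %s" % (hhmm(start), hhmm(end), why))
    for start, end, n in activity_episodes(SAMPLE_TIMESTAMPS):
        print("activity %s to %s (%d frames)" % (hhmm(start), hhmm(end), n))
```

On the constructed capture this reports the household away from 07:40 to 17:30, asleep from 22:30 to 06:30, and two activity episodes (morning and early evening), all from frame timing alone; a real attack adds the fingerprinting step that separates sensors so the episodes can be tied to rooms.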
</description>
		<pubDate>Tue, 31 Aug 2010 20:39:14 GMT</pubDate>
	</item>
	<item>
		<title>High School Teacher Assigns Movie-Plot Threat Contest Problem</title>
		<link>http://softsecurity.com/news/blog-posts/high-school-teacher-assigns-movie-plot-threat-contest-problem.html</link>
		<description>In &lt;a href=&quot;http://www.todayonline.com/World/EDC100826-0000082/Aussie-teacher-tells-class-to-plan-terrorist-attack-&quot;&gt;Australia&lt;/a&gt;:

A high school teacher who assigned her class to plan a terrorist attack that would kill as many innocent people as possible had no intent to promote terrorism, the school principal said yesterday.

The Year-10 students at Kalgoorlie-Boulder Community High School were asked to pretend they were terrorists making a political statement by releasing a chemical or biological agent on &quot;an unsuspecting Australian community&quot;.

The task included choosing the best time to attack and explaining their choice of victims and what effects the attack would have on a human body.

&quot;Your goal is to kill the MOST innocent civilians,&quot; the assignment read.

Principal Terry Martino said he withdrew the assignment for the class on contemporary conflict and terrorism as soon as he heard of it. He said the teacher was &quot;relatively inexperienced&quot; and it was a &quot;well-intentioned but misguided attempt to engage the students&quot;. 

Sounds like &lt;a href=&quot;http://www.schneier.com/blog/archives/2006/04/announcing_movi.html&quot;&gt;me&lt;/a&gt;:

It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest. Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.

Your goal: cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.

Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.

For the record, 1) I have no interest in promoting terrorism -- I'm not even sure how I could promote terrorism without actually engaging in terrorism, 2) I'm pretty experienced, and 3) my movie-plot threat contests are not misguided.  You can't understand security defense without also understanding attack.

Australian police are claiming the assignment was &lt;a href=&quot;http://www.watoday.com.au/wa-news/afp-warns-terrorism-test-was-illegal-20100825-13rzj.html&quot;&gt;illegal&lt;/a&gt;, so Australians who enter my movie-plot threat contests should think twice. Also anyone writing a thriller novel about terrorism, perhaps.

An AFP spokeswoman said it was an offence to collect or make documents preparing for or assisting a terrorist attack.

It was also illegal to be &quot;reckless as to whether these documents may assist or prepare for a terrorist attack&quot;.
</description>
		<pubDate>Tue, 31 Aug 2010 14:42:54 GMT</pubDate>
	</item>
	<item>
		<title>Scam spam on the rise</title>
		<link>http://softsecurity.com/news/blog-posts/scam-spam-on-the-rise.html</link>
		<description>What a busy weekend it must have been for folks who need assistance transferring money out of their destitute dictatorial regimes. As I watched my inbox open this morning I was overcome with joy: so many near-famous yet obscure political figures are reaching out to me personally for help! I&amp;#8217;m so grateful to everyone, and [...]</description>
		<pubDate>Tue, 31 Aug 2010 02:05:38 GMT</pubDate>
	</item>
	<item>
		<title>Misidentification and the Court System</title>
		<link>http://softsecurity.com/news/blog-posts/misidentification-and-the-court-system.html</link>
		<description>&lt;a href=&quot;http://www.slate.com/blogs/blogs/thewrongstuff/archive/2010/08/17/reasonable-doubt-innocence-project-co-founder-peter-neufeld-on-being-wrong.aspx&quot;&gt;Chilling&lt;/a&gt;:

How do most wrongful convictions come about?

The primary cause is mistaken identification. Actually, I wouldn't call it mistaken identification; I'd call it misidentification, because you often find that there was some sort of misconduct by the police. In a lot of cases, the victim initially wasn't so sure. And then the police say, &quot;Oh, no, you got the right guy. In fact, we think he's done two others that we just couldn't get him for.&quot; Or: &quot;Yup, that's who we thought it was all along, great call.&quot;

It's disturbing that misidentifications still play such a large role in wrongful convictions, given that we've known about the fallibility of eyewitness testimony for over a century. 

In terms of empirical studies, that's right. And 30 or 40 years ago, the Supreme Court acknowledged that eyewitness identification is problematic and can lead to wrongful convictions. The trouble is, it instructed lower courts to determine the validity of eyewitness testimony based on a lot of factors that are irrelevant, like the certainty of the witness. But the certainty you express [in court] a year and a half later has nothing to do with how certain you felt two days after the event when you picked the photograph out of the array or picked the guy out of the lineup. You become more certain over time; that's just the way the mind works. With the passage of time, your story becomes your reality. You get wedded to your own version.

And the police participate in this. They show the victim the same picture again and again to prepare her for the trial. So at a certain point you're no longer remembering the event; you're just remembering this picture that you keep seeing.
</description>
		<pubDate>Mon, 30 Aug 2010 20:05:09 GMT</pubDate>
	</item>
	<item>
		<title>Security Theater on the Boston T</title>
		<link>http://softsecurity.com/news/blog-posts/security-theater-on-the-boston-t.html</link>
		<description>Since a fatal crash a few years ago, Boston T (their subway) operators have been forbidden from using -- or even having -- cell phones while on the job.  Passengers are encouraged to report violators.  But sometimes T operators need to use their official radios on the job, and passengers can't tell the difference.  The solution: orange tape:

The solution? Goodbye, sober black; hello, bright orange, a hue so vivid that, MBTA officials hope, no one will mistake the radios for phones anymore. Workers at the agency's car barns and garages are in the process of outfitting every handset in the fleet with strips of reflective tape emblazoned with T logos.

[...]

... a small but steady number of hot line tips have been found to be cases of drivers or operators communicating with dispatch by radio, according to video and operations-center call logs.

That is where the electric-orange tape should help, Davey said. Over the past two months, the tape has been applied to handheld radios on about 95 percent of the T's 1,050 buses (each of which has one handset) and one-fourth of its nearly 210 double-ended Green Line trolleys, which have handsets at each end. The rest of the Green Line and the Orange, Blue, and Red line radios will follow.

Taisha O'Bryant, a Roxbury resident who serves as chairwoman of the T Riders Union, said she is more concerned with the frequency and reliability of bus service than the appearance of bus radios. But she said it is a good thing if a driver or operator can call dispatch in the event of a breakdown or service problem without worrying about appearing to talk on a cellphone, and she hailed the cellphone ban.

Of course, no T operator would ever think of putting bright orange tape on his cell phone.  Because if he did that, the passengers would immediately know not to report him.
</description>
		<pubDate>Mon, 30 Aug 2010 13:31:35 GMT</pubDate>
	</item>
	<item>
		<title>Defcon 2010 Interview:  Joe Grand</title>
		<link>http://softsecurity.com/news/blog-posts/defcon-2010-interview-joe-grand.html</link>
		<description>I was only able to get a few interviews while I was in Vegas this year.  But one of my favorites was talking to Joe Grand, the creator of all five years&amp;#8217; worth of electronic Defcon badges.  This year&amp;#8217;s badge was smaller than previous years but it had some unique and interesting capabilities and it [...]</description>
		<pubDate>Sat, 28 Aug 2010 17:31:24 GMT</pubDate>
	</item>
	<item>
		<title>Friday Squid Blogging: Jewel of the Sea</title>
		<link>http://softsecurity.com/news/blog-posts/friday-squid-blogging-jewel-of-the-sea.html</link>
		<description>&lt;a href=&quot;http://scienceblogs.com/pharyngula/2010/08/friday_cephalopod_jewel_of_the_1.php&quot;&gt;Pretty&lt;/a&gt;.
</description>
		<pubDate>Sat, 28 Aug 2010 00:28:37 GMT</pubDate>
	</item>
	<item>
		<title>Me at the EastWest Institute</title>
		<link>http://softsecurity.com/news/blog-posts/me-at-the-eastwest-institute.html</link>
		<description>Back in May, I attended the EastWest Institute's &lt;a href=&quot;http://www.ewi.info/worldwide-cybersecurity-summit&quot;&gt;First Worldwide Cybersecurity Summit&lt;/a&gt; in Dallas.  I only had &lt;a href=&quot;http://www.youtube.com/watch?v=I6ZkU2fUM5w&quot;&gt;eight minutes to speak&lt;/a&gt;, and tried to turn the dialog to security, privacy, and the individual.
</description>
		<pubDate>Fri, 27 Aug 2010 20:47:25 GMT</pubDate>
	</item>
	<item>
		<title>Certified Application Security Specialist in job description</title>
		<link>http://softsecurity.com/news/blog-posts/certified-application-security-specialist-in-job-description.html</link>
		<description>Last year Rich Mogull and Jeremiah Grossman created a little-known certification, the Certified Application Security Specialist or Certified ASS.&amp;#160; To those in the know, or with the intelligence of the average house pet, it should be immediately obvious that this was an April Fool&amp;#8217;s joke.&amp;#160; Funny, and it&amp;#8217;s been a continuing joke throughout [...]</description>
		<pubDate>Fri, 27 Aug 2010 16:59:30 GMT</pubDate>
	</item>
	<item>
		<title>Is the Whole Country an Airport Security Zone?</title>
		<link>http://softsecurity.com/news/blog-posts/is-the-whole-country-an-airport-security-zone.html</link>
		<description>Full-body scanners in &lt;a href=&quot;http://blogs.forbes.com/andygreenberg/2010/08/24/full-body-scan-technology-deployed-in-street-roving-vans/&quot;&gt;roving vans&lt;/a&gt;:

American Science &amp; Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents, Joe Reiss, a vice president of marketing at the company, told me in an interview.

This should be no different than the &lt;a href=&quot;http://www.law.cornell.edu/supct/html/99-8508.ZS.html&quot;&gt;Kyllo&lt;/a&gt; case, where the Supreme Court ruled that the police needed a warrant before they can use a thermal sensor on a building to search for marijuana growers.

Held: Where, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment &quot;search,&quot; and is presumptively unreasonable without a warrant.
</description>
		<pubDate>Fri, 27 Aug 2010 15:58:50 GMT</pubDate>
	</item>
	<item>
		<title>Detecting Deception in Conference Calls</title>
		<link>http://softsecurity.com/news/blog-posts/detecting-deception-in-conference-calls.html</link>
		<description>Research paper: &lt;a href=&quot;http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1572705&quot;&gt;Detecting Deceptive Discussions in Conference Calls&lt;/a&gt;, by David F. Larcker and Anastasia A. Zakolyukina.

Abstract:  We estimate classification models of deceptive discussions during quarterly earnings conference calls. Using data on subsequent financial restatements (and a set of criteria to identify especially serious accounting problems), we label the Question and Answer section of each call as &quot;truthful&quot; or &quot;deceptive&quot;. Our models are developed with the word categories that have been shown by previous psychological and linguistic research to be related to deception. Using conservative statistical tests, we find that the out-of-sample performance of the models that are based on CEO or CFO narratives is significantly better than random by 4% - 6% (with 50% - 65% accuracy) and provides a significant improvement to a model based on discretionary accruals and traditional controls. We find that answers of deceptive executives have more references to general knowledge, fewer non-extreme positive emotions, and fewer references to shareholders value and value creation. In addition, deceptive CEOs use significantly fewer self-references, more third person plural and impersonal pronouns, more extreme positive emotions, fewer extreme negative emotions, and fewer certainty and hesitation words.
</description>
		<pubDate>Thu, 26 Aug 2010 14:15:11 GMT</pubDate>
	</item>
	<item>
		<title>May see you at HacKid</title>
		<link>http://softsecurity.com/news/blog-posts/may-see-you-at-hackid.html</link>
		<description>Zach Lanier brought up HacKid (pronounced &amp;#8216;hacked&amp;#8217; I&amp;#8217;m told) on the podcast last night and I just realized I haven&amp;#8217;t even written a single post on the subject.&amp;#160; My friend Chris Hoff, aka @beaker, is one of the key organizers and Zach is on the committee as well, and this looks like it&amp;#8217;s going to [...]</description>
		<pubDate>Thu, 26 Aug 2010 06:00:42 GMT</pubDate>
	</item>
	<item>
		<title>Social Steganography</title>
		<link>http://softsecurity.com/news/blog-posts/social-steganography.html</link>
		<description>From &lt;a href=&quot;http://www.zephoria.org/thoughts/archives/2010/08/23/social-steganography-learning-to-hide-in-plain-sight.html&quot;&gt;danah boyd&lt;/a&gt;:

Carmen is engaging in social steganography. She's hiding information in plain sight, creating a message that can be read in one way by those who aren't in the know and read differently by those who are. She's communicating to different audiences simultaneously, relying on specific cultural awareness to provide the right interpretive lens. While she's focused primarily on separating her mother from her friends, her message is also meaningless to broader audiences who have no idea that she had just broken up with her boyfriend. 
</description>
		<pubDate>Wed, 25 Aug 2010 14:20:52 GMT</pubDate>
	</item>
	<item>
		<title>Network Security Podcast, Episode 209</title>
		<link>http://softsecurity.com/news/blog-posts/network-security-podcast-episode-209.html</link>
		<description>The gang reunites this week after skipping an episode and, despite wondering if Rich&amp;#8217;s house was going to get blown away to the merry old land of Oz, squeezed out a show &amp;#8212; and even included our very first bumper (from our friends over at Eurotrash Security Podcast). Yes, we did cover the proverbial &amp;#8220;elephant [...]</description>
		<pubDate>Wed, 25 Aug 2010 05:50:42 GMT</pubDate>
	</item>
	<item>
		<title>Skeletal Identification</title>
		<link>http://softsecurity.com/news/blog-posts/skeletal-identification.html</link>
		<description>And you thought &lt;a href=&quot;http://www.physorg.com/news201454875.html&quot;&gt;fingerprints were intrusive&lt;/a&gt;.

The Wright State Research Institute is developing a ground-breaking system that would scan the skeletal structures of people at airports, sports stadiums, theme parks and other public places that could be vulnerable to terrorist attacks, child abductions or other crimes. The images would then quickly be matched with potential suspects using a database of previously scanned skeletons.

Because every country has a database of terrorist skeletons just waiting to be used.
</description>
		<pubDate>Tue, 24 Aug 2010 14:56:07 GMT</pubDate>
	</item>
	<item>
		<title>Malware Contributory Cause of Air Crash</title>
		<link>http://softsecurity.com/news/blog-posts/malware-contributory-cause-of-air-crash.html</link>
		<description>&lt;a href=&quot;http://www.theregister.co.uk/2010/08/20/spanair_malware/&quot;&gt;This&lt;/a&gt; is a first, I think:

The airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this resulted in a failure to raise an alarm over multiple problems with the plane, according to Spanish daily El Pais (report &lt;a href=&quot;http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes&quot;&gt;here&lt;/a&gt;). The plane took off with flaps and slats retracted, something that should in any case have been picked up by the pilots during pre-flight checks or triggered an internal warning on the plane. Neither happened, with tragic consequences, according to a report by independent crash investigators. 

More &lt;a href=&quot;http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security&quot;&gt;here&lt;/a&gt;.

I have long thought that the Blaster worm was a &lt;a href=&quot;http://www.schneier.com/essay-002.html&quot;&gt;contributing cause&lt;/a&gt; of the 2003 blackout in the U.S. and Canada.

EDITED TO ADD (8/23):  In the comments, many readers point out that there are a bunch of problems with the El Pais article this is all based on, and that we should wait for more information before drawing any conclusions.
</description>
		<pubDate>Mon, 23 Aug 2010 14:03:35 GMT</pubDate>
	</item>
	<item>
		<title>Black Hat 2010:  Branden Williams, RSA</title>
		<link>http://softsecurity.com/news/blog-posts/black-hat-2010-branden-williams-rsa.html</link>
		<description>Branden Williams is one of the thought leaders in the PCI field, or at least someone like me who blogs about it a lot and hopes others find value in our thoughts.&amp;#160; I had a few minutes to catch up with him at Black Hat, where we discussed what he&amp;#8217;d seen at Black Hat as [...]</description>
		<pubDate>Sun, 22 Aug 2010 22:33:08 GMT</pubDate>
	</item>
	<item>
		<title>Microsoft Security Advisory 2269637 Released</title>
		<link>http://softsecurity.com/news/blog-posts/microsoft-security-advisory-2269637-released.html</link>
		<description>Overview
Today we released Microsoft &lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/2269637.mspx&quot;&gt;Security Advisory 2269637&lt;/a&gt;. This is different from other Microsoft Security Advisories because it's not talking about specific vulnerabilities in Microsoft products. Rather, this is our official guidance in response to security research that has outlined a new, remote vector for a well-known class of vulnerabilities, known as &lt;a href=&quot;http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx&quot;&gt;DLL preloading&lt;/a&gt; or &quot;binary planting&quot; attacks. We are currently conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately. 
Additionally, today we are providing a defense-in-depth update that customers can deploy that will help protect against attempts to exploit vulnerable applications through this newly identified vector. Finally, we are using our strong connections with researchers and partners in the industry to help address this new class of vulnerability. Our Microsoft Vulnerability Research program has been working to coordinate communication between the researcher who first brought this new vector to us and other application developers who are affected by this issue. 
Technical Background
What this new research demonstrates is a new remote vector for &lt;a href=&quot;http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx&quot;&gt;DLL preloading attacks&lt;/a&gt;. These attacks are not new or unique to the Windows platform. For instance, similar PATH attacks constitute one of the earliest classes of attacks against the UNIX operating system. The attack focuses on tricking an application into loading a malicious library when it thinks it is loading a trusted library. For this to succeed, the application has to call the trusted library by name instead of properly using its full path (for example, calling dllname.dll rather than C:\Program Files\Common Files\Contoso\dllname.dll). The attacker then has to place a malicious copy of the library in a directory that the system will search to locate the library, and that directory must be one the system searches before the directory where the trusted library actually is. For example, suppose an attacker knows that the application simply calls for dllname.dll (rather than using the full path) and that the system will look for dllname.dll in the current working directory before looking in C:\Program Files\Common Files\Contoso. If the attacker can plant a malicious copy of dllname.dll in the current working directory, the application will load it first, executing the attacker's code in the application's security context.
PATH or &lt;a href=&quot;http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx&quot;&gt;DLL preloading attacks&lt;/a&gt; have so far required the attacker to plant the malicious library on the local client system. This new research outlines a way an attacker could levy these attacks by planting the malicious library on a network share. In this scenario, the attacker would create a data file that the vulnerable application would open, create a malicious library that the vulnerable application would use, post both of them on a network share that the user could access, and convince the user to open the data file. At that point, the application would load the malicious library and the attacker's code would execute on the user's system.
Because this is a new vector, rather than a new class of vulnerability, the existing &lt;a href=&quot;http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx&quot;&gt;best practices&lt;/a&gt; that protect against this class of vulnerability automatically protect against this new vector as well: ensuring that applications make calls to trusted libraries using full path names.
While the best protection is following best practices, we are able to provide an additional layer of defense by offering a tool that can be configured to disable the loading of libraries from network shares. In particular, because this is altering functionality, we encourage customers to evaluate this tool before deploying it. As part of your evaluation, we encourage you to review the information at the &lt;a href=&quot;http://blogs.technet.com/b/srd/&quot;&gt;Security Research and Defense (SRD)&lt;/a&gt; blog.
We will continue our work with the researchers and the industry to identify and address vulnerable applications. And as always, we will update you with any new information we have through our security advisories, security bulletins and the MSRC weblog as appropriate.
Thanks
Christopher</description>
		<pubDate>Sun, 22 Aug 2010 09:03:00 GMT</pubDate>
	</item>
	<item>
		<title>Intel Buys McAfee</title>
		<link>http://softsecurity.com/news/blog-posts/intel-buys-mcafee.html</link>
		<description>&lt;a href=&quot;http://www.reuters.com/article/idUS372474677420100819&quot;&gt;Intel&lt;/a&gt; &lt;a href=&quot;http://www.nytimes.com/2010/08/20/technology/20chip.html&quot;&gt;buys&lt;/a&gt; &lt;a href=&quot;http://online.wsj.com/article/BT-CO-20100819-709018.html&quot;&gt;McAfee&lt;/a&gt;.

It's another example of a large non-security company buying a security company.  I've been talking about this sort of thing for &lt;a href=&quot;http://www.schneier.com/news-060.html&quot;&gt;two and a half years&lt;/a&gt;:

It's not consolidation as we're used to. In the security industry, there are waves of consolidation, you know, big companies scoop up little companies and then there's lots of consolidation. You've got Symantec and Network Associates that way. And then you have &quot;best of breed&quot; where a lot of little companies spring up doing one thing well and then you cobble together a suite yourself. What we're going to see is consolidation of non-security companies buying security companies. So, remember, if security is going to no longer be an end-user component, companies that do things that are actually useful are going to need to provide security. So, we're seeing Microsoft buying security companies, we're seeing IBM Global Services buy security companies, my company was purchased by BT, another massive global outsourcer. So, that sort of consolidation we are seeing, it's not consolidation of security; it's really the absorption of security into more general IT products and services.

EDITED TO ADD (8/19): &lt;a href=&quot;http://www.schneier.com/essay-196.html&quot;&gt;Here's&lt;/a&gt; something else I wrote about the general trend, from 2007.
</description>
		<pubDate>Thu, 19 Aug 2010 18:44:16 GMT</pubDate>
	</item>
</channel>
</rss>