like most of my security posts, this one is from bruce:
The courts have ruled that the police can search your data without a
warrant, as long as that data is held by others. The police need a
warrant to read the e-mail on your computer; but they don't need one to
read it off the backup tapes at your ISP. According to the Supreme
Court, that's not a search as defined by the 4th Amendment.
moral of the story? if you have info online, the govt (or anybody else, really) can get to it. so dont come crying when it gets stolen.
once again, israeli security shows how it should be done.
Schneier on Security: Security Notes from All Over: Israeli Airport Security Questioning
The defender -- the terrorist trying to sneak aboard the airplane -- needs a cover story sufficiently broad to be able to respond to any line of questioning. So he might memorize the answers to several hundred questions. The attacker -- the security screener -- could ask questions scattershot, but instead concentrates his questioning along one particular line. The theory is that eventually the defender will reach the end of his memorized story, and that the attacker will then notice the subtle changes in the defender as he starts to make up answers.
if you use a computer, read this article. the author is one of the most respected authorities on computer security and everything he says is right on. if you do not do a few of the things listed in this article, ask yourself why.
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."
Schneier on Security: Safe Personal Computing
if you're a security dork, check out quepasa, a system that allows you to essentially remember one passphrase and apply it to all websites, without actually using the same password on every system.
Here's an example: you need a password for Amazon.com, and you've previously selected the passphrase I am too sexy for my shirt. Simply type:In this case the password isquepasa amazon "I am too sexy for my shirt"WQ45f(A..Notice how it's a mixture of letters, numbers and other characters. Now you need a password for Yahoo! as well. Do the same command:In this case the password isquepasa yahoo "I am too sexy for my shirt"%kHcyMQ..
a good extension off the process i use currently, using a sort of algorithm to change passwords between sites, while keeping them predictable by me. this way when i come back to some random support forum, i can remember my password quickly, without trusting them with my "real" password.
why bother? why not use one password for every site? its simply a matter of trust. lets say you have the same password for your online trading company, your online bank, and your webmail. do you trust all of those sites? they're probably big-name companies with plenty of insurance and internal audits of security processes, backups, internal database encryption, firewalled everything, etc. you can probably trust those companies to not divulge your password along with 10,000 other clients in a security breach. maybe.
now what about generic_computer_help_forum.com? do you really trust some guy to secure his database? even ignoring attacks and password leaks, what makes you think this guys isn't hosting this site purely to harvest passwords. instead of encrypting your password and storing it in his database, he keeps it in the clear and sells them off to shady folk.
so, to avoid the potentially bad situation of disclosing a valuable, sensitive password (e.g. banking password) to any old potentially-shady website, mixing up your passwords is recommended. but remembering hundreds of passwords is not going to happen, so an algorithm is developed. for example, you can develop a good password and mix in the initials of the website you are visiting. for example a wellsfargo password might be Wl4kers4evaF but your eBay password might be el4kers4evaB.
the only problem with this is the correlation of a stolen password developed in this way and the site it came from, revealing its structure. for example if bobs honda_forum.com password was Hl4kers4evaF, and honda_forum.com nefariously sold its password database to some evildoers, they might take the time (not very likely) to notice the HF in bob's password and might try using WF for his wellsfargo account, thus breaking the scheme.
seem unlikely? well what about if the passwords are correlated with names? then you get 10 shady sites that sell their passwords this way and a black-hat can build a dossier on a user, noting all of his passwords for each site visited:
honda-forum.com -once this dossier is built for a hacker's target, the scheme is obvious. attempting to log in to other sites becomes a trivial task and the target's identity is taken over.Hl4kers4evaF
beastieboyfanclub.com -BBl4kers4evaFC
corporate-stuff.com -Cl4kers4evaS
potbellypigfarms.com -PBl4kers4evaPF
quepasa is a better way of doing this. instead of using naive and simplistic methods like appending site names, acronyms, or numbers to common passwords, it uses cryptographic techniques to produce irreversible (but still repeatable) passwords. the above dossier becomes something useless to an attacker:
honda-forum.com -WQ45f(A..
beastieboyfanclub.com -#krRxl$%)
corporate-stuff.com -afG%J-4
potbellypigfarms.com -bcg5$S-R
it seems that its good to hear from the implementors of RSA.
skip the first half. the bottom is a bit more interesting. best parts:
reports from the Department of Justice show that no federal wiretaps encountered encryption in 2002. In state and local jurisdictions, investigators encountered encryption in 16 wiretaps out of approximately 1,300 cases; however, in none of these cases did encryption interfere with the ability of the investigators to gather the evidence needed for prosecution.
“Cryptography is typically bypassed, not penetrated.” He said he is unaware of any major, world-class security failure in which hackers penetrated systems by using heavy-duty cryptanalysis. They usually use much easier methods.
the latest worm to hit the internet has had a horrible side-effect on the internet, that is, it has effectively DoS'd all internet news and security update sites.
want to know about recent developments in p2p? gotta wade through the sasser-fest first.
even want to learn exactly sasser is? you have to find which one of the zillions of posts has any kind of useful information (tip: it is article number [one zillion minus one]).
ugh. i hate these trends in online publishing. it reminds me of People magazine ("bennifer! bennifer! brad and jen!")
some researchers from the University of Vienna have reportedly transferred money from a bank to Vienna City Hall using a process secured by quantum cryptography.
from what i've heard, this is the first real, publicized use of quantum crypto that uses single photons. read the article for some details, and if you're interested, check out The Feynman Processor by Milburn and Davies for more info on what the heck quantum crypto is. i have a copy, you can borrow it. also check out these other links
why should you care? there are already secure bank transfer mechanisms. well not quite like this. this is really the only provably secure (besides one-time pads) system for data transfer over public channels. everything else is just really close to totally secure ;)
well it looks like today is a good day for blogging. here is another good post from Chrisopher Allen. this guy's blog is great, go read it, add it to your RSS feed, whatever.
The term privacy seems to be so overused and poorly defined. my undergraduate security course (which i later TA'd) simply defined it as such:privacy: confidentiality with regards to personal informationif that helps at all.
This comes from their [Europeans'] history: the Netherlands in the 1930s had a very comprehensive administrative census and registration of their own population, and this information was captured by the Nazis within the first three days of occupation. Thus Dutch Jews had the highest death rate (73 percent) of Jews residing in any occupied western European country -- far higher than the death rate among the Jewish population of Belgium (40 percent) and France (25 percent). Even the death rate in Germany was less then the Netherlands because the Jews there had avoided registration. (source: The Dark Side of Numbers).now its time for the tin-foil hat. if you have never thought much about privacy, consider the current trend of identity theft crimes. now consider that the people doing this are at best, organized criminals. now consider how easy it would be for large governments (there are more than one) with massive budgets, computing power, and political leverage, to compile similar amounts of data on a much larger set of people in this age of automation and full-text search. in fact, its already being done. people are being stopped in airports due to terrorist watch-lists all the time. and that could be just the beginning. the scary idea is more in line with the example above. sure, you trust your government to keep that giant list of theirs and use if for the Powers of Good, but what about the day that list is leaked by a spy? it can happen. its just a file.
ive been feeling like i really should start coding again. been looking at open-source projects, looking for one that i might be able to contribute to. hopefully something security related. the only problem is that most of those are pretty hardcore, shellcoding type of stuff. i found metasploit while chatting on IRC the other night. pretty cool looking except its almost all windows exploit stuff. well maybe they need someone to get in there with UNIX stuff.
started reading up on stack/heap overflows again, too. totally know the concept behind them, now im just trying to get a handle on the details. might have to break out an OS or architecture book to remember what the EBX register does, etc. i remember thinking that this stuff was way too much the first time i heard it, and i kinda tuned it out. but now i realize that i have to learn this stuff all the way down to the hardware if i really want to do it. hrm.
in related news, i keep reading about Objective-C and haven't done much actual coding. its hard when my only chance is while im at work, where i have other things to do. ugh.
having gentoo at home is really helping me focus again. just having code so close at hand, a mellow windowmanager (fluxbox) to avoid distractions, and the whole linux feel make me want to code. which is good.
check out this article about finding passwords on google.
i did. and i found some encrypted passwords. and i decrypted 4 of them in under 5 minutes (one in less than a second). just something to be paranoid about if you start a website and don't know what you're doing.
Christopher Allen, a name I'd never heard before reading this article (ah the power of blogs) posted an interesting writeup on the state of the computer security industry and its potential futures. check it out here.
The idea of moving away from selling security through FUD (Fear, Uncertainty, Doubt) is great, im all for it. Merging with insurance schemes might be a way to ensure that security sticks around, avoiding the need to sell a product, as in the case of RSA, et al. I really think that security firms like counterpane will become more popular. as more companies need security, more firms will pop up to take the call. companies can not rely on in-house security for long. when a super-worm gets released, who will be better prepared? the company with the guys on the 2nd floor with the firewall-appliance, or the company working with a managed security company that takes preventative measures on all its clients as soon as it recognizes a threat against one of them?
in a business sense, eventually computer security will be much like physical security. companies all have insurance. those that have hired security firms will pay less for their premiums, whether they are insuring their building or their data.
no really, im serious. or at least, the govt is.
reading Object-Level Security Through Accountability by Phil Windley. its pretty good, it gives a good argument that accountability is more effective than control. but to assure accountability requires positive identification and authentication to provide trustworthy audit trails.
while some people get scared off at the idea of identity cards with strong encryption, etc. i think it will be necessary in any environment with a reasonable sense of security. give people tokens that will identify themselves to systems and you can keep track of what information passes through what people. that way if something gets lost/stolen/leaked, you positively know who did it. more importantly, the potentially "bad" employee who knows this mechanism is in place is far less likely to steal/leak if they know they can be tracked down.
for some reason that brings me to an episode of "24" i saw (i think in terms of "24" these days): some devious character tries to cover up their tracks and remove their trace from a video log (think of it as an audit log). this fools everybody except for the boss guy (the main character, Jack) who pulls up "hidden" copies of the logs. what the devious character didn't know is that the video is copied to the database in two locations, one known by people at her clearance, the other only known by people at a higher security clearance. a pretty cool trick.
Sony and Validian have come up with what i consider the first cool use of PKI. a fingerprint reading USB stick with a self-contained IM client. you can plug this into any computer anywhere (no drivers needed on most modern machines) and have secure conversations with anyone. unplug and the computer has no record of the conversation (assuming there aren't any keyloggers, etc)
very cool.
a new worm is out there. don't bother scanning your inbox, don't update your antivirus definitions (you do update them, right?). this one comes hidden as a URL from your best friend over ICQ.
techweb reports on the new worm, describing its payload's ability to log keystrokes, search for financial info, etc. by watching keystrokes, secure protocols such as HTTPS are essentially negated, as any passwords that are transmitted safely to your bank are totally in the clear for this trojan which has likely already netted its author a bundle of money.
the worm works by sending you to a site that exploits common browser flaws to install a program (the trojan) onto your machine. that program then sends messages to all your ICQ buddies with the bad URL and the process continues.
the trojan-feeding site for this particular strain is down now, so you can relax a little. but not much. as Ken Dunham is quoted in the article: “All ICQ and instant messaging users should be careful to avoid hyperlinks sent to them by others ... It's very likely that similar attacks will be launched in 2004 through such mediums.”
so be sure to stop communicating with your friends entirely this year, that way you'll be safe. maybe.
so this article over at k5 is pretty cool. discusses how the military has set up the world's biggest PKI (Public Key Infrastructure) and has issued over 6 million smart cards that employ it. pretty impressive. be sure to read the linked pages. (use a tabbed browser ;) )
i did a paper on PKI in my first-ever security class. its a pretty cool idea, but really only possible in a context like the military. the whole chain-of-command thing suits PKI very well. all attempts at trying to do this in a corporate environment seem to have problems and don't seem to be all that well-supported by the execs.
so my thoughts are that this is very similar to the SSL CA problem facing the internet these days. right now, if you want to get a secure internet site (i mean officially secure with valid CAs and all), you have to pay for a CA for each site you want to lock down. every subdomain, everything. so what do people resort to? only buy one certificate and have the server identified in that cert host all secure transactions. sure, it works. its not even that big of a deal. but why?
there should be a hierarchy of CAs beyond the corporate monoliths (verisign, thawte, etc). there should be a US CA which assigns national-level certs. there should be state-level CAs, signed by the national ones, which give out regional certs and University certs. the hierarchy of public servers is obvious. this way, when a University student needs to host a secure webpage, he doesn't have to spend $90 for a single-server cert. instead, he can be issued a cert by his Department, which is signed by the University, in turn by the State and the US CA. what about end-users? browsers will have to add the US CA certificate as a "root-level" server. too much trust in the government? well why do you trust the 10 Verisign root-certificates already installed in every browser on your computer? why not add one for the government. allow free, public network security.
the same infrastructure could be used for a PKI. every government employee (or student, or whatever) should be able to use public-key-crypto without any effort. i should be able to email my mom securely and she should be able to read it. she shouldn't have to build a PGP web-of-trust or buy a certificate from Verisign. when she pays her taxes, or gets her drivers license, these things should just happen too. why not?
a government is built in a hierarchy: nation, state, region, person. why not take advantage of that? i understand that politics will always get in the way of developing these ideas, that the NSA (or whoever) will try to block individual encryption, but ignore that (please). suppose the NSA gives up and realizes that encryption is coming to the masses and that it is actually a good thing. in order to serve the people best, the government would take what they've learned with the guinea-pig military and apply it to the nation (see GPS, etc). maybe im a big security-nerd and none of this is that important, but hey. i think its possible.
call me a commie, but i think that people shouldn't have to pay some arbitrary company for secure communication and publishing, we already have a hierarchical infrastructure in place called the government. its how roads and schools are built. why not use it?
a paper linked to by a recent post at the openbsd journal does a very good job at describing a (hypothetical) corporate network setup, that looks quite secure and then describes how it could be broken into. the author takes a few leaps (assuming the insider-attacker happened to get a trusted internal IP address is the biggest one) but it is all very plausible.
he elaborates on the (again, hypothetical) response by the company's internal security team, going into nice details.
anyone who thinks that even one of the most (if not the most) trusted Operating Systems in the world is unhackable, think again. everything can be broken. the point is to minimize potential opportunities, potential damage, and "be prepared" by keeping up with patches, using a secured loghost, deploying nIDS', educating users, and finally never simply trusting internal networks (don't forget Troy ;) )
go straight to the paper.
1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "" tag, the line reads something like
that: ABCDEF01
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document"
(password is blank) What's your position on full disclosure of vulnerabilities? The only reason that software companies are paying attention to vulnerabilities and issuing patches is because of full disclosure. Before researchers started publishing vulnerabilities publicly, software companies would routinely deny that the vulnerabilities existed. Full disclosure is what's getting them to take security seriously, and it's what's keeping them honest. Yes, it also helps the bad guys. But the benefits grossly outweigh the disadvantages.[bruce schneier, from computerworld]
check out the last comment, at the bottom of this page. this lady(?) is totally whacked.
so i guess there's a downside to being a world-renowned security guru. crazies send you weird stuff like this.
from schneier's cryptogram
The Doghouse: SunnComm Technologies
The home page of this company says "lightyears beyond encryption." Actually, it's an anti-copying technology for music CDs. This technology is being used to protect the new CD by BMG soul artist Anthony Hamilton.
It's actually not worth fighting the pop-ups and the Flash and the annoying website to learn about how the system works or how you can purchase it. It turns out you can defeat this system by holding down the shift key when you insert a music CD into your computer. This disables autorun, so the SunnComm software never gets executed.
Unfortunately, SunnComm has some more tricks up its sleeve. They're suing John Halderman, the Princeton PhD student who first noticed this. That'll make the system secure again; of course it will.
according to this article, you can go get free anti-virus and firewall software for your PC.
so unless you want to be like the guy in my previous entry, and you dont want to pay for anti-virus softare, go do it now.
working on a student's machine. he came to me a week ago saying "i think my computer has a virus. its slow and porn pictures keep coming up."
"no problem," i said
so he comes in today with his machine. rambles a bit about how it used to be fast, etc. his virus scanner had expired long ago (even though all students are eligible to download NAV for free with unlimited updates from calpoly.edu), but he says he always installs the windows updates... sure.
so what did i find?
couponsandoffers.exe (they could at least be subtle about writing this crap)
at least this guy's machine runs better now. i feel good about that. sure feels better than just replacing toner in the printers all day, thats for sure.
And as for Microsoft, "When they felt threatened by Netscape, it was just another company with a known HQ that could go out and bomb. But that won't work with Linux, just as it didn't work with Apache. Apache creamed them, and so will Linux. Microsoft has lost the server war."
A supporter of open standards, Ellison does not like the cacophony of enterprise-scale products offered to the companies. "If Detroit ran like Silicon Valley, nobody would sell cars -- just parts", he proclaims. "Customers would have to figure out which were the best parts -- a Honda engine, a Ford transmission, a BMW chassis, GM electrical system -- and buy them and try to assemble them into a working car. Good luck. I know it sounds crazy, but that's how companies put together business systems today".... and from the comments:
"sure they'd only sell parts, but you'd be able to get car parts, truck parts, tank parts, plane parts, train parts, crane parts, snowplower parts, tires, tracks, helicopter rotors, blueprints, jet fuel, nitrous oxide, spoilers, giant robotic arms, spray paint for the exterior, radar systems, chassis extensions, ROCKET LAUNCHERS, and reconfigurable engines. ANALOGIES SUCK."
well, assuming you use outlook or outlook express, here's why you shouldn't open emails from someone you don't know.
This guy got lucky, it makes you wonder if any other people convicted of pedophelia were innocent like this guy.