Down the Security Rabbithole, The Blog
This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.
Wednesday, October 31, 2007
Shameless self-promotion...
Thanks. Be safe!
Playing in a sandbox
I'm talking about sandboxes. Not the kind your kids play in, but the kind you want to run something in when you don't trust its intentions. Say, for example, there's a website you want to visit that's not exactly super trustworthy. You really want to grab the latest hacker tool, or download some script, or some piece of knowledge - whatever. You know you're not going to use MSIE (doesn't matter what version) and you're not sure that even Firefox will protect you adequately against what this particular site may throw at you...
So what are you paranoid about? Remember you're not paranoid if they really ARE out to get you. And boy howdy are they. They being the "bad guys" out there, in cyberspace, trying to take over your computer, steal your credit card information, use your computer to attack the government of Canada, and any number of nasty things.
So you are now faced with two choices if you're the conventional user.
- Option 1 is to simply forego visiting the site... not necessarily the best way to go - but at least it's safer
- Option 2 is to take a chance and hope you're not infected with some trojan, BHO, or XSS'd out of your life savings.
- But there's a secret Option 3! That's right - you can "sandbox" your browser, so that whatever the site throws at it stays contained inside the sandbox instead of landing on your computer.
Right about now you're probably telling yourself that I'm some loony selling snake oil to a dying man. You're only half right. I'm doing some research in this area, and will have some interesting findings soon. If you happen to know some vendors (big or small) who are selling or giving away tools to help in this endeavor - please contact me! If you're a vendor - contact me. I'll publish the results of my research in a few weeks and hopefully make us all a teeny bit safer.
I'm looking for products to review, and people to help test "real life" scenarios. Please let me know if you'd be willing to participate.
Be safe!
Thursday, October 25, 2007
Airline misses the point... spins story
What's wrong with this story as it's covered? This situation feels a little like the scene from "Pulp Fiction" where the cleaner is called in to clean up a mess that the two main characters created. In this case, the mess being cleaned up and quietly swept under the rug is the fact that Delta's carelessness caused a cargo door to fling open during takeoff. How is this not being covered as a Delta blunder in security/maintenance/operations, rather than as a human interest piece about a little girl losing her dolly?
Jet fallout: Girl's dolls lost from plane
'RATHER TRAUMATIC' | Duffel bag fell out of open cargo door
October 25, 2007
BY MONIFA THOMAS Staff Reporter mjthomas@suntimes.com
Pat Telan regrets talking his 9-year-old daughter Abby Ann into checking a duffel bag containing her favorite dolls at the gate before they boarded an Atlanta-bound flight out of Midway Airport.
The bag fell out of the Delta Connection plane Sunday after a door in the cargo hold opened after takeoff. The plane landed safely, and no one on the ground was injured by the two pieces of luggage that fell out.
One of the bags was found and returned to its owner, but Abby's duffel is still missing. Now she is trying to cope with the loss of some of her closest friends.
There had to be some serious coverage of this issue somewhere... and here it is. This article mentions some interesting points about Delta's failure...
- Airline inspectors had recently written up the plane, a 70-passenger Bombardier CRJ700, for deferred maintenance on a malfunctioning indicator light on the cargo door, the FAA said
- The plane did not fly all the way to Atlanta, but rather turned around and landed safely
- It is extremely rare for a latch to come off during flight, according to the FAA
- The most frequent cause of latch failure, according to the FAA, is ground crew error
Perhaps we need to analyze the potential effect if a cargo bay flies open during takeoff?
- Possible loss of cabin pressure leading to a crash and thus loss of life
- Additional luggage 'fallout' which would rain down on traffic, homes, or unsuspecting people later in the flight
- Plane flight de-stabilization due to the gaping hole in the bottom of the plane
Wednesday, October 24, 2007
Fraudsters evolve to stealing YOU
What does strike me, is the evolution of the tricks used to part Joe User from his personal information (PII). When this whole game started tricksters and fraudsters were out to steal your credit card number, cvv/cvv2, and your expiration date along with your userID and password. The game has certainly changed, hasn't it?
Since we in the security community, with the help of the media (or hindrance, if you read the NY Times), have been beating people over the head with the idea that they shouldn't give this information to just anyone, the fraudsters have gotten more clever, as they had to in order to keep getting their information. What started out as campaigns of mass email to everyone, appearing to come from eBay, PayPal, and the like, has now turned into a targeted, micro-targeted attack against people who have a very high likelihood of not only being customers of the organization you're impersonating, but also of falling for your fraud.
Blasting two hundred million emails to everyone in the world worked well the first few times - but then people started hearing from the news man, the neighbor, the computer guy at the office, and your own mum that you shouldn't fall for those schemes. OK, problem solved right? Wrong. Then came a slightly more targeted attack, customer lists were lifted from, say, CitiBank as an example and these customers' emails would then be peppered with "We're from CitiBank, click here to re-set your password"... since these people were also customers, and their neighbor and mother didn't get the same email, the people who got them figured they were authentic and fell for the frauds. Millions of targeted attacks later, people have heard about this, and for the most part ignore them when they hit your mailbox.
Now you get something like this, an email in your mailbox that says what you've been hearing from all around - organizations of good repute will never send you email soliciting you to send them your personal account information. Sounds logical, right? But look at the bottom of the email! This is a classic confidence scam. Lure the person in with a confidence-builder so that they figure they can at least minimally trust you, then steal their information.

And now the really bad news... notice that the site (pasted here) doesn't ask you for anything more than a username and password (which, in all fairness, should be a warning sign: wait a minute... wouldn't they want me to authenticate first, and then ask for my information?) and the answers to some simple questions. But once you've answered those questions, the attacker can become YOU. These aren't just ordinary questions, mind you. These are the challenge questions that the more advanced "multi-factor authentication systems" such as RSA/Passmark and others rely on as their second, knowledge-based step.

See the bigger picture now? You can change your password for Regions Bank's website, easy enough... but can you change your ...favorite food? what about your first dog's name? what about the high school you went to? your first car? Now you get it, hopefully. The attack is much deeper than just password theft - this is stealing some information about you which you CANNOT CHANGE, and which will be asked over and over in other "high security" sites and applications.
This type of theft, once it's happened to you, has **no defense**. You can't go change your information... easily. Unless you now change your favorite color, college roommate's name, and street you grew up on in your head - and remember that you changed it - you're in for a world of hurt.
Look out, folks - fraudsters are getting smarter in their efforts to part people from their hard-earned money and their identities. This is scary stuff. We must spread the word and let people know this is happening... write about it, tell people about it, and make yourself heard, because we all pay the price from our own wallets.
Good luck out there, and be safe.
Wednesday, October 17, 2007
Storm [worm] SuperComputer
The analysis and breakdown of the raw power of the Storm worm is here, at the Full Disclosure archives.
I challenged a friend of mine who is also in the "security research" field to think about what in the world this type of supercomputing power could be used for, and more importantly, why the apparent owners of this botnet/supercomputer are partitioning out this massive herd, using separate encryption keys for small blocks of bots.
I have a theory on both of these things, and I disagree with the mainstream media analysis so far, which I think has been wrong. Jim Carr over at SCMagazine online quotes SecureWorks' Joe Stewart saying
"This [partitioning and encrypting communications in smaller groups] effectively allows the storm author to segment the storm botnet into smaller networks [and] could be a precursor to selling storm to other spammers."
I don't agree with this at all. If you apply logic to this from a different angle you have to realize that this botnet took lots of time and energy to build; ergo, you're going to go to extreme lengths to ensure that if someone manages to crack your communication scheme, they can't take over the whole lot. This is, I strongly believe, the point of encrypting communication to these botnet groups in small chunks, effectively partitioning herds of Storm-bots. To make my point even more clear, here is what I think the herder(s) are doing.
- Storm worm botnet will be used for obviously malicious intent
- Establishing ciphers for encryption of small chunks of the herd at a time gives it resiliency against infiltration and full compromise
- No one in their right mind would "sell" a piece of such a masterpiece and raw power grid
- It is more likely that the herder(s) will allow people to pay for time-slices on this massive supercomputer to do whatever it is they want to do, computationally...
Baldwin said the raw power of the Storm botnet might be taken more seriously if it were more often used to take out large swaths of the Internet, or in attempting to crack some uber-complex type of encryption key used to secure electronic commerce transactions.
Fascinating. Cracking encryption keys is just one of the possibilities - here are some more:
- On-the-fly cracking of some of the world's strongest encryption - remember that all practical security rests on the fact that we develop technologies that are computationally infeasible to break... not anymore?
- DDoS at will - how will you stop a ~2.5 Tb/sec onslaught? (assuming ~10 million bots at 256 kb/sec DSL speeds, which estimates low; that works out to roughly 320 GB/sec) What's worse, it's not as if you can block a particular netblock or router: these Storm bots live all over the Internet.
- Rainbow tables anyone? Sure, plenty of people argue that rainbow tables are useless now because any developer with a brain uses a salt. That argument only goes so far. A salt defeats a precomputed table, but salts can be predictable, and even when they aren't, with 10 million CPUs at your disposal you can simply brute-force each record on the fly, even if there are quadrillions of combinations; the keyspace for a credit card number, a date of birth or an SSN is tiny. Why not hash (SHA-1, SHA-256?) all permutations of credit card numbers, passwords, DOBs, SSNs, and other important pieces of data, so that when you steal a hashed table from a database it's only a [short] matter of time before you pull out the real information?
- SPAM - yes, I acknowledge that this is a great vehicle for spam... but it's such a waste of power to spam from these botnets... maybe I'm naive
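To make the rainbow-table point concrete, here is an added example (my own illustration, not code from the post or from any Storm analysis) that uses dates of birth as the stand-in for a small-keyspace secret. It builds a precomputed table of unsalted SHA-256 hashes, reverses a stolen digest with a single dictionary lookup, then shows that a per-record salt only forces a fresh pass over the keyspace for each row, which costs at most one hash per candidate. The victim value and the salt are constructed for the demonstration; the year range is an assumption chosen to keep the run fast.

```python
import hashlib
import os
from datetime import date, timedelta


def dob_keyspace(first_year=1940, last_year=1999):
    """Every ISO date of birth in the range: 21,915 values for 1940-1999.
    This small space stands in for SSNs, card numbers and the like."""
    d = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    out = []
    while d <= end:
        out.append(d.isoformat())
        d += timedelta(days=1)
    return out


def sha256_hex(data):
    return hashlib.sha256(data.encode()).hexdigest()


def build_unsalted_table(keyspace):
    """Precomputed table: one hash per candidate, built once, reused for
    every stolen row. Against unsalted storage this is the whole attack."""
    return {sha256_hex(v): v for v in keyspace}


def lookup_unsalted(digest, table):
    """Reversing a stolen unsalted digest is a single lookup, zero hashing."""
    return table.get(digest)


def hash_salted(salt, value):
    """Salted storage as a careful developer would do it: H(salt || value)."""
    return sha256_hex(salt + value)


def crack_salted(digest, salt, keyspace):
    """Per-record brute force. The salt makes the precomputed table useless
    (each row needs its own pass), but against a keyspace this small the pass
    costs at most len(keyspace) hashes, whether the salt is random or a
    predictable value such as the username. Returns (value, hashes_done)."""
    attempts = 0
    for candidate in keyspace:
        attempts += 1
        if hash_salted(salt, candidate) == digest:
            return candidate, attempts
    return None, attempts


def table_crack_cost(rows, keyspace_size, iterations=1):
    """Upper bound on hash operations to crack a whole stolen table of salted
    rows. 'iterations' is the work factor of a slow KDF; with a plain hash it
    is 1, which is why the salt alone does not rescue a small keyspace."""
    return rows * keyspace_size * iterations


if __name__ == "__main__":
    space = dob_keyspace()
    secret = "1975-06-14"          # constructed victim value
    table = build_unsalted_table(space)
    print("unsalted lookup:", lookup_unsalted(sha256_hex(secret), table))

    salt = os.urandom(16).hex()    # random per-record salt
    print("salted brute force:", crack_salted(hash_salted(salt, secret), salt, space))

    print("1,000,000 salted rows, plain SHA-256:",
          table_crack_cost(1_000_000, len(space)))
    print("same table with a 100,000-iteration KDF:",
          table_crack_cost(1_000_000, len(space), 100_000))
```

The last two lines are the practitioner's takeaway: the salt moves the attacker from one lookup to one keyspace sweep per row, and only a deliberately slow hash (or a larger effective secret) makes that sweep expensive enough to matter once the attacker has the kind of compute the post describes.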
God help us all.
So what did we expect?
Let me lay out some facts, first, to make my following point more clear:
- Political relations between the United States and foreign governments who weren't necessarily US-friendly have been strained at best recently, and to the point of breaking ties at worst (I cite Russia, China, and various other US foreign policy failures)
- Political tension over military buildup in the Middle East is escalating to what some call a mini-Cold War (Reference: http://www.themedialine.org/news/news_detail.asp?NewsID=19240)
- Politically apathetic nations are [co-incidentally] currently a hot-bed for malware developers
- China is rife with spammers and malware writers (Reference: http://www.vnunet.com/vnunet/news/2200948/asia-generates-spam-torrent)
- Russia becomes a safe-haven for malware writers (Reference: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1275987,00.html?track=NL-102&ad=606028USCA&asrc=EM_NLN_2382688&uid=1594988)
- Investigating, identifying, and capturing "bad guys" in these nations is unlikely at best and most likely impossible, given those governments' reluctance to assist the US with investigations and police actions.
Again, this may be completely obvious to you, and I will not disagree. What I am disgusted with is the following:
- The US government is absolutely clueless on digital security and digital asset protection
- The US government and most specifically the current administration (and some candidates for the 2008 Presidential race) are creating a hostile global climate for US-based interests when it comes to security
- No one has been successfully (in my humble opinion) able to put these simple facts together and speak these in an open forum, to the highest heads of state
Unless the efforts to fix this obviously political time-bomb are started soon, we in IT Security are going to be pushing an even bigger boulder up the hill of our daily jobs... this one will be ticking.
Good luck out there.
Wednesday, October 10, 2007
Illinois DMV loophole enabling fraudsters!
I went to get my new Illinois driver's license (being that I recently moved back from Georgia) and found an interesting loophole in the system that even the employees here acknowledged was ridiculous. If you read the requirements for getting a license in Illinois, they are as follows: passport or birth certificate, Social Security ID card, and a utility bill with your name and address on it. Given that I didn't want to have to drive home and get a utility bill, I asked if there was anything else I can do. The lady at the counter was quick to ask if I had to register my vehicle as well - to which I said yes. In that case, she stated, I could simply get the auto registration changed first (since that didn't even require an ID!), and then come over to the license side and use the registration as a form of identification and address verification.
So, let me get this straight... to verify that I live where I say I live, and I am who I say I am (as a third factor), I can go register a car to an address/name/etc that I don't have to present proof for, and then come and use that as proof of address??
There is something seriously wrong here...
So you may be wondering - so what? How can you possibly exploit this? Well allow me to explain. I can make up an address (as long as I can register some non-verified car) and bring that as my proof of residency at the address I'm claiming. This does indeed help create a situation where I can basically make up where I live, and not have to really prove it in any way.
Yes - it's not as if I can create a fake ID with this loophole... but in a way, yes I can. I can come in from out of state and get an Illinois driver's license without actually proving that I live in Illinois... doesn't that bother anyone? I asked around, and everyone there that I asked agrees it's an egregious fault... but no one really cares enough (or has the power) to do anything about it.
That's a sad, sad state of affairs. I wonder how many other states have this provision? Maybe I can get a license in another state? If this kind of thing isn't a fraudster's dream... I don't know what is.
Spy Bugs -- 007 in real life?
Of course, for those of us in the security field, this brings a whole new set of problems to light. Industrial espionage, intelligence gathering, and other forms of "security" work that may be more commonplace than we think may already be benefiting from the types of technologies discussed in the article. While the article does address the challenge of fueling micro-spy devices, as well as problems like cross-winds, bird attack, and other unavoidable mishaps, the implications are immense.
Why bother using spyware or other now-detectable forms of malware to infect a computer if you can simply send a mosquito-sized "bug" camera to follow a victim around and record voice conversations, photos, and maybe even live video? Right now this all sounds like technology 007 would use, but remember that DARPA had precursor technology to this as early as 30 years ago! Where has the technology gone in 30-plus years? Of course, no comment from the 3-letter agencies.
So should you be preparing your enterprise against micro-bugs? Chip-infused moths? Mosquito-borne surveillance? Probably not quite yet... of course, unless you work in government!
Do your own research, and figure out what you believe... and if you find anything to share post it here.
More research:
- Fox News (The Times) Article - May 30th, 2007
- University of Notre Dame link trove - various articles dating back to 1996
- Stanford University "Mesicopter" Presentation - May 1999
- "Spy Fly" -
Friday, October 5, 2007
DHS DDoSes itself... with email
What's worse, you have to wonder who the original "reply-to-all" person was, or if it was really a "user who un-checked a box..." somewhere in the mailserver. What's particularly interesting to me is that the mailing list doesn't use traditional listserv or MajorDomo distribution channels, and obviously uses some bungled Domino install at a contractor site.
Lovely. I'm sure their internal security is much better...
Read all about this snafu here on eWeek, in case you've missed it.