Tuesday, April 22, 2008

"HackerSafe"... how's this for fitting...

I've pointed out in the past that the HackerSafe shield is nothing but a sham - but check this out folks. Just like ScanAlert is all about conversions and marketing, this says it all...

You can find this for yourself... here: http://popover.generatorsoftware.com/

At least they're "Hacker Safe"... gives credibility to their cause...

Tuesday, April 15, 2008

Taking wireless internet to new heights (like, say 35,000ft)

Let's face it, you love staying connected. You browse the Internet to keep track of your blog and RSS feeds on your cell phone, your laptop, and some of us do it on our fridge - but the one thing that keeps this possible is Internet access. You can get connected to the magical world of the Internet at an airport (in the terminal, underground, wherever), on the road (via 3G wireless technology), and in your house - but until now you couldn't get Internet in an airplane cruising at 30,000 feet... Someone had to do it, so now you will soon be able to surf the Internet while sitting next to the screaming baby and the guy who just can't stop talking to you - that's right - you will, by the end of 2008, be able to surf the Internet in-flight! Check this brochure from AirCell out. More details on the service here, but let's ponder this for a moment. OK, simple reality check: in order for this all to work, the plane has to have communications with the ground at broadband speeds, and then has to distribute that access to the in-flight passengers. There are a lot of working parts here so I'll dissect them one by one.

AirCell is using EV-DO (Rev A) technology (just like your cell phone, the newer ones anyway) which peaks at about 3.1Mbps... not too shabby! They're going to cover the "United States coast to coast, border to border", with about 100 ground-base stations, and hand-off between base-stations will be "seamless"... They're also running some sort of encryption between air and ground links but don't state what strength, etc. AirCell states in their tech primer data sheet that the security of the links will equate to other "hotspots" (I'll address this in a minute...).

First, let's address the whole network. From what my brain was able to comprehend there are two systems at work here, both built by AirCell. The main network is the AirCell Axxess network which is the in-cabin system and provides the link to the ground. The Axxess system operates some of the gadgets in the cockpit, as well as some of the comm system (their data sheet mentioned a PBX!?) and other such things - I'm not an expert in avionics so I won't pretend to understand this in full. The AirCell broadband system is what will link through that Axxess system and into the EV-DO ground-to-air system that will provide broadband quality Internet access over 802.11 b/g wireless to the laptop or PDA device.

While I may have some of the finer details wrong (someone from AirCell or the airline industry correct me please?) I have several security concerns here. First off - connecting the cockpit and the users in the back can't possibly be safe. I can't imagine someone purposely "hacking into" a plane's systems to cause themselves and their fellow passengers harm (but I won't put it past people...) I can possibly see a ground-to-plane type hack coming along and wreaking havoc. Everything on that plane will be network-addressable, it has to be if you're using IP-based communications... now factor in that the AirCell network will likely be as imperfect as every other network out there. This could lead to a recipe for disaster. Now - I'm not all doom and gloom, so I think this could also be a wonderful tool on those 5-hour cross-country flights. Of course, here's the kicker, we still won't have a way to keep our laptops from dying out (faster now that we're using WiFi) because they don't give us outlets to plug into for juice!
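The "everything is network-addressable" worry above comes down to one question: does passenger traffic have any path into the cockpit or avionics segments? Here is an added example, not AirCell's design or code, of the kind of default-deny zone policy and the lint check a reviewer would run against it. The zone names, the address plan, the allow rules and the sample flow log are all assumptions made up for the illustration.

```python
"""Default-deny zone policy for a segmented in-cabin network.

Added example, not AirCell's design or code: the zone names, address plan and
allow rules are assumptions chosen to show the check a reviewer would want
when passenger Wi-Fi, the ground link and cockpit systems share IP addressing.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical address plan: one prefix per security zone.
ZONES = {
    "cabin_wifi": ip_network("10.10.0.0/16"),     # passenger laptops and PDAs
    "ground_link": ip_network("10.20.0.0/24"),    # air-to-ground EV-DO gateway
    "cockpit_comms": ip_network("10.30.0.0/24"),  # crew phones, PBX
    "avionics": ip_network("10.40.0.0/24"),       # flight systems
}

# Zones that passenger traffic must never reach, whatever the allow list says.
PROTECTED = {"cockpit_comms", "avionics"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port


# Explicit allow list; any inter-zone flow not matched here is dropped.
ALLOW: List[Rule] = [
    Rule("cabin_wifi", "ground_link", 80),
    Rule("cabin_wifi", "ground_link", 443),
    Rule("cockpit_comms", "ground_link", None),
]


def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src: str, dst: str, dst_port: int, rules: List[Rule] = ALLOW) -> bool:
    """Default deny: a flow passes only if an explicit rule matches it."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False  # unknown addresses get no implicit trust
    if src_zone == dst_zone:
        return True  # intra-zone traffic is out of scope for this filter
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone and r.dst_port in (None, dst_port)
        for r in rules
    )


def lint_rules(rules: List[Rule]) -> List[Rule]:
    """Flag rules that would let the passenger segment into a protected zone."""
    return [r for r in rules if r.src_zone == "cabin_wifi" and r.dst_zone in PROTECTED]


def audit(flows: List[Tuple[str, str, int]], rules: List[Rule] = ALLOW) -> List[Tuple[str, str, int]]:
    """Return the flows from a log that the policy would have dropped."""
    return [f for f in flows if not is_allowed(*f, rules=rules)]


# Constructed sample flows, as a flow log would record them.
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.20.0.1", 443),   # passenger browsing via the ground link
    ("10.10.5.5", "10.40.0.7", 22),    # passenger probing avionics: must drop
    ("10.10.5.5", "10.30.0.2", 5060),  # passenger reaching the PBX: must drop
    ("10.30.0.2", "10.20.0.1", 5060),  # cockpit PBX to ground link: allowed
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("DROP", f)
```

The point of `lint_rules` is that the allow list is what changes over time; a rule that quietly opens cabin-to-cockpit for "just one port" is the kind of thing a review should catch before the policy ships, and `audit` gives you the same answer from a recorded flow log after the fact.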

Here's another way to think about it. If you've read Billy Hoffman's new book on Ajax security (and if you haven't, you should) you know of the example of the hacker-chick in the coffee house being completely anonymous. Now imagine you've got a thousand of these in-the-air wireless hotspots where everyone is anonymous and internet access is cheap. Sure, you have to register and pay (likely with a credit card) but how easy is it to fake that information?

I just hope that these systems have been tested, re-tested, and tested again by some of the bright minds in security these days... otherwise - look out!

As a side note, the AirCell DIU (which I think is a separate air-to-ground communication path for the cockpit) has a "password protected web-based configuration tool"... yikes? Who wants to bet you can XSS or SQL Inject your way to pwning this thing? What sorts of chaos would that cause? Who's tested it?... ... I haven't found that info yet.
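On the "password protected web-based configuration tool" point: the two bugs the post names, SQL injection and XSS, both come from treating user input as code. Here is an added example, not AirCell's code and not based on any knowledge of their tool, showing the careless login check beside the hardened one and an output-encoded page fragment. The `admins` tables, the column names and the greeting helper are assumptions.

```python
"""Two ways to write the login check of a small web-based configuration tool.

Added example, not AirCell's code: the tables, column names and the greeting
helper are assumptions. `login_unsafe` is the pattern the post worries about;
`login_safe` and `render_greeting` are the hardened forms.
"""
import hashlib
import hmac
import html
import os
import sqlite3


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked table does not hand over the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db(password: str = "correct-horse") -> sqlite3.Connection:
    """Constructed in-memory database with one admin account in each table."""
    conn = sqlite3.connect(":memory:")
    # The careless tool keeps plaintext passwords and builds SQL by hand.
    conn.execute("CREATE TABLE admins_plain (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins_plain VALUES (?, ?)", ("admin", password))
    # The hardened tool keeps only a per-user salt and hash.
    salt = os.urandom(16)
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)", ("admin", salt, derive(password, salt)))
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: input is spliced into the SQL text, so a quote in the username rewrites
    # the WHERE clause and the password comparison can be commented away.
    sql = (
        "SELECT 1 FROM admins_plain "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding keeps the input as data; the database never parses it as SQL.
    row = conn.execute(
        "SELECT salt, pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash avoids a timing side channel.
    return hmac.compare_digest(derive(password, salt), stored)


def render_greeting(username: str) -> str:
    # Output encoding keeps a hostile username from running as script in the admin page.
    return f"<p>Logged in as {html.escape(username, quote=True)}</p>"
```

Note that the fix is not "filter out quotes": binding parameters means the query structure is fixed before any user data is seen, which is why `login_safe` returns `False` for the same input that `login_unsafe` waves through.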

AirCell folks - I'd love to have a discussion on the security aspects of your technology... write/call if you get a chance!

Monday, April 14, 2008

Some thoughts on CAPTCHAs...

First, in case your cave doesn't get Internet, let me define CAPTCHA from Wikipedia...

A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to determine that the user is not run by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. A common type of CAPTCHA requires that the user type the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears on the screen.

The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper (all of Carnegie Mellon University), and John Langford (then of IBM). It is a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart", trademarked by Carnegie Mellon University.

Now, let's think about this from a security perspective. I'll start by stating the obvious - no one in modern computing (anyone who understands computing power as of Jan 1, 2008) will advocate using a CAPTCHA as a method of authentication... ever. There have been a series of discussions, blog posts and articles about how CAPTCHA is dead, and shouldn't be used, and even some pay-for CAPTCHA hacking services!... see references here, here and here. With all that going against CAPTCHA, let's dissect some of the lunacy, and make some sane assessments of this anti-bot technology.

Let me state that I firmly believe that the delta between humans and artificial intelligence (the ability for a computer to "think") is quickly closing with the exponential increase in processing power, network bandwidth and ingenuity. That being said, I'm not entirely convinced that CAPTCHAs are being solved by super-smart software, which amounts to tweaked OCR code. Once you've looked at sites like CAPTCHAsolver, and talked to some people who rely on broken CAPTCHAs for their daily bread, you'll come to the conclusion I did - it's just cheaper to have someone else solve the CAPTCHA for you, and pay them for it or reward them somehow, than it is to try and build super-leet OCR software. There are a number of schemes to break large-scale CAPTCHA implementations, mostly involving college kids, "work-from-home" schemes, or access to porn sites, and the reason for their existence is simple - money. If you use some of the math that powers the spamming world - for every million emails you send out you get back something like $100 in revenue - that means one thing... you must send out millions and millions of emails. The problem with that is that email servers and accounts quickly get black-listed, so the spammers have turned to some of the free email account providers out there. To counteract this, these providers put CAPTCHAs on their sign-up pages; the idea was that in order to sign up for a free webmail account you had to be a "human", or at least be able to type back the characters that were in the scrambled window displayed to you. As evolution would dictate, the provider built a better mouse-trap and the spammers built a better mouse... so now you have this perpetual war being waged between providers and spammers over CAPTCHAs while the security world ponders their purpose.

Let me make it simple - this is going to be a race that the "good guys" will never win. After all, they have a finite amount of time and effort they can put into this while the "bad guys" can spend all day/week/month breaking these and are money-driven and will eventually succeed. So the point then is - don't use CAPTCHAs as anything more than a small test to weed out the obvious computer-driven spammers. Know that you will be defeated and cannot possibly win. And overall... understand that a CAPTCHA is *not* a security measure... it's just a (flawed) way to determine the difference between a human and a computer.
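What "a small test, not a security measure" looks like in code: the CAPTCHA is generated and graded server-side (the Wikipedia definition above), each challenge is single-use and expires, and solving it only gets the caller past the first gate; a per-source signup limit still applies, so paying a human to relay answers buys one account per solve, not an open tap. This is an added example, not from the post or any provider's code; the token format, the limits and the "source" key used for throttling are assumptions.

```python
"""A CAPTCHA as one throttle among several, never as authentication.

Added example, not from the post or any provider's code: the token format,
the signup limit and the source key are assumptions. The server generates the
challenge, binds the answer to a signed single-use token with an expiry, grades
the reply, and then still applies a per-source signup rate limit, so a relayed
human solution unlocks one signup, not an unlimited stream of accounts.
"""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque

SECRET = os.urandom(32)          # per-deployment HMAC key (constructed here)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no ambiguous 0/O or 1/I
TTL_SECONDS = 120                # a challenge must be answered within this window
MAX_SIGNUPS_PER_SOURCE = 5       # per WINDOW_SECONDS, per source key
WINDOW_SECONDS = 3600

USED_NONCES = set()              # nonces already graded; a shared cache in production
SIGNUPS = defaultdict(deque)     # source key -> timestamps of accepted signups


def _tag(nonce: str, exp: int, answer: str) -> bytes:
    """MAC over nonce, expiry and a hash of the answer; the answer itself is never stored."""
    msg = f"{nonce}:{exp}:".encode() + hashlib.sha256(answer.encode()).digest()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def issue_challenge(now: float = None):
    """Return (token, answer). The token goes to the client; the answer only to the image renderer."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce = secrets.token_hex(8)
    exp = int(now) + TTL_SECONDS
    return f"{nonce}:{exp}:{_tag(nonce, exp, answer).hex()}", answer


def grade(token: str, submitted: str, now: float = None) -> bool:
    """True only for a fresh, unexpired token whose MAC matches the submitted answer."""
    now = time.time() if now is None else now
    try:
        nonce, exp_s, tag_hex = token.split(":")
        exp, tag = int(exp_s), bytes.fromhex(tag_hex)
    except ValueError:
        return False                 # malformed token
    if now > exp or nonce in USED_NONCES:
        return False                 # expired, or already spent
    expected = _tag(nonce, exp, submitted.strip().upper())
    if not hmac.compare_digest(expected, tag):
        return False                 # wrong answer
    USED_NONCES.add(nonce)           # single use: a solved token cannot be replayed
    return True


def signup(source: str, token: str, submitted: str, now: float = None) -> str:
    """Return 'ok', 'captcha_failed' or 'rate_limited'."""
    now = time.time() if now is None else now
    if not grade(token, submitted, now):
        return "captcha_failed"
    recent = SIGNUPS[source]
    while recent and recent[0] <= now - WINDOW_SECONDS:
        recent.popleft()             # forget signups outside the window
    if len(recent) >= MAX_SIGNUPS_PER_SOURCE:
        return "rate_limited"        # CAPTCHA solved, throttle still applies
    recent.append(now)
    return "ok"
```

Two design points worth noticing: the token carries a MAC over a hash of the answer rather than the answer itself, so the client holds nothing it could brute-force offline without the server key, and the nonce set is what makes an outsourced solution worth exactly one submission. Neither makes the CAPTCHA "secure"; they just stop the cheapest abuse and leave the rate limit to do the real work.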

Am I out in left field here?

Oh! I almost forgot, if you really want to read more about this and the statistics of breaking CAPTCHAs, give this site a read, it's a wonderful resource! More at PWNtcha - captcha decoder website.

Wednesday, April 9, 2008

Vista SP1 Hilarity

I just installed SP1 on one of my Vista boxes, and started reading the "What do you need to do before installing SP1" part... I couldn't resist. I don't know who this is written for, but obviously Microsoft has realized that the folks installing their software may not be the brightest... have a look and laugh.

"In Cyberspace - No one can hear your database scream"

I just posted an entry over at http://portal.spidynamics.com/blogs/rafal/ with the same title - and am soliciting feedback in the form of "other ideas". Give the article a read, and please leave some comments on how you're tackling this difficult issue in your enterprise.

Thanks for participating.

Sunday, April 6, 2008

Voting Machine Hacking - The Saga of Sequoia

I don't know if anyone else has caught this - but electronic voting machines have had my attention lately. With the election this coming fall as critical as it is, we as a voting public can't afford to have shoddy code running on our election systems. Of course, there are always pundits who claim that every piece of hardware that vendors put out is insecure, will 'change their vote' and all that - but it's interesting to see that claim substantiated.

Enter "Sequoia Voting Systems". Back on Feb. 5th in the New Jersey primary, there was some discrepancy about the outcome of votes versus the number of votes cast - read here. While that may be old news, some of the aftermath and fallout is what concerns me. Specifically, here are the points that worry me:
  • Sequoia sends nasty-gram to Princeton professor asked to investigate the 'security' of these devices. This is an interesting response to Union County's request that Ed Felten of Princeton review these devices. I'm posting a link to his blog and some of his analysis here as well... Link here.
  • Sequoia's website gets hacked - interesting. They're obviously very serious about their security! Link here.
  • A March 20th press release from Sequoia mentions Kwaidan Consulting, the party which will do the source code review of their product. Who is Kwaidan Consulting? Check out this MySpace page (cached from Google)... the profile of the person is not "Private"...
Sequoia has commissioned an independent source code review of the software version currently in use on the Advantage voting equipment used throughout New Jersey.
  • We're still waiting on this report... I don't see any press release or results yet?
  • Why is Sequoia threatening law suits? What is this language they are using against the Princeton professor attempting to conduct a truly independent evaluation?
Sequoia threatened to sue Union County if Rajoppi turned over voting machines to Princeton University professor Edward Felten for analysis. Sequoia executives said the study would violate the terms of their licensing agreement and put their "trade secrets" at risk.
Trade Secrets?! Doing an independent security analysis of a critical piece of hardware will somehow tamper with trade secrets?

The two things that bother me, and I've extensively Googled this one... Who the heck is Kwaidan Consulting?? Why exactly is Sequoia trying to bury this issue? Another quote from a research site here...

Why is Sequoia so vigorously attempting to block a security review of its products? The company says that the machines have already been put through extensive independent review by federally-accredited voting test labs. The adequacy of those reviews is contested by critics, however. One of those labs, which had been doing work for the government for years, lost its accreditation last year after flaws were found in its review process by the Election Assistance Commission. Sequoia says that it is simply trying to protect its intellectual property rights.
Fascinating. This blog has a great chronology and more information on the topic, if you're interested in digging deeper. But the bottom line is - someone claims shenanigans against your product, you throw up a smoke screen, threaten lawsuits, and then do your "own independent" investigation to show how great the results are. Is anyone buying this crap? I'm going to go vote and hope that the machine I use isn't a Sequoia machine.

Friday, April 4, 2008

Penetration Testing - Should you do it?

Hello readers! Today I'd like to refer you to a blog entry in my HP - Application Security Center blog. I'm talking about penetration testing with regards to web applications - and would love to hear some comments!

Please feel free to leave your comments here, or on there...

Thanks for reading!

Tuesday, April 1, 2008

News Commentary: Advanced Auto Parts

I've focused on this line in the write-up of this story:

The retailer reported March 31 that a "network intrusion" had exposed financial information and was the subject of a criminal investigation.

... and while I can't comment (because I don't know) on how the data was 'removed' from Advanced Auto Parts, or what the "network intrusion" was - I'm willing to give great odds that it happened via either a wireless hack, or web-application hack.

Let me go back to that line I highlighted above - they are now the subject of a criminal investigation. Hrmm... that can be interpreted as either "they did something bad, it got them in trouble, and they're being investigated" OR "they are participating in the criminal investigation to figure out what happened"... I'm betting on the first option. The more that companies are thrown into hot water for this kind of "intrusion", the better for the consumer. That's not to say that legitimately, sometimes a company does all it can and it still gets hacked; but awareness must be raised at the CxO level, and the only way to do that is by costing negligent companies big buck$.

/ Comments welcome.