Wednesday, October 31, 2007

Shameless self-promotion...

Have you checked out No? What are you waiting for, an invitation? OK, fine, you're invited ...

Thanks. Be safe!

Playing in a sandbox

I've been thinking about this for a while now. It's bothered me to the point where I can't help but write about it, suck it up, and do some research.

I'm talking about sandboxes. Not the kind your kids play in, but the kind you run something in when you don't trust its intentions. Say, for example, there's a website you want to visit that isn't exactly trustworthy. You really want to grab the latest hacker tool, or download some script, or some piece of knowledge, whatever. You know you're not going to use MSIE (doesn't matter what version) and you're not sure that even Firefox will protect you adequately against what this particular site may throw at you...

So what are you paranoid about? Remember, you're not paranoid if they really ARE out to get you. And boy howdy, are they. "They" being the "bad guys" out there in cyberspace, trying to take over your computer, steal your credit card information, use your computer to attack the government of Canada, and any number of other nasty things.

So you are now faced with two choices if you're the conventional user.
  • Option 1 is to simply forgo visiting the site... not necessarily the best way to go, but at least it's safer
  • Option 2 is to take a chance and hope you're not infected with some trojan or BHO, or XSS'd out of your life savings.
  • But there's a secret Option 3! That's right: you can "sandbox" your browser and make it (or at least the rest of your computer) a much harder target for those nasty bugs out to get you. A sandbox contains the damage an exploited browser can do; it doesn't make the browser itself bug-free.

Right about now you're probably telling yourself that I'm some loony selling snake oil to a dying man. You're only half right. I'm doing some research in this area, and will have some interesting findings soon. If you happen to know some vendors (big or small) who are selling or giving away tools to help in this endeavor, please contact me! If you're a vendor, contact me. I'll publish the results of my research in a few weeks and hopefully make us all a teeny bit safer.

I'm looking for products to review, and people to help test "real life" scenarios. Please let me know if you'd be willing to participate.

/Be safe!

Thursday, October 25, 2007

Airline misses the point... spins story

Have you heard anything about a Delta jet that left Chicago Midway Airport and, on takeoff, had its baggage door fly open and some duffel bags fall out? Yes, there could have been serious risk to loss of life, but I bet you didn't hear it that way. The story being carried on local news, and on national media (what little there is), sounds a little like this:

Jet fallout: Girl's dolls lost from plane

'RATHER TRAUMATIC' | Duffel bag fell out of open cargo door

October 25, 2007

Pat Telan regrets talking his 9-year-old daughter Abby Ann into checking a duffel bag containing her favorite dolls at the gate before they boarded an Atlanta-bound flight out of Midway Airport.

The bag fell out of the Delta Connection plane Sunday after a door in the cargo hold opened after takeoff. The plane landed safely, and no one on the ground was injured by the two pieces of luggage that fell out.

One of the bags was found and returned to its owner, but Abby's duffel is still missing. Now she is trying to cope with the loss of some of her closest friends.

What's wrong with this story as it's covered? This situation feels a little like the scene from "Pulp Fiction" where the cleaner is called in to clean up a mess the two main characters created. In this case, the mess being cleaned up and quietly swept under the rug is the fact that Delta's carelessness let a cargo door fling open during takeoff. How is this not being covered as a Delta blunder in security/maintenance/operations, rather than as a human interest piece about a little girl losing her dolly?

There had to be some serious coverage of this issue somewhere... and here it is. This article mentions some interesting points about Delta's failure:
  • Airline inspectors had recently written up the plane, a 70-passenger Bombardier CRJ700, for deferred maintenance on a malfunctioning indicator light on the cargo door, the FAA said
  • The plane did not fly all the way to Atlanta, but rather turned around and landed safely
  • It is extremely rare for a latch to come off during flight, according to the FAA
The most frequent cause of latch failure, according to the FAA, is ground crew error

Perhaps we need to analyze the potential effects if a cargo door flies open during takeoff?
  • Possible loss of cabin pressure, leading to a crash and thus loss of life
  • Additional luggage 'fallout' raining down on traffic, homes, or unsuspecting people later in the flight
  • Flight destabilization due to the gaping hole in the bottom of the plane
You'll notice none of the above end well, and yet the story isn't being carried as a piece on airline safety and security, but rather as a piece about a little girl who lost her dolly. The cleanup man has done his job, apparently. Personally, I'm appalled.

Wednesday, October 24, 2007

Fraudsters evolve to stealing YOU

In the ever-evolving world of fraud, the bad guys adapt and change strategy as we security folks find ways to curb their effectiveness. This constant, ongoing struggle is no surprise to anyone (or shouldn't be!) reading this.

What does strike me is the evolution of the tricks used to part Joe User from his personal information (PII). When this whole game started, tricksters and fraudsters were out to steal your credit card number, CVV/CVV2, and expiration date, along with your user ID and password. The game has certainly changed, hasn't it?

Since we in the security community, with the help of the media (or hindrance, if you read the NY Times), have been beating people over the head with the idea that they shouldn't give this information to just anyone, the fraudsters have had to get more clever in order to keep getting it. What started out as mass-email campaigns to everyone, appearing to come from eBay, PayPal, and the like, has turned into a targeted, micro-targeted attack against people who have a very high likelihood not only of being customers of the organization you're impersonating, but also of falling for your fraud.

Blasting two hundred million emails to everyone in the world worked well the first few times, but then people started hearing from the news man, the neighbor, the computer guy at the office, and their own mum that you shouldn't fall for those schemes. OK, problem solved, right? Wrong. Then came a slightly more targeted attack: customer lists were lifted from, say, Citibank, and those customers' inboxes were peppered with "We're from Citibank, click here to reset your password"... since these people really were customers, and their neighbor and mother didn't get the same email, they figured the messages were authentic and fell for the fraud. Millions of targeted attacks later, people have heard about this too, and for the most part ignore them when they hit the mailbox.

Now you get something like this: an email in your mailbox that says exactly what you've been hearing from all around, that organizations of good repute will never send you email soliciting your personal account information. Sounds logical, right? But look at the bottom of the email! This is a classic confidence scam. Lure the person in with a confidence-builder so they figure they can at least minimally trust you, then steal their information.


And now the really bad news... notice that the site (pasted here) doesn't even ask you for anything more than a username and password (which, in all fairness, should be a warning sign: wait a minute, wouldn't they want me to authenticate first, and then ask for my information?) plus the answers to some simple questions. But once you've answered those questions, the attacker can become YOU. These aren't just ordinary questions, mind you. These are the questions that the more advanced "multi-factor authentication systems," such as RSA/PassMark and others, rely on.

See the bigger picture now? You can change your password for Regions Bank's website easily enough... but can you change your favorite food? Your first dog's name? The high school you went to? Your first car? Now you get it, hopefully. The attack goes much deeper than password theft: it steals information about you which you CANNOT CHANGE, and which will be asked over and over by other "high security" sites and applications.

This type of theft, once it's happened to you, has **no defense**. You can't change your information... easily. Unless you now change your favorite color, your college roommate's name, and the street you grew up on in your head, and remember that you changed them, you're in for a world of hurt.

Look out, folks: fraudsters are getting smarter in their efforts to part people from their hard-earned money and their identities. This is scary stuff. We must spread the word and let people know this is happening... write about it, tell people about it, and make yourself heard, because we all pay the price from our own wallets.

Good luck out there, and be safe.

Wednesday, October 17, 2007

Storm [worm] SuperComputer

With the recent coverage coming out of the Washington Post blog posting on the Storm worm, I think there has been insufficient analysis of what the point of this absolutely massive supercomputer will be. I won't re-present the facts to you, but if you haven't read it, I'll sum it up by saying that the Storm worm botnet is more powerful than all of the [previous] top 10 supercomputers... that's saying quite a lot. The other major point is that this is the first time in history that the world's most powerful "computer" (or cluster, in this case) is owned not by a nation or a research organization, but by organized crime.

The analysis and breakdown of the raw power of the Storm worm is here, at the Full Disclosure archives.

I challenged a friend of mine who is also in the "security research" field to think about what in the world we could use this type of supercomputing power for, and more importantly, why the apparent owners of this botnet/supercomputer are partitioning this massive herd, using separate encryption keys for small blocks of bots.

I have a theory on both of these things, and I disagree with the mainstream media analysis so far, which I think has been wrong. Jim Carr over at SC Magazine online quotes SecureWorks' Joe Stewart saying
"This [partitioning and encrypting communications in smaller groups] effectively allows the storm author to segment the storm botnet into smaller networks [and] could be a precursor to selling storm to other spammers."
I don't agree with this at all. If you apply logic from a different angle, you have to realize that this botnet took lots of time and energy to build; ergo, you're going to go to extreme lengths to ensure that if someone manages to crack your communication scheme, they can't take over the whole lot. This, I strongly believe, is the point of encrypting communication to these botnet groups in small chunks, effectively partitioning herds of Storm bots. To make my point even clearer, here is what I think the herder(s) are doing.
  • Storm worm botnet will be used for obviously malicious intent
  • Establishing separate keys for encrypting small chunks of the herd at a time gives it resiliency against infiltration and full compromise
  • No one in their right mind would "sell" a piece of such a masterpiece and raw power grid
  • It is more likely that the herder(s) will allow people to pay for time-slices on this massive supercomputer to do whatever it is they want to do, computationally...
This brings me to my next point. What in the world would someone want with this much absolute raw power? I think an interesting hint is given by Lawrence Baldwin of myNetWatchman...
Baldwin said the raw power of the Storm botnet might be taken more seriously if it were more often used to take out large swaths of the Internet, or in attempting to crack some uber-complex type of encryption key used to secure electronic commerce transactions.
Fascinating. Cracking encryption keys is just one of the possibilities; here are some more:
  • On-the-fly cracking of some of the world's strongest encryption. Remember, all security is based on the fact that we develop technologies that are computationally infeasible to break... not anymore? (One caveat worth keeping in mind: ten million hosts buy roughly 2^23 times the brute-force capacity of one host, about 23 bits. That is fatal for short or export-grade keys and for weak password hashing, but it does not bring a properly sized modern symmetric or public key within reach.)
  • DDoS at will. How will you stop a ~320 GB/sec (roughly 2.5 Tb/sec) onslaught? (Assuming ~10 million bots at 256 kb/sec DSL upload speeds, which is estimating low.) What's worse, it's not like you can block a certain netblock or router... these Storm bots live all over the Internet.
  • Rainbow tables, anyone? Sure, there are plenty of arguments that rainbow tables are useless now because any developer with a brain uses a salt... this is false, guaranteed. Even if people salt, salts can be predictable, and worse, you can compute your way through even quadrillions of combinations; remember, you have 10 million CPUs at your disposal here. Why not hash (SHA-1, SHA-256?) all permutations of credit card numbers, passwords, DOBs, SSNs, and other important pieces of data, so that when you steal a hashed table from a database, it's only a [short] matter of time before you can pull out the real information?
  • Spam: yes, I acknowledge this is a great vehicle for spam... but it's such a waste of power to spam from these botnets... maybe I'm naive.
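As an added illustration (my own code, not anything from the original post or from any of the vendors it mentions), here is a small Python sketch of why the rainbow table point above and the "favorite color" security answers from the October 24 post are really the same problem: when the thing being hashed comes from a small set (every date of birth, every SSN, every common color), the hash can be reversed by enumeration whether it is salted or not, and a predictable salt such as a user ID only costs the attacker one pass per record. What actually stops someone holding the stolen table is a secret key that is not in the dump, here an HMAC. The stolen record, the "user-4711:" salt and the color list are all constructed for the demonstration.

```python
"""Added example: low-entropy data under unsalted, salted and keyed hashing.
All values are constructed for the demonstration; nothing here comes from a
real system."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta


def all_dobs(first_year=1920, last_year=2007):
    """Every calendar date in the range: about 32,000 candidates in total."""
    d, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)


# A security-question answer space is smaller still (constructed list).
COMMON_COLORS = ["red", "blue", "green", "black", "purple", "yellow",
                 "orange", "pink", "white", "brown"]


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def build_table(candidates):
    """Unsalted precomputation: hash every candidate once, reuse forever."""
    return {sha256_hex(c): c for c in candidates}


def invert_unsalted(stolen_hash, table):
    """Constant-time lookup recovers the plaintext from the stolen hash."""
    return table.get(stolen_hash)


def invert_salted(stolen_hash, salt, candidates):
    """A known or guessable salt (user ID, e-mail, row number) defeats table
    reuse but only forces a per-record brute force; over tens of thousands
    of candidates that finishes instantly on one CPU, never mind a botnet."""
    for c in candidates:
        if sha256_hex(salt + c) == stolen_hash:
            return c
    return None


def keyed_hash(value, key):
    """HMAC-SHA256 under a secret key stored outside the database (for
    example in an HSM or a separate secrets store)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def invert_without_key(stolen_hmac, candidates):
    """Attacker with the dump but not the key: plain-hash guesses never
    match, so the small candidate space no longer helps."""
    return next((c for c in candidates if sha256_hex(c) == stolen_hmac), None)


def demo():
    """Constructed scenario: one stolen record whose DOB is 1975-03-14 and
    whose 'favorite color' answer is 'purple'."""
    dobs = list(all_dobs())
    real_dob, real_color = "1975-03-14", "purple"

    # 1. Unsalted SHA-256, the stolen-table scenario from the post.
    recovered_dob = invert_unsalted(sha256_hex(real_dob), build_table(dobs))

    # 2. Salted with a predictable value (the user's ID).
    salt = "user-4711:"
    recovered_color = invert_salted(sha256_hex(salt + real_color), salt,
                                    COMMON_COLORS)

    # 3. Keyed hash; the attacker has the stored value but not the key.
    key = secrets.token_bytes(32)
    recovered_keyed = invert_without_key(keyed_hash(real_dob, key), dobs)

    return {"unsalted": recovered_dob, "salted": recovered_color,
            "keyed": recovered_keyed}


if __name__ == "__main__":
    print(demo())
```

The keyed variant only holds while the key stays out of the attacker's hands; if it sits in the same database as the hashes it is just another salt. And for security answers the deeper fix is the one the October 24 post implies: facts about a person that cannot be changed should not be used as secrets at all.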
That's just my analysis, because I think the people who have looked at this have missed the point a little. There is so much raw power that I simply think human greed will prevent this thing from being partitioned out and sold off to high bidders... I don't see it happening; there is simply too much status, power, and prestige in being the one who controls 10 million slaves, and the most powerful supercomputer on the planet.

God help us all.

So what did we expect?

With the major malware detection companies out there screaming bloody murder about how there are now several thousand new permutations of viruses, worms and various malware every other week... we as security researchers and US patriots need to investigate what's going on. I find it my civic duty to apply some logic, a little research, and some basic 2+2-style math to come up with this analysis.

Let me lay out some facts, first, to make my following point more clear:
If this is all still obvious to you, then I applaud you for noticing the obvious. What I don't hear about in the papers, the digital media, or any security-related publications is how much these political tensions are directly impacting the IT security space via the malware business. Malware as a business is booming. Developers are writing reusable code modules, programs and scripts, selling them off or even offering them as SaaS (Software as a Service) in some cases. When investigators identify and attempt to track some of these software writers, they often realize that they are in countries politically unfriendly to the United States, and therefore cooperation is difficult to come by, if not impossible. More often than not, requests for foreign support go ignored or get little attention.

Again, this may be completely obvious to you, and I will not disagree. What I am disgusted with is the following:
  • The US government is absolutely clueless on digital security and digital asset protection
  • The US government and most specifically the current administration (and some candidates for the 2008 Presidential race) are creating a hostile global climate for US-based interests when it comes to security
  • No one has been able (in my humble opinion) to put these simple facts together and speak them in an open forum, to the highest heads of state
To sum this up in a nutshell... the US is creating a hostile environment, and the digital security forces in the US will suffer the consequences. Given the current degree of apathy and cluelessness in the United States government about digital security, this does not bode well for our national secrets and "secret/secured" systems. It bodes even worse for our economic situation as it relates to fraud, identity theft and resulting losses, and commerce disruption in general.

Unless efforts to defuse this obvious political time bomb start soon, we in IT security are going to be pushing an even bigger boulder up the hill of our daily jobs... and this one will be ticking.

Good luck out there.

Wednesday, October 10, 2007

Illinois DMV loophole enabling fraudsters!

This is a little off-topic on IT, but it's interesting and worth writing about in my opinion, so here it is.

I went to get my new Illinois driver's license (having recently moved back from Georgia) and found an interesting loophole in the system that even the employees there acknowledged was ridiculous. The posted requirements for getting a license in Illinois are: a passport or birth certificate, a Social Security card, and a utility bill with your name and address on it. Given that I didn't want to drive home to get a utility bill, I asked if there was anything else I could do. The lady at the counter was quick to ask if I had to register my vehicle as well, to which I said yes. In that case, she stated, I could simply get the auto registration changed first (which didn't even require an ID!), and then come over to the license side and use the registration as a form of identification and address verification.

So, let me get this straight... to verify that I live where I say I live, and that I am who I say I am (as a third factor), I can register a car to an address/name/etc. that I don't have to present any proof for, and then use that as proof of address??

There is something seriously wrong here...

So you may be wondering: so what? How can you possibly exploit this? Allow me to explain. I can make up an address (as long as I can register some unverified car to it) and bring that registration as my proof of residency at the address I'm claiming. This creates a situation where I can basically make up where I live, and not have to prove it in any way.

Yes, it's not like I can create a fake ID with this loophole... but in a way, I can. I can come in from out of state and get an Illinois driver's license without actually proving that I live in Illinois... doesn't that bother anyone? I asked around, and everyone there that I asked agrees it's an egregious fault... but no one cares enough (or has the power) to do anything about it.

That's a sad, sad state of affairs. I wonder how many other states have this provision? Maybe I can get a license in another state too? If this kind of thing isn't a fraudster's dream... I don't know what is.

Spy Bugs -- 007 in real life?

The Washington Post is running a very interesting article on micro-bug-like spy devices. Rick Weiss, a staff writer at the Post, wrote a piece that starts out reading like science fiction and turns into a very real "what if?" as it progresses. Despite the speculation, the denials that such technology exists, and the paranoia discussed in the article, it's an interesting read.

Of course, for those of us in the security field, this brings a whole new set of problems to light. Industrial espionage, intelligence gathering, and other forms of "security" that may be more commonplace may already be benefiting from the types of technologies discussed in the article. While the article does address the challenges of fueling micro-spy devices, as well as issues like cross-winds, bird attack, and other unavoidable mishaps, the implications are immense.

Why bother using spyware or other now-detectable forms of malware to infect a computer if you can simply employ a mosquito-sized "bug" camera to follow a victim around and record voice conversations, photos, and maybe even live video? Right now this all sounds like technology 007 would use, but remember that DARPA may have had precursor technology as early as 30 years ago! Where has that technology gone in 30-plus years? Of course, no comment from the three-letter agencies.

So should you be preparing your enterprise against micro-bugs? Chip-infused moths? Mosquito-borne surveillance? Probably not quite yet... unless, of course, you work in government!

Do your own research, and figure out what you believe... and if you find anything to share post it here.

More research:

Friday, October 5, 2007

DHS DDoSes itself... with email

I've never been a big supporter of DHS' security initiatives, and even less of the government's efforts to be "secure" (their track record alone speaks volumes), but this latest oops is too much. I guess I'm glad I'm not on their mailing list, because I wouldn't want to be spammed to hell now that some of those personal email addresses are out.
What's worse, you have to wonder who the original "reply-to-all" person was, or whether it really was a "user who unchecked a box..." somewhere in the mail server. What's particularly interesting to me is that the mailing list doesn't use a traditional listserv or Majordomo distribution channel, and obviously runs on some bungled Domino install at a contractor site.

Lovely. I'm sure their internal security is much better...

Read all about this snafu here on eWeek, in case you've missed it.