Thursday, December 31, 2009

The Passwords Twitter doesn't want you to use


The Wundercounter blog has a list of all of the passwords embedded in Twitter's signup page. The list is a pretty broad list of bad passwords that Twitter users probably use more often than we might like to hope, even after years of explaining the need for good passwords. Old favorites like 123456, abc123, and password show up, as do computer, many first names, and, of course, twitter.

It seems like most organizations have at least one common password that users tend to gravitate to. At colleges and universities, it tends to be a school spirit oriented password, and for websites, it often involves the name of the site. What's your organization's oft joked about common password?

(flickr Creative Commons attribution licensed image courtesy 7son75)

Tuesday, December 29, 2009

Digital Photo Forensics

HackerFactor's Sec-C blog has a great writeup and analysis of a Photoshop Disasters image. There are a lot of useful techniques to learn here if you're ever asked to check if an image was Photoshopped.

Tuesday, December 15, 2009

Anti-Forensics Tools - DECAF to your COFFEE

Anti-forensics tools meant to counter mainstream forensics packages aren't new, but DECAF, a response to Microsoft's pre-packaged COFFEE forensic toolkit, looks like an interesting entry into the field. Those worried by COFFEE's described capability to "decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer" appear to have at least one possible way to counter it.

Fans of The Big Hit are likely wondering when the anti-anti-forensic device will be released...

Monday, December 14, 2009

The Importance of Background Checks

The Department of Homeland Security recently learned the importance of background checks the hard way, as a fugitive wanted on a national arrest warrant for insurance fraud was found to be working for a DHS office. This serves as a great reminder that background checks are a really inexpensive way to make sure that staff working in potentially sensitive positions (or with access to sensitive data) have actually been reviewed.

Thursday, December 3, 2009

Free Security Software - A Checklist for Setting Up Your New PC

The explosion of new, inexpensive PCs has resulted in a lot of systems that didn't come with pre-packaged software, or that simply come with a trial antivirus package. Is it possible to build a capable security suite for your new system without spending money?

Yes!

Antivirus and Anti-Spyware

Get a copy of AVG's free product. It is relatively lightweight, runs well even on netbooks, and it receives good reviews.

Windows Defender is increasingly capable, and is a good second choice to install.

I also continue to recommend SpyBot as a good general purpose anti-spyware tool.

Virus Recovery and Malware Removal

MalwareBytes remains my default recommendation for those who need to recover from a virus infection.

Password Storage

I continue to use Password Safe for most of my password storage needs, but LastPass's online storage system is an excellent option as well. You can find my previous LastPass article here.

Browsers

Start with Firefox, and if you're comfortable with it, add plugins such as NoScript. Firefox's autoupdate capability as well as the wide variety of security controls available make it a great choice as your default browser.

With these free tools, you'll be well on your way to secure computing - for free!

Saturday, November 28, 2009

The Speedy Evolution of iPhone Worms

The popularity of iPhone worms targeting jailbroken iPhones that still have the original SSH password, which I described recently, continues to grow. The exploits have also become more threatening, moving from the Rickrolling ikee worm (whose creator was recently hired by the Australian iPhone software development company Mogeneration) to more threatening worms, including one that grabs your private data from the phone.

In chronological order, the worms so far have:

  • Held iPhones hostage for 5 euros (November 2nd, ihacked)
  • Rickrolled affected users (November 8th, ikee)
  • Stolen personal data such as contacts, email, SMS messages, photos, music, and other user data (November 10th, iPhone/Privacy.A)

Of note, Sophos provides a very nice writeup and commentary on ikee.

Of course, as theappleblog notes, this threat could be much worse in future generations, as the technique is quickly improved and as more iPhone aware coders take advantage of the platform. Right now, a lot of the techniques used by Windows worms haven't shown up - the self replication capabilities are rudimentary, if there at all, and the concealment methods are largely simply based on file location.

The good news continues to be that the worms only go after phones with the default jailbroken SSH password, and that changing that password on a jailbroken phone will prevent the exploit. The bad news is that malware writers are likely now building toolkits that will easily integrate with the next iPhone exploit - and all that is really needed is an OS level vulnerability that can be remotely exploited to make iPhones a treasure trove of data for successful attackers.

The iPhone will continue to be an attractive target, both because of the desire of the user base to expand the phone's capabilities via jailbreak, and because of the user data and network access that a hacked iPhone can provide. I expect to see more concerted attacks on the iPhone's OS and applications over time, meaning that security and IT staff can expect to have new threats appearing on their networks - pocketable devices scanning for other devices and infecting each other may very well be our next big user initiated threat vector.

Tuesday, November 17, 2009

NIST 800-53 v3 controls in database form - No Extra Charge!

Have you ever been asked to implement standards for your organization - only to find out that they are buried within a gazillion-page document with tables and appendices that you must pull actionable items out of? Top that off with your organization's risk scores, cross-referenced controls for the defined risk level...you get the picture. I think we all have, and we can agree that it isn't much fun. This morning, a colleague pointed me to a new release from our friends at NIST. Enter NIST SP 800-53 v3 in database format. From the readme:

The NIST SP 800-53 reference database application is a FileMaker runtime database solution. It represents the security controls that are organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The priority and minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for a specific control, and export the control to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.

The download is about 42MB and is available here. After a quick decompression, you are ready to roll. However, this beta is limited to Windows support. If you're not familiar with the NIST SP 800 family of publications, you should be. They provide a great set of knowledge, vetted security controls and are available at no extra cost.

The application itself requires no installation, and therefore will run without administrative control over the machine you are using it on (hint - you can share it with folks like legal counsel or developers so they can enjoy ease of access). To further protect the integrity of the data, the instance runs read-only. Once up and running, you are presented with a fairly busy interface that takes a bit of browsing to understand. However, after a few minutes you can quickly find the controls you need, according to your risk impact scores, with all the supporting information at your fingertips. This truly is a helpful tool to have in your cache.

Monday, November 9, 2009

First iPhone Worm in the wild - for Jailbroken iPhones only

PMP Today reports that the first iPhone targeted worm is hitting jailbroken iPhones due to a standard SSH password. The worm is a mobile device Rick Roll, resulting in a Rick Astley photo being set as the phone's background.

The easy fix is, of course, to not use a default SSH password - "alpine" wasn't exactly a good password to start with.

Thursday, November 5, 2009

Risky Behavior: Making Risk Assessment Fun


The Naval Safety Center's Picture of the Week often provides a great visual aid when discussing risks - I find that audiences get a kick out of them, and they can help break the ice when starting a risk assessment. This one? I'm pretty sure that's an integrity risk (for his bones), and an availability risk (to his services). Impact? High! Probability? Well...that depends.

Sunday, November 1, 2009

Visualizing a Risk Vocabulary

Wordle.net's word visualization tool can be a great way to map out words and concepts. The Wikipedia text for Risk Assessment became part of a presentation I am building for a talk that I was asked to give as a guest speaker in an MBA class. Here's what it looks like:


The map for computer virus is also interesting:

I suspect that these will be useful visual aids in my presentations - a new way to present security concepts is often helpful, particularly when dealing with a non-IT staff audience.

Friday, October 30, 2009

Future Proofing an Information Security Job

One of the more interesting information security job questions that I've seen recently is "How do you future proof a security job?".

That's an interesting question - security, like much of IT, has changed significantly over the past few years, and the skillsets required have changed or matured. A decade ago, there were far fewer dedicated information security positions, web security was just starting to become a visible issue, and intrusion detection was in its infancy. We've come from a world where local networks meant that copied floppies and boot sector viruses were our main threat to a world where even our phones are possible threat vectors.

How then, can an information technology security professional stay relevant?

If you want to remain a technologist, rather than enter management, there are two popular paths: specialize or become a generalist.

If you choose to specialize, your route will take you down the path of becoming ever more highly trained in one discipline, or possibly a few closely related areas. Penetration testers may become more skilled programmers, and could delve deeply into web technologies, or system kernel exploits. Network security experts might become a CCIE, or tackle high end certifications from specific vendors.

The problem is that when that technology dies, you may have to re-train. That's nothing new in the world of information technology. Banyan Vines and Netware administrators have moved on to handle Active Directory and experts in Token Ring have trained to deal with gigabit switched ethernet and Internet protocols. What it does mean is that you have to keep an eye open to avoid being outdated with the technologies that you are expert in. Specialization is a great way to get a job - if that job is in demand, and the supply is small. Cobol programmers knew this in 1999 - but that was a relatively rare opportunity for a dying technology to make a brief comeback.

The other route, of course, is that of the generalist. This tends to put you into a role that glues together security with other IT areas, and can be quite rewarding - but you may find that you're unable to operate at the same depth that your specialized peers can attain. Generalists may have a harder time justifying specialized training, and will not necessarily find that their resumes qualify them directly for the highly specialized jobs that require a single scarce skill.

Which route should a security analyst take? That's a tough call. At the end of the day, your work environment and your own preferences will likely shape your futureproofing efforts. In either case, technology will change, new threats will appear, and the job will continue to provide the challenges that we all face.

Thursday, October 29, 2009

How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup

If you run a website of any type, there is a good chance that you'll want to remove content from Google, Bing, and other search engines at some point, either due to outdated information or sensitive data exposure. Below are links to the documentation provided by each of the major search engines for their removal process.

Most search engines will tell you that your first action should be to create an appropriate robots.txt, and many want you to return a 404 error. If you don't, they may keep your content cached for even longer than they might otherwise.

Google

First, you can build and submit a removal request for information, images, outdated or inappropriate content.

Then, you can remove your own content, then cause Google to re-index it more quickly using their webpage removal request tool.

Finally, make sure you follow Google's noindex meta tag and robots.txt instructions.

Yahoo!

With Yahoo's move to the Bing search engine, their removal process has changed. You can use their SiteExplorer tool to remove your site from their results.

Ask (formerly Ask Jeeves)

Ask only provides robots.txt support, and has no formal published removal process.

Bing

Microsoft's new search engine has recently published removal instructions.

AltaVista

Per AltaVista's support information,

"If an AltaVista user comes across web pages that contain private personal, professional or financial information that is not available to the public and/or may have been illegally obtained, he or she can write to legal-support-uk@av.com to request that the offending URL be removed from AltaVista's index. Please note that removing said URL from AltaVista's index does not remove the URL from the public internet or the indexes of other search engines."

Archive.org / the Wayback Machine

Archive.org provides a long term snapshot of much of the Internet, dated by when the page was crawled. If your site has been available for any length of time, and if you have static content that it can crawl, there's a good chance you'll want to contact Archive.org for exclusion.

Friday, October 23, 2009

President Obama on Cybersecurity Month

President Obama's short video on cybersecurity month is available. This is the first time I've heard the President outline our frequent security advice - verify identities before giving out information, update your software, beware of suspicious emails. You can watch for yourself below:


Thursday, October 22, 2009

Worried About The Evil Maid?

Joanna Rutkowska's "Evil Maid" TrueCrypt attack has been getting a lot of buzz in security circles today. In essence, the attack involves compromising the trust that TrueCrypt (and the user) places in the boot process. An evil maid (or other ne'er-do-well) exploits their physical access to a machine and that machine's capability to boot from external media such as a USB device to add a keylogger or other trojan to the boot sector or firmware, allowing capture of the presumably unchanging decryption key that the user enters to access their filesystem.

Am I particularly concerned about this as an attack against my organization's resources? Of course not!

We do use encryption on our mobile systems - not TrueCrypt, but the caution is largely against the concept, not necessarily only Rutkowska's specific implementation. With that said, a simple risk assessment serves us in good stead. Is our data so valuable, or are maids so twisted that we have to worry about them attempting to access our laptops which (hopefully) we lock in safes in hotel rooms, or otherwise appropriately protect? No - none of the people that I work with are in Her Majesty's Secret Service, or otherwise likely to be high value targets.

The good news is that Rutkowska's implementation of this attack serves as a good reminder that our trust in enterprise drive encryption is much like any other technological solution in our daily security war - simply a stage in the escalation of tools.

Years ago, we recommended passwords on laptops. Then, legislation and more technically aware users pushed us to drive encryption. Next, as attacks like this become more widely approachable, we'll worry about how to use TPM, drive hashing, two factor authentication, or technologies that can guarantee the state of a system between uses. For now, I'm far more worried about malware installed on systems either via a vulnerability or a user's mistake. Why? Because our drive encryption efforts do nothing when the drive is unlocked for the user's daily work.

For your daily security efforts, you can likely worry about much more immediate security concerns - and in the meantime, if your maid cackles evilly, and speaks in l33t - you may want to guard your USB ports.

Tuesday, October 20, 2009

VirusScan 8.7 and Security Center reporting

If you've been driven to distraction recently by users who noticed that the Windows Security Center wasn't reporting their McAfee VirusScan 8.7 status correctly, you're in luck. Messages like "McAfee VirusScan Enterprise is on but reporting its status to Windows Security Center in a format that is no longer supported" on Windows 7 and Vista, while only a reporting issue, were resulting in a lot of questions.

McAfee has released Patch 2 (link goes to the readme) for VirusScan 8.7 which fixes the issue. Along the way, they also improved the performance of On Access scans, which many users were complaining about as well.

What went wrong? Well, the Microsoft API for this reporting was updated, and this required updates from vendors. McAfee's patch lagged behind, resulting in worried customers. The good news is that their AV was working. The bad news is that we've spent years making our customers more aware, and now even a false positive can cause a lot of helpdesk calls.

Saturday, October 17, 2009

1000 Security Experts? Not exactly what the doctor ordered.

Bob Cringely recently discussed the Department of Homeland Security's plan to hire 1,000 "cybersecurity experts" to defend U.S. computer networks. His take? That there aren't 1,000 cybersecurity experts to be found in the U.S. His unnamed cybersecurity expert friends tend to agree in various forms, ranging from a discussion of the semantics of the goal to a more in-depth discussion of the forms of expertise that can be found, and a note that there are 1,000 security experts - on the wrong side of the fence.

Cringely also contends that no matter what the actual intent, this hiring is largely window dressing and that the end result won't be a sea change in how government information security is done. He points to low CCIE graduation rates as a good metric for how many security experts can be found, which may not be the best metric for security expertise across the board - to me, it indicates that holders of one brand of high level network security expertise do exist, but that the demand for CCIEs isn't sufficient to push further qualifiers into the certificate at a high rate. In addition, personal experience indicates to me that many qualified security experts don't carry all of the certifications that they could qualify for, for any of a broad variety of reasons - that doesn't mean that we have hundreds of certification-less CCIEs around, but it does mean that we may have experts we're not counting if we only count certificates.

The problem here is that security expertise covers a broad variety of fields from risk assessment to network security to physical security design and back again. Seeking a thousand cybersecurity experts is, in many ways, more akin to seeking a thousand expert college professors in engineering. You may not find them all in nuclear engineering at the level that you desire, but you may very well find that many experts across all of the disciplines that you need - and then you'll realize that you really wanted some of them to be TA's, Ph.D. candidates, and others who may not yet be experts - but will be.

Polymath experts with broad experience and deep expertise across the spectrum of information security are definitely necessary to tie those skillsets together, especially when you need to glue complex systems together, but you don't need - or necessarily want - hundreds of those big guns. Cringely notes that such experts aren't found in packs, and that is one point that I'll agree with. In any field the major experts hold a special place, and some take full advantage of it.

One of Cringely's experts dismisses the DHS plan - "you will end up with 1,000 Security Managers in the government with Sec+, and CISSP certifications". This picture of outsourced expertise and a lack of true change doesn't reflect the fact that skilled security managers are just as necessary as the heavy hitter deep dive experts. If the Department of Homeland Security really wants to change the face of government information security, the program and these new hires must be run adeptly, and that can be a real challenge.

DHS doesn't need to simply hire 1000 identical security superheroes. They need to embed employees with appropriate skillsets in those areas that face risk - after they assess the risk - and then they need to work out a coherent program to improve and manage both their security program and their security staffers. With the right guidance, 1000 security employees of many types could change how government information security is done.

Thursday, October 15, 2009

The Three Phases of the Security Analyst

Creative Commons attribution licensed image courtesy Flickr user anyjazz65

I spend a lot of time working with people outside of my own immediate group of security analysts, and I often find it useful to provide a model that will help them understand how security analysts work. Fortunately, I've found one that I like.

Security staffers that I have known through the years tend to fall into one of three stages - typically depending on the phase of their career, with some variation depending on the person's personality, their workplace, and of course, their experience.

The Phases:

1. The Black and White Security Analyst: A Binary Analysis - typical amongst newer security professionals, a Black and White analyst sees the world as a series of security issues. A system is either secure, or insecure. It complies with best practices, or it fails. Black and white analysts can drive outsiders nuts (and, at times, their non-black and white compatriots), but they also serve as a very useful check to the other phases - and they make very good auditors.

Some black and white analysts find their role because of limited direct experience. Simple book knowledge rarely has a compromise solution, and forcing best practices can make an otherwise reasonable staffer look like a truly obstinate opponent. Every analyst needs to fall back on these behaviors at times, particularly for thorny problems that have a high risk solution. Of course, in some environments this is the desired mode of operation, and should be fostered.

2. Shades of Gray: The Risk Modeller - as security professionals spend more time in the field - and, often, as they become more jaded, they often start to view the world as a series of risks. Training teaches you to do a risk assessment, to rate those risks, and to build controls based on that model.

Their assessments start to balance these risks, and they become more flexible in their views. The danger? Making too many tradeoffs, whether for functionality or simply for the ease of implementation. This can have a benefit of course, as often the shades of gray allow the analyst to be more flexible when analyzing risks and controls.

3. The Realist: Life Along the Continuum - some, but not all, security staffers make it to a third phase. This third phase tends to emphasize the continuum of possible security options, and those who have reached this level will typically rate security based on the improvement along that continuum. Analysts often set a minimum acceptable level - and strive to ensure that a balance is maintained between improvements beyond that and the organizational costs of moving along the line. Realists are fully aware that security cannot always win, and instead choose their battles. This can mean that at times they are more willing to accept compromise than they necessarily should be, and burnout can lead to a less effective analyst, but realists are often the best interfaces with outside organizations if you need to build bridges.

In the end, all three stages are useful, and each has its place. What matters in the end is reaching an organizationally acceptable balance of risk, usability, and security, and that ebb and flow is what makes the job both a challenge and an adventure.

Sunday, October 11, 2009

Passwords...in Newsweek?

You know that passwords and their problems have gone mainstream when Newsweek carries an article about them. Nick Summers describes current password technology issues, as well as some of the potential future solutions. It even describes brute forcing and the issues with simple passwords - meaning that your users might come ask a few good questions.

Wednesday, October 7, 2009

That's amazing. I've got the same combination on my luggage...

Wired's Danger Room blog quotes analysis of a recent Hotmail, MSN, and Microsoft Live account leak which showed that 123456 was the most common password.

In my experience, universities tend to find that their most common passwords are catch phrases common to the school. Corporations that run password audits may find similar patterns in their own users' password selections.

Does your organization have a common password?

Thursday, October 1, 2009

Hostageware Hits the Mainstream

Creative Commons Attribution licensed image courtesy Alan Miles NYC

The New York Times was recently hit with a hostageware ad that switched from a seemingly legitimate Vonage ad to virus warnings. The Times believed they were trusting a vendor that they had previously worked with, and allowed un-vetted servers to serve ads to their site. The Times isn't the only major site to have this occur, and my security threats crystal ball says that since we've all locked our computers down to prevent worms, the bad guys are going to target the places that they know that we go - and trust.

As the New York Times article notes, "These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible."

In my own recent experience, this type of ad is increasingly prevalent as a threat to users, and the malware itself is taking advantage of a number of browser bugs and plugin bugs to slide past users' defenses. With threats that take advantage of PDF vulnerabilities, Java vulnerabilities, and more, users who navigate to trusted sites may still be compromised. This also means that the standard habits that we have taught users for years are no longer a panacea - simply not going to untrusted sites, not opening unexpected emails, or avoiding clicking untrusted links isn't the shield it was.

Home users who find themselves staring at a popup screen that offers to save them from the malware that their PC is infected with can find some solace in the fact that capable anti-malware products like MalwareBytes are available for free. Sadly, mainstream AV seems to have real problems with many of these hostageware packages, so a second layer of defense is key.

So, what can you do from a corporate perspective? That's a bit tougher. Here's what I'm looking at:
  • First, full patching for systems that includes browser plugins is really essential. I continue to see systems that have full OS patches that are behind on browser plugins. Comprehensive, system wide software management is becoming even more of a corporate necessity.
  • Second, enterprise AV can still be helpful, even if only for detection. Remember to have your support staffers check out machines that show continued issues, as some components of malware often get removed, but the remaining parts can restore them. I've had organizations using central AV notice large numbers of their machines disappearing, which resulted in an investigation that showed a widespread compromise. Not exactly how they expected to leverage their AV management console, but well worth the price of admission.
  • Third, investigate enterprise licenses for useful tools. MalwareBytes and other vendors do offer attractive pricing for enterprise licensing. I've found that a quick Google results survey can often indicate what secondary package is most recommended, and that can really help.
  • Fourth, monitoring outbound traffic for hits on known malware and scam sites gives you a chance to find infected hosts before they become problems.
  • Finally, user training and awareness is still key. Finding out when these hostageware programs are showing up, and what the user was doing when they got infected can help prevent widespread infections.

How is your enterprise handling hostageware?

Thursday, September 24, 2009

Thawte Discontinues Free Email Certificates and the Web of Trust


Creative Commons Attribution License image courtesy Flickr user Fristle

Thawte's Web of Trust and free email certificates have been a great way to get S/MIME certificates signed for personal use by a large CA. I've been a notary for a few years, and I've found that being able to offer an easy to obtain certificate with a reasonably strong validation process was a great way to introduce S/MIME certificates and secure email to many people.

Today Thawte announced that both their free personal email certificates and the Web of Trust will cease to exist after November 16th, 2009. Details of the impact are covered in their FAQ.

This will remove one of the largest in-person vetted identity certification groups that I know of - a reasonably unique institution. Those who paid money for notarization to receive points in the Web of Trust will find that that investment no longer pays returns. Thawte's consolation prize is a single year of VeriSign's commercial personal email certificate service, and a free one year certificate of the member's choice.

I'm not aware of any viable community replacement for this service for S/MIME certificate users, and I'm somewhat disappointed that Thawte hasn't pushed the idea of making this some form of community supported or managed service.

Tuesday, September 22, 2009

Acquisition drive too small? Loop and offset to the rescue!

On any given day, I might need to take an image of a physical drive to analyze offline. In the past, our imaging target drives of 1TB were plenty to handle a raw dump of the drive as well as partition dumps or carves later on. However, with the spate of large capacity drives being installed, even in laptops, I'm lucky to just get the raw dump of the drive with some working space for an evidence locker. But what if I need to parse through the partitions individually or want to mount them remotely? Loop device mounting and offset (both operands supported by the mount command) to the rescue. After imaging the entire drive and, of course, verifying the hash, I have everything I need. Now for the fun.

Typically, you can mount a raw image with the loop device operand:

# mount -o loop,ro -t auto /some/image.raw /your/mountpoint

I use this often when I only have an image of a partition. However, this option will not work when trying to mount an image of an entire physical device with one or more logical drives defined within it. So now what?

Given that an image is really just a block level copy of data, we are only dealing with data. Using the loop device with a further option - offset specifically - lets you tell it where to consider the starting point within the string of data. In essence, the offset operand tells mount and the loop device to skip n bytes from the actual beginning of the data. But where do my partitions start and end?

To get an idea of what is contained inside the image, as far as file system information, logical drives, etc., you will need to use a utility like fdisk. fdisk is a partition table manipulator for Linux. While it can be used to manipulate the partitions, we'll just use it to find out what's inside the image. The following command will give you all the details we need about an image:

# fdisk -ul image.001

You must set cylinders.
You can do this from the extra functions menu.

Disk image.001: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd42ad42a

Device Boot Start End Blocks Id System
image.001p1 * 63 42154559 21077248+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(2623, 254, 63)
image.001p2 42154560 156296384 57070912+ 5 Extended
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(1023, 0, 1) logical=(2624, 0, 1)
Partition 2 has different physical/logical endings:
phys=(1023, 254, 63) logical=(9728, 254, 63)
image.001p5 42154623 156296384 57070881 7 HPFS/NTFS

In the example above, I pointed "fdisk -ul" at an image of a Windows drive that had two partitions. I used option "u" to list the sizes in sectors instead of cylinders and "l" to list the partitions within the device and then exit. So, from here, how do we calculate where the starting point is for each partition and then tell mount where we want the beginning to be? First we determine the sector size. This is in bytes, and it is the multiplier we use to determine how many bytes into the image we want to offset. We can see in the output that the sector size is 512 bytes:

Units = sectors of 1 * 512 = 512 bytes

Next we need to know at what sector each partition starts. In the example above, we see several partitions listed; image.001p1, image.001p2, image.001p5. Each partition entry in the output has a start point denoted in sectors:

Device Boot Start End Blocks Id System
image.001p1 * 63 42154559 21077248+ 7 HPFS/NTFS
image.001p2 42154560 156296384 57070912+ 5 Extended
image.001p5 42154623 156296384 57070881 7 HPFS/NTFS

But wait - in this example I have a drive image that only contained two partitions - why are there three listed? This is because the drive I imaged was partitioned with one primary boot partition and an extended partition, which in turn contains another partition. There are many religious debates on how to partition drives, but suffice it to say, this layout is far more common than not. Today, we are only concerned with mounting the two NTFS partitions listed. In the fdisk output we can see that partition 1 starts at sector 63 and partition 5 starts at sector 42154623. We'll multiply these starting sectors by our sector size to determine what our offset (in bytes) is for each mount operation:

sector size * starting sector = offset
512 * 63 = 32256
512 * 42154623 = 21583166976

Now that we have the offset, in bytes, we can formulate our mount commands:

#mount -o ro,loop,offset=32256 -t ntfs-3g image.001 /some/mountpoint
and
#mount -o ro,loop,offset=21583166976 -t ntfs-3g image.001 /another/mountpoint

And there we have it - both partitions within a raw drive image mounted and ready to explore without having to take more images of just the logical drives - or carve them out of what we have. Of course, file systems will vary along with disk geometry and associated mounting options. However, these basic steps can be used to identify and mount every partition contained within a raw disk image.
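As an added example (not from the original post), the following shell script applies the procedure above to the fdisk listing shown, which is embedded so it runs without an image: it pulls the sector size and each partition's start sector, computes the byte offsets, and emits the read-only mount commands. Function names and the mount root are this example's own.

```shell
# Added example, not part of the original post: turn an "fdisk -ul" listing
# into byte offsets and ready-to-run read-only mount commands, so every NTFS
# partition in a whole-disk image gets the same arithmetic without typos.
# The listing is copied from the post and embedded so the script runs offline.

FDISK_SAMPLE='Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd42ad42a

Device Boot Start End Blocks Id System
image.001p1 * 63 42154559 21077248+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(2623, 254, 63)
image.001p2 42154560 156296384 57070912+ 5 Extended
image.001p5 42154623 156296384 57070881 7 HPFS/NTFS'

# sector_size LISTING: the unit size in bytes from the "Units = ..." line.
sector_size() {
    printf '%s\n' "$1" | awk '/^Units = / { print $(NF-1); exit }'
}

# partition_table LISTING: one "device start_sector id" line per partition.
# A device name ends in a digit; the Boot column is optional ("*"), so Start
# is field 2 or 3 and Id is three fields later (Start End Blocks Id). The
# geometry warnings ("Partition 1 has ...", "phys=(...") do not match.
partition_table() {
    printf '%s\n' "$1" | awk '
        $1 ~ /[0-9]$/ && ($2 ~ /^[0-9]+$/ || ($2 == "*" && $3 ~ /^[0-9]+$/)) {
            i = ($2 == "*") ? 3 : 2
            print $1, $i, $(i + 3)
        }'
}

# byte_offset SECTOR_SIZE START_SECTOR: the value for mount's offset= option.
# Shell arithmetic is 64-bit on current systems; 21583166976 needs 35 bits.
byte_offset() {
    echo $(( $1 * $2 ))
}

# mount_commands LISTING IMAGE MOUNT_ROOT: a read-only loop mount per NTFS
# partition (Id 7). Extended containers (Id 5) carry no file system and are
# skipped, which matches the post mounting p1 and p5 but not p2.
mount_commands() {
    listing=$1; image=$2; root=$3
    ss=$(sector_size "$listing")
    partition_table "$listing" | while read -r dev start id; do
        [ "$id" = 7 ] || continue
        echo "mount -o ro,loop,offset=$(byte_offset "$ss" "$start") -t ntfs-3g $image $root/${dev##*/}"
    done
}

mount_commands "$FDISK_SAMPLE" image.001 /mnt/evidence
```

Feed it `fdisk -ul yourimage.raw` output instead of the sample to get the commands for a real image; change the Id test if you need Linux (83) or other types.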

Friday, September 18, 2009

Stolen Laptop Recovery with LogMeIN - Round 2

PC World has David Krop's story of laptop recovery using LogMeIn. I've discussed a couple of similar stories involving a laptop and an iPhone previously, as well as the case for remote control software, and this is another example of a laptop that was not properly secured being used by a new user while remote login software was on.

The buyer of the stolen laptop is quoted, saying "I didn't care whether it was stolen, I buy stolen stuff all the time. I don't care... If I can save $600, I'll do it." While he may not have learned a lesson, the owner of the stolen laptops did, noting that he won't leave the laptops unattended, that he takes only one with him, and that he uses passwords and remote tracking software now.

What You Do on Facebook Can Cause You Harm is True For Criminals Too

Jonathan G. Parker of Fort Loudon, Pennsylvania was arraigned on a burglary charge after he forgot to log out of Facebook on the computer at a house that he had robbed.

We're all busy telling our users that what they do on Facebook can cause them problems in the future, but this is a slightly more direct example...

Thursday, September 17, 2009

Making Web Application Security Controls Repeatable

Raul Siles recently posted a useful reminder in his ISC diary post - "Review the security controls of your Web Applications... all them!". He used the problems described by Ryan Barnett that were found in Yahoo's web API as an excellent example of this rule. Both posts point to a common problem in applications that I see - the loss of established controls in new code and new functionality.

One way I've been working to help fix this in an organization that hasn't developed a comprehensive software development lifecycle or broad QA process is to build a multi-step process to handle security flaws found in an application. Typical steps are:

  1. Determine whether the problem is unique to the application, or if it is a flaw that is likely found in other applications, either current or future.
  2. If it is more than a one time problem, design a common library or technique to handle the problem.
  3. Assess the severity of the problem, and apply the fix to other applications if the risk is determined to be high enough to justify the effort. If not, add the fix to the queue for the next update to those applications.
  4. Re-test the application to verify that the fix works.
  5. Document the library and ensure that the rest of the team is aware of it.

One of the best things about this sort of process is that developers start to think about problems in a much broader context. Recently, I've seen two of the developers I work with frequently stop during a meeting and ask out loud "I wonder if that applies in application X too...". That thought process usually ends up in modifications to their standard application libraries which means that problems I saw once tend not to come back across their entire group.

How are these vulnerabilities discovered? A web application vulnerability scanner - WebInspect in this case - provides most of the vulnerability testing. Manual testing, while often deeper and more likely to find corner cases for vulnerabilities, doesn't scale as well into an environment with limited resources and a large number of applications. Automated testing systems are also great to help cover some gaps in skillset. As Jeremiah Grossman points out, they may simply cover low hanging fruit, but that can be very valuable.

Do you have a unique or creative internal process to make sure that your organization keeps web application vulnerabilities from recurring?

Monday, September 14, 2009

Brazilian ATM Skimmer Installation Video

LiveLeak has great footage of an ATM skimmer being installed in Brazil, as well as the police arrest that followed. Note - LiveLeak itself may be not safe for some work environments due to adult ads.

The first few seconds are a quick lesson in how easily these skimmers can be attached.

Friday, September 11, 2009

Security Humor: Indiana State Government Ponzi Scheme Education

Google text ads can sometimes be a bit humorous as seen in this example:

I knew there was a reason that our budget wasn't as bad as those in other states. Of course, I wonder if the Secretary of State also teaches advanced Ponzi schemes...

Thursday, September 10, 2009

EDUCAUSE's 2009 Video and Poster Contest Winners

EDUCAUSE has announced their 2009 security video and poster contest winners. They can be viewed at: http://www.researchchannel.org/securityvideo2009/. Previous years can be accessed from the main EDUCAUSE contest site.

The videos produced for this contest are typically aimed at students, but often address topics that are relevant to the general populace.

This year, I particularly liked the Cyber Security Awareness video by Nathan Krochmal, and Lenae Boykin's 10 Most Common Passwords is quite well done. In previous years, Adam Stackhouse's Laptop Theft video has been a big hit.

As with the videos and other materials created each year for this contest, colleges and universities can use these videos as part of their education and awareness campaigns. They're a great way to add spice to typical student security awareness and education videos, and they've helped to inspire some of our staff and faculty awareness efforts as well.

Wednesday, September 9, 2009

SMB2 - Breaking Windows From Afar

Creative Commons Attribution License Photo courtesy Justus Hayes / Shoes on Wires / shoesonwires.com

Announcements have been making the rounds about vulnerabilities in Windows Vista and Windows 7's implementation of SMB, SMB2. As posted on Full Disclosure, this version of SMB "SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.", which results in a remotely initiated crash for any Vista or Windows 7 machine with exposed SMB services.

Older versions of Windows, including 2000 and XP are not affected, as they do not use the new SRV2.SYS driver.

Another good reminder that SMB shouldn't be exposed on workstations in general, and that if it must be available, it should be locked down to prevent access beyond your local trusted networks or workgroup.

Friday, August 28, 2009

Defeating Acoustic Weapons

Wired covers the BBC show Bang Goes The Theory's designs to defeat acoustic weapons like the LRAD and other systems used to help protect cruise ships and for crowd control. As the article points out, simply defending from non-lethal systems may make users more of a target. Does this mean we'll see pirates attacking cruise ships while wearing giant fishbowl sound dampening helmets? Only time will tell...

Wednesday, August 26, 2009

Details: The Most Notorious Counterfeiter

Details has Albert Talton's story online - he produced over 7 million dollars in counterfeit bills using commodity hardware. An interesting story, and a great lesson about how even the Secret Service can have problems finding counterfeiters, and how easily some of our currency protections can be avoided. Talton's process was ingenious, if flawed - he used the same scan for every bill, making them easier to identify. In the end, a series of mistakes, including those made by the people he recruited to help him, resulted in his capture.

Thursday, August 13, 2009

Lessons Learned: Test Your Forensic Tools

Creative Commons attribution licensed image courtesy AlexWitherspoon

A recent call for a forensic drive copy which had to be done in a limited timeframe prompted a co-worker to dig out his USB to IDE/SATA bridge. Since we were asked to provide some time estimates, and to brush up on our imaging process, he ran a couple of tests on drives we keep for just those purposes. A quick boot of Helix on one of our laptops and he was ready to image the drive.

As you would expect, he dd'ed the drives, and then checked MD5 sums. For the first test on a small partition, the MD5 sums matched. For the second, larger partition, the MD5 sums didn't. That's not normal - and not something we frequently see. Testing showed that this appeared to be repeatable.

A repeat with another USB bridge device returned a correct MD5 sum. If we had used the first bridge device for our image, we might have found out that our image wasn't provably correct hours after we began.

The moral of the story? Test any device you use for forensic imaging before you have to face a real event. It will help you provide realistic time estimates, allows you to test your process, and might just save your day.

As for the device? The manufacturer is sending a newer model - apparently this isn't an unknown issue.

Friday, August 7, 2009

The CompuTrace LoJack and Organizational Security Practices

Many of the usual security sites have picked this story up - ZDNet's Ryan Naraine covers Alfredo Ortega and Anibal Sacco's discovery of vulnerabilities and issues in CompuTrace LoJack for Laptops. The duo, both from Core Security Technologies, explain that the BIOS level theft recovery tool can be exploited, allowing a persistent compromise. The fixed strings used in the program for remote connections make it an easier target - and worse, because it is a common security program, compromises of it pose an even greater threat - Naraine notes that it is whitelisted by AV vendors, meaning that in many cases a compromise may go unnoticed.

As a security professional, I now have to ensure that we track whether laptops are shipped with a BIOS level recovery tool, and I need to work with our desktop support staff to make sure that another utility gets patched. Since this ships on many laptops, we may not even be aware of its existence in many cases.

Is it a major threat? Probably not. Is it worth watching and preparing for? Quite probably. For now, I'll check our major vendors' default installs so that I can advise the appropriate management members.

Thursday, August 6, 2009

Water Gate - Replacing Turnstiles Using Psychology

The Water Gate turnstile replacement that Yanko Design covers makes an interesting use of human psychology to make a turnstile that allows greater access and better response to emergencies. This looks like something that Bruce Schneier would appreciate. It gives up the ability to lock, preventing easy access, but has its own advantages.

USB Input Devices As A Threat Vector

Engadget, via OS News, reports that the HardwareUpdaterTool for Apple keyboards can be used to make them into a keylogger. The video is a simple demonstration, but I know that most environments I'm in don't check their keyboard firmware versions and checksums. As our input devices become smarter, we may have to think about how we can keep their firmware and memory safe too.

Wednesday, August 5, 2009

Security Humor: McAfee DATs From The Future

McAfee's ePO central AV management tool can be quite useful. Today, however, it threw me for a bit of a loop when I logged in to find this:

Note the current DAT I have, and the DAT that ePO claims is current. The good news? If I can keep this up, I can really stay ahead of those pesky viruses.

Wednesday, July 29, 2009

Kaspersky and Jackie Chan: Odd Security Advertising

Gizmodo, via Animal NY, points out an odd Kaspersky ad with Jackie Chan on a Segway, Eugene Kaspersky, and a trip through "Cyberworld" protected by Kaspersky AV in the form of a crash helmet.

Tuesday, July 28, 2009

NACUBO's National Campus Safety and Security Survey Results

NACUBO has released the results of their National Campus Safety and Security survey. The survey had a broad group of project members and covered 342 colleges, including a broad range of 2 to 4 year public and private colleges. The results say a number of interesting things about the physical security of the average college campus, including the following:

  • Most of the surveyed colleges have plans in place for physical security issues such as acts of violence or natural disasters, but far fewer have formalized plans to handle cyber disruptions.
  • Physical security controls in many campus buildings are not as widely deployed as one might expect - 40% of respondents report that their public buildings don't have exterior security cameras, and internal security cameras are even less common. Similar data points exist for card access systems and other controls.
  • Email, web, text messaging, and landline/voicemail communication systems for emergency notifications are very common.

The survey itself provides many other details on a range of campus security topics from physical security to communications and staff mental health.

This report provides a useful benchmark for higher education safety and security, as well as an interesting perspective. Higher education must carefully balance its historic open nature against modern security needs, as well as budgetary constraints. The data here illustrates the choices that universities are making, and where many may be headed.

Wednesday, July 22, 2009

MacOS Application Layer Firewall Commandline Basics

Krypted covers the basics of managing and controlling the MacOS application layer firewall from the commandline. They provide just the right details to get MacOS users up to speed, explaining how to allow a single application, how to start and stop the service, and how to set preferences.

If you're a MacOS administrator who prefers the command prompt, or if you're trying to script your firewall management, this is a handy reference.

Tuesday, July 21, 2009

Pay-Per-View Bomb Threats

Public webcams aren't something that most public institutions would consider a significant threat - they're typically in open spaces without sensitive data or activities in front of them. The Register's coverage of Ashton Lundeby and his fellow conspirators might make those organizations reconsider. The Register quotes the indictment, noting that "The conspirators created a 'channel' over which members of the conspiracy could broadcast their misdeeds to as many as three hundred (300) individuals simultaneously".

This moves swatting into the field of mass entertainment - the website advertising the videos was apparently set up to charge fees to view them. With caller ID spoofing and the sensitivity of public institutions to bomb threats, this may become a threat that we are all too familiar with.

For many sites, a simple search of common camera URLs will find Axis and other network cameras:

intitle:"AXIS" | inurl:view/view.shtml

A larger list of search URLs can be found here.

How would your organization handle a false bomb threat? Do you have publicly accessible web cameras? Do you know where they are? This may be yet another worthwhile Google alert search string to build.

Monday, July 20, 2009

SMS Two Factor Authentication and SIM cloning

Kees Leune pointed out the utility of Google's SMS two factor authentication earlier today. Using this becomes an interesting potential vulnerability when combined with the much-discussed Nokia 1100 cloning vulnerability that has come up repeatedly in recent months. The threat model used by criminals in Europe is described in the Ultrascan article:

Further investigations revealed that, in particular East European gangs, were buying this German Nokia 1100, were able to hack this model to insert any mobile phone number and use it for criminal purposes, especially to intercept the mobile (sms) TAN code during on-line banking fraud.

This doesn't mean that you shouldn't use the two factor authentication for your password resets - an additional hurdle to attackers resetting your password is a good one. Instead, you simply need to remain aware that any service that allows resets could be attacked. The Nokia 1100 is only a first example of what will likely be an ongoing threat as we use SMS and other technologies for more of our transactions.

Friday, July 17, 2009

Baby Pictures and Social Engineering

Creative Commons attribution licensed image courtesy of The Consumerist

The Times Online covers a study by Edinburgh psychologists who found that a wallet with baby pictures was the most likely to be returned. The study showed that only 10% of wallets with baby pictures were not returned, a far higher rate than any other wallet and picture combination. The article notes that a related study found a hardwired response pattern in the brain to baby pictures, meaning that some elements of our reactions might be hard to overcome.

The flaw in the study - at least for those security practitioners who are now pondering putting baby pictures on all of their possessions? The wallets didn't contain any items of real value - no cash or credit cards, meaning that their return rates were likely higher than might have been seen with wallets with a reward for those who don't return them.

As for cute kittens chewing on wallets? I'm not sure if it guarantees more hits...

Thursday, July 16, 2009

The State Department and Facebook

Creative Commons attribution licensed image courtesy daveynin.

The Register's recent article about the U.S. State Department and Firefox carries an interesting observation tucked into the end of the article - the State Department is using Facebook. The most telling quote:

"For example, an astute consular officer in Hermosillo recently used Facebook to determine a visa applicant’s ineligibility based on information contained on the applicant’s Facebook page, proving its value as an anti-fraud tool."

While many college advisers have been counseling students to avoid posting information on Facebook, and articles noting that businesses are checking out potential employees using it, this should serve as a warning to those applying for a visa, or a government job - at least some government agencies are paying attention to social media sites. Of course, if your profile isn't public, you're likely safer for now, unless the cute girl you added turns out to be a government agent.

Of course, Facebook users can already use TrueScoop to go the other route by checking public records of people that they know. Privacy is being eroded quickly on both sides of social networking, and ease of access to personal detail is increasing.

Twitter's Password is...Password?

TechCrunch reports that the Twitter search product interface was accessible with username "Jack" and password "password". Their take is that this is part of a culture of lax security at Twitter. For screenshots and more detail, click through to the article.

The best part? The screenshot with Twitter's own interface noting that the password is obvious.

Monday, July 13, 2009

CVV2 Irony Redux

Creative Commons attribution licensed image courtesy of Flickr user Andres Rueda

After my recent post about How Not To Sell CVV2's, it was only a matter of time until a CVV2 spammer posted a reply. Yesterday, one came in. Rather than post it, I'll list some of the interesting details.

Here's the price list:
1 US ( visa,master) = 2$/1cvv ( buy > 50 Price $1.5/1cvv)
1 US (Amex,dis) = 3$/1cvv ( buy > 50 price $2/1cvv)
1 US with DOB = 12$/1cvv
1UK = 6$/ ( Buy > 50 price 5$/1cvv)
1UK CVV with DOB = 15$/CVV ( Buy > 50 CVV Price 12$ = 1CVV)
1 Ca CVV = 8$/CVV
1 CA CVV(Amex,dis) = 7$/cvv
1 EU CVV = 15$/CVV
1 EU CVV(Amex,dis) = 15$/cvv
1 US CVV full info = 80$/CVV
1 UK CVV full info = 100$/CVV

In general, prices for non-US countries were higher, as were prices for a credit card with full details on the owner, or one with a date of birth associated with it.

The seller provided ICQ, MSN, and Yahoo contacts, a website, and payment methods via both LibertyReserve and WMZ. They also specified that they did not sell dumps with pins, bank logins, or ATM skimmers. Interestingly, the poster also offered rapidshare premium accounts, including a bonus free account if you bought more than 30 CVV2 numbers. Differentiation in the marketplace is definitely occurring.

Sunday, July 12, 2009

Self Defending ATMs: South African ATM Security

The Guardian describes South African ATMs designed to help combat the high incidence of ATM theft and destruction - over 500 in a single year. The article describes a variety of methods used to break into ATMs including explosives.

Pepper spray seems like a poor deterrent for thieves willing to use explosives to break into an ATM - but it may at least deter more casual criminals. Of course, the article notes that technicians have been amongst those who have suffered from the pepper spray, which they inadvertently activated. This also creates a hazard to those in the surrounding area, as pepper spray can spread and affect customers or others downwind.

In a highly hostile environment, self defending ATMs seem like an obvious step - but pepper spray may not be the best solution for others in the area. For now, law enforcement can look for the ATM using customers wearing gas masks.

Thursday, July 9, 2009

MacOS Security Compliance: Shell Scripting Compliance Checks

Creative Commons attribution licensed photo courtesy of juanpol

While many compliance tools exist for Windows, MacOS often gets less attention. Despite its overall lower rate of compromise, ensuring MacOS compliance with security configuration standards is still important. Tools like the CIS benchmarks exist, but may not be exactly what you want, or you may want the ability to check other arbitrary settings or files.

Since manually testing MacOS for security compliance can be a chore, an automated approach via scripting can make things easier. One of the talented MacOS administrators that I work with recently built a compliance check tool that integrates with an internally designed and built inventory and compliance check application. This allows any MacOS system that runs the inventory script to also pull an up to date copy of the compliance script and to report back to the inventory server about its current status. The local run also lists anything that is out of compliance, as well as the setting required by the standard.

The good news is that his techniques are broadly applicable, and easily adapted to your own compliance standards. If the CIS benchmarks aren't well suited to your needs, or if you can't deploy CIS-CAT to the platform, this shell code can check many of the common configuration variables that you may use in your environment.

Here's an example of how to check whether the login window displays name and password fields, or if it is defaulting to a list of users. Note that the code is modularized, with each compliance check separately annotated and documented internally, allowing additional compliance settings to be added, or for values to change easily if the standard is updated.
## Display Login Window as Name and Password Fields
DISPLOGIN=`defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME` ## should return 1
if [[ "${DISPLOGIN}" != 1 ]] ; then
    DISPLOGIN="List of Users"
    SecStandardCompliance="false"
    echo " ** SecStandardCompliance failed: Login Window displays as List of Users. Please set to \"Name and Password\" in Accounts System Preference."
    arrSecurityStandardExceptions=( "${arrSecurityStandardExceptions[@]}" "1011" "${DISPLOGIN}" "Name and Password Fields" ) ## Login Window as Name and Password fields
fi
This script does a few simple, but clever things - first:
DISPLOGIN=`defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME`
This checks the preferences - basically a true/false check for the name display. Each step in the script uses a similar check to verify one or more settings related to a configuration option required by the standard. These steps are then used to build a true/false answer to the question: is the system compliant with the setting required by the standard?

Next, the script handles non-compliant systems:
DISPLOGIN="List of Users"

SecStandardCompliance="false"

This sets a variable to a string describing the non-compliant setting, and sets the overall compliance of the system to false - any single setting can take a machine out of compliance. For some organizations, this might be a score based approach, but in our environment, we want to flag any setting that doesn't match.

The script then notifies the local console of the exception:
echo " ** SecStandardCompliance failed: Login Window displays as List of Users. Please set to \"Name and Password\" in Accounts System Preference."
The important action here is that a local user would be told what was wrong, where to find it, and what the required setting is. This means that printing out the results of this script, or simply leaving the window open will provide the local user or administrator with a checklist and instructions that most users should be able to follow.

Finally, the script talks to the central inventory server - not a necessity, but in our case, a great way to add more power to the compliance check. This allows central reporting and long term tracking, which is attractive to our IT organization, and to our system administrators.
arrSecurityStandardExceptions=( "${arrSecurityStandardExceptions[@]}" "1011" "${DISPLOGIN}" "Name and Password Fields" ) ## Login Window as Name and Password fields
This code segment simply records the issue (an exception code, the observed value, and the required value) so that the wrapper script that invokes the compliance check can add it to the database when it runs.

What else can you check? With a little cleverness, you can check:
  • AV installation status and version
  • If OS 9 is installed
  • Software update settings and frequency, and if all "recommended" patches are installed
  • If UID accounts other than root are allowed
  • If fast user switching or autologin are enabled
  • Screensaver settings
  • Non-essential service status
  • Internet sharing status to determine if bridging or sharing are enabled
  • Default umask settings
  • Firewall settings
  • Encrypted swap space use
Some of these tests are more complex than others - the following code checks for use of encrypted swap space:
## Use Encrypted Swap Space
## OSVERS (Tiger, Leopard or SnowLeopard) is expected to be set earlier in the
## script (not shown here). Leopard and later keep the setting in a preferences
## file; Tiger records it in /etc/hostconfig.
if [[ "${OSVERS}" == "Leopard" || "${OSVERS}" == "SnowLeopard" ]] ; then
    ENC_SWAP=`defaults read /Library/Preferences/com.apple.VirtualMemory UseEncryptedSwap`
    if [[ "${ENC_SWAP}" != "1" ]] ; then
        ENC_SWAP="Disabled"
        SecStandardCompliance="false"
        echo " ** SecStandardCompliance failed: Please enable the use of encrypted virtual memory."
        arrSecurityStandardExceptions=( "${arrSecurityStandardExceptions[@]}" "1028" "${ENC_SWAP}" "Enabled" ) ## Encrypted Swap Space
    fi
elif [[ "${OSVERS}" == "Tiger" ]] ; then
    ENC_SWAP=`grep ENCRYPTSWAP=-YES- /etc/hostconfig 2>/dev/null`
    if [[ -z "${ENC_SWAP}" ]] ; then ## if the string is blank; that is, ENCRYPTSWAP=-YES- was not found
        ENC_SWAP="Disabled"
        SecStandardCompliance="false"
        echo " ** SecStandardCompliance failed: Please enable the use of encrypted virtual memory."
        arrSecurityStandardExceptions=( "${arrSecurityStandardExceptions[@]}" "1028" "${ENC_SWAP}" "Enabled" ) ## Encrypted Swap Space
    fi
fi
There are still a number of items that you might have in your security standard that might not be easy to check with a script - either because they don't generate a file, because the settings that they require are not stored in a location that can be processed by a script, or because they are external to the system itself, but a script like this can give MacOS administrators a real leg up on checking their configurations.
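As an added example (not the author's script or anything from the original post), here is the check / flag / notify / record pattern described above factored into one reusable function, so each compliance item becomes a single call and the exceptions come out as tab-separated records ready for an inventory server. Function names, the record format and the use of a plain string instead of a bash array (so it also runs under /bin/sh) are this example's own choices; the 1011 and 1028 codes are reused from the post.

```shell
# Added example, not from the original post or the author's script: the
# check / flag / notify / record pattern as one reusable function. Exceptions
# are stored as "code<TAB>actual<TAB>required" lines in a plain variable
# rather than a bash array so the script also runs under /bin/sh.

SecStandardCompliance="true"
SecStandardExceptions=""    # one record per line: code<TAB>actual<TAB>required

reset_compliance() {
    SecStandardCompliance="true"
    SecStandardExceptions=""
}

# read_default DOMAIN KEY: `defaults read` that prints nothing when the key
# (or the tool, on a non-Mac) is missing, so "" means "unset" to the caller.
read_default() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# hostconfig_flag FILE KEY: 1 when FILE contains KEY=-YES- (the Tiger-era
# /etc/hostconfig convention the post greps for), otherwise 0. Normalising
# to 1/0 lets Tiger and Leopard checks share the same comparison below.
hostconfig_flag() {
    if grep -q "^${2}=-YES-" "$1" 2>/dev/null; then echo 1; else echo 0; fi
}

# check_setting CODE DESCRIPTION ACTUAL REQUIRED HINT
# On mismatch: flip the machine-wide flag (any single failure is enough),
# tell the local user what is wrong and how to fix it, and append a record.
# Always returns 0 so a failing check never aborts a `set -e` script.
check_setting() {
    code=$1; desc=$2; actual=$3; required=$4; hint=$5
    [ "$actual" = "$required" ] && return 0
    SecStandardCompliance="false"
    echo " ** SecStandardCompliance failed: ${desc} is '${actual:-unset}', required '${required}'. ${hint}"
    rec=$(printf '%s\t%s\t%s' "$code" "${actual:-unset}" "$required")
    if [ -z "$SecStandardExceptions" ]; then
        SecStandardExceptions=$rec
    else
        SecStandardExceptions=$(printf '%s\n%s' "$SecStandardExceptions" "$rec")
    fi
    return 0
}

# exception_count: number of recorded exceptions (0 when none).
exception_count() {
    printf '%s\n' "$SecStandardExceptions" | grep -c . || true
}

# report_exceptions: the records, one per line, as the wrapper would upload.
report_exceptions() {
    [ -n "$SecStandardExceptions" ] && printf '%s\n' "$SecStandardExceptions"
    return 0
}

# The two checks from the post as single calls. On a Mac these read the live
# settings; on any other system `defaults` is absent and both report "unset".
check_setting 1011 "Login Window display (SHOWFULLNAME)" \
    "$(read_default /Library/Preferences/com.apple.loginwindow SHOWFULLNAME)" 1 \
    "Set the Login Window to \"Name and Password\" in the Accounts System Preference."
check_setting 1028 "Encrypted swap (UseEncryptedSwap)" \
    "$(read_default /Library/Preferences/com.apple.VirtualMemory UseEncryptedSwap)" 1 \
    "Enable the use of encrypted virtual memory."
echo "SecStandardCompliance=${SecStandardCompliance}"
report_exceptions
```

On Tiger, pass `"$(hostconfig_flag /etc/hostconfig ENCRYPTSWAP)"` as the ACTUAL argument of the 1028 check instead of the `defaults` read.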

Monday, July 6, 2009

Prison Makers: Escape Tools and Prison Ingenuity in Pictures

Mark Steinmetz has an amazing set of pictures of objects made by German prisoners. These should serve as a reminder that ingenuity and creativity can overcome many physical security precautions - and that even the most secure environment can provide tools.

EDUCAUSE: The Career of the IT Security Officer in Higher Education

A paper titled "The Career of the IT Security Officer in Higher Education" by Marilu Goodyear, Gail Salaway, Mark R. Nelson, Rodney J. Petersen, and Shannon Portillo was released on July 1st. The paper details research and results of surveys and interviews with higher education security officers, reviews of job postings, and other data. Of note, over 300 individuals responded to the survey from a total of 1685 institutions, resulting in a large sample group.

Details include the reporting lines of the security officers, their previous employment and skillsets, as well as their education and certification levels. Over 90% of the security officers have at least a bachelor's degree, with over 40% having an advanced degree. CISSPs have the greatest showing, which makes sense for a management position, but GIAC and CISM and CISA certifications also make a strong showing.

Those interested in the field will also find the salary table on page 18 of the report noteworthy, with a median range of $70-90,000 across the full range of schools, and a maximum in the $170-190,000 range.

The paper is well worth a read even if you're not in higher education - the challenges described and the training that these security officers want are the same challenges and training that are needed across the board.

Thursday, July 2, 2009

The Case for Remote Control: Theft Recovery

While many corporate laptops are encrypted and password protected, forcing would-be thieves to sell them as-is, to wipe and reinstall them, or to part them out, personal laptops are far less often properly secured. In these cases, a remote control application can sometimes help with the recovery of a stolen laptop even when it isn't a GPS-enabled device.

One incident which I recently dealt with involved a personally owned laptop which the owner regularly accessed via a remote control application. In this case, the user apparently did not use a password for login, and conveniently, the thief or another person who ended up in possession of the laptop proceeded to use the laptop. The user was able to monitor the activity of the person using the laptop and gathered a variety of information, including personal information on the person, as well as their IP address, which they reported to the local police department.

This is where the user ran into a hurdle - the police department that was involved was not sure what to do with this information. This isn't horribly surprising - it is rare that stolen goods report information back about where they are. Fortunately, a little guidance and some cooperation with the ISP that the system was connected to got the right data into the right hands.

While there are a number of theft recovery applications on the market, this was done entirely using standard remote control software. Sadly, stolen laptop tracking applications and remote control applications are only helpful if the system is booted and allowed to contact the outside world, and technically sophisticated thieves, or those who are merely looking for a quick dollar are unlikely to put devices online.

The moral of the story? That's a tough one. First, a properly secured laptop would likely have been lost for good, but in this case the user's data was exposed when the laptop was stolen. Next, we face the issue of personally investigating crime. This could even prove to be dangerous if the user had been able to pin down the thief's actual location. Add in the fact that the person using the laptop might not be the thief, and the appropriate action becomes even harder to work out: once stolen, a laptop is often quickly sold, and having information about an unsuspecting third party could create a difficult situation for a user who takes a more vigilante approach.

In the end, the lessons learned are twofold:

  1. Secure and insure your systems, so that the loss can be handled, and keep a backup so that that loss doesn't cause significant disruptions.
  2. Have a plan in place as a security professional so that you can properly assist with a stolen laptop incident. Knowing what questions to ask, and who your contacts are with local law enforcement, as well as any useful actions you can take in your environment can make a stressful situation far easier to deal with.

Tuesday, June 30, 2009

OWASP AppSec Conference Videos Posted

Jason Dean at 12Robots.com points out that the OWASP AppSec conference videos are available on blip.tv.

A number of these look interesting to me, and the OWASP folks are sharp, so these should be worth watching.

Thursday, June 25, 2009

Firewall Troubleshooting: Looking For Round Numbers

A recent firewall issue reminded me of a co-worker's observation: look for round numbers.

Most firewalls - and many network devices - have a maximum session count. In our case, we had a maximum number of IP filter sessions which hadn't been hit during years of service. When reports of connection issues started to crop up, we went through our normal troubleshooting process - starting at the endpoints then tracking the traffic inwards.

In the end, a co-worker noticed that our IP filter use was at exactly 1500 - a suspiciously round number, and unsurprisingly enough the exact number set in the configuration for the device.

A simple fix later, we were able to restore connections and start troubleshooting what had opened so many new connections.

The moral of the story: use logging, and check for round numbers in your dashboards!

Know Your Audience: How Not To Sell CVV2's

The Society of Payment Security Professionals forum is a great resource for PCI compliance discussions. Sadly for user goodcvv_vn, it is not a good place to sell CVV2 codes.

The price list is, however, a great resource for my security talks - and of course, the offer to share free socks is compelling, as seen in the forum post, quoted here:

Sell cvv2 good& cheap....!!! and share free socks
Hello, I'm a new seller, Im from vietnam, I have any friend hacker
my cvv are the best for you

Ccv US is $ 1.5 per ccv (Visa)
Ccv US is $ 2 per ccv (master)
Ccv US is $ 3 per ccv (Amex + Discover)
Ccv UK is $ 4 per ccv (Visa + Master)
Ccv UK is $ 5 per ccv (Amex + swith)
Ccv Ca is $ 6 per ccv (Visa+ Master)
Ccv Ca is $ 9 per ccv (Visa Business + Visa Gold)
Ccv EU is $ 6 per ccv (Visa + Master)
Ccv EU is $ 7 per ccv (Amex + Discover)
Ccv Au is $ 6 per ccv

I can check balance in cvv,balance will be as you like and price agreements
if u buy over 50, I will sell for you good cheap, good price
I only accept payment with LibertyReserve
i will discount my price for u if u are reseller buy everyday or u buy many
all my cvv will be tested before sell, that's sure.
Please contact me: email redacted
on yahoomesenger: IM redacted

The use of LibertyReserve, a Costa Rica based payment processor, is also worth noting for those investigating payment card fraud.

Monday, June 22, 2009

Phone Recovery: A True Story

Kevin (happywaffle) tells the story of losing, then recovering his iPhone using the Find My iPhone feature. While what he did might be dangerous under certain circumstances, his story is interesting. It is likely only a matter of time until someone is hurt while trying to recover a stolen or lost phone, but this story offers an interesting perspective on recovering a location aware, remotely accessible device.

Thursday, June 18, 2009

Browser "Safe Site" Plugins

Jason Lam's recent ISC diary post about WOT reminded me that we haven't reviewed browser security plugins for site recommendations recently. There are at least two browser plugins that can be useful for less savvy users when browsing the Internet, including:

BlueCoat's K9 is a bit different and provides features including activity reporting, safe search enforcement, time restrictions, and many other features more appropriate to a parental controls environment.

What browser plugins do you recommend to your non-technical users?

Wireshark 1.2 Released, Portable Wireshark Reminder

Wireshark 1.2 is out, and if you're a Wireshark user, two of the features make this a worthwhile upgrade. First, a big bonus for casual and occasional users: display filters now autocomplete, meaning that searching for the proper syntax won't be quite as painful. Second, support for IP packet comparison was added, making one of the things I do often easier: comparing packets to determine where a break point is.

As a reminder, you can also run Wireshark as a portable app on a PortableApps enabled device. That makes Wireshark an easy tool to provide to your system administrators and security staff. Note that if WinPcap isn't installed, this portable version will install it as needed, then uninstall it when complete, so this isn't an entirely zero footprint portable app.

Thursday, June 11, 2009

Facebook Privacy: The App Gap

Joseph Bonneau's article "How Privacy Fails: The Facebook Privacy Debacle" points to deeper application data sharing concerns with Facebook's enforcement. His digging showed session parameters being passed to third parties, in violation of Facebook's rules. More details on this issue can be found here.

These issues will make a great addition to awareness materials I'm preparing - while AllFacebook's 10 Privacy Settings are becoming more widely known, the risks of providing data to the whole host of quizzes, tests, and throwaway apps that populate Facebook are still largely unexplored by most users.

Wednesday, June 10, 2009

Changing Gmail For The Better - A Campaign for S/MIME

Many of us use Gmail for daily personal use. Some use it in their enterprise. What's missing? S/MIME support.

Fortunately, Google allows you to suggest desired functionality. Please join me in suggesting S/MIME support be added to Gmail.

Security bloggers and others, I invite you to make the same call to your audience. S/MIME support would offer a host of benefits, from greater functionality for Google's enterprise and higher education Gmail platforms to better trust models amongst Gmail users.

Tuesday, June 9, 2009

The Rise and Fall of E-Gold

Wired has a great article about the rise and fall of E-Gold, including details on how carders and others used the service to transfer funds. Well worth a read.

Homework Submissions: Beating Corrupted Files

Bruce Schneier recently wrote a blurb on the discussion of corrupted files for homework submission that has been making the rounds. Fortunately for professors and instructors, there are a number of ways to deal with corrupt files:

  1. For these specific files, MD5 checksums have already been created.
  2. For most Office documents, some data can be viewed by simply opening the file in Notepad or vi. This will help determine whether the file has any actual relevant content, and will point to a fake file quite quickly.
  3. Simply checking files soon after they are submitted means students don't gain much of a delay. This is also a good time to check the creator and other metadata on the files.

While turning in a corrupted file may sound clever, it shouldn't work more than once on technically aware faculty members. Students will have to return to trying to get their email timestamped earlier than the submission date, or any of the other tricks that are often attempted when submitting electronically.
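A quick triage of a submitted "corrupt" Office document in the spirit of step 2 above, as an added example that is not from the post: a genuinely damaged .docx usually still carries the ZIP signature and its part names in clear text (ZIP directory entries are stored uncompressed), whereas a file of random or zero bytes has neither. The function names and verdict strings are this example's own, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post): quick triage of a "corrupt" Office
# submission. A real but damaged .docx/.xlsx still carries the ZIP signature
# and its uncompressed part names; a file of random or zero bytes has neither.
# Function names and verdict strings are this example's own; sample inputs
# are constructed by the caller.

# magic4 FILE -> first four bytes as lowercase hex (e.g. 504b0304)
magic4() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# container_type FILE -> zip (Office 2007+), ole (legacy Office) or unknown
container_type() {
  case "$(magic4 "$1")" in
    504b0304) echo zip ;;
    d0cf11e0) echo ole ;;
    *)        echo unknown ;;
  esac
}

# triage FILE -> "plausible" or "suspicious: <reason>"
triage() {
  case "$(container_type "$1")" in
    zip)
      # ZIP directory entries are stored uncompressed, so a real .docx/.xlsx
      # names its main part even when the compressed payload is damaged.
      if grep -a -q -e 'word/document.xml' -e 'xl/workbook.xml' "$1"; then
        echo plausible
      else
        echo "suspicious: zip header but no Office part names"
      fi ;;
    ole)
      echo plausible ;;
    *)
      echo "suspicious: not an Office container" ;;
  esac
}

# Usage: pass submitted files as arguments to print one verdict per file.
for f in "$@"; do
  printf '%s: %s\n' "$f" "$(triage "$f")"
done
```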

Friday, June 5, 2009

Sprinkling XSS In Your Cookies

Creative Commons attribution licensed image courtesy scuba67

A recent web application vulnerability scan came back with an interesting result - automated cross site scripting tests were showing positive results in cookies.

"Wait! That can't be!" you say, knowing that cookies typically don't contain user visible content that their browser would interpret.

That was my reaction as well, so I went digging. Our environment uses ColdFusion for some application development, so most cookie handling is done via ColdFusion's built in cookie management tools. How was a cookie's content being rolled into the page?

Further digging showed that the error only showed on error pages, and consultation with the developer said that those pages were automatically generated by ColdFusion, and were not custom to his application. This is where having sharp developers comes in handy - the developer paused, looked more closely at the page and noted that he had requested a scan in our development environment - and that the ColdFusion error messages were disabled in our pre-prod and production environments.

Users would never see the XSS in any public facing environment - and, better, would only see the XSS in an error page, not in any valid user page. A false positive due to compensating controls and a very low risk profile even without them.

So, yes, you can have XSS in cookies, but it isn't as tasty as it might sound.

And the sharp developer? He and a co-worker went back through their ColdFusion framework and wrote back to me that the discovery had inspired them to armor their standard framework against similar issues in the future - they proactively updated it and will add that update to all of their standard framework applications.

Data Breaches, Lawsuits, and Auditors - Oh My!

Wired's Threat Level writer Kim Zetter reports that Savvis is being sued as part of the 2005 CardSystems breach. Zetter notes that this is a legal first, making this an intriguing case to follow: the suit targets Savvis' role as a Cardholder Information Security Program (CISP) auditor. This predecessor to our broadly adopted and audited PCI-DSS standards was expected to help ensure that a compliant entity was secure.

Additional coverage can be found on various security sites around the net, such as SC Magazine, which observes that the breach occurred almost a full year after the certification - enough time for a multitude of compliance issues to creep into any environment if not carefully maintained and re-assessed.

Zetter also notes that credit card companies are aware that even those companies that have clean audit results are often vulnerable. This creates an interesting scenario - companies are required to meet PCI standards, and pay for certified auditors to assess their systems. Should they then be indemnified against compromises? Where does responsibility for incorrect audits and assessments lie?

Unfortunately, it is rare for organizations to meet all of the standard completely, and exceptions and local accommodations are common. Even when an organization meets all of the standards, it can still be vulnerable. The PCI-DSS standards are a step forward for credit card processor security, but this lawsuit is likely only the first in a series of lessons the entire industry will learn about auditing and standards compliance.