Friday, October 19, 2007

Interesting physical security government resources

Most of us deal with network and information security on a daily basis. At times, it can be both edifying and daunting to read about what those on the front lines of physical security deal with.

Two of my favorites are the FBI list of concealed and hidden weapons, and the DEA's Microgram Bulletin, which lists concealed drugs - an interesting read for security analysts. Cocaine in hammock supports, other drugs in trailer hitches, and more.

If you've found an interesting resource like these, drop a link in the comments!

Thursday, October 18, 2007

MacOS 10.5 - Leopard security features

If you're a Mac user, you've probably been looking forward to MacOS 10.5. The official release feature list has been posted, and there are a few security standouts on the list:

  • Library randomization is included to make stack attacks more difficult.
  • Firewalling is more granular at the application behavior level. This is good news, and I'll be interested in trying it out to see how much control we will get.
  • Stronger disk encryption - AES 256 is now supported for those with high encryption requirements.

There are a number of other security features included. Time Machine, Apple's automatic backup and versioning system, may be the most interesting for security analysts, as it may preserve data that users or attackers believe they have removed from the system.

Thursday, October 11, 2007

Help fund a MacOS port of TrueCrypt

If you're like me, you use TrueCrypt for storing sensitive data. While MacOS has a capable encryption capability, having portable encrypted volumes is nice. There's a community effort to fund a port of TrueCrypt for MacOS - a great way to help make software you want available.

Make sure you read the Fundable FAQ - it is an interesting service, based on a 7% fee for funds gathered. Slashdot has discussed uses of Fundable for open source software projects, and other sites have discussed it as well.

Wednesday, October 10, 2007

Who is Abe Torkelton? - finding a webform bot

A recent web form hit made me curious, and a little bit of digging showed interesting behavior. Here's a bit about the observable anatomy of a form crawler bot going by the alias of "Abe Torkelton".

The bot has been tracked before, and apparently may show up as "Jorge Gonzales" leaving a phone number of 617-750-5939.

Hundreds of websites show in Google with hits from a registered user with a user string in the form:

Abe ???Torkelton????@cape-mail.com

The first three wildcards are letters, the last four are numbers - apparently part of a unique ID for the testing bot. Many more of these registrations can be seen by simply googling for either "Abe Torkelton" or "cape-mail.com".

The domain itself is registered through a domain proxy service run by gkg.net. This effectively hides the identity of the person running the bot.

What is the data being used for? I don't know yet - but somebody is finding every web form that they can submit user data to across the Internet, and they're seeing how those websites respond. Check your logs folks - this one is interesting to see.
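One way to act on the "check your logs" advice: a small log filter that matches the user-string pattern described above (three letters, "Torkelton", four digits, at cape-mail.com) and reports the source and the bot's apparent unique ID. This is an added example, not part of the original post; the CSV-style registration log format and the log lines themselves are constructed for illustration.

```python
import re
from typing import Optional

# Pattern from the post: "Abe " + 3 letters + "Torkelton" + 4 digits + "@cape-mail.com".
# \s* tolerates the space shown in the post as well as a space-free variant.
BOT_PATTERN = re.compile(
    r"Abe\s*(?P<letters>[A-Za-z]{3})Torkelton(?P<digits>\d{4})@cape-mail\.com",
    re.IGNORECASE,
)

# Constructed sample registration log: timestamp,source_ip,username,email
SAMPLE_LOG = """\
2007-10-09T12:01:02,198.51.100.7,alice,alice@example.org
2007-10-09T12:03:44,203.0.113.9,Abe qzkTorkelton4821,Abe qzkTorkelton4821@cape-mail.com
2007-10-09T12:04:01,203.0.113.9,Abe rrTorkelton12@cape-mail.com,Abe rrTorkelton12@cape-mail.com
2007-10-09T12:05:13,192.0.2.55,bob,bob@example.net
2007-10-09T12:09:58,203.0.113.9,Abe LMNTorkelton0042,Abe LMNTorkelton0042@cape-mail.com
"""


def match_bot(field: str) -> Optional[dict]:
    """Return the letters/digits of the bot's unique ID if the field carries its user string."""
    m = BOT_PATTERN.search(field)
    if not m:
        return None
    return {"letters": m.group("letters"), "digits": m.group("digits")}


def scan_log(text: str) -> list:
    """Return (line_number, source_ip, bot_id) for every hit, so the source can be reviewed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split(",")
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        info = match_bot(parts[3])
        if info:
            hits.append((lineno, parts[1], info["letters"] + info["digits"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: bot id %s" % hit)
```

The third sample line deliberately has only two letters and two digits, so it is not flagged; a practitioner would tune the pattern once real log samples show which variants the bot actually uses.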

UPDATE:

Thanks to comments on this post, I've posted an update.

Tuesday, October 9, 2007

SSN: when a unique ID isn't.

As regular readers know, I work in higher education. I switched employers earlier this year, and recently discovered that the switch led to some interesting issues with insurance. The description below is the best fit to what appears to have happened; however, it is written with no inside technical confirmation.

The sequence appears to be:

  1. End employment at former employer A, with insurance provided by insurance company X.
  2. Start employment with new employer B, employer B also uses insurance company X.
  3. Employer B insurance starts, and is identified by SSN to company X.
  4. Employer A carries my insurance through for a few weeks, then sends notice to the same insurer to terminate insurance for my SSN.

This led to my insurance being invalid, despite my current employer, B, believing that it was active. It also points to some interesting flaws behind the scenes.
  • A trusted entity can end insurance for a given SSN.
  • A trusted entity can declare themselves authoritative or is by default authoritative for a given SSN.
  • Crossovers are not flagged for activity - if employer A makes a change, then employer B makes a change, then A makes a change, this is not caught and investigated.
  • There is no regular feed that updates this information.
  • SSNs are used as unique IDs for the insurance - and even if you select a non-SSN ID (which the insurer offers) they appear to still be the primary key for your account.
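To make the flaws above concrete, here is an added model (not the insurer's actual system, and written only from the sequence described in this post) that replays the four steps against two versions of an SSN-keyed coverage table: one where any trusted employer can terminate an SSN, and one where a termination from an employer other than the current sponsor is treated as a crossover and flagged instead of applied. Employer names and the SSN value are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Coverage:
    """One person's record at the insurer, keyed by SSN only, as the post suggests."""
    sponsor: str          # employer currently sponsoring the coverage
    active: bool = True


@dataclass
class NaiveInsurer:
    """Flaw as described: any trusted employer can end coverage for a given SSN."""
    records: dict = field(default_factory=dict)

    def enroll(self, ssn: str, employer: str) -> None:
        # A later enrollment simply overwrites the sponsor; no crossover is recorded.
        self.records[ssn] = Coverage(sponsor=employer)

    def terminate(self, ssn: str, employer: str) -> None:
        if ssn in self.records:
            self.records[ssn].active = False   # employer A silently ends B's coverage


@dataclass
class CheckedInsurer(NaiveInsurer):
    """Same table, but a termination from a non-current sponsor is flagged, not applied."""
    flags: list = field(default_factory=list)

    def terminate(self, ssn: str, employer: str) -> None:
        rec = self.records.get(ssn)
        if rec is None:
            return
        if rec.sponsor != employer:
            # Crossover: A and B disagree about who is authoritative for this SSN.
            self.flags.append((ssn, employer, rec.sponsor))
            return
        rec.active = False


def replay(insurer: NaiveInsurer, ssn: str) -> bool:
    """Replay the post's sequence; return whether coverage is still active afterwards."""
    insurer.enroll(ssn, "A")        # precondition for step 1: covered through employer A
    insurer.enroll(ssn, "B")        # steps 2-3: employer B enrolls the same SSN
    insurer.terminate(ssn, "A")     # step 4: employer A's late termination notice arrives
    return insurer.records[ssn].active


if __name__ == "__main__":
    print("naive:", replay(NaiveInsurer(), "000-00-0000"))    # constructed placeholder SSN
    print("checked:", replay(CheckedInsurer(), "000-00-0000"))
```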

Monday, October 1, 2007

Reconnaissance: LinkedIn and social engineering

I attended Ed Skoudis's SANS 504 track in Las Vegas last week, and picked up a lot of useful tidbits. One of the more interesting offhand comments Ed made was about using LinkedIn to assess what vendors a given organization is buying from based on their recent link adds.

It makes for a fun exercise, and could potentially be useful when doing recon of an organization for penetration testing. A quick look at my own contacts lends some credence to the idea, and given a bit of other research, a LinkedIn survey seems like a clever method to get a few extra bits of information.

Does this mean that using professional social networking should be banned? Probably not, but it is a great reminder of the level of detail an intelligent aggressor can gather given a bit of cleverness and time.