Monday, December 15, 2008

McCain Campaign BlackBerry Sold Full Of Confidential Contact Data

Washington D.C.'s Fox 5 news bought a used BlackBerry from the McCain campaign as they shut down. The contents were surprising:

"When we charged them up in the newsroom, we found one of the $20 Blackberry phones contained more than 50 phone numbers for people connected with the McCain-Palin campaign, as well as hundreds of emails from early September until a few days after election night."

Laptops were also sold, although no word has come out about remnant data on them. This once again points to the importance of wiping devices or destroying them. While destruction results in no residual benefit to the original owner, it can prevent data loss, which may save more money than the small gains from re-sale. In this case, a $20 selling point for the BlackBerries is likely far outweighed by the negative publicity and anger of those whose contact information was exposed.

How difficult is it to wipe a BlackBerry? In many cases, it is incredibly easy. For BlackBerries that have security set up, simply typing in the wrong password enough times will wipe them. Others, such as the 8800 series, have a simple wipe process:
  1. Go to Options
  2. Select Security Options
  3. Select General Settings
  4. Click the Menu key
  5. Select Wipe Handheld
  6. Click Continue
  7. Type in the word blackberry

Thursday, December 11, 2008

Cell Phone Jammers As A Skimming Control

Lets Japan points out that a Japanese bank has begun to deploy cellphone jammers near its ATMs to prevent skimming attempts, which increasingly use SMS messages from a cellphone-equipped reader device to phone home.

According to Lets Japan, "Chiba Bank installed phone signal-jamming devices at 4 unmanned ATMs at bank branches in the Tokyo metropolitan area Dec. 10. It is the first use of the device in a financial institution in Japan."

This isn't likely to occur legitimately in the US due to the Communications Act - the FCC rule can be seen here, and notes that, "Fines for a first offense can range as high as $11,000 for each violation or imprisonment for up to one year, and the device used may also be seized and forfeited to the U.S. government."

Monday, December 8, 2008

I thawte this was interesting...

The Daily WTF has a post of failure from last Friday regarding Thawte's Personal Email Certificates website regarding the leakage of other users' personal security questions:

It didn't take Eric too long to realize what was happening. For some bizarre reason, Thawte was completing his questions by using other users' questions. When he typed in simply What was, it shot back What was Seti 1...

I was able to verify the behavior myself. I typed "When was" in the question box and was greeted with the response: "When was "M" born". I typed "do you" and got "do you live alone". Granted, you don't get answers to questions, nor are they tied to particular users. However, it's hard to argue that it's not a leak of useful data that could be used to attack other users of the site.

From a design perspective, I can't possibly imagine why any users' questions would have any impact on other users' questions (although I could probably conjure up a couple of explanations for the behavior).

So, what happens when you can't trust the Web of Trust?

Sunday, December 7, 2008

CheckFree's DNS Compromise - DNS In A Dangerous World

CheckFree, a major Internet bill payment site recently acquired by Fiserv, had the DNS for its customer sign-in page modified on Tuesday, resulting in users being redirected to a Ukrainian malware site that attempted to infect them with a password theft trojan.

According to Brian Krebs' article about the incident, the root of the compromise was a DNS re-direct -

"It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar. Susan Wade, a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine."
This of course indicates that a trusted user's credentials were phished. Interestingly, according to Krebs, as many as 71 other sites were also re-directed, making this a reasonably large attack, and likely one that foreshadows a trend that we will see this year. As site security improves, and more time is spent on front-facing web application security, phishing and compromise of DNS and hosting platforms become more attractive.

Sadly, it took until today for CheckFree to notify customers in any detail via email. CheckFree's customer email lists the conditions that might mean a user of the site was infected, but does not provide detailed information about the malware or a link to any. Customers might be affected if:
  • You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
  • You were using a computer with the Windows operating system, and
  • You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
  • After reaching the blank screen, your computer's virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.
CheckFree offers further help, with a direct 1-800 number for those affected as well as the promise that "We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter."

For now, users who were affected will need to clean their systems, reset passwords, and make sure that they are using better browser and system security to help prevent future compromises.
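A registrar-level hijack of the kind described above has a simple observable: the zone's authoritative NS records change, and the sign-in host starts resolving to an address outside the operator's own netblocks. The following added example (not code from the original post, CheckFree or Network Solutions) checks both against a known-good baseline. The baseline, the `.example` name server names and the RFC 5737 documentation addresses are all constructed; a real monitor would feed in the answer from a query of the parent zone on each run.

```python
"""Detect unexpected changes to a domain's DNS delegation and login-host addresses.

Added example, not code from the original post. Baseline and "observed"
answers below are constructed; a real monitor would feed in answers from a
DNS query of the parent zone each interval.
"""
import ipaddress
from dataclasses import dataclass, field


def normalize(names):
    """Case-fold and drop trailing dots so 'NS1.Example.NET.' equals 'ns1.example.net'."""
    return {n.lower().rstrip(".") for n in names}


@dataclass
class DelegationCheck:
    domain: str
    expected: set
    observed: set
    added: set = field(init=False)
    removed: set = field(init=False)

    def __post_init__(self):
        self.added = self.observed - self.expected
        self.removed = self.expected - self.observed

    @property
    def drifted(self):
        return bool(self.added or self.removed)


def check_delegation(domain, baseline_ns, observed_ns):
    """Compare the NS set seen now against the known-good set."""
    return DelegationCheck(domain, normalize(baseline_ns), normalize(observed_ns))


def foreign_ips(observed_ips, allowed_networks):
    """Return observed addresses that fall outside every allowed CIDR block."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    return [ip for ip in observed_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def summarize(check):
    if not check.drifted:
        return f"{check.domain}: NS delegation unchanged"
    parts = []
    if check.added:
        parts.append("added " + ", ".join(sorted(check.added)))
    if check.removed:
        parts.append("removed " + ", ".join(sorted(check.removed)))
    return f"{check.domain}: NS DRIFT ({'; '.join(parts)})"


# Constructed baseline: placeholder names and RFC 5737 documentation addresses.
BASELINE_NS = ["ns1.registrar.example", "ns2.registrar.example"]
ALLOWED_NETS = ["192.0.2.0/24"]          # pretend this is the operator's own range
OBSERVED_OK = ["NS2.registrar.example.", "ns1.registrar.example"]
OBSERVED_HIJACK = ["ns1.attacker-controlled.example"]

if __name__ == "__main__":
    for obs in (OBSERVED_OK, OBSERVED_HIJACK):
        print(summarize(check_delegation("example.com", BASELINE_NS, obs)))
    # The sign-in host suddenly resolving outside our netblock is the second tell.
    print("foreign A records:", foreign_ips(["192.0.2.10", "198.51.100.7"], ALLOWED_NETS))
```

Normalizing case and trailing dots matters: different resolvers return the same delegation in different forms, and a monitor that alerts on those differences gets ignored long before the real change arrives.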

Wednesday, December 3, 2008

Spoofing Face Recognition Software

Gizmodo via CNET's Crave has an interesting overview of BKIS's face recognition software exploits. As described, they modify a relatively low resolution image of a person from Facebook or another site with pictures available. A tweaking process creates an image that is highly compatible with the face recognition software, allowing a malicious third party to log in to that user's system.

Wednesday, November 26, 2008

Reading RFID tags - Adam Laurie's RFIDIOt and the CardMan 5321 USB reader

As I noted in my last post, Improvised RFID Blocking Wallets: Preventing PayPass Skimming, I have recently been working with an OmniKey Cardman 5321 USB RFID reader in Windows. The reader is compatible with a broad range of RFID cards (From Omnikey's website):

  • Philips/NXP: MIFARE®, DESFire®, MIFARE ProX®, and i.code
  • HID: iCLASS®
  • Texas Instruments: TagIT®
  • ST Micro: x-ident, SR 176, SR 1X 4K
  • Infineon: My-d (in secure mode UID only)
  • Atmel: AT088RF020
  • KSW MicroTech: KSW TempSens
  • JavaCard: JCOP / SMART-MX in RSA mode with 2048 bit keys
Omnikey provides drivers, as well as a simple diagnostic tool which can read tag IDs and can provide basic information about the contents of the tag. If you want to do more with RFID, you need a more full featured software package, and Adam Laurie's RFIDIOt handily answers that call. RFIDIOt reads ICAO 9303 encoded Machine Readable Travel Documents, and both Data Group 61 (MRZ) and Data Group 75 (Encoded Information Features - FACE), as well as many other data types.

To make RFIDIOt work, I installed Python 2.5.2, as some of the packages it relies on work with 2.5, but not with 2.6. You'll need the following software packages to make it all work:
You can ignore the need for PCSCLite for the purposes of this install.

You will also need to modify RFIDIOtconfig.py to use the USB device. Simply modify the section that reads:

# serial port (can be overridden with -l for Windows)
line= "SERIAL"

with the following:

# serial port (can be overridden with -l for Windows)
line= "USB"

A simple re-compile of RFIDIOtconfig.py results in an updated RFIDIOtconfig.pyc, and you're ready to go.
Once you have done this, you should be able to test your reader by executing multiselect.pyc, which is a simple looping tag ID reader. If you see the tag IDs when the green LED on your CardMan turns red, you've succeeded.

RFIDIOt presumes that you will have a directory in your system root called /tmp - if you want to capture any data for testing, you'll need to manually create the directory on Windows systems.

Friday, November 21, 2008

Improvised RFID Blocking Wallets: Preventing PayPass Skimming

Many credit card users do not realize that they have PayPass enabled RFID credit cards in addition to the new RFID enabled US Passports. These RFID enabled devices are easily read at distances compatible with casual contact in a crowded environment such as a subway or an airport, and various data can be gathered from them (US passports require key data to decrypt the data stream). More and more people carry fob based RFID PayPass tokens, or have PayPass cards, making the wireless exposure of their card data far more likely.

How can we combat this? The good news is that commercial RFID blocking wallets are available, and various people have created their own versions such as the duct tape and tin foil wallet. The resourceful traveler can easily replicate their functionality on an ad-hoc basis too. We have tested with a number of common objects, such as the cookie bag and tinfoil above, which worked quite nicely for our 13.56 MHz test tags.

As you would expect, common food packaging is a very easy to obtain improvised RFID blocking material. We have not tested 125 kHz tags, so your mileage may vary if you are attempting to block RFID tags using that frequency.

Our testing was conducted using a commercially available Omnikey Cardman 5321, a USB connected RFID reader, and using Adam Laurie's RFIDIOt package. Longer ranges are possible using custom antennas and readers, with some testing on these passive tags being done at up to 30 feet by NIST - a result that worries the ACLU.

Check your wallet - you may have a PayPass enabled card without realizing that you do. To check, look at the back of each card for the PayPass logo. In addition, many cards have a chip logo on the front, making them easily identifiable.

Wednesday, November 19, 2008

PayPal Scams and Evolutionary Pressure

We've discussed the anatomy of a typical PayPal scam email in the past, and we've analyzed other scams such as credit union member phishing. With that in mind, a recent PayPal scam email has a few little tweaks that are worth noticing.

The first thing to note is that it tells the recipient that the investigation process will take at least 12 hours, and that they recommend that you verify your account then. This means that most users won't try to log in for at least 12 hours, giving the scammer a chance to loot the account.

Second, it was interesting to see that the scammer did not use a very well concealed clickable PayPal URL - a simple mouseover points it to a site easily identified as a non-PayPal site. The most interesting part here for me was that the help link redirects to an alternate site as well - although, again, a poorly concealed one.

Finally, the email spends almost a third of its length discussing what PayPal does to address scams and to prosecute fraud. This appears to be an attempt to tap into what Bruce Schneier discussed recently regarding the science of cons.

These incremental improvements - and the lack of sophistication in the links - show that PayPal scam email continues to evolve and adapt, and that some of the most common tricks aren't universally used. As users become more savvy, successful scams must become more realistic, and must appear more trustworthy.

The email is reproduced below as an image.
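The mouseover check described above can be automated for a whole mailbox. This added example (not code from the original post) parses the anchors out of a message body and compares the domain a reader sees, whether a URL or a brand name in the link text, with the domain the href actually points to. The sample message, the trusted-brand table and the `.example` hosts are constructed for this example; the crude "last two labels" notion of a registrable domain is an assumption that is good enough for the `.com`-style hosts shown here.

```python
"""Flag e-mail links whose visible text claims one site but whose href goes elsewhere.

Added example, not code from the original post. Sample message, brand list
and domains are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the message claims to be from, keyed by their real registrable domain (assumption).
TRUSTED = {"paypal.com": "paypal"}

DOMAIN_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)
SCHEME_ONLY_RE = re.compile(r"^[a-z][a-z0-9+-]*:", re.I)   # mailto:, javascript:, tel:


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'registrable domain': last two labels. Enough for .com-style hosts here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(value):
    """Hostname named by a URL, or by bare domain-looking text such as www.example.com/path."""
    value = value.strip()
    if "://" not in value:
        if SCHEME_ONLY_RE.match(value):
            return None                  # mailto:, javascript:, etc. name no host
        value = "http://" + value
    return urlparse(value).hostname


def suspicious_links(html, trusted=TRUSTED):
    """Return (reason, visible_text, href) for each link a reader would misjudge."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue
        target_domain = registrable(target)
        shown = host_of(text) if DOMAIN_RE.search(text) else None
        if shown and registrable(shown) != target_domain:
            # The visible text is itself a URL, for a different site than the real target.
            findings.append(("visible URL differs from real target", text, href))
        elif target_domain not in trusted and any(
                brand in text.lower() for brand in trusted.values()):
            # "PayPal Help Center" style text pointing at a non-PayPal host.
            findings.append(("brand name in text, untrusted target", text, href))
    return findings


# Constructed sample of the kind of message discussed above (no real URLs).
SAMPLE_EMAIL = """
<p>Your account is under review. We recommend that you verify it after 12 hours.</p>
<p><a href="http://paypal.secure-login.example/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a></p>
<p>Questions? Visit the <a href="http://help.secure-login.example/">PayPal Help Center</a>.</p>
<p><a href="https://www.paypal.com/security/">Security Center</a></p>
"""

if __name__ == "__main__":
    for reason, text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The first sample link is the classic visible-URL trick; the second is the "help link" variant from the post, where the text names the brand but no URL. The third link points at the brand's own domain and is left alone.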

Tuesday, November 18, 2008

Digital Forensics: Data Carving With Foremost

If you're doing forensic work, or if you need to do data recovery, you'll likely run into deleted files that you need to match up with actual file types. This is where data carving, or file carving comes into play. Data carving involves searching an input (in this case, a dd image) for content, rather than metadata like filenames.

One of the easiest ways to do this is with an open source tool called foremost. Foremost recovers files using headers, footers, and standard data structures, allowing you to match files on a disk image. Usage is simple:

foremost -v -T -t (type) -i (file)

This enables verbose mode (-v), timestamps the output directory (-T), selects the type of files you want to search for with -t (jpg, gif, etc.), and feeds in your dd'ed input image file (-i).
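To make the header/footer idea concrete, here is a minimal carver as an added example (not foremost's code). It scans a raw image for the byte signatures that open and close a few file types and cuts out everything in between, never consulting the filesystem, which is exactly why carving still recovers deleted files. The signature table is a small assumed subset of what foremost ships, and the "disk image" is constructed in the block from filler bytes and three tiny embedded files.

```python
"""A minimal header/footer file carver, the technique foremost automates.

Added example, not foremost's own code. Signature table and disk image are
constructed for this example.
"""
import os

# type -> (header, footer, maximum distance to search for the footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return [(type, offset, data)] for every header/footer pair found, ordered by offset."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end < 0:
                pos = start + 1        # header with no footer in range: skip it, keep scanning
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end                  # resume after the carved file
    return sorted(found, key=lambda item: item[1])


def save_carved(found, outdir):
    """Write each carved object as <offset>.<type> under outdir, like foremost's output dir."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, data in found:
        path = os.path.join(outdir, f"{offset:08d}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


# Constructed "disk image": filler bytes with three small files scattered in it.
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
           b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FILLER = b"\x00" * 32 + bytes(range(256)) + b"\x00" * 32
DISK_IMAGE = FILLER + FAKE_JPG + FILLER + GIF_1X1 + FILLER + FAKE_PNG + FILLER

if __name__ == "__main__":
    for ftype, offset, data in carve(DISK_IMAGE):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

The maximum-size window is the part that keeps a carver honest on real images: without it, a header whose footer was overwritten would swallow everything up to the next unrelated footer, which is also why carved output always needs a sanity pass before anyone treats it as a recovered file.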

You can find previous DA posts about digital forensics here:

Thursday, November 13, 2008

How Does Your ATM Uplink? Or "Physical Security Humor As An Installation Art Form"

A recent trip to the ATM resulted in an interesting receipt as the ATM crashed. Note the debugging information providing connectivity details for the ATM. In and of itself, this wasn't a real issue, but it was interesting to see, as the ATM appeared to be working properly.

Once this three foot long error receipt printed however, we noticed something more interesting about the ATM.

That deep dark space to the left of the ATM contained networking devices, including the network uplink. Since this is a third party ATM on private property, it was not connected to the building's network.

The devices appear to include some form of serial or parallel device, an ethernet to PCMCIA bridge with an AT&T wireless cell card, and an antenna with a magnet to provide reception from the top of the ATM. Sadly, the strongest physical security control here is the sheer amount of dirt present. Nothing would prevent a malicious (or curious) person from placing a hub between the bridge device and the ATM's link to capture traffic. The cell network card could even be taken and used quite easily. Best of all, the ATM has no coverage with a camera system, and is in an area that is open at all hours of the day.

A number of very simple actions could be taken to greatly improve the security of this ATM and its operations.

  • Secure the connectivity devices and network connections.
  • Install a security camera, either in the ATM or, better, with a vantage point to watch the ATM itself.
  • Prevent the device from providing debugging or error messages without entry of an administrative code or key.

Tuesday, November 4, 2008

The Security Mentality: Scary Security Guy?

I act as a stand-in instructor for an undergraduate security class a couple of times a year. Typically, I teach an hour or so about physical security, and lecture in coordination with the campus data center manager about data center security and operational security at the university. I tell a number of stories, and offer examples of how security design is done on campuses, as well as in the students' every day lives.

Each time I lecture, I ask the instructor about the feedback from the class. Typically, there is positive feedback, and often there is something interesting that the students will pick up on. The most recent class, however, had something new to say:

"Your friend is scary".

I'm used to scaring our datacenter manager - the security analyst's approach to systems is something I've talked about before. He knows that I analyze based on risk, and that while I may enumerate a wide variety of risks, I'll work with him on the most plausible and dangerous ones. The students, however, aren't used to assessing risk in the same manner, and don't think like analysts would.

This points out a problem: people rarely react well to things that are scary, and we don't want to be seen as paranoids. How can we avoid being the scary security analyst?

In general, we need to do three things:

  1. Choose our battles wisely, and avoid being Chicken Little.
  2. Be helpful, even when describing risk: cast the risk as an opportunity, or offer useful assistance and guidance.
  3. Teach security mentality when possible.

Thursday, October 30, 2008

Spamming Friendster: Video links and blog spam

Spam on Friendster has taken a clever turn: using static images of a clickable video to get hits on sites.

It looks like this - normally users will simply click on the apparent video link.

The URL behind it, however, is a spam link to a blogspot blog. Time to remind our users that clicking on things they don't expect or that are from people they don't know is a bad idea.

Friday, October 24, 2008

Easy Packet Capture Using Network Miner

Network Miner is a great simple packet capture and search utility. The interface is simple, easy to understand, and provides many of the frequently desirable searches in one place.

Network Miner's Sourceforge site says:

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.
You'll need WinPcap to run it, but once you have it installed, you're ready to start capturing packets.

What can you do?

Network Miner's main interface is an easy to navigate tabbed menu. By default, you'll see hosts.

From there, it is simple to select files, which will show files transferred while sniffing - in this case, I opened Google in Firefox.

You can also see images, which display in the window. Note the Google logo from the packet capture.

While both of these capabilities are fun, other automatic filters are likely far more useful. You can select Credentials or Cleartext and you'll see userids and passwords that are sent, and the plaintext sent over the wire, respectively. Both can be extremely useful in troubleshooting. An easy example is checking to see if credentials for a website are being sent in plaintext when they shouldn't be, or if a cookie contains a string you don't want to be sent.


Network Miner also includes the ability to view DNS queries, frames, parameters, keywords, and protocol anomalies. You can sort entries based on IP address, MAC, hostname, packet count, byte count, and ports open.

While Network Miner isn't as flexible as Wireshark, it provides an extremely approachable interface, and makes packet capture much easier for those who need the basic functionality without the complexity of a full featured solution.
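What the Credentials and Cleartext tabs do for you is worth seeing in code. This added example (not NetworkMiner's code) performs the same inspection on raw HTTP requests: it decodes Basic authorization headers, pulls login fields out of form POST bodies, and flags cookies whose name matches a watch list, which covers the "cookie contains a string you don't want sent" case above. The three requests, the placeholder hosts and credentials, and the list of login field names are all constructed for this example; in practice the bytes come from a capture's reassembled TCP payloads.

```python
"""Pick cleartext credentials and watched cookie values out of raw HTTP requests.

Added example, not NetworkMiner's code. Requests, hosts and credentials below
are constructed.
"""
import base64
import binascii
from urllib.parse import parse_qs

# Form field names commonly used for login (assumed list; extend per application).
CRED_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd", "pwd"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def find_credentials(raw, watch_cookie_prefixes=()):
    """Return (kind, name, value) findings for one request."""
    method, _, headers, body = parse_request(raw)
    findings = []

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("latin-1")
            user, _, password = decoded.partition(":")
            findings.append(("basic-auth", user, password))
        except (binascii.Error, ValueError):
            findings.append(("basic-auth", "<undecodable>", auth[6:]))

    content_type = headers.get("content-type", "").lower()
    if method == "POST" and "application/x-www-form-urlencoded" in content_type:
        for name, values in parse_qs(body).items():
            if name.lower() in CRED_FIELDS:
                findings.append(("form-field", name, values[0]))

    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if any(name.lower().startswith(p) for p in watch_cookie_prefixes):
            findings.append(("cookie", name, value))
    return findings


# Constructed requests (placeholder hosts, made-up credentials).
SAMPLE_BASIC = (b"GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
SAMPLE_FORM = (b"POST /login HTTP/1.1\r\nHost: www.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 28\r\n\r\n"
               b"username=bob&password=s3cret")
SAMPLE_COOKIE = (b"GET /account HTTP/1.1\r\nHost: www.example\r\n"
                 b"Cookie: theme=dark; ssn=123-45-6789; sid=abc\r\n\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_BASIC, SAMPLE_FORM, SAMPLE_COOKIE):
        print(find_credentials(raw, watch_cookie_prefixes=("ssn",)))
```

Basic authentication is the case people most often miss when eyeballing a capture: the header looks encoded, but base64 is not encryption, and the tool's Credentials tab is simply doing this decode.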

Monday, October 20, 2008

OS X CLI tricks: Empty Trash Securely

Thanks to one of my local Mac gurus, here's a MacOS security tip.

If you'd like to set secure delete to occur in MacOS 10.5, you can either set it via the GUI (Finder --> Preferences --> Advanced --> Empty Trash Securely), or you can set it via the CLI.

To set it via the CLI, you can use the defaults command.

First, check your current setting:

defaults read com.apple.finder EmptyTrashSecurely

Next, set the setting using defaults write:

defaults write com.apple.finder EmptyTrashSecurely 1

You can log out, then log back in, and your settings will carry over.

Wednesday, October 15, 2008

The Intersection of Can and Shouldn't

Every IT staffer knows that there are times when technology supports capabilities that can make a solution work, but which shouldn't be implemented. A co-worker phrased that nicely recently - "that's the intersection of can and shouldn't".

What intersections of can and shouldn't have you run into? My best example recently? Overly helpful helpdesks.

Often, help desk staff have access to a lot of data, allowing them to assist with various cases and events. Unfortunately, this leads to the inclination to be helpful outside of the scope of IT technical support, and can lead to additional risk exposure for an organization. In this case, training has to overcome the highly ingrained inclination to be helpful - something that help desks are designed to do.

Oh, and just because you can fix NAT issues by using your inline IPS or other packet filter to change them to the correct IP doesn't mean that you should...

Friday, October 10, 2008

ATM skimmers with SMS notification hit the scene

ZDNet has details on a $8500 ATM card skimming device that does automatic SMS notification when it captures data. Interestingly, the system also provides greater security for the person running it, preventing data capture and code based exploits. The article is worth a read if you're interested in the state of the art in skimming attacks.

Thursday, October 9, 2008

Security Humor: Comcast Listens

Comcast has been heavily advertising their "Triple Play" service, which includes VoIP telephone service. I opened my mailbox the other day and realized that their recent survey message may not have the intended interpretation in that context.

I wonder if their marketing team read this one carefully...

Friday, September 26, 2008

Security Humor: Ensuring Proper Installation

Users of McAfee's e-Policy Orchestrator know that MacOS integration requires you to run a shell script on the hosts. That script, install.sh, includes the following missive to potential tinkerers:

"##DO NOT PUT ANYTHING AFTER __ARCHIVE_FOLLOWS__ UNDER ANY CIRCUMSTANCE (NOT EVEN WHITESPACE). YOU SHALL BE HANGED IF YOU DO"
I think I'll leave the file alone...

If you are attempting to locate the install.sh file as part of a VirusScan for MacOS ePO build, you can find the file on your ePO server at \Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700MACX\ Install\0409. You will need to run the script as root using install.sh -i as your command.

NACUBO: The FTC's Red Flag Rule Identity Theft Prevention Rule May Affect Colleges

The National Association of College and University Business Officers notes that the FTC's Red Flag rule likely applies to colleges. For security analysts, this means that your identity theft prevention procedures and policies may get a federally mandated update.

Two parts of the rule may apply to colleges - first, that users of consumer reports must develop reasonable policies and procedures when they receive notification from a credit agency that there is an address discrepancy. Second, that financial institutions and creditors holding covered accounts must develop a written identity theft prevention program for their accounts.

NACUBO points out that many of the activities and accounts offered by higher education might cause such organizations to fit the rule. These include Perkins loans, institutional loans, and other similar activities.

NACUBO also provides a nice breakdown of the FTC rules. This is a good one to point out to your university administration if they're not aware of it yet.

Monday, September 22, 2008

McAfee to acquire Secure Computing

The AP reports that McAfee will acquire Secure Computing. That gives McAfee Secure Computing's firewall and border appliance capabilities, and helps them to match Symantec's acquisitions of the past year. This follows Secure's recent sale of their Safeword division to Aladdin, and was at a premium over Secure's current stock price.

Tuesday, September 16, 2008

Identity Theft and VISA giftcards

A recent news article shows another way to use a stolen credit card: write the magstripe to a gift card that won't be questioned when it is processed. In this case, the cards were used to purchase cigarettes, which are difficult to trace. The criminals' only mistake was returning to the place that they purchased the cigarettes to make a second transaction.

With magstripe encoders a commodity item, this is an easy way to avoid questions about a name not matching on a card. Small transactions in stores without cameras would make for a very difficult to trace crime.

Friday, September 12, 2008

IPhone Pwnage and bypassing the security code

Wired's coverage of Jonathan Zdziarski's IPhone hack, which I mentioned the other day, notes that the Pwnage tool can be used in combination with a custom firmware to access the phone without the code. While a local only exploit, it does give forensic investigators a potential way into locked phones without using any special hardware. O'Reilly's webcast of the event is not available yet.

Zdziarski also spoke about the cache retained for fade transitions on the phone. These leave remnant data, which can be recovered, and would show data that users might expect would not still reside on the phone - anything on screen when a transition was prepared would be recoverable.

This emphasizes the need for a secure erase capability on the phone - something that is obviously lacking in the current implementation.

Monday, September 8, 2008

IPhone Firmware Hacking: Bypassing the Security Code

According to Gizmodo by way of Wired, "Jonathan Zdziarski will guide law enforcement personnel "and anyone else who has a need to access the not-so-readily available data on an iPhone" through the process of bypassing the passcode lock security using a custom firmware bundle during a 45-minute webcast on O'Reilly.com."

Depending on how this works, Zdziarski's bypass could be an interesting tool for those who need to do IPhone forensics, or simple data recovery. I'll try to catch the webcast for further detail.

Friday, September 5, 2008

DHS Daily Reports: Another Useful Feed

The Department of Homeland Security Daily Open Source Infrastructure Report is available in feed form at http://dhs-daily-report.blogspot.com - take a look if you're interested in seeing what the DHS is reporting on a daily basis for public consumption. The PDF form is available directly from the DHS at http://www.dhs.gov/xinfoshare/programs/editorial_0542.shtm.

Saturday, August 30, 2008

Hashing: Making it easier for users

Recently, I've been pondering how infrequently most people take advantage of MD5 or SHA-1/256 hashes of software on download pages. Here are two ways to easily use hash checks on a daily basis.

HashTab adds a properties tab to files that lists commonly referenced hashes for the file. This is an easy way to verify hashes in Windows for users who don't keep Cygwin handy.

DownThemAll!, a popular and useful download plugin for Firefox, will also verify MD5, SHA1, SHA256, and other hashes.

Of course, using md5sum on your *nix box is an easy option as well. How do you integrate hash checks for yourself, and how do you get your users to use them?

Friday, August 29, 2008

IPhone Security Bypass Fix: Coming in September

Computer World cites an Apple representative as stating that a fix for the security bypass using the home button that I posted about on Wednesday will be available in September.

"The minor iPhone security issue, which surfaced this week, is fixed in a software update which will be released in September," said Apple spokeswoman Jennifer Bowcock in an e-mail Thursday.
Computer World also notes that the same issue was patched prior to the 2.0 release - patched versions were available in January 2008. Patch regression like this is a serious concern for enterprise and home users alike.

Wednesday, August 27, 2008

Viruses in Space

A BBC news story says that NASA has confirmed that laptops on the ISS were infected with Gammima.AG. The story goes on to note that the laptops don't run AV. While the laptops aren't part of the core operating capability of the ISS, the fact that a virus did make it to the station shows that there are potential gaps in their information security coverage. It will be interesting to see where the virus came from when further analysis is done - the theory of a thumbdrive or other portable media carrying it is quite believable.

Creative Commons image courtesy of Flickr user Accidental Angel.

IPhone: In An Emergency, Expose All Of My Contact Data

Gizmodo reports by way of Mac Rumors that simply hitting "Emergency Call" on a locked IPhone can allow access to contacts, email, Safari, and SMS, without knowing the user's passcode.

1. Select emergency call from the lock screen.
2. Quickly double tap the home button.

I've verified this, and it does work - the trick was hitting the home button quickly.

This can be avoided by setting the Home button default:

1. Click on Settings.
2. Click on General.
3. Click on Home Button.
4. Make "Home" or "iPod" your default selection.

With a large number of IPhone users in my organization, I'm sure I'll get some mileage out of this one.

Tuesday, August 26, 2008

Practical Security: Dealing With Drug Spam Using Google Alerts

I've been using Google Alerts to monitor for drug and gambling spam placed into compromised user accounts for a while. If you're a provider of web space for any reasonably sized organization, or if you have the ability to publish web pages and want to monitor them, Google Alerts can be a great way to add an additional layer of defense.

To build an alert, simply identify common key words from the sites, then add them to an alert. You'll note that I remove PDF, PowerPoint, and Microsoft Word .doc files by default, as those are often used in research or presentations.

You can use anything you can do via the normal Google search syntax, allowing you to create reasonably powerful tripwires.

site:(your site) -filetype:pdf -filetype:ppt -filetype:doc ("poker" OR "xanax" OR "viagra" OR "cialis")

Once you've built your alerts, build a filter for them, and check the folder. Don't forget to set your alerts to plain text mode in your preferences if you want to view them more easily.

Friday, August 22, 2008

MacOS Security Guidelines and Best Practices: Corsaire's "Securing Mac OS X Leopard (10.5)"

Daniel Cuthbert of Corsaire has published "Securing Mac OS X Leopard (10.5)", a lockdown and general security guide for MacOS 10.5. If you're building a MacOS security guideline, you should take a look.

Reminder: Set your gmail to require SSL

Gmail's new setting to require SSL makes the habit of typing "https" unnecessary. Simply select "Settings" from the top of your Gmail page, then at the bottom click the radio button:

Your session will expire, but a page reload will drop you back in, and you'll be using SSL from there.

This is one quick and easy fix that I'll be emailing quite a few people about.

RedHat System Compromise Results In Updated Signed OpenSSH packages

RedHat has released updated OpenSSH packages for Red Hat Enterprise Linux 4 i386 and x86_64, and Red Hat Enterprise Linux 5 x86_64, due to a system compromise that resulted in the intruders being able to sign OpenSSH packages for those versions of RHEL. The Fedora infrastructure was also compromised; however, investigation there seems to indicate that no changes were made to the distribution.

The Fedora signing key is being updated due to the intrusion, even though it appears not to have been exposed:

"Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers."
This change to Fedora's signing key may require changes by all Fedora system administrators, and more details are promised if needed.

On the RedHat side, they are careful to note that RedHat Network subscribers would not have received the modified packages via their automatic updates. If you download OpenSSH from any other location, you should carefully verify the MD5 hash against the hashes listed by RedHat.
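Both this paragraph and the earlier "Hashing: Making it easier for users" post come down to the same routine: hash the file you actually have and compare it to the digest the vendor published. The following added example (not HashTab, DownThemAll! or Red Hat's tooling) does that for the two-column format md5sum, sha1sum and sha256sum print, choosing the algorithm from the digest length. The files and the checksum list built by `build_demo_dir()` are constructed here; whatever list you feed it is only worth as much as its source, which is the point of checking against the hashes RedHat lists rather than ones served from the same mirror as the package.

```python
"""Verify downloaded files against a published checksum list.

Added example, not HashTab, DownThemAll! or Red Hat's tooling. Files and
checksum list are constructed in build_demo_dir().
"""
import hashlib
import hmac
import os
import tempfile

ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so large ISOs don't need to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_checksum_list(text):
    """Parse '<hex>  <name>' or '<hex> *<name>' lines; returns {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")     # '*' marks binary mode in GNU coreutils output
        if name:
            entries[name] = digest.lower()
    return entries


def verify(directory, checksum_text):
    """Return {name: 'ok' | 'MISMATCH' | 'missing' | 'unknown-digest-length'}."""
    results = {}
    for name, expected in parse_checksum_list(checksum_text).items():
        algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(expected))
        path = os.path.join(directory, name)
        if algorithm is None:
            results[name] = "unknown-digest-length"
        elif not os.path.isfile(path):
            results[name] = "missing"
        else:
            actual = file_digest(path, algorithm)
            # Constant-time compare is a habit worth keeping even for public digests.
            results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def build_demo_dir():
    """Create a temp directory with one intact file, one altered file, and a checksum list."""
    directory = tempfile.mkdtemp(prefix="hashcheck-")
    good = b"constructed release tarball contents\n"
    published = b"constructed package as originally published\n"
    with open(os.path.join(directory, "good.tar.gz"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(directory, "tampered.rpm"), "wb") as fh:
        fh.write(published + b"# bytes added after the checksum was published\n")
    checksums = "\n".join([
        "# constructed checksum list, as a vendor download page might publish it",
        f"{hashlib.sha256(good).hexdigest()}  good.tar.gz",
        f"{hashlib.sha256(published).hexdigest()} *tampered.rpm",
        f"{hashlib.sha1(b'never downloaded').hexdigest()}  absent.iso",
    ])
    return directory, checksums


def demo():
    directory, checksums = build_demo_dir()
    return verify(directory, checksums)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

A digest match tells you the file is the one the list describes, nothing more; if an intruder could sign packages, they could as easily publish matching hashes on a page they control, which is why the post points to RedHat's own listing and why the signing-key questions below matter more than the hash check.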

The question becomes: What are RedHat's signing key management processes, and how did they break down to allow an intruder to sign packages? What level of access did the intruders have to the signing servers?

There are a number of methods to protect systems from this type of compromise, including restricting access at the network level to the signing servers to only allow internally initiated pulls of files to be signed, and then only allowing outbound pushes of signed files.

Today's reminder? Proper key management, particularly for keys that are trusted by customers, is crucial!

Thursday, August 21, 2008

TrueCrypt 6.0a How To: Free Full Disk Encryption in Windows XP

Our HOWTO: Windows full disk encryption with TrueCrypt 5.0 article is the most popular article we've published on Devil's Advocate Security with over 900 page views, and we're past due to write an updated article about TrueCrypt 6.0a.

A number of changes were made between 5.0 and 6.0a. These include:

  • Support for encrypted hidden operating systems with plausible deniability
  • Hidden volume creation for MacOS and Linux
  • Multi-core/multi-processor parallelized encryption support
  • Support for full drive encryption in XP and Vista even with extended and/or logical partitions
  • A new volume format which increases performance, reliability, and expandability
  • A number of bug-fixes and other features.
Last time I wrote about TrueCrypt, I noted that MacOS full disk encryption wasn't available on the market yet. Since that time, CheckPoint has put a full commercial version of their full disk encryption software on the market, and other vendors have released their products into beta. I'll report here when I get my hands on them for testing.

Without further ado, here is our TrueCrypt 6.0a Windows installation walk-through.

TrueCrypt full disk encryption walkthrough

1. Download TrueCrypt and install it. Accept the license, and select "Install" as your option rather than "Extract". TrueCrypt will ask you for a number of setting options - if you are unfamiliar with them, the defaults should be reasonable for most users. Once you click next, you'll see a message that TrueCrypt has successfully installed. Click OK, then click Finish and continue onwards.

2. Start TrueCrypt - if you did a default install, you will have a blue and white key icon on your desktop. TrueCrypt will ask you to read the tutorial if you haven't read it before. Once you've read through it, you'll see the TrueCrypt main window.



3. Select System, then Encrypt System Partition/Drive.


4. If you want to create a hidden operating system for plausible deniability, this is when you should select the "Hidden" option. For the purposes of this walk-through, we will simply do a "Normal" installation with the intent of protecting data, rather than hiding it.

5. Now you need to choose whether you will encrypt just the Windows system partition, or the entire drive. If you have performance concerns, you may opt to encrypt just the Windows system partition, however for the greatest security, you'll likely want to encrypt the entire drive. For this example, we will encrypt the entire drive, which is the default setting.


6. TrueCrypt will ask about Host Protected Areas, which may contain your system diagnostics, RAID tools, or other data. If you're unsure, you should likely select "no" for safety. Most programs do not store sensitive data in the HPA.


7. If you are running a multi-boot system with multiple operating systems, the next question is relevant for you. For most users, selecting Single Boot for their single OS is the route to take. We'll go with single boot for this walk-through.


8. Now you need to select your encryption options - the defaults of AES and RIPEMD-160 should be fine for most users. If you have specific compliance requirements, make sure you meet them here.


9. Type your password, or better, a strong passphrase. This will let you access your drive, so you must remember this passphrase!

10. Now TrueCrypt gathers mouse movement to generate a random seed for your encryption. Move your mouse around randomly, and then click next to let it generate your keys.



11. TrueCrypt forces you to create a TrueCrypt Rescue Disk, which allows you to restore your boot loader if it is damaged, lost, or you otherwise cannot access the TrueCrypt volume. By default, it will save an ISO file to your My Documents folder. You will need to burn the ISO to a CD, and then let TrueCrypt verify that it works.

12. Burn your ISO with your favorite CD burning software, then verify it.

13. Now select the wipe mode that you'd like to use. For most users, a 3 pass wipe will be sufficient, although for day to day use, no wipe is likely ok. If you do choose a wipe mode, you will be notified that each wipe will increase the encryption time. Once you click Next, a window of notes to print about the encryption process will pop up. Click OK, and "Yes" when asked if you're ready to reboot.

14. TrueCrypt will ask you to test the encryption by rebooting. This is a good time to make sure that you have your password recorded properly! After rebooting and providing your password, the pretest is complete. Select "Encrypt", print the notes if you would like to have them available, and your drive encryption will begin.



The encryption process is typically quite fast, but will vary with the size of your drive. The demonstration drive is running in a VM, and is an 8 GB partition. Real time to complete with no wipe was approximately 15 minutes.

15. When you reboot, simply enter your password, and your encrypted partition will unlock. Your normal OS boot will occur.


You now have a fully encrypted disk. Make sure you remember your password and keep your rescue CD in a safe place!

Friday, August 15, 2008

Where are the law enforcement information security trainees?

Richard Bejtlich asked where the law enforcement trainees are in information security classes:

"When I teach, there are a lot of military people in my classes. The rest come from private companies. I do not see many law enforcement or other legal types. I'm guessing they do not have the funds or the interest?"
I've worked with cybercrime and computer forensic training programs in the past, and my former employer had a very close relationship with both state and local law enforcement. We saw many police officers and federal agents in forensics classes learning system forensics, and we often provided expertise for those who did not have it. What we did not see was many officers sent to network analysis or other broader information security classes - their jobs were focused on the investigation rather than threat prevention, or digital defense. Many of the classes spent a lot of time looking for predators online, which tends to be a high profile activity for departments when they do make an arrest.

With all of that said, forensic skills are becoming more common, and training for forensics is available from organizations like Purdue's CyberForensics lab and Eastern Michigan University's Staff and Command school. Even with these resources, network forensics and similar skillsets are typically not a focus at the local level, but do become more useful for state and federal agencies.

Does this mean that our law enforcement organizations are unprepared? In some cases, yes - either because the specialized training isn't available, or their budgets or time are restricted. In addition, many police departments continue to use antiquated IT infrastructure, and smaller police departments are reliant on external support, or no formal support at all. These departments are both more vulnerable and less likely to have access to the training and technology needed to do useful forensic analysis of systems. That's what regional forensic centers are seeking to help with.

I think that many security analysts would benefit from spending some time with their local police forensic analysts - perhaps by joining Infragard, or attending a local cyber forensics class. Those contacts can pay off in the future, and will help you understand what they're dealing with.

You're Doing It Wrong

XKCD is often amusing - the most recent, however, is a great one for security folks. How many good ideas is your organization doing the wrong way?

Thursday, August 14, 2008

VM infrastructure and disaster recovery

VMWare's ESX/ESXi Update 2 contained what they describe as a "build timeout" which caused patched machines to expire their licenses on August 12th. This meant that VMs could not be powered on or resumed on updated machines, and that VMotion couldn't be used to move VMs to those systems. VMWare has released a patch and a letter to their customers notifying them of the issue, and has flagged the issue as an alert in their knowledgebase. The fixed patch requires a reboot of the VMWare host, potentially causing off-cycle maintenance to be required for those systems that were affected.

As more infrastructure moves to a VM environment, we create the potential for greater failures when the VM host systems have issues. In this case, a single patch could prevent DR from occurring if all of your VMWare systems were patched and a failure occurred. Workarounds were relatively easy if you knew what was wrong - system date and time could be changed in the short term, or, if necessary, a pre-patch backup could be restored to the system.

How can we best plan to handle issues like this? In many ways, the same processes that system administrators have used for years to test patches will continue to serve us, but we need to have plans in place for what to do when an issue affects all VM hosts at a given patch level. This reminds me of Hoff's talk about VM infrastructure at BlackHat - we're more vulnerable than we think we are with VMs, and this patch issue is a great, relatively low cost reminder.

So - how are you planning to handle VM infrastructure outages?

Wednesday, August 13, 2008

DEFCON 16 Badge pictures

For those who might be interested, here are images of the "HUMAN" standard DEFCON 16 attendee badge. The badge itself has solder pads for a USB port, an SD card reader, a Freescale processor, IR support, status LEDs, and more. The folks at Hack A Day have more details of the badge's capabilities.

Apparently, getting the badges out of China was a major issue this year, which led to the massive delays in badge distribution. The builder ended up shipping in a number of smaller shipments, which did clear customs. Also of note, badges from the earliest shipments did not have the SD card reader onboard, although parts kits were available to add it. Later shipments did have the SD card reader.



Note the barcode on the back - it is a 2D datamatrix. Unfortunately, neither of the 2D datamatrix recognition programs (edit: NeoReader and 2D sense) I carry on my phone recognizes the matrix on the back with a default snapshot, although it appears that a black and white photocopy might work better. I'll update here once I get a good copy of it.

What else does the badge do? Per Kingpin's description:

  • By default, the badges act as IR receivers.
  • A button push puts them in transmit mode if they find an SD card. They then transmit the contents of a read-only file of up to 128KB in the / directory of a FAT16 formatted SD card via IR to any receiver.
  • If no SD card is found, transmit mode makes the badge into a TV-B-Gone.

H.R. 4137 - P2P and Higher Education


EDUCAUSE and the American Council on Education have released an advisory regarding H.R. 4137, a recently passed law waiting on the President's signature. The law requires higher education institutions to do three major things:

  1. To notify students that illegal distribution of copyrighted materials may subject them to civil and criminal penalties, and to describe the steps that the institution will take to detect and punish illegal distribution of copyrighted materials.
  2. The institutions will have to certify to the Secretary of Education that they have created plans to effectively combat unauthorized distribution of copyrighted materials. Institutions are required to consider the use of technology based deterrents such as bandwidth shaping and traffic monitoring. Notably, institutions are not required to adopt any specific technology, and the Secretary of Education is not required to collect, review, or to approve the plans.
  3. Institutions are required to offer alternatives to illegal file sharing "to the extent practicable".

These requirements are far less egregious than they might have been, and allow quite a bit of room for universities to operate within. That is, in large part, because EDUCAUSE and other higher education organizations have been fighting this and similar requirements for some time. There is both good and bad news for institutions: the good is that as the EDUCAUSE memo notes, institutions operating in good faith and making reasonable efforts to comply should be in good shape. The bad news is that the negotiated rulemaking around the law must still occur, and that further restrictions and requirements can result.

Flickr Creative Commons image courtesy of MacGBeing.

Tuesday, August 5, 2008

BlackHat 2008: Lessons Learned, Training, and Day One


After a four hour delay at O'Hare - and sub-par updates from United, we managed to arrive in Vegas just after BlackHat's Sunday registration had closed. This is the first flight on which I've heard applause from the other fliers when we were told we would be taking off, and most of the fliers laughed when one person asked loudly "Are we driving to Vegas?" after taxiing for an interminable period of time.

Adventures in travel aside, my first BlackHat has been an interesting experience. I've previously attended other training at Caesar's, including SANS. BlackHat doesn't appear to have the conference setup down as well - wireless in our training room did not work reliably for almost a day and a half, and the food at the breaks was on a single floor in one area. With thousands of attendees crowding in during a 15 minute break, it leads to 30 minute delays in the courses.

Humorously, our class also had an issue with certificates - both missing certificates and duplicates. I'm not horribly worried about not receiving a certificate for attendance, but it was another minor issue added to the list.

How about the course content? The general feeling from two of the three of us who are attending the course segment is that our courses aren't as challenging and deep as we had expected from such a highly regarded conference. The third member of our group, who attended a Cisco course, has had glowing things to say.

I attended Tim Mullen's Microsoft Ninjitsu class. Tim is genial, has a good sense of humor, knows his stuff, and has a good supporting crew, but the content hasn't been as hardcore as I had expected. With that said, I've picked up a number of useful reminders and tidbits, particularly in terms of a Microsoft only network. I still won't be using ISA as a primary edge security device, but there are a number of uses for it when you have a Microsoft specific environment to protect.

The briefings were definitely content rich - I modified my schedule, and attended quite a few good presentations.

I started with Jared DeMott's AppSec A-Z. Jared provided a broad overview of application security topics, with details on how reverse engineering works from the ground up. Jared was working from a much longer talk, and he was definitely squeezed for time. If you're new to reverse engineering, and have some CS background, the presentation was a good intro.

Dan Kaminsky's DNS Goodness talk was massively attended. With co-workers and friends in attendance, I passed and sat in on Nate Lawson's Highway to Hell: Hacking Toll Systems. Nate gave a great presentation about the toll passes used by BATA and other California tolling systems. He discussed both the privacy aspect of remotely activated devices that can be used for both tolling and simple use monitoring, as well as the hardware itself.

Interestingly, the hardware is programmable and has flash storage, allowing them to be updated remotely. Nate offered a number of attack vectors that this could allow, ranging from cloning to shuffling between large numbers of devices as they pass on the highway. As with many other hardware devices, basic measures would have made the devices less susceptible to attack, and less useful for tracking users. Overall? Quite an enjoyable talk - it makes me wonder what EZPass and I-Pass look like.

Next up was Hoff's The Four Horsemen of the Virtualization Security Apocalypse. This was one of my favorite talks. Hoff is both a good showman and he has a lot of insight into virtualization - if you're using a virtualized infrastructure, you should check his presentation out. His predictions of increased cost and lower reliability in virtual infrastructures due to lack of high availability VM appliances, as well as infrastructure consolidation are on the mark, and should make any security professional think twice about what their future virtualized infrastructure will look like.

One of the biggest issues that he brought up was the possibility of having a VM infrastructure lose security as VM appliances fail. Infrastructure isn't configured in the same way that a HA physical infrastructure is, meaning that a failure either causes a loss of service or a loss of security. As he spoke, I was struck by the need for a declarative syntax for VM architectures: basically a rules based system that would cause systems to always have the right elements in front of them, even if VMs in the system failed. In essence, we need a way to ensure that the infrastructure remains logically sound, even if the physical and virtualized elements of the infrastructure move or fail. We also need a way to manage VM based appliances in a way that scales - as we deploy IDS sensors, firewalls, WAFs and other tools in VMs, we're going to need to make ourselves more effective.

After a break, Bruce Potter's Malware Detection Through Network Flow Analysis was enjoyable. Bruce was selling his new tool Psyche throughout the presentation, and it sounds like he and the team who are working on Psyche have the right idea - unfortunately, the quoted speeds are less than a fifth of my normal flow rate. For now, a commercial solution is my best answer to replace my existing NFSen/NFDump architecture. Bruce ran long - but his content was good and I'm sure it was useful and persuasive for those who aren't using netflow. For those who are, he captured some of the biggest issues that we face - how do we identify what isn't right, and how can we visualize it effectively to create useful monitoring capabilities.

I'll run through day two, including great talks on web application security in my next post. Still to come? DEFCON 16, where they've already run out of badges in the first run - if you're going, you won't get a hackable badge until 3 PM tomorrow.

Friday, August 1, 2008

Heading to Blackhat: two aspirin and a glass of water coverage

It sure is a good thing that Blackhat and DEFCON are in Vegas. I'm not sure I could deal with security geeks, hax0rs, and script kiddies for a week straight anywhere else.

Here's a few tips on attending both conferences:

  • There are parties going on every night - mostly vendors and some organizations. Ask around at booths and ask early - the parties usually fill up fast. I'll be hitting up at least the OWASP/WASC party.
  • The double-edged sword of DEFCON: Often, talks that are occurring at Blackhat are also occurring at DEFCON. The relaxed atmosphere of DEFCON usually makes them much more entertaining, but be careful: rooms fill up really fast at DEFCON.
  • Don't forget, a Blackhat Briefings pass gets you into DEFCON for free [as in beer].
  • Trust nothing/no one: I know this should go without saying, but there's a Wall of Sheep for a reason. Keep your WiFi radios and computers on at your own risk.
As far as briefings, I usually have a few that I want to attend, and then bounce around from room to room looking for something interesting. Sometimes a talk is nothing like you expected it to be based on the description, and sometimes the rooms are just packed - have alternatives.

I'll probably spend my time in AppSec mostly, but here are a few I've got earmarked:

Heading to Blackhat: Additional Briefing Coverage

As David mentioned here, several members of the DA crew are headed to Blackhat next week. While I'll be sampling a bit here and there, I'm interested mostly in Web Application security issues.

The briefings I plan on attending are:

Expect a number of posts from the field next week.

Wednesday, July 30, 2008

Heading to Blackhat: Blackhat briefings coverage by the Devil's Advocate crew

Most of the Devil's Advocate crew is going to Black Hat and/or DEFCON this year. While Dan Kaminsky's DNS exploit cat is basically out of the bag, I expect that a number of the briefings will be valuable.

I'll be sitting in on the following briefings:

It looks like there will be a lot of good information - and better discussion at the conference. I'll see many of you out there! I'll also be blogging the high points as the conference progresses, so stay tuned.

Aladdin acquires Secure Computing's SafeWord

Aladdin Knowledge Systems has announced their intent to acquire Secure Computing's Safeword product line, with an expected date in August or September. This merges two of the larger two factor token vendors into a single entity, and should make for a good combination of capabilities and technologies.

Tuesday, July 29, 2008

Planning around tokens: When your token fails


My organization uses Secure Computing's Safeword tokens. They're handy, and offer an increased level of security over simple password authentication. The problem with a token is that you can lose it or damage it. In my case, the LCD on the token that I use has a partial non-working character. I can work around it, but it made me appreciate the fragility of a token based system for secure remote access if the token fails.

How can you work around this? There are a few options:

  1. If you have an operations or helpdesk organization, you can give them an emergency token, and provide the second half of the string to your team. Build appropriate controls in so that use is limited and is recorded, and simply call your on-site team to push a button and read numbers to you over the phone in the event of a token failure.
  2. Provide a method to bypass the two factor authentication, either via a controlled VPN or other system, or via console access. You'll need to ensure that the bypass isn't used except when absolutely necessary, and it creates more exposure and more maintenance.
  3. Ensure that you have enough staff to handle a single failed token by re-assigning tasks. In larger organizations, this is often workable. In a smaller organization, this can be a more difficult task.

Token based two factor authentication is an attractive solution, but as with any technology, you must plan for failure while designing for success.

Monday, July 28, 2008

Security Tools: VMWare ESXi for free

VMWare is one of my favorite tools for testing malware and for building test networks. Now, VMWare has released their ESXi hypervisor for free. The platform is very similar to ESX, with a smaller disk footprint.

VMWare also advertises ESXi's security features, citing the ability to "Enforce security for virtual machines at the Ethernet layer. Disallow promiscuous mode sniffing of network traffic, MAC address changes, and forged source MAC transmits."

I won't debate the differences in licensing models between VMWare's products and XEN or Microsoft's virtualization technologies here. Instead, I'll simply note that having virtualization capabilities and pre-built test environments for your common operating systems is where the real advantage is for malware analysis, architecture testing, and separation.

Tuesday, July 22, 2008

Malware Analysis and Response: A Quick Howto

A recent wave of spam has managed to bypass some central email AV systems. The virus, which Sophos calls Troj/Agent-HFZ, wasn't recognized by many of the larger players in the antivirus space until earlier today. Virustotal's list shows many players still don't recognize this specific variant. As I watched some of our staff work to deal with the infections that resulted from users running the infected executables, I realized that a few basic steps could really save them some time. Here they are:

1. Get a copy of the malware and submit it to:

You'll see something like this - note that only 19 of 34 vendors recognized this malware when VirusTotal checked it.


2. Review the responses - often at least one or two vendors will have identified the malware, and some may have already written directions for removal. In this case, Sophos provided directions on removal that matched what was seen on infected systems.

3. Run strings on the malware. If it isn't packed or otherwise encoded, you may get enough information to either block remote contact sites, or you may learn more about it.

4. If you don't have a vendor provided removal process, and if you're technically proficient enough, you can test the malware out yourself. I like to use a locked down VM with network access only to a host that runs Wireshark. Here's an example of an outbound connection attempt from a recently infected host:


Note the attempts to connect to a .ru site - not something I would expect to see in a normal boot process.

I'll also use a utility that will monitor the host for changes - Wise's Installation Studio is a commercial example, and various freeware packages are also available. You may also find tools like Windows SteadyState to be useful, as they allow virtual sandbox environments for testing.

5. Once you've figured out what the malware does, and what it changed, you're ready to figure out a course of action. In most cases, this will be one of three things:
  • Rely on 3rd party AV products to do the removal
  • Create a scripted or manual removal process
  • Reinstall or restore system state
You may also discover that there are outbound IP addresses or domains that you may wish to block to prevent outbound communications from occurring, or there may be specific strings you want to filter for on your inbound mail server. By now, you should know what you're looking for, and you'll be far more ready to handle further occurrences of the malware.
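Steps 3 and 5 above can be scripted together. The following is an added example, not code from the original post: it pulls printable ASCII and UTF-16LE strings out of a binary the way `strings` does, then picks out URLs, hostnames and IPv4 addresses as candidate block-list or mail-filter entries, flagging hosts under a top-level domain you would not expect to see during a normal boot (.ru here, following the capture above). SAMPLE_BINARY is a constructed blob standing in for an unpacked sample; the hostname and address inside it are placeholders, not real indicators.

```python
"""Static triage of a suspicious executable: extract strings, then pull out
network indicators that a block list or mail filter could use.

Added example for the post above, not the original author's code. The
sample bytes are a constructed blob standing in for an unpacked malware
binary; the host and address in it are placeholders, not real indicators.
"""
import re

# Constructed sample: a fake DOS stub, an ASCII URL, a UTF-16LE path (Windows
# binaries often store strings this way), an IP:port and a registry key.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"This program cannot be run in DOS mode.\r\n\x01\x02\x03"
    + b"http://update.example-placeholder.ru/gate.php\x00\x00\x00"
    + "C:\\Windows\\System32\\drivers\\etc\\hosts".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe192.168.10.45:8080\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00cd"  # below the minimum length; must be ignored
)

URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s\"'<>]*)?", re.I)
# A short TLD list keeps false positives (file extensions, version strings) down.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:ru|com|net|org|info|biz)\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data, min_len=6):
    """Printable runs of at least min_len characters, ASCII and UTF-16LE, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return [s for _, s in sorted(hits)]


def valid_ipv4(text):
    """Reject dotted quads with an octet above 255 (version strings often look like IPs)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def find_network_indicators(strings):
    """Unique URLs, hostnames and IPv4 addresses seen in the extracted strings."""
    urls, hosts, ips = set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        hosts.update(h.lower() for h in HOST_RE.findall(s))
        ips.update(ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip))
    return {"urls": sorted(urls), "hosts": sorted(hosts), "ips": sorted(ips)}


def triage(data, watch_tlds=("ru",)):
    """Run extraction plus indicator search; flag hosts under TLDs you would not expect at boot."""
    result = find_network_indicators(extract_strings(data))
    result["flagged_hosts"] = [h for h in result["hosts"] if h.rsplit(".", 1)[-1] in watch_tlds]
    return result


if __name__ == "__main__":
    for line in extract_strings(SAMPLE_BINARY):
        print(line)
    print(triage(SAMPLE_BINARY))
```

On a packed sample the string list will be nearly empty, which is itself a useful signal that the VM run in step 4 is needed; the indicators that come out of this pass are candidates to confirm against that capture before they go into a block list.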

As for the malware of the day? The SMTP scanner servers are filtering it, the helpdesk has repair information, and our AV vendors are releasing updates to remove it. The users? Well, they're still occasionally clicking on their fake UPS invoices.

Monday, July 21, 2008

Phishing for Credit Union members

The scheme of the day today is an apparently VoIP based phishing attempt with the call asking victims to call 515-414-2182. The call claims to be from a local credit union, and that the victim's credit union card has been deactivated. Notes on this can be found on whocallsme.com's listing for the number.

I'll be spending some time today reminding staff that they shouldn't call a number provided in a voicemail or on the phone without verifying it, and this looks like a great opportunity for our next outreach and education project.

Tuesday, July 15, 2008

Is your Security Guy Beanie (tm) on too tight?

I work in a reasonably large dedicated IT organization. Often, the staffers that I work with understand the risks and the controls that they can use on their systems as well as, or better than I do. What they come to me for is a level of professional paranoia. They acknowledge the difference between the system administrator's "it must work" mantra, and my "it must be secure and it must work".

This results in the occasional moment where we both acknowledge that security concerns are over the top - but that they need to be expressed. We need due diligence, and we need a full awareness of the risks. Even so, we're all aware that some of the security concerns can sound silly.

I simply tell them that my Security Guy Beanie is on a little too tight, but that I have to wear it like that to keep my paycheck.

We all chuckle, we figure out a reasonable set of controls, and the admins know that there is somebody who is paid to worry about the obscure things.

Thursday, July 10, 2008

Blinded by necessity: Avoiding Dr. No

Often requests come in for vetting that don't reflect any risk awareness on the part of the requesting party. In many cases, the person making the request is normally security conscious, follows the rules, and treats data and systems carefully. For one reason or another, this request is different, and it is needed right away!

Why the gap?

Necessity, or at least perceived necessity. In the end, most of these requests are driven by an organizational need for immediate response. A project needs to be completed, a new hire is in place and needs access, or senior management has made the project that caused the requirement a priority.

Dealing with these priorities is one of the more challenging day to day issues that security analysts face because they are one of the easiest ways to become known as the local security obstacle. Even if your normal answer is "yes, and here's how to do that securely", the high priority, snap decision requests will get bogged down due to their nature - they're different, they don't follow the rules, and they often involve unnecessary risks that could be easily avoided if normal processes were followed.

When I run into one of these cases, I ask a few simple questions:

1. What are you trying to accomplish?

2. Why are you requesting it this way?

3. How is this different from your normal operation?

4. What problems or costs are associated with not doing this the way you have requested it, versus via the normal process or rules?

Often, these answers will lead to a realization that the normal process does include what is needed. In other cases, it will be obvious that there is a need for a one-off variation, at which point risks can be properly gauged and handled.