Friday, September 17, 2010

Facebook Status and Burglaries

WMUR in New Hampshire reports what is one of the first large-scale burglary cases based on Facebook status messages that I'm aware of. For those of us who need to communicate about Facebook and social network security concerns to varied populations, this is a great example to cite. According to the article, "Investigators said the suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time."

The article mentions $100,000-200,000 of stolen property that was recovered, and that the case was solved because an officer, acting on orders to check out any fireworks heard being fired, noticed that fireworks of the same brand reported stolen in one of the burglaries were being shot off and investigated.

Thursday, September 16, 2010

A Different Angle on Identity Theft: When Identity Thieves Use Your Identity

The story of Dr. Gemma Meadows, as reported by MSNBC, is an intriguing one. Like many victims of identity theft, she was contacted by her bank and informed of fraudulent activity. What happened next, though, is a bit off the normal path for identity theft victims.

Various packages with a wide range of values started to show up, and have continued to show up. Now, Dr. Meadows spends time tracking and returning packages, as well as fielding calls from various vendors from whom the items are ordered.

Why? According to the article, and what she has been able to determine, the identity thieves are using her information to test validation scripts on e-commerce websites. Her valid address, phone, and other details are being used to make transactions appear valid.

Interestingly, the validation scripts do work in some cases, flagging the transactions as possibly fraudulent. The article mentions that some sites notice that the item is to be shipped thousands of kilometers away from the order location, and that others call to verify that she is the one placing the order. Many others, however, don't do as well, and the stream of packages continues.

The article is well worth a read. We're used to seeing lives disrupted by identity theft and the credit and financial issues that can go with it. Receiving packages when criminals use your identity to support their crimes in a different way is an entirely different event, and appears to be one that law enforcement and our database driven society isn't geared to handle.

Thursday, July 29, 2010

Blackhat, ATMs, and Money Fountains, Oh My!

Security blogs and websites are all buzzing with the news of Barnaby Jack's Blackhat demonstration of ATM insecurity. Wired has coverage, our favorite security monkey has a video, and others, including Tony Bradley from PC World, cover the important lessons from the talk.

So does the hack tell us something truly new? I don't really think so. For years, many ATMs have been poorly secured embedded systems, often running commodity operating systems that rely more on the physical security provided by locked boxes than on hardened operating systems with appropriate security controls. I've written about the insecurity of some ATM uplinks before, and accessing their network connection is often very simple in public locations.

What the exploit does do is serve to point out vulnerabilities in the specific ATMs, both of which were running Windows CE. It also serves as a reminder that any operating system that can be remotely accessed, or that allows its filesystem to be written, or to mount USB devices is vulnerable. Since many ATMs run Windows XP, or even Windows NT, they make attractive targets to those who have pre-written malware that works on Windows systems.

It should also remind us to review what devices we rely on that have embedded PC platforms in them. Windows CE, NT, XP, and various flavors of Linux appear throughout our IT infrastructure, and while we're used to locking down network access, often embedded devices don't provide strong local security. I've run into everything from AV controllers and music players to embedded systems running animal feeding systems for research. Most of the time, my only ability to secure them is to lock them away, limit access to the room they live in, and to ensure that they're on a secured network.

How do you secure your embedded systems? Have you gone so far as to modify appliances that manufacturers don't want changed?

Friday, May 21, 2010

O'Reilly Book Deal - Get Security and Other Ebooks Cheap Today

O'Reilly has a coupon available for today only that makes any one ebook in their store $10. If you're like me and like to have an electronic edition handy, this is a great deal for books that are updated and searchable. Their security books can be found here. You'll want to use coupon code "FAVFA".

Tuesday, May 18, 2010

Check Facebook Privacy Settings with's Scanner Bookmarklet provides a simple bookmarklet that works simply by loading it when you visit your Privacy settings page on Facebook. Simple, neat, and it appears to be a neat way to get a basic checkup. Better, the source code is available for review.

Thursday, May 13, 2010

Facebook Friend Suggestions - Not a Virus!

Facebook status updates are quickly being populated with warnings that the "suggest a friend" notes appearing in users' inboxes are virus driven. They're not - in fact, Facebook has posted a notice stating:

"This is neither a bug nor a virus, and the “Virus Alert” status update is incorrect. Friend suggestions are now mutual and will appear for both users involved. That is, if I suggest that one person become friends with another, both the person I suggested and the person to whom I sent the suggestion will receive the notification."
The fact that the Facebook populace quickly communicates about a potential issue is good - the fact that false information is spreading quickly is not as good - but I'd rather my users avoid a fake virus than not avoid a real one.

Sunday, May 9, 2010

Experiments in Security: Magstripe Reading Using Rust Particles

Tetherdcow via BoingBoing has a great science experiment to try with the magstripes on credit cards and other ID cards: using rust particles to read the magstripe. This looks like a great hands-on and visible way to talk about how data is encoded when teaching students.

Tuesday, May 4, 2010

Opting out of Facebook's Instant Personalization

The EFF has a quick look at how to opt out of Facebook's new Instant Personalization capabilities. Of note, you must block ALL of the Instant Personalization websites if you use them, rather than just setting one master setting. They provide both written steps and a video, as well as a suggestion on how to make your voice heard about this new "feature".

Monday, May 3, 2010

Security Humor: McAfee's...Quicktart?

A search for McAfee's QuickStart HealthCheck service today resulted in the following listing:

Yes, that says Quicktart. I'll avoid McAfee QA jokes, but the actual page title does currently list their Quicktart service!

No news on whether other fast pastries will be in their continued product offerings...

Thursday, April 29, 2010

McAfee's Apology - And Recompense For Corporate Customers

McAfee has revealed the first phase of their corporate customer followup to the 5958 DAT issue. The notice, available via their SNS notification service and via McAfee's website, says:

McAfee is offering a complimentary one year subscription to our automated security Healthcheck Platform. This will include a 4-hour session of remote consulting in which we will help you set up and run the health check, review your policies, server configuration and environment, interpret the results and provide recommendations based on McAfee best practices. If you would like to take advantage of this offer, please email by June 15, 2010.
Unlike the offer extended to home users, which included a 2 year subscription renewal and the potential to see recompense for "reasonable" repair fees, this does not include any significant remedy for corporate users. While the expense to McAfee would be far higher than the cost of the home user offer, it does mean that corporate customers may feel that they have been left out in the cold. Stories of hospital emergency rooms (as described in the comments on techielobang and Ars Technica's posts about the issue) and 911 call centers (as described by the ISC) going down in the wake of the DAT release mean that McAfee will likely face very upset customers as the full cost and impact of the issue are calculated.

McAfee president David DeWalt's open letter, posted to the McAfee Security Insights blog claims that "The vast majority of affected users were back up and running smoothly within hours, and we are continuing to work diligently until we are sure that every last user node among each and every one of our customers is back in action." - a claim that may be difficult to back up in large organizations, or for users whose only access to the Internet and email was taken down by the issue. In many cases, large organizations with a significant XP SP3 install base saw hundreds of systems taken down that required manual visits. Stories such as this comment posted in response to his letter tell a story of woe. "Our team of 10 technicians worked for over 24 hour straight to touch all 1200+ machines by hand in order to assure our patients safety and our continued operations."

For an organization, that's a cost that could reach into thousands, if not tens of thousands of dollars in staff time alone. Lost productivity for offline machines could total far more. What will McAfee offer to heavily affected corporate customers? We'll likely know in the next week or so. Until then, security professionals and IT support staff can only point their management to McAfee's apology, and decide how they can best update their business practices to avoid update issues without compromising quick response.

Perhaps more interestingly, as our industry starts to ponder whether whitelisting is the way to go, we should consider what a bad update to a whitelist could do to our organizations. The risk model is much the same - so the question will remain: do we trust our vendors' QA processes and update release methodologies?

Friday, April 23, 2010

What The Theft Of Google's Gaia Code Means To You

The New York Times recently reported that the attacks against Google late last year netted the source code to Google's single sign on systems, Gaia. The danger that the Times mentions and then dismisses - that the hackers would insert a back door into Gaia - truly is unlikely. Instead, the greater danger is that exposed source code will allow a deeper analysis of potential flaws in the code. If the multi-site single sign on code does have flaws that can be leveraged, this could mean that the advantages of Google's spreading multi-site single sign on are also a major security hole.

The most interesting part of the article is how targeted the attacks were:

"the intruders seemed to have precise intelligence about the names of the Gaia software developers, and they first tried to access their work computers and then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored."
The level of sophistication of the attacks, and the targeting of Google's source code may point to a far more intelligent and dangerous attack than we in the security industry are used to, even with the advanced persistent threats that are becoming more common.

The question: What comes next?

Thursday, April 22, 2010

McAfee's DAT Debacle: When Your Security Software Causes Harm

On Wednesday, April 21st, McAfee's 5958 DAT file (McAfee's virus definitions file) was released with a bad detect for the w32/wecorl.a virus. This inadvertently detected svchost.exe on Windows XP machines as an infected process, and VirusScan took its normal actions - either quarantine or deletion in most cases. Per McAfee's description of the problem, this was a heuristics issue that only showed when deployed - which should make you wonder about how their testing is done.

At 12:05 PM, EST, McAfee sent out an urgent email stating:

"McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1). McAfee advises NOT to download this DAT. Please disable pull tasks and update tasks.

Information updates will be sent every 90 minutes to keep you advised."

Administrators who quickly pulled the DAT using ePO were somewhat protected, as only those systems that had checked in since the DAT release were affected. Those users who did not update while the bad DAT was available were similarly safe. In many organizations that use McAfee's ePolicy Orchestrator (ePO) management tool, pulling the DAT was reasonably easy. For those that do direct updates, it would not have been as simple, and in either case, many systems did update with the bad DAT during the time it was available.

For enterprise users, this meant that any machine that received the DAT before McAfee's 12:05 EST email was likely taken offline. If the system rebooted, it would typically no longer have a working network connection, and thus could not be remotely repaired. Symptoms included blue screens and DCOM errors, as well as shutdown messages.

Less than 90 minutes later - as promised, McAfee sent out a second email with more detail, citing XP Service Pack 3 systems as problems, and noting that the DAT had been removed. In addition, it provided links to McAfee's knowledgebase which, unfortunately, was already starting to perform poorly under the load.

An extra.dat (McAfee's name for off-cycle, non-mainstream update files) was made available shortly after this, with a general email via SNS coming out just before 4 PM EST. The email provided more detail on an issues page for the DAT.

At 8:40 PM, EST, McAfee published both a recommended and an alternate remediation procedure for the DAT created issues. These procedures were included on the issues page, making it an easy central reference.

In total, less than 9 hours had elapsed. A total number of affected machines worldwide is unlikely to be released, but my own experience indicates that the number is likely quite sizable. For most organizations, today has been a day of remediation, often by hand, as machines that rebooted were unable to be accessed remotely with their networking broken.

One of the biggest lessons learned is that McAfee's reasonably new SNS notification service is a must-subscribe for McAfee users and admins. Another is that ePO can greatly increase your chances of getting in front of a widespread update issue given sufficient notice.

For McAfee, the lessons will not be easily forgotten - better testing, among other practices, is likely to be on their list. It is equally obvious that McAfee did learn a lesson from the infamous DAT that detected Microsoft Office files as infected, and their 90 minute notifications and quick response clearly show that.

Will this change how your organization views antivirus updates? Is immediate deployment worth the danger? I'm sure I will be having serious discussions with local PC support staff about the relative risks of a 24 hour delay against the possibility of a bad DAT - and I'm not sure I have as concrete an answer as I would have had a week ago, particularly in light of the increasingly high percentage of malware that evades mainstream AV.

Friday, April 9, 2010

SteadyState - Not Available for Windows 7

According to Windows Secrets, Microsoft has opted not to port its Windows SteadyState lockdown and security package to Windows 7. The free tool itself is used in many libraries, as well as in computer labs and for public access kiosks.

For those who use SteadyState, a number of alternatives exist, with Deep Freeze being the most popular in my experience. The cost of Microsoft discontinuing SteadyState may be a relatively small incremental cost for smaller institutions - according to Faronics website, a $30 or so per system cost, but larger scale licensing can have a real impact on non-profits and public institutions like those libraries which are already fighting tight budgets.

(note: edited 4/9/2010 - Microsoft has opted NOT to port SteadyState).

Thursday, April 8, 2010

The (ISC)2 Takes the CSSLP To Computer Based Testing

The (ISC)2 has joined the ranks of security certification organizations in allowing computer based testing for its exams. The CSSLP is the first, as described by the (ISC)2 in the email quoted below:

"(ISC)2 today announced the availability of computer-based exams for its Certified Secure Software Lifecycle Professional (CSSLP) credential. The CSSLP is the first (ISC)2 certification exam to make the transition from paper-and-pencil delivery. Computer-based testing for (ISC)2's other credential exams will be phased in over the next three years."
Moving the CSSLP and other certification tests from a large scale pencil and paper exam to a computer-based format isn't a huge change, but it should make the testing process more approachable for many. Why it will take three years is a better question - computer-based delivery should actually make the tests easier to maintain, and it should make the (ISC)2's exam creation process and question randomization far simpler.

Friday, March 26, 2010

iPhone Security: SMS Database Owned in Seconds

The exploit, which was demonstrated at the Pwn2Own contest at CanSecWest and runs as the non-root user named "mobile", is able to access SMS data, including previously deleted messages, according to ZDNet. The exploit relies on chained return-into-libc, a reasonably common buffer overflow technique.

The data that could be stolen by attacking Safari includes the phone contact list, the email database, photographs and iTunes music files.

Apple is sure to release a patch soon, but the underlying issues with code signing and stack protection are likely to remain. The important question is whether Apple will fix their approach to stack protection and will further lock down the access provided to their browser user.

Thursday, March 25, 2010

Followup: GIAC Certificate Renewals

I recently posted about GIAC's new renewal process, and inquired with SANS about how the renewal tracking would work. Here's their answer:

"SANS training no earlier than two years prior to your certification expiration date is eligible for CMUs toward your certification renewal. Once you register and pay for your renewal, you will need to fill out the Submission Form and fax it to 866-627-6387 for review."

Hopefully SANS will follow in the footsteps of their peers as they work with this process, and will automatically count SANS courses toward a rolling renewal total.

Tuesday, March 23, 2010

Snort ACID MySQL Database maintenance...

I've recently inherited a Snort installation that uses MySQL/ACID/BASE and had run itself out of room on the root partition where everything was stored. After some emergency resuscitation of the LVM, I set out to create a few MySQL statements that remove data older than X days. These commands can be run from the mysql command line (in order), replacing X with the number of days you want to keep:

-- Purge events older than X days (X = number of days to keep). The event table's
-- timestamp column drives retention; the statements that follow remove the rows in
-- the supporting tables that no longer have a matching (sid,cid) in event.
DELETE FROM event WHERE timestamp < DATE_SUB(NOW(), INTERVAL X DAY);
DELETE FROM data USING data LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM iphdr USING iphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM icmphdr USING icmphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM tcphdr USING tcphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM udphdr USING udphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM opt USING opt LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM acid_event USING acid_event LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
-- acid_ag_alert keys its rows as ag_sid/ag_cid, so it needs an explicit ON clause.
DELETE FROM ag USING acid_ag_alert AS ag LEFT OUTER JOIN event AS e ON ag.ag_sid=e.sid AND ag.ag_cid=e.cid WHERE e.sid IS NULL;
-- Reclaim the space freed by the deletes.
OPTIMIZE TABLE event, data, iphdr, icmphdr, tcphdr, udphdr, opt, acid_event, acid_ag_alert;

Of course if you want to automate this you can place these commands and any others you need to execute (such as archiving the database first) in a script and use the ".my.cnf" mysql configuration file to store your user/database information. Don't forget to secure the preferences file!
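Here is one way to script the job, as an added example rather than anything from the post or the Snort/ACID projects. It assumes the database is named snort, that ~/.my.cnf holds the user and password, and that the event table has the timestamp column the Snort schema defines. The retention value is spliced into SQL, so the script only accepts a positive integer for it, and it refuses to run at all unless the credentials file is readable by its owner alone, which is the "secure the preferences file" step above turned into a check.

```shell
#!/bin/sh
# Prune a Snort/ACID MySQL database to the last N days, archiving first.
# Usage: snort-prune.sh run 30      (database name and paths are assumptions)

DB="${SNORT_DB:-snort}"
MYCNF="${MYCNF:-$HOME/.my.cnf}"

# Accept only a positive integer: the value ends up inside a SQL statement,
# so anything looser would let a stray argument alter the query.
is_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0)           return 1 ;;
        *)           return 0 ;;
    esac
}

# Emit the retention SQL. Events older than $1 days go first; the remaining
# statements drop rows in the supporting tables whose event is now gone.
snort_prune_sql() {
    days="$1"
    is_days "$days" || { echo "usage: snort_prune_sql <days>" >&2; return 1; }
    cat <<EOF
DELETE FROM event WHERE timestamp < DATE_SUB(NOW(), INTERVAL $days DAY);
DELETE FROM data USING data LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM iphdr USING iphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM icmphdr USING icmphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM tcphdr USING tcphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM udphdr USING udphdr LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM opt USING opt LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM acid_event USING acid_event LEFT OUTER JOIN event USING (sid,cid) WHERE event.sid IS NULL;
DELETE FROM ag USING acid_ag_alert AS ag LEFT OUTER JOIN event AS e ON ag.ag_sid=e.sid AND ag.ag_cid=e.cid WHERE e.sid IS NULL;
OPTIMIZE TABLE event, data, iphdr, icmphdr, tcphdr, udphdr, opt, acid_event, acid_ag_alert;
EOF
}

# The credentials file holds a password; insist that group and other have no
# bits set (columns 5-10 of an ls -l line) before using it.
mycnf_is_private() {
    f="${1:-$MYCNF}"
    [ -f "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Archive the database, then prune. Exits non-zero on any failure so a cron
# job surfaces the problem instead of silently deleting nothing.
main() {
    days="$1"
    mycnf_is_private || { echo "refusing: $MYCNF must be mode 0600" >&2; exit 1; }
    mysqldump --defaults-file="$MYCNF" "$DB" | gzip > "$DB-$(date +%F).sql.gz" || exit 1
    snort_prune_sql "$days" | mysql --defaults-file="$MYCNF" "$DB"
}

# Only act when explicitly told to, so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    main "$2"
fi
```

Run it from cron as snort-prune.sh run 30 once you are satisfied with the archive location; the sanity checks cost nothing and will catch the day someone copies .my.cnf around with the wrong permissions.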

Have you got any suggestions to make this better? Leave a comment on how you maintain the Snort data - and play some golf with the commands.

Monday, March 22, 2010

Dealnews Ad Feed Hit With Malware

On March 19th, an ad served by Dealnews' third party ad service started distributing FakeAV malware. Dealnews' response is below:

"Updated: An ad served from a major third-party ad server generated "virus warnings" when those ads were viewed on dealnews, as several readers found. The ad has been disabled, eliminating any threat. In at least some cases, the ad attempted to download an ".exe" file and execute it, which is what caused the virus warnings. If you visited dealnews since Friday, use a Windows PC, and are concerned about this possibility, we suggest that you run an anti-virus check. We apologize profusely for any inconvenience.

We are deeply troubled by even the possibility that any of our readers' computers could be affected, and we're working hard to put processes in place to prevent such incidents from happening in the future. Thank you to the readers who alerted us of the warning from their antivirus software."

Until ad networks vet code more thoroughly, users will have to continue to protect themselves by using NoScript, a sandbox program, or through some other method of protecting their browser from attacks. The slow update cycles for browser plugins continues to make them a threat for most users.

Wednesday, March 17, 2010

New GIAC Certification Maintenance Process - Keep your GIAC cert without retesting

SANS is moving their GIAC certification maintenance to a model closer to that used by (ISC)2. The options are now either a re-certification exam or a "Certification Maintenance Unit" (CMU) approach requiring 36 CMUs over a 4 year period. The renewal cost - $399 - is still required, although additional certifications that expire within the next two years are renewed at half cost.

The main options are course based CMUs and GIAC Gold papers, although the standard certification exam remains an option, and a number of smaller CMU count secondary activities are available.

In brief:

  • Retaking and passing the test is worth 36 CMUs
  • A GIAC gold paper is worth 36 CMUs
  • A completed 6 day SANS or "qualifying non-SANS" course is worth 36 CMUs
  • A 1 day course is worth 6 CMUs.
  • Documented work experience is worth 12 CMUs
  • GIAC or SANS community participation is worth 6 CMUs
If you have a SANS certification, this is an attractive option - you'd pay the same for the test, and can likely complete enough coursework over four years to finish 36 CMUs. Will these requirements keep GIAC certification holders up to par? Only time will tell.

I've queried SANS about how they're tracking existing training during the past 4 years for those who have pending renewals, and if they will provide a tracking mechanism like (ISC)2 does for CISSP holders, and I'll post their response.

Friday, March 12, 2010

Why Stopping Modern Malware Isn't Working - Fighting Torpig, Sinoval, and Mebroot

Those of us who have been in the IT world for a while recall when viruses were transferred by floppy disks, creating infection patterns that could be easily handled by simply cleaning up a lab or a small group of friends who used the same PCs. Over time, we became used to network based infections as Code Red and Nimda hit our networks.

Since then, we've seen far fewer heavy hitting worms as our systems and our networks have been armored against such exploits. Over the past few years, we've begun to see a transition to malware that relies on users to spread. This malware, such as the broad family of Fake AV products, requires a user to click and is usually aimed at the user themselves. Fake AV, for example, typically seeks to get users to provide their credit card number to remove the fake malware it lists.

Nastier malware is out there, however. Mebroot, a particularly nasty specimen, is often the first step in a hard to handle infection. Mebroot is often spread through web based ad networks - so called "drive-by downloads" or "drive-by infections" targeting browser plugin and browser vulnerabilities. Once there, it injects itself into the PC's master boot record. As F-Secure puts it, "In the competition between rootkits and rootkit detectors, the first to execute has the upper hand."

Once Mebroot is on a system, Torpig, a botnet client often follows. Torpig, like Mebroot, comes in many flavors, but most attempt to steal user credentials, credit card information, and bank account details, which they send to central servers. One group of researchers observed 70 GB of stolen data in a 10 day exercise conducted against a Torpig botnet. The same researchers observed 180,000 infections during that time.

The Torpig botnet is well protected - it uses domain flux to keep the controller nodes moving, and when paired with a Mebroot infection, Torpig itself can be both very hard to find, and extremely hard to remove. Thus far, my own work with it has shown that manual capture and analysis of the MBR using tools like Virustotal and Norman Sandbox is somewhat successful, although the quick changes that the malware authors make mean that most mainstream antivirus is useless, and the more targeted tools like GMER can't always keep up.
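The manual MBR capture mentioned above is easy to make repeatable. The script below is an added example, not something from the post or from the tools it names: it copies sector 0 of a disk (or of a disk image), checks that the copy carries the 0x55AA boot signature an MBR should end with, and hashes it so the value can be looked up on VirusTotal or compared against a baseline recorded while the machine was known clean. Device paths and the baseline hash are assumptions you supply.

```shell
#!/bin/sh
# Capture and hash a disk's master boot record for comparison or submission.
# Usage: mbr-check.sh check /dev/sda [baseline-sha256]   (paths are assumptions)

# Copy sector 0 (512 bytes) of SRC into OUT. SRC may be a block device such as
# /dev/sda or a disk image file, as in the test for this block.
capture_mbr() {
    src="$1"; out="$2"
    dd if="$src" of="$out" bs=512 count=1 2>/dev/null || return 1
    [ "$(wc -c < "$out" | tr -d ' ')" -eq 512 ]
}

# A real MBR ends with the boot signature 0x55 0xAA at offsets 510-511.
# Its absence means the capture is not a boot sector and should not be trusted.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print the SHA-256 of the captured sector; this is the value to search for on
# a scanning service or to record as the baseline for a clean machine.
mbr_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare a capture against the baseline hash. An MBR that changed on a
# machine that was not repartitioned and did not have its bootloader
# reinstalled is exactly the symptom a Mebroot-style infection produces.
mbr_matches_baseline() {
    [ "$(mbr_sha256 "$1")" = "$2" ]
}

if [ "${1:-}" = "check" ]; then
    out=$(mktemp)
    capture_mbr "$2" "$out" || { echo "capture of $2 failed" >&2; exit 1; }
    mbr_signature_ok "$out" || echo "warning: no 0x55AA boot signature in capture" >&2
    echo "sha256: $(mbr_sha256 "$out")"
    if [ -n "${3:-}" ]; then
        if mbr_matches_baseline "$out" "$3"; then
            echo "MBR matches baseline"
        else
            echo "MBR DIFFERS from baseline"
            exit 2
        fi
    fi
    rm -f "$out"
fi
```

Capturing from a live, possibly infected system is still subject to the "first to execute has the upper hand" problem the F-Secure quote describes, so for a machine you truly suspect, take the capture from a boot disk or by imaging the drive and hashing the image's first sector.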

There's not a silver bullet for these infections yet, other than running an OS that is not targeted by the malware. Thus, MacOS and Linux users remain safe, although that may change over time. If you're stuck in a Windows environment, particularly if you're using Windows XP, you're in much greater danger. Those users running Windows Vista and Windows 7 are likely to have a better chance of avoiding infection thanks to UAC.

For those looking for a solution, sandbox technologies like Sandboxie may be a good option. As always, patching your browser and all of its plugins is still a reasonable best practice, but many plugins have unpatched holes for weeks or months at a time.

In the meantime, show your senior management this New Zealand Herald article - it provides one of the better mainstream media writeups I've seen.

Thursday, March 11, 2010

Battery Chargers and Trojans, Oh My!

Energizer recently confirmed the existence of a vulnerability in the charging status software provided with their Duo Charger. The software was found to contain a back door called "Arucer.dll", which is a remote access Trojan. This trojan is set to autorun, and will request a firewall exception when it runs.

US-CERT provides full detail, including removal and cleanup information.

This is another great reason to periodically run a report of the firewall exceptions allowed in your organization (using SMS or another tool), if they're allowed at all.

Thursday, March 4, 2010

How Not To Destroy a Flash Drive..and How To

The Smoking Gun describes a recent incident in which a New York city man under investigation by the Secret Service for ATM skimming "grabbed Subject Flash Drive 2, which had been on his person at the time of his arrest, and swallowed". Unfortunately for the subject, after four days had passed without the reappearance of the flash drive, it was surgically removed.

The article does not note whether the data on the drive was recoverable, but the list of other evidence indicates that this probably just added another charge to the accused's list of charges.

If you actually do want to erase a thumbdrive, your best bets are:

  • Eraser for Windows
  • Disk Utility for MacOS
  • DBAN, if you're careful to only wipe the device you mean to, or a simple command line for Linux: dd if=/dev/zero of=/dev/yourdevice bs=1M (you can also use /dev/urandom as the input to fill the drive with random data, and can adjust the block size for speed)
If you're more interested in destruction, most of the typical processes used to physically destroy hardware work, from a hammer to an appropriately powerful shredder. Remember that flash drives are not magnetic media, and that your degausser won't do you any good.
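The dd one-liner above is where people zero the wrong disk. As an added example (not from the post), here are the two guard checks I would wrap around it on Linux: the kernel's removable flag in sysfs, which a USB stick sets and a fixed disk does not, and a look at the mount table so a mounted device is refused. The device names, the sysfs and mounts paths (overridable so the checks can be exercised against a fake tree) and the block size are assumptions.

```shell
#!/bin/sh
# Zero or randomize a USB stick with dd, but only after sanity checks.
# Usage: wipe-stick.sh wipe /dev/sdb [zero|random]   (device name is an assumption)

SYSFS="${SYSFS:-/sys}"            # overridable for testing against a fake tree
MOUNTS="${MOUNTS:-/proc/mounts}"

# The kernel exposes hot-pluggable devices with removable=1; a fixed disk reads 0.
is_removable() {
    name=$(basename "$1")         # /dev/sdb -> sdb
    [ "$(cat "$SYSFS/block/$name/removable" 2>/dev/null)" = "1" ]
}

# True if the device or any partition on it (/dev/sdb1, ...) is in the mount table.
is_mounted() {
    grep -q "^$1" "$MOUNTS"
}

# Both checks must pass; each failure says why so the operator can fix it.
wipe_ok() {
    dev="$1"
    is_removable "$dev" || { echo "$dev is not flagged removable; refusing" >&2; return 1; }
    if is_mounted "$dev"; then echo "$dev is mounted; unmount it first" >&2; return 1; fi
    return 0
}

# Overwrite the whole device. dd stops with "No space left on device" when it
# reaches the end, which is the expected outcome here, so its status is ignored
# and the final sync reports success.
wipe_device() {
    dev="$1"; src="${2:-zero}"
    wipe_ok "$dev" || return 1
    case "$src" in
        zero)   in=/dev/zero ;;
        random) in=/dev/urandom ;;
        *) echo "source must be zero or random" >&2; return 1 ;;
    esac
    dd if="$in" of="$dev" bs=1M 2>/dev/null
    sync
}

if [ "${1:-}" = "wipe" ]; then
    wipe_device "$2" "${3:-zero}"
fi
```

The removable flag is advisory (some USB-attached hard disks report 0, some internal card readers report 1), so it is a guard against the classic typo, not a substitute for reading the device name twice before pressing enter.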

Monday, March 1, 2010

When System Issues Look Like Malware...But Aren't

"My computer is typing to itself" - that's one of those lines that gets the attention of any IT person, and particularly gets a security analyst to sit up and pay attention.

Thus, when I heard those words, I headed down the hall to check out the system in question. It was definitely typing to itself. The system, a laptop, would fill in text wherever the cursor sat, and would open a search bar if no application was active. Left to its own devices, rather oracular sounding text like the following was appearing:

"The you know you are using the zone to the net and what it is a young man in a long line of you didn't know as soon the room will send you wish you sell and move the mean no longer be a U.N. own movie and more than one and one was injured when an E. and in an And move is not invite you to UNITA has not been a move that was a year in and was thrown in the sense that certainly room move on and down and was down there that are the men and women in the news and then an And you you and you end up in a bit of the moon and when you move in the middle of the yen is wrong in what"
It looked a bit like every chat session on the network was being dropped in fragmentary fashion into the applications that were open. What it didn't look like was malware. That meant that we could satisfy curiosity rather than pull out the event response process.

The usual tricks - disconnecting the network, disabling network devices, ensuring that no Bluetooth or IR activity was possible, and of course, removing the wireless USB keyboard and mouse had no effect. This was obviously coming from the local system.

The interesting thing is that the text reminded me of a text to speech program, but the user didn't use one - they did note that they had used one years ago, but not since, and that Office had been upgraded in the interim.

Keeping the room silent and saying easily distinguishable words did not result in matching - or even similar text. The result continued to look like this:

Rebooting the system made it stop...for a while. Dogbert may have had a point.

It has been a while since I was a full time desktop support person, so I enlisted the aid of a couple of senior user support folks in case there was something common that I hadn't dealt with before. The answers that came back could be paraphrased as "That's really weird" and "That does look like some sort of text to speech".

Further digging showed that yes, the system's built in microphone was on, and that it used an integrated sound driver. The microphone's gain was so high that it was generating significant amounts of data even in a completely silent room - and our source of oracular typing was found.

We disabled the microphone, and since then, the system has kept its literary attempts to itself. As for your friendly local security guy? Well, I had a good laugh - and I know where to find a good source of random when I need one.

Thursday, February 25, 2010

Microsoft's Global Criminal Compliance Handbook

Business Insider via Gizmodo reports on a Microsoft document describing Microsoft's contact details and processes for being served legal documents. The document sets expectations for response times, enumerates the online services it covers, and lists the data users provide to each service. An example is their XBox Live service, which records Gamertag, credit card number, phone number, first and last name with zip, the serial number of devices registered online, service request numbers, email account, and the IP history for the lifetime of the gamertag.

Yes, according to this document, XBox Live tracks every IP your gamertag has logged in from. Ever. That might surprise some XBox players, but shouldn't really surprise most security analysts.

The document fully describes the information retained about each service's users, their activities, and their content. Along with these, Microsoft offers sample language describing a records request, such as this: "Any and all website information for the [group requested] including content, images, member lists, and all IIS logs" for MSN Groups.

Finally, the document describes the legal process required to acquire this information.

This is an interesting read - take a look for yourself:
Microsoft Spy

Friday, February 19, 2010

The 2010 Higher Education Cybersecurity Summit

Indiana University will host the 2010 Higher Education Cybersecurity Summit on April 1st. The keynote speaker is Bruce Schneier, who is scheduled to give a talk titled "Security, Privacy, and the Generation Gap".

Of particular interest at this year's event are a panel on information privacy in higher ed and talks on PCI compliance, alongside discussion sessions.

I've attended and spoken at this conference in years past, and found it to be an enjoyable higher ed focused conference, as well as a great place to touch base with peers. If you're a higher education security staffer in Indiana, this is a great, short, local conference.

Crypto Cracking: RSA 768 Factored

When I cover cryptography for security professionals, I always discuss bad choices in cryptographic solutions: designing your own cryptosystem, choosing a bad mode, and of course, too short a key length. The good news is that scientists continue to pursue key cracks, providing great fodder for my teaching efforts.

The key length question in particular is interesting, as we continue to see longer and longer keys broken in widely used cryptosystems. The most recent hurdle to fall is RSA-768, a 768-bit modulus that was factored by an international team using the general number field sieve. The good news for those who have critical secrets encrypted with 768-bit keys is that this was a multi-year effort - we're not at the point where we can do commodity cracking of RSA keys of that length yet.

Interestingly, the effort required by these techniques grows far more slowly than the key length suggests: the Register article describes the next step up in key length as only "thousands" of times harder, much less than the raw increase in key size alone would indicate. This makes teaching students about key length trickier - but it also makes it important to explain why key length alone is not the only factor to consider.
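To put numbers on that scaling, here is an added example (not from the original post or the Register article) that evaluates the textbook heuristic cost of the general number field sieve and compares 768-bit and 1024-bit moduli. The choice of 1024 bits as the "next step" is my assumption, and the formula drops its o(1) term, so treat the outputs as order-of-magnitude estimates rather than predictions.

```python
import math

# Added example (not from the original post). It evaluates the standard
# heuristic running time of the general number field sieve,
#   L_N[1/3, (64/9)^(1/3)] = exp(((64/9)^(1/3) + o(1)) * (ln N)^(1/3) * (ln ln N)^(2/3)),
# with the o(1) term dropped. Absolute values are therefore rough; only the
# ratios between key sizes carry meaning, and even those are estimates.

GNFS_CONSTANT = (64 / 9) ** (1 / 3)


def gnfs_log_effort(bits: int) -> float:
    """Natural log of the heuristic GNFS cost for a modulus of `bits` bits."""
    ln_n = bits * math.log(2)  # ln N for an N just under 2**bits
    return GNFS_CONSTANT * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def gnfs_effort_ratio(from_bits: int, to_bits: int) -> float:
    """How many times harder factoring a `to_bits` modulus is than a `from_bits` one."""
    return math.exp(gnfs_log_effort(to_bits) - gnfs_log_effort(from_bits))


def doubling_per_bit_ratio(from_bits: int, to_bits: int) -> int:
    """The naive 'every extra bit doubles the work' intuition borrowed from symmetric keys."""
    return 2 ** (to_bits - from_bits)


def bits_for_effort_multiple(ref_bits: int, multiple: float) -> int:
    """Smallest modulus size whose GNFS cost is at least `multiple` times that of `ref_bits`."""
    target = gnfs_log_effort(ref_bits) + math.log(multiple)
    bits = ref_bits
    while gnfs_log_effort(bits) < target:
        bits += 1
    return bits


if __name__ == "__main__":
    print(f"GNFS ratio 768 -> 1024 bits: ~{gnfs_effort_ratio(768, 1024):.0f}x")
    print(f"Doubling-per-bit intuition:  2^256 = {doubling_per_bit_ratio(768, 1024):.2e}x")
    print(f"GNFS ratio 512 -> 768 bits:  ~{gnfs_effort_ratio(512, 768):.0f}x")
    print(f"Size a million times harder than 768 bits: {bits_for_effort_multiple(768, 1e6)} bits")
```

The 768 to 1024 ratio comes out around a thousand, consistent with the "thousands" quoted above, while the doubling-per-bit intuition would predict 2^256. That gap is the point worth teaching: factoring cost is sub-exponential in the modulus size, so a 256-bit increase in an RSA key buys nothing like what a 256-bit increase in a symmetric key would.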

Thursday, February 18, 2010

Flash Forensics: Bunnie Studios Analysis of SD cards

If you're a hardware geek, or simply a fan of the forensic process, "On Micro SD Cards" on the Bunnie Studios blog is a great read. A problem that started with a higher than normal failure rate in Chumby devices coming off the assembly line leads the author through SD card fingerprinting and analysis, and ends with a much deeper understanding of SD card fabbing and manufacturer design choices than most IT professionals would have.

Wednesday, February 17, 2010

Google Buzz Security, Part 1 - Follower Privacy

Part 1: Follower Privacy

If you're a Gmail user, you likely recently discovered that you now have a Google Buzz account. The new social networking platform automatically enrolls your contacts as followers of your posts, and you automatically follow theirs. For many users, this new functionality is more of a data leak than a welcome feature, and Google's opt-out, rather than opt-in, rollout is creating some discord.

The good news is that if you preferred that your contacts not be listed for others to see, the fix is quite simple, although rather well hidden.

First, navigate to your Buzz page using the left hand Google menu found in Gmail. You'll see a window that looks like this (note that these images are done using a sample account, and don't have followers).

Now click "Following people" near the bottom of the page next to Buzz. You'll see this menu:

Uncheck the box at the bottom labelled "Show the lists of people I'm following and people following me on my profile". You can also edit the list of who you are following here, which provides a great way to get rid of the old contacts Google likely added for you.

Friday, February 12, 2010

ATM Skimmers - Brian Krebs on advances in skimmers

Brian Krebs' Krebs on Security blog has a great slideshow of some of the more advanced ATM skimmers that have been found recently - well worth a look if you're interested in ATM security.

We've talked about ATM security before:

Thursday, February 11, 2010

Insecure As Designed: Logitech's Touch Mouse application

Logitech recently introduced a handy application that turns an iPhone into a Wi-Fi mouse and virtual keyboard. The TouchMouse app is free and has both Windows and MacOS clients, making it a neat way to control a home theater PC, or any other system you want to drive from across the room.

Unfortunately, it isn't an app that I can recommend to most users because it is insecure as designed. The first thing I noted after starting the app and linking it to a PC was that there was no authentication. Any TouchMouse user can connect to any other TouchMouse system that they can find.

That's bad enough with a mouse, but add the keyboard and you're in interesting territory: anyone who can reach the host can type on it. If the application had some form of authentication, even at the simple level of a Bluetooth bonding style code, my next step would have been to sniff the traffic between the devices to make sure that it was encrypted. Without any form of authentication, I stopped there. Some applications disqualify themselves right away...
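As an added illustration of the gap between the design described above and the kind of pairing the post asks for, here is a sketch in Python. It is not Logitech's code; the packet format, the nonces, the PBKDF2 iteration count and the six-digit code are all assumptions. It models the receiving host twice: once as shipped, executing whatever arrives, and once with a pairing-code handshake, a per-packet HMAC and a replay counter.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not Logitech's code: a toy model of a Wi-Fi remote-input
# receiver, first with no authentication and then with a pairing code.
# Packet layout, tag length, iteration count and the 6-digit code are assumed.

TAG_LEN = 32          # HMAC-SHA256 output length
PBKDF2_ITERS = 100_000


class OpenHost:
    """As designed: whatever arrives on the port is executed, from anyone."""

    def __init__(self) -> None:
        self.executed = []

    def receive(self, packet: bytes) -> bool:
        self.executed.append(packet.decode())
        return True


def derive_key(code: str, host_nonce: bytes, client_nonce: bytes) -> bytes:
    """Both sides derive the session key from the code shown on the host's screen."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), host_nonce + client_nonce, PBKDF2_ITERS)


def pairing_proof(key: bytes, host_nonce: bytes, client_nonce: bytes) -> bytes:
    """Client's proof that it derived the same key, bound to both nonces."""
    return hmac.new(key, b"pair" + host_nonce + client_nonce, hashlib.sha256).digest()


def packet_tag(key: bytes, counter: int, payload: bytes) -> bytes:
    """MAC over counter || payload, so neither can be altered or replayed."""
    return hmac.new(key, struct.pack(">Q", counter) + payload, hashlib.sha256).digest()


class PairedHost:
    """Hardened: commands are accepted only from a client that proved knowledge of the code."""

    def __init__(self, code: str) -> None:
        self.code = code                           # displayed on screen for the user to type
        self.host_nonce = secrets.token_bytes(16)  # sent to the client in the clear
        self.key = None
        self.last_counter = 0
        self.executed = []

    def pair(self, client_nonce: bytes, proof: bytes) -> bool:
        key = derive_key(self.code, self.host_nonce, client_nonce)
        if not hmac.compare_digest(pairing_proof(key, self.host_nonce, client_nonce), proof):
            return False
        self.key = key
        return True

    def receive(self, packet: bytes) -> bool:
        if self.key is None or len(packet) < 8 + TAG_LEN:
            return False
        counter = struct.unpack(">Q", packet[:8])[0]
        payload, tag = packet[8:-TAG_LEN], packet[-TAG_LEN:]
        if counter <= self.last_counter:           # replayed or out-of-order packet
            return False
        if not hmac.compare_digest(packet_tag(self.key, counter, payload), tag):
            return False
        self.last_counter = counter
        self.executed.append(payload.decode())
        return True


class Client:
    """The phone side: derives the same key from the code the user typed in."""

    def __init__(self, typed_code: str, host_nonce: bytes) -> None:
        self.client_nonce = secrets.token_bytes(16)
        self.key = derive_key(typed_code, host_nonce, self.client_nonce)
        self.proof = pairing_proof(self.key, host_nonce, self.client_nonce)
        self.counter = 0

    def send(self, command: str) -> bytes:
        self.counter += 1
        payload = command.encode()
        return struct.pack(">Q", self.counter) + payload + packet_tag(self.key, self.counter, payload)


def demo() -> dict:
    """Runs both designs against a legitimate phone, a stranger, a replay and a forgery."""
    open_host = OpenHost()
    stranger_runs_on_open_host = open_host.receive(b"KEY:cmd+q")

    host = PairedHost(code="483920")
    phone = Client("483920", host.host_nonce)
    stranger = Client("000000", host.host_nonce)   # guessed the code wrong
    stranger_paired = host.pair(stranger.client_nonce, stranger.proof)
    phone_paired = host.pair(phone.client_nonce, phone.proof)

    pkt = phone.send("KEY:a")
    accepted = host.receive(pkt)
    replay_accepted = host.receive(pkt)            # same packet sent again
    forged_accepted = host.receive(struct.pack(">Q", 99) + b"KEY:cmd+q" + bytes(TAG_LEN))
    return {
        "open_host_ran_stranger": stranger_runs_on_open_host,
        "stranger_paired": stranger_paired,
        "phone_paired": phone_paired,
        "accepted": accepted,
        "replay_accepted": replay_accepted,
        "forged_accepted": forged_accepted,
        "host_executed": host.executed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a reviewer would raise against even this version. A six-digit code is only about twenty bits, and both nonces and the proof cross the network in the clear, so anyone sniffing the pairing can brute-force the code offline; PBKDF2 slows that down but does not stop it, which is why real pairing uses a PAKE or a fresh one-time code with lockout. And the keystrokes themselves are still readable on the wire: this sketch gives you authentication and replay protection, which is the first gate the original app lacks, but the encryption check the post describes as its next step would still be needed.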

Thursday, January 28, 2010

Choosing a Security LiveCD in 2010

A few years ago security oriented live CDs were a dime a dozen, and it was simple to find one that fit your preferred usage models. A few years later, the rolls of the dead, discontinued, or just plain no longer updated include Auditor, Whax, Fire, Knoppix-STD, Local Area Security Linux, and many others.

Along the way, Helix, which a large number of people used went commercial, although at a quite reasonable price.

Now, if you want a good security distribution, your choices are a lot narrower. My default is BackTrack, which is used widely by groups including SANS.

More specialized tools like Ophcrack (a Windows password cracker) remain available, and can help fill out a security toolkit, but the days of huge numbers of distros appears to be over. Most of those that remain can be found linked by

Wednesday, January 27, 2010

Browser Fingerprinting Research: the EFF's Panopticlick

The EFF has introduced Panopticlick, a browser profiling tool that will tell you how unique your browser's fingerprint is. This gives you a good idea of how easily your browsing habits might be tracked based on how many other browsers look like yours.

Results are simple: you receive a rating, such as "one in 177 browsers have the same fingerprint as yours.", and you receive detail on how many pieces of information you disclose: "we estimate that your browser has a fingerprint that conveys 7.47 bits of identifying information".

This is accompanied by a table which describes your browser:

I'm looking forward to using this in my security training classes when I talk about fingerprinting, as user agent fingerprinting is something that can be more difficult to explain.
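Here is an added example, not the EFF's code, of how the two numbers Panopticlick reports relate to each other and why per-attribute figures don't simply add up. It runs over a small constructed population of browsers; the attribute values are made up for the illustration and are not Panopticlick data.

```python
import math

# Added example, not the EFF's code. A constructed population of 16 browsers,
# each described by four of the kinds of attributes Panopticlick collects.
# The values are invented; they are not statistics from Panopticlick.
POPULATION = [
    {"ua": "IE8/WinXP",       "tz": -300, "screen": "1024x768",  "plugins": "Flash,Java,WMP"},
    {"ua": "IE8/WinXP",       "tz": -300, "screen": "1024x768",  "plugins": "Flash,Java,WMP"},
    {"ua": "IE8/WinXP",       "tz": -300, "screen": "1024x768",  "plugins": "Flash,Java"},
    {"ua": "IE8/WinXP",       "tz": -300, "screen": "1280x800",  "plugins": "Flash,Java,WMP"},
    {"ua": "IE8/WinXP",       "tz": -360, "screen": "1024x768",  "plugins": "Flash,Java,WMP"},
    {"ua": "IE8/WinXP",       "tz": -360, "screen": "1024x768",  "plugins": "Flash,Java,WMP"},
    {"ua": "IE8/WinXP",       "tz": -360, "screen": "1024x768",  "plugins": "Flash"},
    {"ua": "IE8/WinXP",       "tz": 0,    "screen": "1024x768",  "plugins": "Flash,Java,WMP"},
    {"ua": "Firefox3.6/Win7", "tz": -300, "screen": "1280x800",  "plugins": "Flash,Java,WMP"},
    {"ua": "Firefox3.6/Win7", "tz": -300, "screen": "1280x800",  "plugins": "Flash,Java"},
    {"ua": "Firefox3.6/Win7", "tz": -300, "screen": "1024x768",  "plugins": "Flash,Java,WMP"},
    {"ua": "Firefox3.6/Win7", "tz": -360, "screen": "1920x1080", "plugins": "Flash"},
    {"ua": "Safari4/MacOS",   "tz": -300, "screen": "1280x800",  "plugins": "Flash,Java,QuickTime"},
    {"ua": "Safari4/MacOS",   "tz": -300, "screen": "1280x800",  "plugins": "Flash,Java,QuickTime"},
    {"ua": "Safari4/MacOS",   "tz": 0,    "screen": "1920x1080", "plugins": "Flash,Java,QuickTime"},
    {"ua": "Chrome4/Linux",   "tz": -300, "screen": "1024x768",  "plugins": "Flash"},
]
TARGET = POPULATION[0]   # the browser whose fingerprint we are scoring


def surprisal_bits(matches: int, total: int) -> float:
    """Information revealed by a value shared by `matches` of `total` browsers."""
    return math.log2(total / matches)


def bits_from_one_in(n: float) -> float:
    """Panopticlick's 'one in N browsers share your fingerprint' expressed in bits."""
    return math.log2(n)


def count_matches(target: dict, population: list, attrs: tuple) -> int:
    """Browsers in the population that agree with `target` on every attribute in `attrs`."""
    return sum(1 for b in population if all(b[a] == target[a] for a in attrs))


def attribute_bits(target: dict, population: list, attr: str) -> float:
    return surprisal_bits(count_matches(target, population, (attr,)), len(population))


def fingerprint_report(target: dict, population: list) -> dict:
    """Per-attribute bits, their naive sum, and the joint (true) fingerprint figures."""
    attrs = tuple(target)
    per_attr = {a: attribute_bits(target, population, a) for a in attrs}
    joint = count_matches(target, population, attrs)
    return {
        "per_attribute_bits": per_attr,
        "sum_of_parts": sum(per_attr.values()),
        "joint_bits": surprisal_bits(joint, len(population)),
        "one_in": len(population) / joint,
    }


if __name__ == "__main__":
    print(f"'one in 177' is {bits_from_one_in(177):.2f} bits")
    report = fingerprint_report(TARGET, POPULATION)
    for attr, bits in report["per_attribute_bits"].items():
        print(f"  {attr:8s} {bits:.2f} bits")
    print(f"sum of parts: {report['sum_of_parts']:.2f} bits")
    print(f"joint:        {report['joint_bits']:.2f} bits (one in {report['one_in']:.0f})")
```

The first line reproduces the relationship in the post: "one in 177" and 7.47 bits are the same statement, since 2^7.47 is about 177. The rest is the part students find hard: adding up the bits of each attribute overstates the fingerprint, because attributes correlate (in this population a Windows user agent already predicts the WMP plugin), so the honest figure is the joint count of browsers matching on everything at once, which is what Panopticlick measures.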

Monday, January 11, 2010

Malware Eye Charts Revisited

During last year's Conficker outbreaks, various Conficker "eye charts" were created to allow quick diagnosis of infected systems. UCLA has now made their DNS changer malware eye chart available.

This chart allows a quick check to see what DNS changes may have been made to your system by DNS changing malware. I think the eye chart concept is great for both technical and non-technical users, as it provides an easy way to quickly diagnose problems.

Thursday, January 7, 2010

Beyond Your Credit Report: My Money Blog and Free Identity Checkup Information

MyMoneyBlog is a well written, frequently updated financial blog that caters to personal finance enthusiasts. Their post today includes a lot of excellent information, starting with free credit report checks, then moving through ChexSystems, medical history, and insurance claims on houses and autos, as well as ChoicePoint tenant and employment history reports. All are free, and they'll help individuals understand how they appear in these frequently used data sources. I'm making a point of adding these to what I call my list of recommended identity checkup items.

An IT Vendor Checklist - Minimum Standards for IT Outsourcing

A co-worker keeps the following handy list of items to request from vendors during IT contract negotiations:

• Require that the vendor operate under a security model conformant to a standard such as ISO/IEC 27001, COBIT, or PCI DSS
• Require that the vendor disclose breaches that may materially affect the organization
• The vendor must permit the organization to audit and/or assess their operation, with reasonable advance notice
• They must escrow data, possibly in addition to code, in case of supplier insolvency
• And finally, they must destroy data upon termination of services

This short list is easy to hand off to project managers and departments looking for quick advice, and while it doesn't cover every situation, it helps make sure that contracts have reasonable language in them. It can also help spur discussions about why vendors might not be desirable partners.