December 31, 2003
The Crock^H^H^H^H^H Art of Intrusion
Information security professionals sometimes are looked upon as soothsayers of the digital divide. Typically the outside world cannot fathom what we do, and how we do it. There are many examples I can give you to illustrate this, but the point is that many times we are misunderstood.
Newer people to the infosec world love to try to use FUD (fear, uncertainty and doubt) to push their points home. This is normal, and it can be outgrown if the professional actually spends any real time in the field and realizes that information security is about mitigating risks, not eliminating them. The problem exists when these people get their "learning" from books written by witty hackers of the past.
If you are a Kevin Mitnick or Adrian Lamo fan, you probably are not going to want to read any further.
Still with me? Good.
The problem I speak of is wearing blinders and thinking modelling after self-professed crackers is a GOOD thing. These guys have actually stated that they had good intentions when they were breaching systems. They did it for curiosity sake and meant to cause no real damage. People like Lamo have had WorldCom, SecurityFocus and TechTV giving him praise for his efforts and promoting him as an expert. Mitnick has already written a book about his social engineering skills in The Art of Deception, regularly speaks at security conferences and has started his own company. Although I cannot deny these gentlemen have great skills, promoting yourself as an information security professional because you can relate to them is a CROCK.
Security is not a game. You will not become a respectable information security professional by 'doing a righteous hack' or simply reading a single book like Hacking Exposed or Mitnick's next one called The Art of Intrusion. Which gets me to the reason for my post.
The Register posted a good article about Mitnick calling out to the hacking community looking for good stories to add to his book on the art of intrusion. For $500, you too can be published. *snicker*
This is just dumb thinking. Profiling your attacker is one of the first logical steps when evaluating the threats you are susceptible to, and what risks you need to mitigate. What keeps me up late at night is not the nuisance from egotistical script kiddies that want glory in a book from Mitnick, or a few minutes on TechTV with Leo Laporte. It’s the professional hacker that is going to use these new blended threats we are seeing in the real world to cause real information theft or maybe terrorism on our critical infrastructure. It’s the insider attack from a disgruntled employee that will bring down an entire corporation to its knees, or perhaps destabilize parts of the economy. blah blah blah. You get my point.
You see the real hacker (evil intruder connotation here) isn’t going to tell you about his exploits. He doesn’t get caught. He treats the digital domain as a field of espionage and respects the boundaries that he plays in. (Although I use the term respect loosely here)
This is no better then the security vendors who offer money in contests to breach their new wiz-bang device. The reality is there is nothing wrong with vulnerability assessment, but this is not the way to go about it. A professional hacker isn’t going to waste his time breaching your system to gain a quick buck. If he has any real intent, it will be to make big money later if someone installs your new device in a real environment where the target is unaware, and has information resources worth something to the attacker. Typically this sort of ‘we are unhackable’ attitude comes from inexperienced vendors and professionals that are not seasoned in how the attack will work... and who will typically have very little real-world experience.
So what am I trying to say? Well, if you want to be an information security professional don’t model after these guys. Feel free to read and learn from some of their experiences, but put it into context. Misguided in their pursuits, what they did was ILLEGAL. It was UNETHICAL. And it was WRONG.
They used the guise of ‘curiosity’ to shield them from the very fact that they were TRESPASSING. The consequences of their actions had DAMAGING after effects to the target, if they knew it or not. There were REAL COSTS associated with having to deal with the cleanup of the incidents, and the time associated in the evaluation and analysis of what these attackers did. Worst of all, they continue to promote the action as something good for the security industry, when IT IS NOT.
There was a good analogy that Lawrence Walsh wrote about in a Information Security magazine article a few months back about Lamo that I thought was bang on:
You see an opulent house with many ornate windows and doors. Out of curiosity, you try to enter. By chance, you have a ladder and find an unlocked window on the second floor. From Lamo’s perspective, it’s completely acceptable to enter, rearrange the furniture and make a few long-distance phone calls, so long as you tell the owner how you did it.
That thinking is WRONG. They undermine everything an information security professional should stand for, and its right that they be prosecuted to the fullest extent of the law. I wouldn't put much faith in 'war stories' sought out with small amounts of money from the hacking community either. The quality of the information of the attack is just not there.
December 30, 2003
Secure Coding: Keep an eye on inputs
David Wheeler has another input validation article over at IBM looking at the how to find and secure the gateways into your programs.
This article discusses various ways data gets into your program, emphasizing how to deal appropriately with them; you might not even know about them all! It first discusses how to design your program to limit the ways data can get into your program, and how your design influences what is an input. It then discusses various input channels and what to do about them, including environment variables, files, file descriptors, the command line, the graphical user interface (GUI), network data, and miscellaneous inputs.
Security Testing with csUnit
Recently I have been wrestling with the idea of providing unit testing within our codebase. Wim has put up some good info pointers in his Miniwiki about automated unit testing, which included a link to csUnit, a C# unit testing framework.
Nick Smith wrote a good article on how to Write Unit Tests for C#, although he uses dotUnit, which is a .NET branch of JUnit, a unit testing framework for Java. It seems clean enough, but for some reason I like csUnit better. No real intellectual basis for this... just a feeling. Not sure why.
This DOES have me thinking about security tests in my .NET code though. There is no reason that these test harnesses cannot be retrofitted to supply security testing per method. I just am not sure I like how the 'extreme programming' community approach unit testing in this regard. I don't know how practical it is to write the tests BEFORE the code. I think it would be easier to write the initial security tests for each method once the method is written, so you know what to test for, and more importantly what the resiliency reaction should be in the face parameter validation, tainted data injection, state manipulation etc.
Another important tangent to this is trying to make this integrate across the project scope and build scripts. Unlike C, C# did not appear to have clear preprocessor directives, to ensure the tests are not compiled into the IL for production release builds. Scott originally thought using ConditionalAttributes would work out, and later found that there are tonnes of #if#else conditions and other C# preprocessor directives. Seems no one knows about them... but they ARE there. I love learning something new every day. Now if/when I implement this I can go write tonnes of C style DEBUG blocks around the testing framework.
What are other peoples experience with this? Anyone out there doing C# unit testing? Any focused on security testing?
December 29, 2003
The Eight Rules of Security
Recently I have found myself with the opportunity to continue my ambassadorial role as it comes to information security, and provide some teaching on the basics of security as it relates to business. As I sit here and reflect on just what should be covered in a span of 15 minutes to give the most in depth understanding, I realize that its not such a simple task. Traditionally, people look at the infosec field as something to do about firewalls and antivirus. They treat technology as THE solution, instead of simply the enabler. And it's this fallacy that weakens any security implementation. Security is a process, not a product... and should be treated as such. Through the security lifecycle, policy and procedure needs to take precedence over implementation. It's a bigger part of the circle for a reason.
Anyways, as I think about it more I realize that there are eight components of any good security decision. This isn't new, and has been covered off in writings from people like Kevin Day years ago. And it still applies today. What it comes down to is eight simple rules (commandments so to speak) of information security.
With these eight rules, you will be significantly more secure. Technology will fail. Accept it. With proper policies and procedures in place though, you significantly reduce the impact that it may have on your organization. You will find that riddled through each of the above rules, a common theme exists.... if you only followed one rule, let it be The Rule of Least Privilege. Using least privilege significantly reduces the damage that may be caused when exposed to risk. It contains suspect behaviour to the smallest set of actions and activities, and maintains the confidentiality, integrity and availability of the rest of the environment. And in the end... thats what we want to accomplish.
I do hope everyone is having a good holiday season. With Christmas now behind us and the 2004 before us, I do hope you are as excited as I am at the prospects of a joyous and prosperous New Year.
It has been nice getting away for the week to just enjoy the holidays. A nice dump of snow has graced our landscape, even if it was on boxing day.. and not actually a white Christmas. Christmas itself was great, with Santa being extra generous this year to me. I got a nice new 4x DVD burner, and the book that I wanted on computer espionage tactics and countermeasures.
Wishing you the very best in 2004!
December 24, 2003
Deploying ICF in Managed Environments with XPSP2
With XP SP2 beta now on MSDN, I guess its time to point out that there is an article released by Microsoft on deploying Internet Connection Firewall Settings for Microsoft® Windows® XP with Service Pack 2.
This article describes how to deploy the appropriate configuration settings for ICF on an organization network so that it is enabled and providing protection and so that communications are not impaired.
If you are looking to deploying the ICF in your organization now is a good time to start looking into how to do it with the enhancements of XPSP2.
Think of it as an early Christmas present from Microsoft to you.
This year I have been truly blessed, and I do hope you have been too. I would like to wish everyone a Merry Christmas, and a Happy New Year.
[Our Christmas Tree]
OpenSSL gains FIPS 140-2 Certification!
Way to go guys! GCN reports that NIST has approved the OpenSSL library of encryption algorithms for use on sensitive government networks.
The cryptographic module of OpenSSL has passed Federal Information Processing Standard 140-2 Level 1 tests. (FIPS 140-2).
This is great news. And its great to see open-source software get a thumbs up on the security end of things. If you don't understand why having FIPS is good, understand that it is an extensive external validation of the crypto used in the software. Check out the FIPS Standards to learn more about the validation process. If you want to understand the implications for OpenSSL, read the OSSI FIPS FAQ.
An In-Depth look Into Linux Security in 2003
Following up on the heels of my earlier post a few days ago on Windows security in 2003, HelpNet Security released an article called Reflecting On Linux Security In 2003, which talks about the state of affairs that is security on Linux in the last year.
This article wasn't of the same substance as the Windows one. It seems to be more of a he-said/she-said finger pointing article about Linux vs. Windows security than about Linux as a whole. However, there are some good points to reflect on if you take time to read between the lines. Patching is just as much an issue on Linux as it is Windows. High-profile breaches (such as the Debian project and the kernel tainted code injection attempt) shows Linux, and the Linux development process, as being just as fallable as other systems.
So what can you make of that? I dunno. Go read the article and make your own determination.
December 23, 2003
Make more Mistakes: Don't Fear Failure
More interesting writings from a CEO that is willing to admit he is not perfect. More importantly, he was willing to open up and talk about some of the boneheaded moves that he (...well most of us actually) have had to go through as we build our companies.
It's refreshing to see it published on MSDN, allowing other ISVs to benefit from Eric's experience. Along side some of his other great articles, this is great reading if you are building out as a ISV.
Veradys hires Dan Geer
I knew it wouldn't take long for Geer to get picked up. After Dan got fired from @stake for sounding off against Microsoft as a "national security threat" in the report "CyberSecurity: The Cost of Monopoly" (I talked about this document a while back), NetworkWorld Fusion reports that Veradys hired Dr. Geer as their chief scientist. A couple of interesting quotes from Dan on being fired from @stake:
Quote 1: "I was fired for saying the emperor is naked."
Of course, we need to remember this is coming from someone just fired, and openly admits that he is bitter at @stake. But its interesting to hear him finally comment on it.
NIST releases Guidelines for Mapping Types of Information and Information Systems to Security Categories
NIST has completed the first draft of Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The purpose of the draft guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199, which I talked about back in September.
The document comes in two volumes:
A goal of this document is to independently define the impact level, that is, determine the impact level without considering countermeasures or controls. If you wish to comment on the draft, NIST requests that you do so by February 20, 2004. You can send them an email at email@example.com
December 22, 2003
An In-Depth look Into Windows Security in 2003
HelpNet Security published a good article on the state of affairs that is security on Windows in the last year.
The article is interesting as it quotes people typically very critical of Microsoft as having a somewhat "pro-Microsoft" attitude as it relates to Microsoft's stance towards security in the past year.
Of course if you have been reading my blog over the last year, you will know I agree with them. Microsoft has a long way to gain our trust, but they are making the effort. And thats important. By the time they fully transform the campus into a completely security-minded company, Longhorn should be getting released, and we will finally see if Microsoft really got it right.
Until then, we will have to see how they do with XP SP2. With the beta now out... it shouldn't be to long before its released!
Winbeta.org even has some interesting screenshots:
This is an area that should be interesting to watch in the coming year. Microsoft could do a LOT to strengthen their security offering by adding the right tools here to monitor and maintain security policies across a Windows network. Time will tell if they start integrating things together.
December 21, 2003
Gain root on OSX by holding down CTRL-C
I haven't posted a lot recently on exploits / vulnerabilities since so many lists are doing a good job of that, its pretty redundant for me to do the same. However, today I just had to post this one, as it made me chuckle as I realized that Alan's PowerBook is mine :P
Security Tracker reports that if you have a USB keyboard and you hold CTRL-C during a boot/reboot it will cause "init" to fail and give you a shell. Of course, you have to have physical access to the box, and should thus consider the box suspect anyways if someone can plug in a USB keyboard and then perform the CTRL-C deed... but thats not the point.
There is a fix for it. I suggest if you run OSX, that you go get it.
Update: There is an article about this by the original reporter with step-by-step screenshots on compromising the box if you are interested.
MPx200: My next phone?
Well, I think I found the next phone I want. It is the MPx200. It is a Windows Smartphone in a slick clamshell, capable of also acting as a modem for my laptop through USB. This has some serious potential.
Things I like about this:
This I DON'T like about it:
There currently isn't any availability in Canada, but I seem to find a lot of people selling "unlock" codes to take care of that on Ebay. Apparently I can buy a locked phone and then get it uinlocked, but I am not sure how that works. Since its GSM, I just need to move my SIM card over and it should all work if its unlocked. Not entirely sure if thats true or not. Wish I knew. *sigh*
Of course, if I lived in the States I would snap this up. Especially since I can get the phone for free on Amazon.com if I get a plan with AT&T. Apparently Rogers AT&T in Canada has no affiliation with AT&T US, so I can't take advantage of that offer. Oh well.
So, if you happen to be looking in a cell store and see one of these things, check it out. You might be suprised how far cells have been coming lately.
Passive Surveillance with OnStar
Ok, well now that its in the news I can finally talk about this. Some people might remember about my talk a couple years ago on hijacking the original OnStar signal and be able to extract information about a motor vehicle, including complete vehicle diagnostics and the ability to unlock/disarm a vehicle. People freaked when I showed the data flowchart for the ignition kill routines. (Imagine driving on the highway and a hacker turning off you car. Not a pretty sight)
Most of this was fixed when GM launched the next version of it, which actually made SOME efforts to fix the lax security in the communication protocol. However, the one thing I didn't talk about much was the fact that deep within the OnStar system is a cell signal which OnStar can control... passively.
In other words, it is possible for OnStar to listen in on you covertly and without your knowledge at all... or a way to turn it off at will. Of course the FBI learned of this... and decided that this would make the best surveillance wiretap. And now that its out in public, I am informing you. Don't drive a car with OnStar if you are worried about being monitored by big brother.
Kinda makes me thankful I don't drive a GM.
December 19, 2003
Vulnerability Scanning with Nessus
What was more interesting was that they pointed out that there is now a commercial version for Windows called Newt.
Will have to check that out.
Gene Spafford on Linux vs Microsoft Security
On one of the secure coding mailing lists that I am on Gene Spafford made an interesting and quite funny post in regards to Linux vs Microsoft security (although I must admit originally the thread was open vs closed source security which doesn't just cover Linux).. I just have to share it with you:
Of course we have always heard these debates in OS flame wars, but for some reason the tail fin and french-fry oil made me chuckle.
Ken was smart enough to kill the thread before it got any more "heated", but alas... there is one serious and interesting point. Read spaf's last paragraph. I've been saying that for sometime now. That should be what Longhorn is about when it comes to security... if Microsoft does it right.
Time will tell on that bit.
December 18, 2003
Solaris 9 available free [for non-commercial use]
Sun has now released Solaris 9 for free download, allowing non-commercial use, on
December 17, 2003
Lord of the Rings:Return of the King
OMG. Warren, Alan, Andrea and myself took the afternoon to go see it. I won't spoil it for you.... just go see it.
GO SEE IT NOW!
Reducing the attack surface of Windows
Today Michael posted an excellent entry with tonnes of good links on ways to reduce the attack surface of a Windows machine. As a quick summary, here is a list of readings on the subject:
December 15, 2003
Checkpoint to acquire Zonelabs
What the heck is this, acquisition day? I go to meetings all day, come home late in the evening and find everyone is buying everyone else. *sigh*
If you haven't heard, apparently Checkpoint is buying Zonelabs for $205 Million. This is an interesting move. Checkpoint has been weak in the desktop arena, and this can signifcantly strengthen their offering... now extending to all endpoints in the network.
Good move Gil!
VMWare to be acquired!
OMG. Apparently EMC is buying VMWare for around $635 Million in cash. I hope they don't lose focus on the product. Its the best virtual emulator for doing kernel development testing on. Thank $DEITY for named pipes treated as virtual serial to use WinDbg +VMWare... its a GREAT combo that I use all the time.
OSX vs Windows Security
There has been a lot of debate about OSX vs Windows security, with the most recent being a strong article from PC Magazine criticizing OSX security. Today there was a great rebuttal by Richard Forno which you should check out.
I am never into finger pointing (and Richard has his own issues in his rebuttal... I could criticize, but I am not your average Windows user :) ), but this is getting to be an interesting thread. You should check it out.
Cultural differences between Unix and Windows programmers
Joel posted an excellent article entitled "Biculturalism", in which he discusses the cultural differences between Unix programmers and Windows programmers. Being that I come from both backgrounds, I can seriously relate to this, and appreciated the insight.
I found this quote interesting:
There are many details and subtleties, but for the most part it comes down to one thing: Unix culture values code which is useful to other programmers, while Windows culture values code which is useful to non-programmers.
You will need to read the article to see what thats about. :)
December 14, 2003
Developing Software in Visual Studio .NET with Non-Administrative Privileges
I know most of you have already read my really simple CodeProject article on Secure Coding Practices: Running with Least Privileges in Windows, but I came across a more focused article published on MSDN recently.
Lars Bergstrom wrote a good article entitled "Developing Software in Visual Studio .NET with Non-Administrative Privileges" which I think you should read. It covers off everything I discussed and goes further to assist beyond the code development cycle.
Eau Claire: Finding potential security breaches in C
Today Brian Chess posted some interesting information about extended static checking to find common types of security vulnerablities in real C programs. The tool, called Eau Claire, looks for common types of security vulnerabilities such as buffer overflows, race conditions and format string vulnerabilities.
Although Brian admits it is not a program verifier, it looks like a pretty good tool to add as part of your QA process as it relates to static checking. I will have to look into this some more when I have some free time. I think that my verifier tools I already use do all this, but it never hurts to add more tests!
December 11, 2003
Bill Gates To Speak at RSA Conference
Wow, does Bill Gates have guts. Infoworld reports that Bill will be a keynote speaker at the next RSA conference in February.
I would really like to be there to see that. I would like to hear what he has to say. Pete Lindstrom said it best when he said:
Clearly, Microsoft is stepping up to the plate. It shows intestinal fortitude for Bill Gates to stand in front of an audience of academics and security experts and tell his story. But I'm more interested in the reaction of the crowd and whether they will be receptive than that he's giving the keynote.Me too. Good luck Bill!
Microsoft Security Newsletter
It seems Microsoft published its first Security Newsletter today.
And you know what, its an online newsletter actually worth reading. (I can't believe I am saying that... I hate online newsletters that do nothing but self-promote themselves and have no useful information)
DoS Web Service with a Single Packet
Just saw on Bugtraq that you can send a specially crafted SOAP packet that has a modified DTD in it to a Web Service and the XML parser will cause the CPU load to remain at 100% for as long as the process keeps running. Another effect is that memory (hundreds of megabytes) could not be freed, even after the CPU came down from the high load. In some cases, the parser returns an out of memory error after some time.
Nothing like a single packet to DoS your machine. *sigh*
There is a fix for it. Microsoft has released an update to the .NET Framework that fixes this. It is documented in KnowledgeBase article 826231, but this article isn't actually online yet.
December 10, 2003
ACL Security Management in C#
Ok, so I had a need today to do some serious access control work in C# and decided to google the early morning away trying to figure out how to work with security descriptors in C#. Not much luck. I get to a point that I decide I will need to use the system APIs that are available in C.
So I take the entire day and port all the SDDL, ACE and ACL stuff over from C into C#, marshalling all required functions to P/Invoke nice and pretty like.
I rip my hair out while I try to map the SECURITY_DESCRIPTOR struct correctly, and get it all working in about 8 hours. I am impressed with myself. Works great on checking DACL on a file. Then hell breaks loose. The world comes to a halt when for some reason I can't WRITE to the DACL. Ok, I spend more time googling to see if I can find the answer.
So what do I find after another hour of googling? That Renaud Paquay, a Microsoft employee that is active on gotdotnet.com has already fully ported all I want in the Microsoft.Win32.Security namespace. 10 minutes after downloading the source, not only is everything working, but I have access to even more features then my own port.
Arggggggggg!!! Gotta write today up as a learning experience with marshalling and P/Invoke, as it was a totally unproductive day otherwise. Then again... I do now have wicked access control in my latest app. On the fly DACL manipulation, oh ya baby.
So, if you are writing code in C# and need access to the Windows security APIs, check out Renaud's port.
December 09, 2003
Online version of Handbook of Applied Cryptography
I was recently responding to a comment on my blog about crypto and pointed out that the "Handbook of Applied Cryptography" covered the topic quite well. I just received two different emails from people asking me about the book, and how it rates against Bruce's Applied Cryptography. Well, I am a fan of Bruce's writing, so I am biased, and will refrain from commenting on the fact YOU SHOULD OWN BOTH BOOKS.
However, why don't you go read the online version of Handbook of Applied Cryptography and see for yourself?
Analyzing Your Applications with Windows Application Verifier
AppVerifier watches your application when it is running and monitors its behavior by intercepting certain API calls. Sitting between your application and the operating system, it has the ability to verify an application's behavior by checking the parameters passed to API functions, injecting erroneous inputs to test the application's ability to recover from errors, logging changes to the registry and file system, and doing other API-level sanity checks.
That is so kewl. I am disappointed I didn't know this tool even existed. A note to Microsoft if you are listening.... please document these sort of tools more so we can use them! I would have added this to my QA process over a year ago, had I known.
Forensic Analysis of a Compromised Linux Harddisk
Spent some time tonight at the local University doing a presentation for the LUG about forensic investigation, and how to use common Linux tools available through Knoppix-STD to do an analysis of a compromised harddisk. I promised I would put the presentation online, so here it is.
The cavet is that as I look over the presentation, I notice much of it is useless if you were not there for the live demo. Seeing a listing of steps to take and tools to use isn't as good as actually seeing me use it to do an analysis right there in front of you. Recovering deleted data directly from the lost inodes and tracing the attack sequence is kinda hard unless you know HOW to use the tools. I'm sorry I didn't think about that sooner and screenshot it or something. Oh well... hopefully you will still get some use from it.
December 08, 2003
Password cracking using TeraFLOP and PetaByte Resources
Now here is an interesting paper on Teracrack. Basically they have examined the use of applying High-Performance Computing (HPC) resources such as parallel supercomputers to pre-compute and store crypt() based passwords that would be found using bruteforce cracking tools.
I love some of the findings:
Using the Blue Horizon supercomputer at the San Diego Supercomputer Center, we found that pre-computing the 207 Billion hashes for over 50 million passwords can be done in about 80 minutes. Further, this result shows that for about $10K anyone should be able to do the same in a few months time, using one uni-processor machine.
Now for all you beowulf cluster fans... here is another project for ya. :)
.NET Code Correctness with FxCop
Microsoft has released an interesting MSDN TV issue in which Michael Murray and Jeffrey Van Gogh from the CLR Team describe FxCop, the freely-available code analysis tool from Microsoft.
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and callgraph analysis to inspect assemblies for more than 200 defects in the following areas: naming conventions, library design, localization, security, and performance. FxCop includes both GUI and command line versions of the tool, as well as an SDK to create your own rules.
The FXCops team even has their own blog if you want to learn more. From the 12 minute video, it sounds like a pretty good tool. I will have to check it out when I have a few moments.
December 06, 2003
The fallability of Man: Misguided trust in Encryption
When Bruce Schneier published Applied Cryptography back in the middle of the 1990's (1995 or 1996 I believe) my world changed. There was a fundamental resource book I could turn to that properly documented cryptography and allowed me to take advantage of encryption to store my secrets programatically. You know the ones, how to best pour a Guinness, and how to take over the world. Some even said it was the book the NSA didn't want published. Bruce was even quoted to have said that "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.".
In 2000, Bruce stunned the world in the preface of Secret & Lies, when he stated that the new book was partially written to correct a mistake he made in Applied Cryptography... that he erroneously talked about cryptography as if it was "The Answer" without putting it into context. He even admitted he was naive about it.
The reality is he quickly fixed that mistake and throughout Secret & Lies touted that "Security is a process, and not a product".
What is funny today, now going into 2004, is that many people still don't get this. Worse yet is that people still think encryption will solve everything, and they put a misguided trust into encryption tools without really understanding how they work, or what they do.
Tie that with misguided fear many have towards Microsoft, this becomes a deadly combination. I saw that today while in discussion with another information security professional who has a really misguided level of trust in his understanding of his tools and not enough experience with the tools available to him. I was so frustrated with this arrogant attitude towards his solution that I just had to call him on it. Soon after, he realized his mistake... and we left the conversation both having to document the experience. Although his documentation now has to deal with the audit he just finished... since he wrongly assumed some particular data was securely protected... when it may not be. I on the other hand... decided to blog about it. :)
Lets reflect back on how this all started with a little bit of history to set the stage. I was called into a situation where a particular client has a need to surrender a few mobile desktops to another division of the company for a period of time, and that the division cannot have access to the information that has been stored on the machines, and that these machines cannot currently be reinstalled. (There is actually a reason for this, but I can't disclose why.) The solution was that the users routinely PGP encrypted the data on disk, and all they would have to do is move the data off and delete it from the machine.
First off, simply deleting the information in question is not enough. There are plenty of tools that can scrape a harddisk and recover files. And he knew this as this was already disclosed in his report. Those findings didn't both me. He felt the risk was low because it was encrypted data, and that would make it virtually impossible to recover, even if they could get the ciphertext.
I then asked him why he didn't use XP's Windows encrypted file system. His response was that he didn't trust Microsoft, and felt the users followed the security policy and correctly PGP encrypted their information. (Lets assume for argument sake this was the case, and the weakest link was NOT the human factor) This is when I had to say something.
Now I must say I like PGP and I mean no disrespect to it or its use. But even though it provides strong encryption, it is useless if you can recover the plaintext from the information on disk. And this was the problem exposed in this particular situation. There was still a risk of information disclosure.
Why? Because the file system was NOT encrypted, the files were at one point plaintext on the disk. Somewhere on some platter in the harddrive the documents may still be stored in clear text. And it might be recoverable. Simply PGP encrypting it is not enough. Especially when there could easily be backup cache files from office related documents that were not wiped correctly.
Using EFS would have been a better solution. (Although it was to late at this point) The plaintext would never have ever touched the harddrive, which would mean it was truly unrecoverable (Well, except for the most determined attacker... but thats another story). And if he had MISTRUST in Microsoft he could have found another encrypted file system to use from a third party vendor.
Moral of the story? I dunno.. you make one up. Trust, but verify? Know what your tools do? Use a proper disk wiping tool? I'll let you build your own conclusions.
The Electronic Evidence Information Center
I have most of these tools in some form or another, or atleast links to them in my bookmarks, but its nice to see them all in one place. For those of you attending my "Forensic Analysis of a Compromised Harddisk" lecture I am doing on Monday will find many of the tools I will be using through the Security Tools Distribution on this list.
On an aside, if you haven't had a chance to read the detailed report the Debian guys did on their forensic analysis of the brk() compromise, you can read it here.
Windows Unix Services for Free
A few nights ago Alan and I were in a heated discussion about the difference between the OS, and the "distribution", especially as it relates to vulnerabilities and tools. I am of the mind that one of the drawbacks to many of the Linux distributions is the fact that too much software that is not of commercial quality is shipped with it. You get really good tools mixed in with ones that have no right to be in a commercial distro.
Examples? KDE ships with some sweet tools like Konqueror, KDevelop etc, which all work great. But they also ship with KOffice, which is pathetically incomplete... crashes constantly and is just not ready yet. (IMNSHO) Of course, that is balanced with OpenOffice... but my point is that KOffice shouldn't be there until its ready. If you want granny to adopt Linux on the desktop, she can't have products working and acting like its Win95. We are going into 2004 for christs sake. And I am not the only one that points this out.
Anyways, one of the discussion points we got onto was the fact that "diff" comes with Linux for free. Well, actually its BUNDLED and is not part of the OS. And I won't get into the fact you can get the same free tool through cygwin. But thats not the point. Alan contends that he doesn't have to pay for his unix tools. Good point....
... until today. You can now get Microsoft's Unix Tools for free. The only drawback right now is that you need to have a US address to ship to. Not sure what to make of that.
Anyways, for my buddy Alan... you can have diff for free on Windows now. :P
December 05, 2003
Network forensic analysis with TCPReplay?
Wim pointed out a neat tool to me tonight called TCP Replay. It can take a tcpdump data file and replay it at a later date. It can even replay it faster or slower, and can dynamically change the IP and/or dest MAC so you can watch the interaction.
This has some neat implications for network forensic analysis of attacks. It would be possible as an example to deconstruct a blended threat not yet analyzed and point it to a honeypot to record the interaction.
Some neat potentials here. The FAQ is quite detailed and will do more to explain the tool that I could.
Give it a try!
December 04, 2003
Is Windows Mobile 2003 More Secure?
Just noticed that Chris published a small but good article about the security in Windows Mobile 2003. With everyone around me talking about new smartphones, and new PocketPCs this seems just about the time to consider the security aspects of it.
Chris also released some "Inside Research on Windows Mobile 2003 Network Security", which includes a fairly detailed list of security bugs that he has reported to Microsoft, many with work arounds/fixes.
.NET Rocks! - Pat Hynds on Security
In the latest edition of .Net Rocks, Carl talks with Pat about security, from the general concepts to the practical tips and in between. Pat draws on his millitary background to render a keen understanding of how to secure today's complex systems. You will pick up some great tips, and hopefully start thinking of security issues in your everyday development efforts after listening to this show.
I need to start looking at getting a portable player so I can listen to these when I am driving, instead of always having to burn them.
Access rights bits in a security descriptor
Understanding the little bits of the ACE in a security descriptor can be daunting. Raymond clears this up today with a great post.
I also learned that the ConvertSecurityDescriptorToStringSecurityDescriptor() function can be very helpful, but will typically guess the what the object is incorrectly. That explains some weird results I have gotten in the past. Raymond's chart was really helpful.. and something I will refer to from time to time.
Learn something new every day. Thanks Raymond!
Troy pointed out a great tool called TCPTrack that will sniff and then display information about TCP connections it sees on a network interface. It passively watches for connections on the network interface, keeping track of their state and then displays a list of connections in a manner similar to the unix 'top' command. It displays source and destination addresses and ports, connection state, idle time, and bandwidth usage.
I was just playing with it and it works great. This is a great Linux tool to add to your arsenal.
December 03, 2003
Ballmar/Gates Matrix Spoof
It is only the first half... and I am DYING to see the second half now. If anyone has it.. PLEASE LET ME KNOW!
Funny Bumper sticker
While I was at Microsoft I saw the FUNNIEST bumper sticker on someones office door, which I thought I would recite to you since the Linux Kernel, Debian and Gentoo compromised systems seem to be in the news lately:
My other machine is your Linux System
Ya I chuckled too.
Well, for those of you that visit my site, and don't use the RSS feed, you may have noticed we were not here since 10pm last night. Apparently the SCSI drive that holds /home "went bye-bye" last night... and it just came back up. Ends up being a bad cable. *sigh*
December 02, 2003
Readers Wouldn't Buy Security Products From Microsoft
SecurityPipeline has an article discussing InternetWeek's poll where their "Readers Wouldn't Buy Security Products From Microsoft". This isn't all that shocking, put you got to read the comments. Some are really good... while others are very anti-Microsoft koolaid.
In case you haven't heard, InternetWeek did a poll of their readers to see how receptive they are to Microsoft's new "Securing the Perimeter" tactics that Ballmar has been talking about. But only a meager 18 percent, or 164 of the 889 respondents to InternetWeek.com's unscientific poll, said yes when asked if they would buy security products from Microsoft. The remaining 82 percent, or 725 respondents, said no.
Secure Wireless in 6 Easy Steps
Found an article today on how in six steps to secure your wireless connection. Pretty basic stuff here, but hey... never hurts to read. As a recap:
CSI/FBI Computer Crime Survey Webcast
The Computer Security Institute will be hosting a one-hour webcast on December 4th. Robert Richardson, Editorial Director of the Computer Security Institute (CSI), will first detail the results from the 2003 CSI/FBI Computer Crime and Security Survey and go on to discuss trends suggested by several years of survey data, compare survey findings to other statistical information on security, point out relevant connections and draw conclusions on the overall state of information security.
Should be an interesting webcast, along side the Microsoft ones going on all week. (In case you forgot, I blogged about that a while back).
Go register now!
December 01, 2003
New Secure Coding Mailing List
My good ol buddy Ken van Wyk (you might remember he autographed and delivered to me the first copy of Secure Coding: Principles and Practices earlier this year) sent out an email about the fact that they are starting a new secure coding mailing list. SecurityFocus' secprog has been dead lately ... I guess we are all to busy coding to be talking.
Anyways, what follows is his original email in case you missed it.
-----BEGIN PGP SIGNED MESSAGE-----
I would like to announce the availability of a new and free resource to the
To subscribe to the list, simply connect to http://www.securecoding.org/list
Ken van Wyk
RHEL3 seeks Common Criteria Standard
Computerworld reports that RedHat Enterprise Linux 3 is currently seeking EAL2 of the Common Criteria Standard (CCS). If approved, Red Hat Enterprise Linux 3 would sit alongside versions of Sun Solaris, HP-UX and IBM’s AIX operating system.
And they are getting support from Oracle on this. Once RHEL is certified, the Oracle9i database will comply with the US government's equivalent security policy directive, which requires independent security evaluations for products used in national security systems.
Good luck Redhat. And bravo on making the effort to gain certification. EAL2 is pretty low on the totem pole, but its a great first step!