Simple passwords are the solution

ZDNet has a nice piece on why cheap GPUs are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, ever since /etc/shadow became necessary), but they’re missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible. We know how to do that; we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if the attacker only gets very few tries).

It’s not just cheap GPUs. Complex passwords are also the problem. Simple passwords are the solution.

The MSRC – now and then

It’s amazing to compare how the Microsoft Security Response Center handles vulnerability disclosures versus how things were just 10 or 12 short years ago.

Here’s a typical disclosure process 10 years ago (based on a very true story):

Us: (sending an email to secure@microsoft.com) we’ve discovered a vulnerability in an office product. Here are the technical details. Can you confirm the issue and let us know when it’s patched?
Microsoft: Thanks for reporting, bla bla, we’ll get back to you soon

[about a week passes]

Us: Hi MSRC, any news about our office vulnerability?
[no reply]
[Sending a personal email to an MSRC friend to speed things up]
Microsoft: Oh, thanks for reminding us. We’ll check with the office team

[another few days pass]

Us: Hello? Anybody there?
Microsoft: Oh, yes. That vulnerability thing. Here’s what we decided: (a) It’s not a vulnerability. (b) it’s not a problem with the office product but with the world (or the RFC) (c) The office team can’t recreate it (d) even if the vulnerability was real, it wouldn’t be exploited in real world scenarios
Us: are you kidding us? Did you actually look at the sample code we gave you?
[a few days pass. We are pondering whether to go full disclosure or give them time to digest]

Microsoft: Ok, this time we actually read your advisory and yes, it seems to work. But it’s just a denial of service. Nobody will ever exploit it because of … [something that heap spraying/DEP bypass/code mutation made look ridiculous about a year later]
Us: [starting to get mad] Look guys, we sent you PoC code. You actually want us to write exploit code for you?
Microsoft: yes, that would help convince our developers

[Us, spending time writing code so that Microsoft is convinced to fix their own products based on free information while wasting our precious time]

Us: here it is
Microsoft: oh, wow, it really does run code. Ok, we’ll fix it in the next release cycle which should be right after the democratic primaries of 2012.

Us: Ok, forget it. We’re going full disclosure

Microsoft: no, wait wait wait. We found your name on the world wide web and now realize you’re legit. Ok, we’ll fix it. Happy now? We might even mention your name in our advisory if/when that happens.

If this sounds familiar, it means you were disclosing vulnerabilities to vendors in the early 2000s or late 1990s. If you think I’m exaggerating, it’s only because you didn’t.

But here’s the amazing thing. Just a few years later, some radical changes started to happen. The big dysfunctional dinosaur that was MSRC became efficient and friendly; if I didn’t know better, I would think it’s a different company altogether. Here’s a real recent discussion:

Us: Hello MSRC, here’s information about an office vulnerability
Microsoft: Hi, thanks for reporting. I checked the information, went over the sample code and have some technical questions [some intelligent questions here, basically they are doubting the findings but being really careful to check all the angles first]

[technical discussion continues for a couple of days with questions and answers going back and forth]

Microsoft: Ok, we get the picture now. Thanks for reporting. Here’s the guy that is going to be responsible for your case.
[a few days pass]
Microsoft: Ok, we now know it’s a [...] vulnerability and not a [...] one. We’ll pass it to the relevant team, just wanted to keep you posted
[further proactive updates and niceties continue until disclosure time. Credits, the end.]

What could possibly have caused this radical change that made MSRC focus on the technical side instead of the PR, not to mention being so research-friendly? New team? New procedures? Full disclosure forced them to see the truth? Too many beers at DEF CON finally showed them the light? Whatever they are taking, I wish they could spread some around. Most of the other vendors could use it. Yes, I’m looking at you, Google.

mysql.com hacked… via blind sql injection

More information here.

Codegate 2011

Korean is a tricky language. It is probably the easiest language on the planet to read and write, especially for geeks.

It takes literally hours to learn: if you have any background in breaking codes as a hobby, you will be able to learn to read and write Korean fully, within the day. Now you can read signs, read most of the newspaper and decipher the airplane safety card on Korean Airlines.

But reading is not understanding, and this is where the trap springs. While its writing system is possibly the easiest of all languages, the vocabulary/grammar part is one of the hardest that exist. Forget hash functions: identical Korean sentences can look totally different just because you’re speaking to your father instead of your son. Ask a few native Koreans how to say “the apple is red”. I have 3 different answers so far (with no resemblance whatsoever to one another). The real code here is the semantics. It’s like going from a simple XOR cipher to a book cipher. What a clever trick.

But by the time I hit the brick wall with the honorifics, Subject-Object-Verb and impossible pronunciation I was already too deep in to stop. Plus, I never let security by obscurity stop me. Though in this case, I have to mention they’ve perfected their obscurity to impressive levels.

So I was very excited when I was asked to speak at Codegate 2011 in Seoul. It looks like a really fun conference. If you are in Seoul or the area, I recommend it.
I will be speaking on April 5th, and don’t expect too much: the Korean part of my lecture won’t go beyond Annyeong haseyo and je ireum eun Abiram imnida. And even that will be with incomprehensible pronunciation so bad they might have to subtitle that part.

In any case, if you are in the conference, come say hello and test my Korean. Just don’t be offended if I get my honorifics completely wrong.

Update: The correct date is April 5th and not as I originally wrote.

Shut off switches and unicorns

Commentators are now agreeing with what I wrote two weeks ago. It’s now clear there is simply no way to effectively shut down the Internet.

Typically, this is where the Skynet references come in, except that this version of Skynet is not a computer brain; it’s the sum of you and me and the other human users. The People’s Republic of the Internet, if you will.

Internet shut off switch?

Reports are saying cell phones and Internet connections are off in Egypt at the moment. Can a country really shut off its Internet connection?

China, which has placed restrictions on its Internet infrastructure from day 1 (meaning, the whole infrastructure for connecting to the Internet was built with government control in mind) and which develops a lot of its own networking equipment, is unable to really block users. When I’m in China, Twitter and Facebook are blocked in the hotel and in the office, but not on the BlackBerry. Most anonymizers work, and some Twitter-over-instant-messenger bots work as well. Most of the time I can find the new list of working anonymizers on Google while I’m there, so there’s no special preparation involved. On my last visit I was introduced to a free VPN service that enables unrestricted access to Facebook, Twitter and other blocked sites, and that seems to be quite popular in the country.

Egypt is not as big and certainly not as advanced as China, but it is fairly big. As anyone who has worked for a large company knows, it’s difficult if not impossible to track all incoming and outgoing connections. We know the DNS servers are refusing to resolve .eg domains, but what if we go into the inner workings? Are some of the IPs inside Egypt reachable?

One glaring example is the Egyptian stock exchange. Its IP rotates, but at least some connections point to 217.139.183.2, which belongs to the ISP “the Noor group” in Cairo. Other times it points to 41.222.175.2, which belongs to “Misr Information Services and Trading” in downtown Cairo. Both are clearly reachable and pingable; is every router on the way configured to route communication only to those IPs? Are there other routers, IPs or servers that are still open for communication? I would imagine that some emergency lines run on IP-based infrastructure that must be kept on; some devices, military ones perhaps, might rely on IP infrastructure. Dial-ups might still exist. Speaking of which: can one dial from Egypt into a modem in Germany?
Also, one has to wonder about internal communication. Blocking the country’s gateways is one thing, but blocking all internal communication is extremely hard to do. If internal communication is available, is there a way to piggyback on those few holes in the dam to get external communication? Taking the egyptse.com example: if the perimeter routers only allow communication to/from the Noor network, can I route my connection through them?

We all know the Internet was designed to be resilient; and forty years after its initial deployment, it’s proving to be very hard to kill, even by those who believe they have their hand on the cut-off switch.

What was your favorite book of 2010?

Wanting something good to read, I found myself reading “Neuromancer” again, probably for the hundredth time now.

Looking around for recommendations for new books in the usual places like the “NYT Best Sellers list” turned up fairly dull results. So given that the crowd that reads this blog probably shares the same preferences as me, what book did you enjoy this past year? Any genre.

Is SetFsb a Trojan?

This was sent to me by a friend who wanted to stay anonymous:

There’s a utility called SetFSB which tweaks the clock speed for overclocking stuff.
It was written in Japan, and has been used for many years already.
Recently it came to me that I could speed up my old machine by 25%, so I dl’ed it as well;
however, when running it, I discovered that upon termination the .exe creates 2 files,
1 batch file and 1 executable.
The batch file is spawned and starts a loop trying to delete the original executable, continuing indefinitely until it’s deleted. After that it renames the new .exe to the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTools’ ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it was a false alarm and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is the message train, which I find very funny:

ME>>>

Dear Mr.

Why after exiting SetFsb, it will create a .bat and new .exe
the .bat will loop to try delete the old .exe, and rename the new .exe to old .exe ?

Thanks!

HIM>>>

Hi,

Yes,

abo

ME>>>

Hello.

Yes… good…

but WHY???
is it a VIRUS?

thanks!

HIM>>> (here comes the good part :) )

I do not have a lot of free time too much.
Why do you think that i support you free of charge?

ME>>>

to make viruses?

HIM>>> (this is the original font color and size he used!!!)

I do not have a lot of free time too much!

ME>>> (trying to hack his japanese moralOS v0.99)

Please, dear Abo,

You must understand. People start to be VERY worried about your software,
because it behave like a virus.
If you will not give a good explanation to WHY it behave like this,
then people will stop using it, and stop trusting you forever.
Then your name will become bad, and you will have a lot of shame.
I only try to help you.

I hope you understand!

HIM>>>

It is unnecessary. Please do not use SetFSB if you are worried.

Personally, I’m not sure who’s weirder: my friend, overclocking his computer in 2011, or the Japanese programmer not willing to explain whether his downloadable program is a Trojan or not.

FBI Planted backdoors in OpenBSD IPSEC?

Not sure what to make of this yet:

“FBI Added Secret Backdoors to OpenBSD IPSEC”

Theo de Raadt seems ambivalent about this:

It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.

[...]

I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this.

Bring on the cyberwar

There is something special about Berlin. Just a feeling that can’t be fully explained, and that the cold and snowy weather enhances well. But I also can’t help thinking about the Len Deighton cold-war espionage books, Checkpoint Charlie, East and West clashing in this city that was like the explosive tip of a gunpowder barrel.

When I grew up, Sting sang “I hope the Russians love their children too”, and what he meant was love them enough not to annihilate the entire planet. War was serious, and war between world powers was scary. Remember War Games? You’d think people would be afraid of Kevin Mitnick’s hacking skills, but what they were more afraid of was him starting World War III, which would potentially wipe out hundreds of millions of people.

So I must admit I’m slightly amused by the threats of ‘cyberwar’. Let’s assume for a minute that John Lennon was wrong and there will never be ‘peace on earth’. Let’s assume that whether it’s because of testosterone, ego, or some other reason taught in Psychology 101, nations will continue to fight each other. If that’s the case, what better way to do it than on the Internet? Have them hack each other ad nauseam: bring down computers or networks, plant Trojan horses and steal sensitive data. Assuming the current superpowers are China and the US, isn’t cyberwar the perfect way to vent mutual aggression without human casualties?

Of course, there’s a worst-case scenario where this stops being funny: if cyberwar can be used to shut down critical infrastructure, people will get killed. But that doesn’t seem to be the direction this “war” is going. Nations fighting on the Internet? I say bring it on.

On a related note, check out Richard Stiennon’s new book about cyberwar. And if you are in DC, go hear him speak on Thursday about Google Aurora, Stuxnet, and the WikiLeaks DoS attacks. Really fascinating stuff.

Email is unreliable. So should we face it or fix it?

Despite what Dilbert comic strips may teach you, our job as security professionals is to enable information services, not prevent them.

The bad guys do evil: we try to prevent it (or clean up after it) so that users can continue to use systems as if there were no evil in the world. If IT security had a Hippocratic oath, it would probably be along those lines.

Here’s a recent example. This morning I got a call from my credit card company asking me if I’d done some transactions that seem suspicious. I hadn’t, and so they will cancel the transactions (and unfortunately, cancel my credit card and send me a new one). I’m not going to stop using my credit card, and will probably completely forget about this incident. I didn’t lose any money, and the inconvenience was minimal: this is all thanks to the people that chase up the credit card fraud and enable customers around the world to use their cards despite countless attacks on credit card users, some (as my example shows) successful.

Things are not so simple in the email war front. When SMTP was introduced, it described a simple, reliable, scalable system for communication. Almost 30 years after that, we stripped email of some of its most important features. By we, I mean the IT security world. In fact, we’re slowly doing to SMTP what TSA is doing to air travel.

First, the major feature of SMTP: sending and receiving emails. This is probably our biggest failure today: There is no guarantee you will be able to send or receive emails. In fact, if you communicate with the external world, it is almost guaranteed that you will not receive a certain percentage of your emails, and that some emails you send will not arrive. Sure, there are legitimate reasons: we need to protect from spam, viruses and phishing. But the bottom line is that SMTP was designed to reliably deliver an email from point A to point B. Today, we send an email and then call to verify it was received (or send a second email which mysteriously arrives after the first one was blocked).

Next, we kill useful SMTP features. Remember the days when you got an email ‘bounce’ when mistyping the email recipient’s address? Forget about it; those days are long gone. I’m not sure what Spamcop’s exact mission statement is, but it might as well be “make email unuseful”. They have outlawed email bounces (which, by the way, are required by the SMTP RFC) and continued to take out all auto-responders.

Remember read receipts? Gone. The postal service had this feature in 1841, but we can’t have it in 2010. Do you want to know if a certain email address exists? You can’t. Want to send email directly from your computer without using a mail relay? A non-starter. Ever heard of email fragmentation? This is an awesome feature of SMTP, but don’t waste time learning it; it won’t work on the Internet today (and this time we share some of the blame).

Look at HTTP. You click on a link, and you get to the page. If you get an error, you know it’s the web site’s fault. An attack on NCSA’s httpd server is one of the first documented buffer overflow attacks, and yet attacks on modern HTTP servers are practically non-existent. SQL injection and XSS are everywhere and yet users surf dynamic pages all the time without being blocked. We’re doing a good job fixing up HTTP without being a “Mordac”. Too bad we couldn’t do it with SMTP.

Is there hope for SMTP? I think there is. Last decade the doctors were ready to pull the plug on email: spam and viruses were so frequent in users’ inboxes that email was on the verge of being unusable. You had to spend a noticeable percentage of your day clicking the ‘del’ button. Those days are over: you rarely see spam in your inbox today, and if you’re like me, you get more irritating chain letters from family members you can’t block (hi mom) than shady ads for pills.

This war can be won. We just need to remember the Hippocratic oath for the IT security world and enable reliable communication again.

Close the Washington Monument

Bruce Schneier suggests closing the Washington Monument:

An empty Washington Monument would serve as a constant reminder to those on Capitol Hill that they are afraid of the terrorists and what they could do. They’re afraid that by speaking honestly about the impossibility of attaining absolute security or the inevitability of terrorism — or that some American ideals are worth maintaining even in the face of adversity — they will be branded as “soft on terror.”

Damn right.

Who’s behind Stuxnet?

Stuxnet is a worm that focuses on attacking SCADA devices. This is interesting on several levels.

First, we get to see all of those so-called isolated networks get infected, and wonder how that happened (here’s a clue: in 2010, isolated means in a concrete box buried underground with no person having access to it).

Then, we get to see how weak SCADA devices really are. No surprise to anyone who has ever fuzzed one.

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

Sonicwall Vulnerability Fixed

A month ago I complained about Sonicwall and Google brushing us off when we reported vulnerabilities to them. The good news: Sonicwall has since contacted us, acknowledged the problem and is now rolling out a fix.

Was I too harsh on Sonicwall? It was hard to get their initial attention, but once we did, they cooperated in an exemplary way. I’m not fooling myself into thinking that every researcher who notifies them of a problem will get the same level of attention, but obviously they do give a damn, and maybe security@sonicwall will be open for notifications from now on.

CAPTCHA bypassing for profit

Did you wonder what this is used for? The following FAQ may give a hint:

Hi! I want to bypass captcha from my bots. Bots have different IPs. Is it possible to use your service from many IPs?

We have no restrictions about IP: with DeCaptcher you can bypass CAPTCHA from as many IPs as you need.

In other words: just used a virus to break into thousands of botnet computers and now you are not sure what to do? These guys will help you take the next step and set up MySpace/Facebook/Gmail/Twitter accounts while bypassing the CAPTCHA, and you can then use those to spam the world. Thank you, DeCaptcher, for giving the Internet such a valuable service.

Why a 27 character password is less secure than an 8 character one

The Russians obviously did not read my earlier posts on why longer passwords are often less secure than shorter ones.
So they forced their agents to use a 27-character password which was easily retrieved by the FBI… since it was written on a piece of paper.

The time it takes to break a 27-character password: a few hours (going through the post-it notes and paper scraps)
The time it takes to break an 8-character password: 242 Days (assuming uppercase/lowercase letters only, brute forcing 10,000 passwords per second).

(via Bruce Schneier. Password recovery calculation time here)
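As an added illustration of both the “very few tries” argument in the earlier “Simple passwords” post and the 242-day calculation above (example code written for this page, not taken from either post or from the linked calculator), here is a small Python model of worst-case brute-force time. The GPU rate of one billion guesses per second and the 5-tries-per-15-minutes lockout are assumed values; the alphabet sizes and the 8-character, 10,000-guesses-per-second case are the page’s own figures.

```python
"""Added example, not part of the original posts: worst-case brute-force time as a
function of alphabet size, password length and guess rate, plus the same model
for online guessing behind a lockout policy. The attacker is assumed to try
every combination in the worst case (no dictionary, no reuse)."""

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Days to exhaust the keyspace at a fixed guess rate (offline cracking model)."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


def throttled_days(alphabet_size: int, length: int,
                   tries_per_window: int, window_seconds: float) -> float:
    """Online guessing against a lockout policy allowing at most `tries_per_window`
    attempts every `window_seconds` (e.g. 5 tries, then a 15-minute lockout).
    The effective guess rate, not the password, is what makes "very few tries" work."""
    effective_rate = tries_per_window / window_seconds
    return worst_case_days(alphabet_size, length, effective_rate)


def min_length_for_days(alphabet_size: int, guesses_per_second: float,
                        target_days: float) -> int:
    """Smallest length whose exhaustive search takes at least `target_days`.
    Uses an integer loop instead of a logarithm to avoid floating-point rounding."""
    needed_guesses = target_days * SECONDS_PER_DAY * guesses_per_second
    length = 1
    while keyspace(alphabet_size, length) < needed_guesses:
        length += 1
    return length


if __name__ == "__main__":
    # The page's 242-day figure is reproduced by a 26-letter alphabet at 10,000/s;
    # a 52-letter (mixed-case) alphabet at the same rate takes far longer.
    print(f"26 letters, 8 chars, 10k/s:  {worst_case_days(26, 8, 10_000):.0f} days")
    print(f"52 letters, 8 chars, 10k/s:  {worst_case_days(52, 8, 10_000):.0f} days")
    # Assumed GPU rate: one billion guesses per second (not a figure from the page).
    print(f"52 letters, 8 chars, 1e9/s:  {worst_case_days(52, 8, 1e9):.2f} days")
    # A trivial 4-digit PIN, but only 5 tries per 15 minutes: still weeks of guessing.
    print(f"4-digit PIN, 5 tries/15 min: {throttled_days(10, 4, 5, 900):.1f} days")
    print(f"Lowercase length for 1 year at 1e9/s: {min_length_for_days(26, 1e9, 365)}")
```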
