Flaming certs

Today is Tuesday for me, but it’s not “second Tuesday,” so it shouldn’t be patch Tuesday.  But today my little netbook, which is set just to inform me when updates are available, informed me that it had updated, but I needed to reboot to complete the task, and, if I didn’t do anything in the next little while it was going to reboot anyway.

Yesterday, of course, wasn’t patch Tuesday, but all my machines set to “go ahead and update” all wanted to update on shutdown last night.

This is, of course, because of Flame (aka Flamer, aka sKyWIper) has an “infection” module that messes with Windows/Microsoft Update.  As I understand it, there is some weakness in the update process itself, but the major problem is that Flame “contains” and uses a fake Microsoft digital certificate.

You can get some, but not very much, information about this from Microsoft’s Security Response Center blog.  (Early mentionLater.)

You can get more detailed information from F-Secure.

It’s easy to see that Microsoft is extremely concerned about this situation.  Not necessarily because of Flame: Flame uses pretty old technology, only targets a select subset of systems, and doesn’t even run on Win7 64-bit.  But the fake cert could be a major issue.  Once that cert is out in the open it can be used not only for Windows Update, but for “validating” all kinds of malware.  And, even though Flame only targets certain systems, and seems to be limited in geographic extent, I have pretty much no confidence at all that the blackhat community hasn’t already got copies of it.  (The cert doesn’t necessarily have to be contained in the Flame codebase, but the structure of the attack seems to imply that it is.)  So, the only safe bet is that the cert is “in the wild,” and can be used at any time.

(Just before I go on with this, I might say that the authors of Flame, whoever they may be, did no particularly bad thing in packaging up a bunch of old trojans into one massive kit.  But putting that fake cert out there was simply asking for trouble, and it’s kind of amazing that it hasn’t been used in an attack beofre now.)

The first thing Microsoft is doing is patching MS software so that it doesn’t trust that particular cert.  They aren’t giving away a lot of detail, but I imagine that much midnight oil is being burned in Redmond redoing the validation process so that a fake cert is harder to use.  Stay tuned to your Windows Update channel for further developments.

However, in all of this, one has to wonder where the fake cert came from.  It is, of course, always possible to simply brute force a digital signature, particularly if you have a ton of validated MS software, and a supercomputer (or a huge botnet), and mount a birthday (collision) attack.  (And everyone is assuming that the authors of Flame have access to the resources of a nation-state.  Or two …)  Now the easier way is simply to walk into the cert authority and ask for a couple of Microsoft certs.  (Which someone did one time.  And got away with it.)

But then, I was thinking.  In the not too distant past, we had a whole bunch of APT attacks (APT being an acronym standing for “we were lazy about our security, but it really isn’t our fault because these attackers didn’t play fair!”) on cert authorities.  And the attacks got away with a bunch of valid certs.

OK, we think Flame is possibly as much a five years in the wild, and almost certainly two years.  But it is also likely that there were updates during the period in the wild, so it’s hard to say, right off the top, which parts of it were out there for how long.

And I just kind of wonder …

Share

Words to leak by …

The Department of Homeland Security has been forced to release a list of keywords and phrases it uses to monitor social networking sites and online media.  (Like this one?)

This wasn’t “smart.”  Obviously some “pork” barrel project dreamed up by the DHS “authorities” “team” (“Hail” to them!) who are now “sick”ly sorry they looked into “cloud” computing “response.”  They are going to learn more than they ever wanted to know about “exercise” fanatics going through the “drill.”

Hopefully this message won’t “spillover” and “crash” their “collapse”d parsing app, possibly “strain”ing a data “leak.”  You can probably “plot” the failures at the NSA as the terms “flood” in.  They should have asked us for “help,” or at least “aid.”

Excuse, me, according to the time on my “watch,” I have to leave off working on this message, “wave” bye-bye, and get some “gas” in the car, and then get a “Subway” for the “nuclear” family’s dinner.  Afterwards, we’re playing “Twister”!

(“Dedicated denial of service”?  Really?)

Share

Flash! TSA bans bread!

Following the explosions in two BC sawmills, which experts are speculating may have been caused by fine sawdust caused by excessively dry wood, the TSA has banned any particulate materials, such as sawdust, flour, and icing sugar, to be banned from all flights.

Also included in the ban are any objects made from particulate materials, such as particleboard, bread, and icing sugar dusted donuts.  (The union representing TSA workers had argued, unsuccessfully, against this last item.)  The TSA’s Director Of Really Dangerous Stuff also noted that materials with larger particle sizes, such as table salt and sand, were also being included in the ban.

At press time, we were still awaiting word on whether computer equipment was to be included in the ban, since silicon chips are commonly said to be made of sand.

(Yeah, yeah, I know, don’t give the TSA ideas …)

Share

REVIEW: “Dark Market: CyberThieves, CyberCops, and You”, Misha Glenny

BKDRKMKT.RVW 20120201

“Dark Market: CyberThieves, CyberCops, and You”, Misha Glenny, 2011,
978-0-88784-239-9, C$29.95
%A   Misha Glenny
%C   Suite 801, 110 Spadina Ave, Toronto, ON Canada  M5V 2K4
%D   2011
%G   978-0-88784-239-9 0-88784-239-9
%I   House of Anansi Press Ltd.
%O   C$29.95 416-363-4343 fax 416-363-1017 www.anansi.ca
%O  http://www.amazon.com/exec/obidos/ASIN/0887842399/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0887842399/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0887842399/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   296 p.
%T   “Dark Market: CyberThieves, CyberCops, and You”

There is no particular purpose stated for this book, other than the vague promise of the subtitle that this has something to do with bad guys and good guys in cyberspace.  In the prologue, Glenny admits that his “attempts to assess when an interviewee was lying, embellishing or fantasising and when an interviewee was earnestly telling the truth were only partially successful.”  Bear in mind that all good little blackhats know that, if you really want to get in, the easiest thing to attack is the person.  Social engineering (which is simply a fancy way of saying “lying”) is always the most effective tactic.

It’s hard to have confidence in the author’s assessment of security on the Internet when he knows so little of the technology.  A VPN (Virtual Private Network) is said to be a system whereby a group of computers share a single address.  That’s not a VPN (which is a system of network management, and possibly encryption): it’s a description of NAT (Network Address Translation).  True, a VPN can, and fairly often does, use NAT in its operations, but the carelessness is concerning.

This may seem to be pedantic, but it leads to other errors.  For example, Glenny asserts that running a VPN is very difficult, but that encryption is easy, since encryption software is available on the Internet.  While it is true that the software is available, that availability is only part of the battle.  As I keep pointing out to my students, for effective protection with encryption you need to agree on what key to use, and doing that negotiation is a non-trivial task.  Yes, there is asymmetric encryption, but that requires a public key infrastructure (PKI) which is an enormously difficult proposition to get right.  Of the two, I’d rather run a VPN any day.

It is, therefore, not particularly surprising that the author finds that the best way to describe the capabilities of one group of carders was to compare them to the fictional “hacking” crew from “The Girl with the Dragon Tattoo.”  The activities in the novel are not impossible, but the ability to perform them on demand is highly
unlikely.

This lack of background colours his ability to ascertain what is possible or not (in the technical areas), and what is likely (out of what he has been told).  Sticking strictly with media reports and indictment documents, Glenny does a good job, and those parts of the book are interesting and enjoyable.  The author does let his taste for mystery get the better of him: even the straight reportage parts of the book are often confusing in terms of who did what, and who actually is what.

Like Dan Verton (cf BKHCKDRY.RVW) and Suelette Dreyfus (cf. BKNDRGND.RVW) before him, Glenny is trying to give us the “inside story” of the blackhat community.  He should have read Taylor’s “Hackers” (cf BKHAKERS.RVW) first, to get a better idea of the territory.  He does a somewhat better job than Dreyfus and Verton did, since he is wise enough to seek out law enforcement accounts (possibly after reading Stiennon’s “Surviving Cyberwar,” cf. BKSRCYWR.RVW).

Overall, this work is a fairly reasonable updating of Levy’s “Hackers” (cf. BKHACKRS.RVW) of almost three decades ago.  The rise of the financial motivation and the specialization of modern fraudulent blackhat activity are well presented.  There is something of a holdover in still portraying these crooks as evil genii, but, in the main, it is a decent picture of reality, although it provides nothing new.

copyright, Robert M. Slade   2012    BKDRKMKT.RVW 20120201

Share

The speed of “social” …

I made a posting on the blog.

Then I moved on to checking news, which I do via Twitter.  And, suddenly, there in my stream was a “tweet” that, fairly obviously, referred to my posting.  By someone I didn’t know, and had never heard of.  From Indonesia.

This blog now has an RSS feed.  Apparently a few people are following that feed.  And, seemingly, every time something gets posted here, it gets copied onto their blogs.

And, in at least one case, that post gets automatically (and programmatically) posted on Twitter.

I would never have known any of this, except that the posting I had made was in reference to something I had found via those stalwarts at the Annals of Improbable Research.  I had made reference to that fact in the first line.  The application used to generate the Twitter posting copies roughly the first hundred characters of the blog post, so the Improbable Research account (pretty much automatically) retweeted the programmed tweet of the blog posting that copied my original blog posting.  I follow Improbable Research on Twitter, so I got the retweet.

This set me to a little exploration.  I found, checking trackbacks, that every one of my postings was being copied to seven different blogs.  Blogs run by people of whom I’d never heard.  (Most of whom don’t seem to have any particular interest in infosec, which is rather odd.)

Well, this blog is public, and my postings are public, so I really can’t complain when the material goes public, even if in a rather larger way than I originally thought.  But it does underline the fact that, once posted on the Internet, it is very unsafe to assume that any information is confidential.  You can’t delete data once it has passed to machines beyond your control.

And it passes very, very fast.

Share

REVIEW: “Steve Jobs”, Walter Isaacson

BKSTVJBS.RVW 20111224

“Steve Jobs”, Walter Isaacson, 2011, 978-1-4104-4522-3
%A   Walter Isaacson pat.zindulka@aspeninstitute.org
%C   27500 Drake Road, Farmington Hills, MI   48331-3535
%D   2011
%G   978-1-4104-4522-3 1451648537
%I   Simon and Schuster/The Gale Group
%O   248-699-4253 800-877-4253 fax: 800-414-5043 galeord@gale.com
%O  http://www.amazon.com/exec/obidos/ASIN/1451648537/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1451648537/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1451648537/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   853 p.
%T   “Steve Jobs”

I have read many fictional works that start off with a list of the cast of characters, but this is the first biography I’ve ever read that started in this way.

It is fairly obvious that Isaacson has done extensive research, talked to many people, and worked very hard in preparation for this book.  At the same time, it is clear that many areas have not been carefully analyzed.  Many Silicon Valley myths (such as the precise formulation of Moore’s Law, or John Draper’s status with regard to the Cap’n Crunch whistle) are retailed without ascertaining the true facts.  The information collected is extensive in many ways, but, in places (particularly in regard to Jobs’ earlier years) the writing is scattered and disjointed.  We have Jobs living with his girlfriend in a cabin in the hills, and then suddenly he is in college.

Material is duplicated and reiterated in many places.  Quotes are frequently repeated word-for-word in relation to different situations or circumstances, so the reader really cannot know the original reference.  There are also contradictions: we are told that Jobs could not stand a certain staffer, but 18 pages later we are informed that the same person often enthralled Jobs.  (Initially, this staffer is introduced as having been encountered in 1979, but it is later mentioned that he worked for Jobs and Apple as early as 1976.)  At one point we learn that an outside firm designed the Mac mouse: four pages further on we ascertain that it was created internally by Apple.  The author seems to have accepted any and all input, perspectives, and stories without analysis or assessment of where the truth might lie.

It is possible to do a biography along a timeline.  It is possible to do it on a thematic basis.  Isaacson follows a timeline, but generally only covers one subject during any “epoch.”  From the first time Jobs sees a personal computer until he is dismissed from Apple, this is less of a biography and more the story of the development of the company.  There is a short section covering the birth of Jobs’ daughter, we hear of the reality distortion field, and terse mentions of vegan diets, motorcycles, stark housing, and occasional girlfriends, but almost nothing of Jobs away from work.  (Even in covering Apple there are large gaps: the Lisa model is noted as an important development, but then is never really described.)

In fact, it is hard to see this book as a biography.  It reads more like a history of Apple, although with particular emphasis on Jobs.  There are sidetrips to his first girlfriend and daughter, NeXT, Pixar, miscellaneous girlfriends, his wife and kids, Pixar again, and then cancer, but by far the bulk of the book concentrates on Apple.

The “reality distortion field” is famous, and mentioned often.  Equally frequently we are told of a focused and unblinking stare, which Jobs learned from someone, and practiced as a means to intimidate and influence people.  Most people believe that the person who “doesn’t blink” is the dominant personality, and therefore the one in charge.  It is rather ironic that research actually refutes this.  Studies have shown that, when two people meet for the first time, it is actually the dominant personality that “blinks first” and looks away, almost as a signal that they are about to dominate the conversation or interaction.  Both “the field” and “the stare” seem to tell the same story: they are tricks of social engineering which can have a powerful influence, but which are based on an imperfect understanding of reality and people, don’t work with everyone, and can have very negative consequences.

(The chapters on Jobs’ fight with cancer are possibly the most telling.  For anyone who has the slightest background in medicine it will be apparent that Jobs didn’t know much in that field, and that he made very foolish and dangerous decisions, flying in the face of all advice and any understanding of nutrition and biology.)

Those seeking insight into the character that built a major corporation may be disappointed.  Like anybody else, Jobs is a study in contradictions: the seduction with charm and vision, then belittlement and screaming at people; the perfectionist who obsessed on details, but was supposedly a visionary at the intersection of the arts and technology who made major decisions based on intuitive gut feelings with little or no information or analysis; the amaterialistic ascetic who made a fortune selling consumer electronics and was willing to con people to make money; the Zen meditator who never seemed to achieve any calm or patience; the man who insisted that “honesty” compelled him to abuse friends and colleagues, but who was almost pathological in his secrecy about himself and the company; and the creative free-thinker who created the most closed and restricted systems extent.

There is no attempt to find the balance point for any of these dichotomies.  As a security architect I can readily agree with the need for high level design to drive all aspects of the construction of a system: a unified whole always works better and more reliably.  Unfortunately for that premise, there are endless examples of Jobs demanding, at very late points in the process, that radically new functions be included.  Then there is Jobs’ twin assertions that the item must be perfect, but that ship dates must be met.  One has to agree with Voltaire: the best is the enemy of the good, and anyone trying to be good, fast, *and* cheap may succeed a time or two, but is ultimately headed for failure.

Several times Isaacson repeats an assertion from Jobs that money is not important: it is merely recognition of achievements, or a resource that enables you to make great products.  The author does not seem to understand that an awful lot of money is also another resource, one that allows you to make mistakes.  He only vaguely admits that Jobs made some spectacular errors.

The book is not a hagiography.  Isaacson is at pains to point out that he notes Jobs’ weaknesses of character and action.  At the same time, Isaacson is obviously proud of being a personal friend, and, I suspect, does not realize that, while he may mention Jobs’ flaws, he also goes to great lengths to excuse them.

Was Steve Jobs a great man?  He was the driving force behind a company which had, for a time, the largest market capitalization of any publicly traded company.  He was also, by pretty much all accounts, an arrogant jerk.  He had a major influence on the design of personal electronics, although his contribution to personal computing was mostly derivative.  We are conventionally used to saying that people like Napoleon, Ford, and Edison are great, even thought they might have been better at social engineering than the softer people skills.  By this measure Jobs can be considered great, although not by the standards by which we might judge Ghandi, Mother Teresa, and the Dalai Lama (which is rather ironic, considering Jobs’ personal philosophy).

Those who hold Jobs, Apple, or both, in awe will probably be delighted to find a mass of stories and trivia all in one place.  Those who want to know the secrets of building a business empire may find some interesting philosophies, but will probably be disappointed: the book tends to take all positions at once.  For those who have paid much attention to Apple, and Jobs’ career, there isn’t much here that is novel.  As Jobs himself stated to a journalist, “So, you’ve uncovered the fact that I’m an *sshole.  Why is that news?”

Having all of the material in one book does help to clarify certain issues.  Personally, I have always fought with the Macs I used, struggling against the lock step conformity they enforced.  It was only in reviewing this work that it occurred to me that Apple relies upon a closed system that makes Microsoft appear open by comparison.  So, I guess, yes, there is at least one insight to be gained from this volume.

copyright, Robert M. Slade   2011     BKSTVJBS.RVW 20111224

Share

Webcast? No, thanks.

I had a call today inviting me to “attend” a Webcast.  The vendor makes security products.  I work in security.  I won’t be attending.

I never watch Webcasts.  In the early days I watched a couple.  I even presented on a couple of Webcasts, at the request of different parties.  I’ve subsequently made it a policy that I never do attend.

Webcasts are a waste of time.

Back before Webcasts we had podcasts.  I could partially see a reason for podcasts.  After all, as the name implies, you were supposed to download them and play them on your iPod or other MP3 player.  You could do this on your commute, or while out jogging, or any other time that you would spend plugged into your device.  So, on what would normally be mental downtime, you could be learning something.

For me, personally, there were a couple of problems with this.  The first was that I never bothered to get an MP3 player.  The second was that I always had books to read (and review) on my commute.

Yes, I know I could download the podcasts to my computer, and listen to them that way.  But a) when I’m at the computer, that’s not downtime, and b) I can read faster than you can talk.  So listening to a podcast is still a waste of time.  Sorry to my friends who do podcasts, and I know you are sincerely trying to help (and probably do), but even if you are podcasting on an interesting topic, somebody else has written about it.  And I can search and read faster than you can talk.

The same goes, in spades, for Webcasts.  In addition, whereas podcasts are generally done by people who have something to say, but no money or major resources to say it with, Webcasts are done by vendors.  And trade rags (who are, these days, desperately trying to find something to make themselves relevant again).  And erstwhile conference and event promoters, who see it as a cheaper way to get the (advertising) message out.

And that’s part of the trouble.  It is cheaper.  A Webcast, no matter how many frills you add (sometimes turning it into a “virtual trade show” or “virtual conference”) is going to be cheaper than renting a hotel facility, flying actual people in, laying on coffee (at hotel catering prices), and advertising your event to get people to come.  If a vendor or promoter has to do all that, they figure they might as well make sure someone is going to listen to the pitch.  So they are much more likely to make sure that a) the speaker knows how to speak, b) the speaker has something to say, and c) there is some actual useful content in addition to the straight sales pitch.

But a Webcast is cheap.  No rooms to rent, no people to move, no coffee to buy.  Even if you have to rent Webcast time, it’s a pittance compared to all of that.

And, hey! you can get people to attend more easily!  From the comfort of their own desk or computer!  Wherever they are (as long as they can get to a hotspot)!  All they have to do is register and log in!

(I’ll come back to that.)

So, if a Webcast is cheap and easy, why take any trouble with it?  Drag in anyone as a speaker.  There are probably any number of people who think they could make it big on the lecture circuit if only they got a little “exposure.”  Sorry, but I’ve run into too many people who thought I should be glad to write or speak for them just for the “exposure.”  They only people who are going to fall for that are those who don’t get asked because a) they have nothing to say, and b) they can’t say it anyway.  Even if you do find someone with something to say, why give them time (and possibly money) to research or prepare anything?  As a matter of fact, if you are a trade rag you’ve probably got lots of people who are willing to be expert on anything, with a moment’s notice.

Like I said, I attended a few.  It very quickly became apparent not only that I can read faster than Webcasters can speak, but that almost none of them had anything worth saying anyway.

(I’ll make an exception for TED.  Not even all of TED.  But definitely Cliff Stoll.)

So, I made it a policy never to attend Webcasts.  We are all busy.  My time is finite.  Webcasts are a waste of time.

I said I’d come back to this business of it being easy to get people to come.  Recently I’ve noticed that the Webcasts aren’t just being advertised.  Now there are bribes and come-ons.  You can win an iPod, or an IPad, if you register and attend.  You can get a USB drive if you attend.  You can get a Starbucks card or an Amazon giftcard.  (I am somewhat reminded of the studies where they offered people chocolate bars or Starbucks cards if the people would tell their passwords.)  And not only am I getting multiple invites to the event, but now telemarketers are calling to “invite” me to attend.  They are starting to sound desperate.

Do you think it just vaguely possible that other people are starting  to think Webcasts are a waste of time?  Maybe a large number of other people?

Share

Who is responsible?

Galina Pildush ended her LTE presentation with a very good question:”Who is responsible for LTE security?  Is it the users? UE (User Equipment, handsets and devices) manufacturers and vendors?  Network providers, operators and telcos?”

It’s a great question, and one that needs to be applied to every area of security.

In the SOHO (Small Office/Home Office) and personal sphere, it has long been assumed that it’s the user who is responsible.  Long assumed, but possibly changing.  Apple, particularly with the iOS/iPhone/iPad lines, has moved toward a model where the vendor (Apple) locks down the device, and only allows you certain options for software and services.  Not all of them are produced or provided by Apple, but Apple gets vetting responsibilities and rights.

The original “user” responsibility model has not worked particularly well.  Most people don’t know how to protect themselves in regard to information security.  Malware and botnets are rampant.  In the “each man for himself” situation, many users do not protect themselves, with significant consequences for the computing environment as a whole.  (For years I have been telling corporations that they should support free, public security awareness training.  Not as advertising or for goodwill, but as a matter of self defence.  Reducing the number of infected users out there will reduce the level of risk in computing and communication as a whole.)

The “vendor” model, in Apple’s case (and Microsoft seems to be trying to move in that direction) has generated a reputation, at least, for better security.  Certainly infection and botnet membership rates appear to be lower in Macs than in Windows machines, and lower still in the iOS world.  (This, of course, does nothing to protect the user from phishing and other forms of fraud.  In fact, it would be interesting to see if users in a “walled garden” world were slightly more susceptible to fraud, since they were protected from other threats and had less need to be paranoid.)  The model also has significant advantages as a business model, where you can lock in users (and providers, as well), so it is obviously going to be popular with the vendors.

Of course, there are drawbacks, for the vendors, in this model.  As has been amply demonstrated in current mobile network situations, providers are very late in rolling out security patches.  This is because of the perception that the entire responsibility rests with the provider, and they want to test every patch to death before releasing it.  If that role falls to the vendors, they too will have to take more care, probably much more care, to ensure software is secure.  And that will delay both patch cycles and version cycles.

Which, of course, brings us to the providers.  As noted, there is already a problem here with patch releases.  But, after all, most attacks these days are network based.  Proper filtering would not only deal with intrusions and malware, but also issues like spam and fraud.  After all, if the phishing message never reaches the user, the user can’t be defrauded.

So, in theory, we can make a good case that the provider would be the most effective locus for responsibility for security.  They have the ability to address the broadest range of security issues.  In reality, of course, it wouldn’t work.

In the first place, all kinds of users wouldn’t stand for it.  Absent a monopoly market, any provider who tried to provide total security protection, would a) incur prohibitively heavy costs (putting pressure on their competitive rates), and b) lose a bunch of users who would resent restrictions and limitations.  (At present, of course, me know that many providers can get away with being pretty cavalier about security.)  The providers would also, as now, have to deal with a large range of devices.  And, if responsibility is lifted from the vendors, the situation will only get worse: vendors will be able to role out new releases and take even less care with testing than they do now.

In practical terms, we probably can’t, and shouldn’t decide this question.  All parties should take some responsibility, and all parties should take more than they do currently.  That way, everybody will be better off.  But, as Bruce Schneier notes, there are always going to be those who try and shirk their responsibility, relying on the fact that others will not.

Share

CanSecWest evolving

Let me say, right off the top, that I love CanSecWest.  I am tired of “vendor” conferences, where you pay outrageous fees for the privilege of sitting through a bunch of sales pitches.  At least CanSecWest has real information, as opposed to virtual information.  (Virtual information: n. – marketing spiel dressed up as actual technical information.)

However, today I have had the same conversation half a dozen times, with half a dozen different people.  (And I didn’t initiate any of them.)  The conversation generally starts out the same way, with the question, “Don’t you think CanSecWest is getting … less technical?”

Now, it may simply be a one year glitch, or a random set of presentations.  But, yes, I have to agree that, so far, the presentations have not been as great as in the past.

Still good, don’t get me wrong.  But we started with a pres on the boot process, nicely technical, but nothing new.  Pen testing, which was also pretty generic, and nothing new.  The social authentication, yes, that was good.  Recent research, and some neat ideas to play with.  The piece on APT was mostly about finding bugs in Shockwave/Flash.  The piece on Duqu and Stuxnet was good, but I feel a bit used: Kaspersky obviously timed it to present the same thing at both CanSecWest and CeBit at the same time.  Good PR hack, but a bit of a cheat in terms of “unique” presentations that haven’t been done before.

The smartphone rooting had some interesting points, but didn’t demonstrate real exploits.  The probing of mobile networks had more real and technical data.  (Marcia Hoffman’s presentation was, last year, a personal disappointment to me, since I’m a legal and forensics guy, and expected more depth.  However, when I thought about it, I realized that she had nailed the target audience: these guys are geeks, and need the basic warnings about what they are doing.  She did just as well this year.)

The iOS exploitation pres was interesting but covered material that was covered quite well last year.  The piece on hardware-involved attacks boiled down to “if you don’t take care with your programming, hardware can do things you don’t expect: be a careful programmer.”  The Near Field Communications (NFC) item did raise some interesting points about the careless acceptance of chip codes, but most of it was little different from discussions about RFID or validating input in general.  (The HDMI was pretty cool.)

Like I said, I love CanSecWest, and I’m still going to come.  I may complain a bit about these presentations, but they are still far above anything you are likely to find at a vendor conference.  But I hope the program gets back to some solid, new technical stuff.

(By the way, if you want more details about the specific presentations, the slides are generally made available in an archive shortly after the event closes.  It’ll probably be this link, or something similar.)

Share

Probing mobile (cell) networks

Mobile networks have many disparate types of devices.  You can probably guess what some of them are, or even go to the provider’s store or kiosk and get a list.  But there are going to be more devices out there.  So why not scan the IP addresses on your subnet?

Well, the access points for mobile networks generally don’t allow promiscuous access.  So you may have to go to ARIN and other lists in order to start getting some ranges to check.  You can also check access logs of a Website to find visitors with mobile devices.  (Of course, there is always the NATting that the providers do, not to mention DHCP, and the fact that most mobile devices don’t run servers or services.)

Colin Mulliner, of the Berlin Institute of Technology, did manage to find a fair amount of interesting stuff.  Windows Mobile tended to be a useful source of open ports and services (usually open FTP services on mobile devices).  He also found and was able to identify a number of specialized devices that were identifiable from responses to probes.  Some of the most interesting were mobile access points: connecting to the mobile networks and then providing local wifi for computers.  Others were HTTP servers for surveillance cameras.  (Others were GPS tracking devices which, oddly, had no security against “guest” login  :-)  (Some were smart meters.  With smart meters rolling out here in BC, lets hope they are more secure …)

Possibly of concern was the large number of jailbroken iOS devices.  Many of them still had the default “alpine” password.  (If you hack your own device, you’d better be prepared to secure it.)  This could form the basis of a fair sized worm and/or botnet.  Then again, iOS users aren’t alone here.  An awful lot of people seem to think nothing of creating mobile devices and hooking them up to mobile networks with very little in the way of security.

Share

Smartphone vulnerabilities

Scott Kelly, platform architect at Netflix, gets to look at a lot of devices.  In depth.  He’s got some interesting things to say about smartphones.  (At CanSecWest.)

First of all, with a computer, you are the “tenant.”  You own the machine, and you can modify it any way you want.

On a smartphone, you are not the only tenant, and, in fact, you are the second tenant.  The provider is the first.  And where you may want to modify and customize it, the provider may not want you to.  They’d like to lock you in.  At the very least, they want to maintain some control because you are constantly on their network.

Now, you can root or jailbreak your phone.  Basically, that means hacking your phone.  Whether you do that or not, it does mean that your device is hackable.

(Incidentally, the system architectures for smartphones can be hugely complex.)

Sometimes you can simply replace the firmware.  Providers try to avoid doing that, sometimes looking at a secure boot system.  This is usually the same as the “trusted computing” (digital signatures that verify back to a key that is embedded in the hardware) or “trusted execution” (operation restriction) systems.  (Both types were used way back in AV days of old.)  Sometimes the providers ask manufacturers to lock the bootloader.  Attackers can get around this, sometimes letting a check succeed and then doing a swap, or attacking write protection, or messing with the verification process as it is occurring.  However, you can usually find easier implementation errors.  Sometimes providers/vendors use symmetric enryption: once a key is known, every device of that model is accessible.  You can also look at the attack surface, and with the complex architectures in smartphones the surface is enormous.

Vendors and providers are working towards trusted modules and trustzones in mobile devices.  Sometimes this is virtual, sometimes it actually involves hardware.  (Personally, I saw attempts at this in the history of malware.  Hardware tended to have inherent advantages, but every system I saw had some vulnerability somewhere.)

Patching has been a problem with mobile devices.  Again, the providers are going to be seen as responsible for ongoing operation.  Any problems are going to be seen as their fault.  Therefore, they really have to be sure that any patch they create is absolutely bulletproof.  It can’t create any problems.  So there is always going to be a long window for any exploit that is found.  And there are going to be vulnerabilities to exploit in a system this complex.  Providers and vendors are going to keep trying to lock systems.

(Again, personally, I suspect that hacks will keep on occurring, and that the locking systems will turn out to be less secure than the designers think.)

Scott is definitely a good speaker, and his slides and flow are decent.  However, most of the material he has presented is fairly generic.  CanSecWest audiences have come to expect revelations of real attacks.

Share

Net accesses …

So, I’m always excited about CanSecWest, and I was yesterday, as I got ready.  I went to do a last minute download of email.  (Yes, the conference provides wireless, and it usually works, after a few initial glitches.  But I like to avoid risks, and I like to have most of my stuff with me on my machine.)

I could pull the email off my main account.  (I have multiple email addresses with Shaw.)  But I couldn’t get any email off the subsidiary accounts.  In order to check if this was some setting gone wrong on my MUA I tried the Web interface.  Same result: I could get at my main account, but not the subsidiary accounts.

Later in the day, at the conference, I was able to access all the accounts.  But I found that, while my main account was still accessible though the original interface, suddenly all the others were using a new “Webmail 2.0.”

I thought this was kind of odd, so I reported this to Shaw through their “ShawHelp” account on Twitter.  You can’t explain a lot in 140 characters, so we passed a few “direct messages” back and forth.

I have previously mentioned that Shaw’s support is not the best, and their attitude to security could use some work.  (As a side result of this, a friend has provided me with an emergency proxy for outbound email.  I tried it this morning, and, unlike Shaw, which requires that you be on their network before you get access to your email, it works from CanSecWest.)  So I shouldn’t have been shocked when I got a message from ShawHelp saying … well, let me quote it:

“Not seeing issues with either of them. You can’t log into cissp? What is password so we can take a look? ^LL”

I had forgotten this.  In the old days, when I stilled tried to call Shaw support when I had a problem, I frequently got asked for my password.  Since I won’t give them my password (what do you think I am, a normal user?), that usually ended any attempt on their part to deal with the problem.

So, here we are, some years later, and Shaw is still asking their customers for passwords.  How many years have we been telling people, “customer support will never ask you for your password”?

On a very slightly positive note, I can say that, two months after they announced it, the Shaw Wifi AP in Lynn Valley is finally operating.

(I suppose I shouldn’t bash too hard on Shaw.  Their tech support and security is abysmal, but the service only goes down about once a quarter.  The other day I was at the barbershop.  They are putting in service through the other major provider in our area, Telus.  Telus’ initial installation had only given them partial access, so they called in Telus’ support.  The support tech managed to shut off access completely, and had been coming back, sporadically, for over a week, without success.)  (Yes, I did manage to get them partial access back …)

Share

CanSecWest

I always look forward to CanSecWest.  Usually cutting edge stuff.  Some of it incomprehensible, some of it interesting, some very entertaining.

Every year is a different program, of course, but every year has some changes to the setup, as well.  This year is the latest I can remember them opening the doors to the ballroom/theatre, but it was also one of the earliest in terms of starting the registrations.

Between getting registered and getting in to the room there’s some time to mingle.  It was nice to see old friends, including some whose presence surprised me.  Also nice to meet a few new people.

It’s always interesting who you run into at CanSecWest.  One friend, on his first time out, sat down next to a nice chap, and got to talking.  Said chap shortly asked my friend to mind his computer for the next little while, then walked up to the front and was introduced as the next speaker, Charlie Miller.  Miller is a bit of a fixture at the event, as he tends to win the Pwn2Own contest year after year.  You’ve probably heard of his escapades in other areas.

(As I say, lots of nice people here.  However, this is definitely a conference on the geek end of the spectrum, and you can often count on running into people whose “people skills” could use work.  It makes starting up conversations with strangers possibly more surprising than usual  :-)

Not as many vendors at CanSecWest as at other conferences.  Some interesting ones this year: one company doing managed security and reselling.  They are looking at the enterprise and government market, and I suspect they may be at the wrong conference.  Adobe is here: they seem to be trying to overcome the perception of them as the problem.  A number of companies appear to be primarily interested in recruiting.  (If they are really serious about it, they might have sent more technical people: a number of tables are staffed by sales people who are having difficulty talking to the geeks they are trying to recruit.)

As usual, getting connected to the CanSecWest network was a bit of a challenge, but I seem to be on now  :-)

Share

Michelangelo

Graham Cluley, of Sophos and Naked Security, posted some reminiscences of the Michelangelo virus.  It brought back some memories and he’s told the story well.

I hate to argue with Graham, but, first off, I have to note that the twentieth anniversary of Micelangelo is not tomorrow (March 6, 2012), but today, March 5.  That’s because 1992 was, as this year is, a leap year.  Yes, Michelangelo was timed to go off on March 6th every year, but, due to a shortcut in the code (and bugs in normal comptuer software), it neglected to factor in leap years.  Therefore, in 1992 many copies went off a day early, on March 5th.

March 5th, 1992, was a rather busy day for me.  I was attending a seminar, but kept getting called out to answer media enquiries.

And then there was the fact that, after all that work and information submitted to the media in advance, and creating copies of Michelangelo on a 3 1/2″ disk (it would normally only infect 5 1/4″s) so I could test it on a safe machine (and then having to recreate the disk when I accidentally triggered the virus), it wasn’t me who got my picture in the paper.  No, it was my baby brother, who a) didn’t believe in the virus, but b) finally, at literally the eleventh hour (11 pm on March 4th) decided to scan his own computer (with a scanner I had given to him), and, when he found he was infected, raised the alarm with his church, and scanned their computers as well.  (Must have been pretty close to midnight, and zero hour, by that time.)  That’s a nice human interest story so he got his picture in the paper.  (Not that I’m bitter, mind you.)

I don’t quite agree with Graham as to the infection rates.  I do know that, since this was the first time we (as the nascent antivirus community) managed to get the attention of the media in advance, there were a great many significant infections that were cleaned off in time, before the trigger date.  I recall notices of thousands of machines cleaned off in various institutions.  But, in a sense, we were victims of our own success.  Having got the word out in advance, by the trigger date most of the infections had been cleaned up.  So, yes, the media saw it as hype on our part.  And then there was the fact that a lot of people had no idea when they got hit.  I was told, by several people, “no, we didn’t get Michelangelo.  But, you know, it’s strange: our computer had a disk failure on that date …”  That was how Michelangelo appeared, when it triggered.

I note that one of the comments wished that we could find out who created the virus.  There is strong evidence that it was created in Taiwan.  And, in response to a posting that I did at the time, I received a message from someone, from Taiwan, who complained that it shouldn’t be called “Michelangelo,” since the real name was “Stoned 3.”  I’ve always felt that only the person who wrote that variant would have been that upset about the naming …

Share

REVIEW: “Liars and Outliers: Enabling the Trust that Society Needs to Thrive”, Bruce Schneier

BKLRSOTL.RVW   20120104

“Liars and Outliers: Enabling the Trust that Society Needs to Thrive”,
Bruce Schneier, 2012, 978-1-118-14330-8, U$24.95/C$29.95
%A   Bruce Schneier www.Schneier.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2012
%G   978-1-118-14330-8 1-118-14330-2
%I   John Wiley & Sons, Inc.
%O   U$24.95/C$29.95 416-236-4433 fax: 416-236-4448 www.wiley.com
%O  http://www.amazon.com/exec/obidos/ASIN/1118143302/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1118143302/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1118143302/robsladesin03-20
%O   Audience n+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   365 p.
%T   “Liars and Outliers: Enabling the Trust that Society Needs to
Thrive”

Chapter one is what would ordinarily constitute an introduction or preface to the book.  Schneier states that the book is about trust: the trust that we need to operate as a society.  In these terms, trust is the confidence we can have that other people will reliably behave in certain ways, and not in others.  In any group, there is a desire in having people cooperate and act in the interest of all the members of the group.  In all individuals, there is a possibility that they will defect and act against the interests of the group, either for their own competing interest, or simply in opposition to the group.  (The author notes that defection is not always negative: positive social change is generally driven by defectors.)  Actually, the text may be more about social engineering, because Schneier does a very comprehensive job of exploring how confident we can be about trust, and they ways we can increase (and sometimes inadvertantly decrease) that reliability.

Part I explores the background of trust, in both the hard and soft sciences.  Chapter two looks at biology and game theory for the basics.  Chapter three will be familiar to those who have studied sociobiology, or other evolutionary perspectives on behaviour.  A historical view of sociology and scaling makes up chapter four.  Chapter five returns to game theory to examine conflict and societal dilemmas.

Schneier says that part II develops a model of trust.  This may not be evident at a cursory reading: the model consists of moral pressures, reputational pressures, institutional pressures, and security systems, and the author is very careful to explain each part in chapters seven through ten: so careful that it is sometimes hard to follow the structure of the arguments.

Part III applies the model to the real world, examining competing interests, organizations, corporations, and institutions.  The relative utility of the four parts of the model is analyzed in respect to different scales (sizes and complexities) of society.  The author also notes, in a number of places, that distrust, and therefore excessive institutional pressures or security systems, is very expensive for individuals and society as a whole.

Part IV reviews the ways societal pressures fail, with particular emphasis on technology, and information technology.  Schneier discusses situations where carelessly chosen institutional pressures can create the opposite of the effect intended.

The author lists, and proposes, a number of additional models.  There are Ostrom’s rules for managing commons (a model for self-regulating societies), Dunbar’s numbers, and other existing structures.  But Schneier has also created a categorization of reasons for defection, a new set of security control types, a set of principles for designing effective societal pressures, and an array of the relation between these control types and his trust model.  Not all of them are perfect.  His list of control types has gaps and ambiguities (but then, so does the existing military/governmental catalogue).  In his figure of the feedback loops in societal pressures, it is difficult to find a distinction between “side effects” and “unintended consequences.”  However, despite minor problems, all of these paradigms can be useful in reviewing both the human factors in security systems, and in public policy.

Schneier writes as well as he always does, and his research is extensive.  In part one, possibly too extensive.  A great many studies and results are mentioned, but few are examined in any depth.  This does not help the central thrust of the book.  After all, eventually Schneier wants to talk about the technology of trust, what works, and what doesn’t.  In laying the basic foundation, the question of the far historical origin of altruism may be of academic philosophical interest, but that does not necessarily translate into an
understanding of current moral mechanisms.  It may be that God intended us to be altruistic, and therefore gave us an ethical code to shape our behaviour.  Or, it may be that random mutation produced entities that acted altruistically and more of them survived than did others, so the population created expectations and laws to encourage that behaviour, and God to explain and enforce it.  But trying to explore which of those (and many other variant) options might be right only muddies the understanding of what options actually help us form a secure society today.

Schneier has, as with “Beyond Fear” (cf. BKBYNDFR.RVW) and “Secrets and Lies” (cf. BKSECLIE.RVW), not only made a useful addition to the security literature, but created something of value to those involved with public policy, and a fascinating philosophical tome for the general public.  Security professionals can use a number of the models to assess controls in security systems, with a view to what will work, what won’t (and what areas are just too expensive to protect).  Public policy will benefit from examination of which formal structures are likely to have a desired effect.  (As I am finishing this review the debate over SOPA and PIPA is going on: measures unlikely to protect intellectual property in any meaningful way, and guaranteed to have enormous adverse effects.)  And Schneier has brought together a wealth of ideas and research in the fields of trust and society, with his usual clarity and readability.

copyright, Robert M. Slade   2011     BKLRSOTL.RVW   20120104

Share

New computers – Windows 7 – printers and USB

C’mon, fess up.  Who did the discovery protocol for Windows Universal Plug and Play?

Was it supposed to work for USB?

Windows has always been annoying in regard to USB.  I’ve had it “forget” mice and jump drives (sometimes never to accept them again on that port).  I’ve had a port “locked” by an Adobe picture manager (which I hadn’t realized Adobe was installing while I was trying to upgrade Reader to get rid of the latest round of vulnerabilities) so that it never recognized my camera again on *any* USB port, and insisted that every jump drive I attached was a camera.  Windows has never been willing to specifically identify any USB port even if it reports a problem.

Recently our printer (yes, a Winprinter with a USB connection: these days, can you find any other type?) has been flaky.  Not the printer itself: it’s fine.  And, yes, I did install the correct Win 7 driver, thank you very much.  Not that either Microsoft nor HP were very helpful about that.  The computer started out just fine, for a few months.  Then it started not recognizing that it had a printer.  Then it started seeing that it had something connected, but couldn’t tell what it was.  And sometimes it would cycle between these states constantly, while I was working.  (I’d hear a rising double beep as it realized it had a printer, or a falling double beep as it lost it, or couldn’t recognize it.  It got so bad that I’ve had to turn the speaker volume down given the near constant clamour of beeps.)  We tried different things: rebooting, changing to another user, power cycling the printer, power cycling the printer and waiting a while before we turned it on, turning the printer on first, not turning the printer off when once it had successfully accepted a print job.  Sometimes they worked, sometimes they didn’t.  Recently it’s gotten a lot worse.

(And, yes, I did Google it.  And AltaVistaed it  Never found anything helpful.  Even when I added profanity, as I suspected would be the case with someone who had gotten as frustrated with it as I was.)

So, at Gloria’s suggestion, today I hauled the computer out of its nook and swapped the printer to another USB port.

She was right: after I changed it the queue printed.

I lost the keyboard, monitor (twice), mouse (twice).  Eventually got them back. And then the computer crashed.  I lost some bookmarks I had collected this morning, and some outbound email: don’t know what or how much.  As far as I can tell I still have access to other devices, but I got a report that the Passport drive has a problem and I’m currently running a check on it.

But the printer is still printing.  So far.

I could really get to hate Microsoft.  Very easily …

Share