Secure your coffee maker

It is raining these days in Sydney and I guess that this guy didn’t want to get wet and stayed home all day. One thing led to another, and eventually he managed to break into his coffee machine… Apparently he had found some cool security holes in his Jura F90 coffee maker. I was looking for more hacks like this one, but couldn’t find a washing machine, an electric toothbrush or a fridge in the product vulnerabilities list.
I wonder if one day I’ll discover that someone hacked my toothpick (although I’m sure that toothpicks will be safer, since they will run Linux, not Windows).
Is the world turning into a place where every toilet seat needs its own firewall?


“Security is a thing of the past”

I recently talked to my friend, a nice guy but with limited computer skills, and what he told me quite amazed me:

I stopped caring about security. I no longer install Microsoft patches unless they install themselves automatically, I don’t upgrade my antivirus, antimalware or any other protection mechanism; I simply can’t spend the time doing it. My work is not my computer, the computer is a tool for me. You can’t expect me to be an engineer and fix my car, right? So why is this expected of me with my computer?

Why was he talking like that? Well, simply put, he is tired: tired of worrying about his computer’s security, about whether his antivirus is the latest, whether his malware prevention works, whether the patches are needed or not.

Security has become such a burden on ordinary users that they no longer care about it.

And don’t get him wrong, he is a good guy: he even recently upgraded his hardware to accommodate a fresh installation of Vista, because he was “promised” that Vista resolved all the security issues and that everything would be seamless, security-wise. Of course it isn’t.

Vista is no different from previous OSes. XP made the same promise and failed, and I don’t see how the next OS will be able to deliver on its promise of a secure OS either.

Before you jump in and say “move to Linux”: my friend doesn’t have that option, as he needs several programs critical to his job that aren’t available for Linux. Of course there are alternatives to them, but he is a professor, not a kid; he has work to do with these programs, jobs to hand in and research to do, and he can’t just switch to a different OS and different programs now.

I am not sure what I can do for him - beside comfort him :)


Your life on an RSS feed

Social networks mean different things to different people. Some people want the world to know what they are doing NOW. So they blog, update their facebook status, use twitter to tell friends and stalkers what they’re thinking and dopplr to make sure everybody knows where they’re going.

Other people think social networks are a danger to privacy. A friend of mine wrote back in response to a linkedin invitation:

i regret to inform you that i don’t do social networking in any form.

This is a man that was there when the Internet started (and in fact laid some of its corner stones), and yet he refuses to take part in the most important revolution on the Internet in the last 10 years?

I used to think there was a third way to look at it. Use social networking in moderation: write what you want people to know, like where you work or what zip code you’re in and do that only because you have a use for it and not because you’re invited (ok, the last part is horseshit. I join things early so that I can reserve aviram as a username to the service. This strategy earned me aviram at gmail.com). For me, privacy was not an issue as long as you know what kind of information you put there. But now, it seems, things are getting out of hand.

I got an email from one of my linkedin connections with a link to a video sharing site called vidjar.com. This link was to videos tagged with his first name - not too uncommon, and you can probably imagine there were a few videos there with that tag.

But his problem was that on the sidebar, was the sentence:

[his full name] is now connected to Aviram Jenik

A deeper investigation showed that the sidebar included a widget that had an RSS feed into linkedin. This RSS feed somehow recorded the fact that he and I had connected. I’m not an expert in linkedin’s new API platform, so I’m not sure how that works - but I can understand how he was not happy to see that everybody on vidjar could see that he and I were connected via linkedin. This is information that only people directly connected to him or me should be able to see, and only when logged into linkedin. Here, it was viewable to the world - we verified it by looking at the flattened google cache.

An API issue? Maybe. But it definitely demonstrates the old saying that information you give, is no longer yours.


Hacking is wrong, but abuse of process is wronger …

http://news.bbc.co.uk/go/em/-/2/hi/uk_news/7456216.stm

“Lawyers for Glasgow-born Gary McKinnon told the House of Lords US authorities had warned him he faced a long jail sentence if he did not plead guilty.

“The systems analyst is accused of gaining access to 97 US military and Nasa computers from his London home.

“Known as Solo, he was arrested in 2002 but never charged in the UK.”

So far, so bad.  Breaking into computers has very little justification, and “just having fun” isn’t exactly a defence.  However:

“Without co-operation, the case could be treated as a terrorism case, which could result in up to a 60-year sentence in a maximum security prison should he be found guilty on all six indictments.

“With co-operation, he would receive a lesser sentence of 37 to 46 months, be repatriated to the UK, where he could be released on parole and charges of `significantly damaging national security’ would be dropped.

“A US embassy legal official quoted New Jersey authorities saying they wanted to see him `fry’.”

This bothers me.  A lot.  It’s too much like security theatre, as well as being flat-out immoral.  He did something wrong: he should be punished.  But he should be convicted properly, and punished appropriately, not intimidated into pleading guilty in order to inflate someone’s prosecution records.


Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest Crypto-Gram (http://www.schneier.com/crypto-gram.html) points out the foolishness of warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of their targets.  It doesn’t make sense to try to protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.


Ummm, wait a minute …

A recent survey revealed that 57 percent of Americans fear that their account passwords will be stolen when they bank online, and 38 percent do not trust online payment processing, banks and other ecommerce services. […] Justifying consumer concerns, 21 percent of the respondents in the survey said they had already had their bank data stolen. 40 percent of consumers who took the survey said they would buy more online if the security was strengthened. Another 44 percent of people said that online credit card processing worried them.

Source: http://www.prweb.com/releases/2008/4/prweb851444.htm

Customer satisfaction with online banking sites has risen significantly over the past five years. […] The reading of 82 was higher than customers gave banks overall – 78 in 2007 – suggesting they are more pleased with banks’ online operations than with branches and call centers. […] The survey measured customers’ experiences with three types of financial institutions – banks, credit card companies and investment services firms. Banks got the highest score out of the three financial categories.

Source:
http://news.yahoo.com/s/ap/20080415/ap_on_hi_te/online_banking_survey[…]


Spuds and system security

Recently, there has been a great deal of concern over the rise in prices of common staple food grains.  A frequently cited cause for this price jump is international speculation in commodity markets, and the disproportionate effect this can have on the price of the commodities themselves, quite apart from the usual cycles of supply and demand.

What fewer people may know is that the UN declared 2008 as the international year of the potato.  (They did this, of course, some time ago, so the contrast in notions becomes even more intriguing.)

There is some irony in that, but it gets better.  (Both from the perspective of irony, and from the point of view of useful analogies for infosec.)

The potato (the “humble” potato, as it is frequently described) is suitable to a great many climatic conditions, and is generally more productive than grain crops (and *much* more productive than meats, etc.)  It is also surprisingly nutritious.

(Ah! I hear you cry, what about the Potato Famine?  Well, in that case the potato was, oddly, a victim of its own success.  We know, or should know, the dangers of the monoculture, which was what led to the famine.  [And that topic has relevance to infosec as well, but it has been amply discussed elsewhere.]  However, what is less well known is that the introduction of the potato, 250 years prior to the famine, led to a 5-8 fold increase in the population of Ireland over those twenty-five decades, due to an increase in both food source and in nutrition.)

So, what about world food crops, commodities, and skyrocketing prices?  If we convinced people to grow potatoes, wouldn’t we just become dependent upon potatoes, and then there would be speculation in potato futures?  Well, oddly, it seems not.

Grain, when harvested, is fairly dry, and can easily be dried even more for storage and shipment.  And, to pretty much anyone except a pasta maker, wheat flour is wheat flour.  You can make any product you want out of basically any flour you can get.

Potatoes are wet.  They get used fresh, for the most part.  (The technical advances in producing dried mashed potatoes seem to parallel those of artificial intelligence: there is a lot of interest, and a lot of work, but those who have tried the results can tell you that there is work yet to be done.)  Also, people who use and eat potatoes tend to have preferences.  (And there are a great many varieties of potatoes.  Remember that monoculture bit?)

It seems that potatoes are one of the few staple crops that are resistant to commodity markets (however susceptible they may be to the blight).

So, what’s the point for infosec?  Remember the lessons of security architecture.  Build your architecture based on resilient and resistant technologies, not on the most popular.  It’s not a new lesson: it rests on the foundation of risk management which should be foundational to all security.


Still using Windows 2000? You are at risk

As Microsoft gradually stops supporting Windows 2000, vendors of other products that run on it also stop supporting it. This is no big deal for those who moved to Windows XP, 2003 or Vista, but it could be a big deal for all those who simply don’t have the computing power to make the switch and want to stick with their working OS.

Microsoft has promised to release security-related patches for Windows 2000 for a while longer, but this will eventually stop. What is more concerning is that Adobe and Apple have already stopped, quietly, and are placing their users at risk.

It has been quite a while now since Adobe released an Acrobat Reader update for Windows 2000, with the justification - you guessed it - that the OS is unsupported, and even longer since Apple released a QuickTime update for Windows 2000.

With the emergence of new vulnerabilities in Acrobat Reader and QuickTime, people are not only left behind in the vulnerability-prevention race, they are not even made aware of it: neither program cares enough to give its users adequate warning that they are at risk.

List of issues affecting QuickTime with no apparent fix for Windows 2000:

* QuickTime 7.2 issues, QuickTime 7.3 issues, QuickTime 7.4 issues, QuickTime 7.5 issues - all these probably affect QuickTime 7.1 too


What is your blackberry doing without telling you?

I recently added a contact to my BlackBerry PIN network. The contact was informed of this via an email, and then went on to reply (accept) to this email based invitation.

The response sent from his BlackBerry was not visible in his “sent” folder, nor was it visible in my “inbox”: apparently BlackBerry has the ability to silently delete emails as soon as they are processed, which lets it do things a bit “under the radar”.

It’s not yet clear to me how difficult it is to do this manually - adding a contact to your BlackBerry PIN list - but here are some clues about the email mechanism. Apparently, you need to include the following string in the subject and at the beginning of the message body (the subject alone works in most cases; HTML mail appears to behave differently):

<$RemoveOnDelivery,SuppressSaveInSentItems>

You can combine the above in the subject line with confirm, which causes the BlackBerry to send back a delivery confirmation in addition to deleting the message on delivery and suppressing the save in Sent Items:

<$confirm, RemoveOnDelivery,SuppressSaveInSentItems>
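Mail carrying these directives is something a mail administrator may want to spot, for example to flag messages that would leave no trace in Sent Items. The following Python is an added example, not code from the original post or from RIM: it parses a message with the standard library, looks for a <$...> directive in the Subject header and at the beginning of the plain-text body, and reports which of the tokens named above it found. The two sample messages are constructed for the example; matching the tokens case-insensitively is an assumption, since the post does not say whether the BlackBerry treats them that way.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Directive syntax as described in the post: "<$" then one or more tokens
# separated by commas, then ">". Optional whitespace around tokens is
# accepted, matching the spacing of the second example on the page.
DIRECTIVE_RE = re.compile(r"<\$\s*([A-Za-z0-9_]+(?:\s*,\s*[A-Za-z0-9_]+)*)\s*>")

# The three tokens the post names. Case-insensitive matching is an
# assumption made by this example, not something the post states.
KNOWN_TOKENS = {"removeondelivery", "suppresssaveinsentitems", "confirm"}


def _split_tokens(raw: str) -> list:
    """Split "a, b,c" into ["a", "b", "c"], lower-cased."""
    return [t.strip().lower() for t in raw.split(",") if t.strip()]


def find_directives(msg: EmailMessage) -> dict:
    """Return {"subject": [...], "body": [...]} with the directive tokens
    found in the Subject header and at the start of the text body.
    Empty lists mean no directive was present in that location."""
    found = {"subject": [], "body": []}

    m = DIRECTIVE_RE.search(msg.get("Subject", ""))
    if m:
        found["subject"] = _split_tokens(m.group(1))

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body = body_part.get_content()
        # The post says the string has to be at the beginning of the body,
        # so only leading text (after whitespace) is examined here.
        m = DIRECTIVE_RE.match(body.lstrip())
        if m:
            found["body"] = _split_tokens(m.group(1))
    return found


def is_suspicious(msg: EmailMessage) -> bool:
    """True if any known hide-from-user token appears in subject or body."""
    d = find_directives(msg)
    return bool((set(d["subject"]) | set(d["body"])) & KNOWN_TOKENS)


def scan(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the scan result."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"suspicious": is_suspicious(msg), **find_directives(msg)}


# Constructed sample messages (not captured traffic).
HIDDEN_MSG = """\
From: alice@example.com
To: bob@example.com
Subject: <$confirm, RemoveOnDelivery,SuppressSaveInSentItems> PIN accept
Content-Type: text/plain; charset=utf-8

<$RemoveOnDelivery,SuppressSaveInSentItems>
Accepting your PIN request.
"""

PLAIN_MSG = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

Still on for 12:30?
"""

if __name__ == "__main__":
    for raw in (HIDDEN_MSG, PLAIN_MSG):
        print(scan(raw))
```

Run over a mailbox, the scan marks only messages whose Subject or leading body text carries one of the tokens; ordinary mail that happens to mention the words elsewhere is not flagged, because the body check anchors at the start of the text.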


Is your API exposed or are you just happy to see me?

Here’s something we knew ever since we implemented DLL Fuzzing in beSTORM: when you give direct API access you are likely to expose some serious weaknesses.

Those weaknesses can lead to Paris Hilton being exposed, if you know what I mean. Actually, I mean that literally: a myspace API given to Yahoo! exposes the private profiles of Paris Hilton and Lindsay Lohan. Some people will consider that a better find than overwriting the EIP.
Here’s the howto, courtesy of Byron Ng:

1. You’ll need a Yahoo account. Go to www.yahoomail.com and create a Yahoo account if you don’t have one already. You will also need to go to www.myspace.com to sign up for a MySpace account first, if you don’t have one already.

2. Go to http://beta.m.yahoo.com/w/gallery/widget and click on the ‘mail’ button under “sign in to yahoo!”.

3. Click on ‘click here to sign in’.

4. Enter your Yahoo ID and Yahoo password.

5. Then, at the top of the screen in the white box, enter: myspace, then click Search Widgets Gallery.

6. You will see a green box in the middle with the word ‘myspace’ in there.

7. Click the green myspace.

8. See in the middle of the screen it says “add it” - click that.

9. Click yes when it asks you about sharing info.

10. Go here: http://beta.m.yahoo.com/w/gallery/widget

11. Enter myspace into the box. Click search widgets gallery.

12. Click on the green myspace. Now, since you have already set it up in the previous steps, it won’t ask you to download again.

13. Click on ‘go to widget’ (that’s right below the ‘already added it’ text).

14. Now sign in to MySpace.

15. Now take the URL I asked you to save above before step 1: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and click on it. It may ask you to sign into Yahoo or MySpace. Sign in as appropriate. Now you should be able to see the person’s pictures. If you can only see your own profile, then click on it again: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and it will work.

The moral of the story: check your API, and check it well. If you don’t, others will…


Secure coding practices - would you expect the RFC to follow them?

We recently did some work finding inherited vulnerabilities in SNMP-supporting devices, mainly embedded/hardware.

SNMP, like many other protocols, is defined in several RFCs, starting with the basic RFC that describes the protocol structure and going up to RFC 3414, which describes how authentication and encryption (referred to as privacy by the SNMP spec) are done.

The RFC describes a few algorithms, such as the one for key localization, in great detail, i.e. providing C source code (this is the MD5 password-to-key sample from RFC 3414, appendix A.2.1):


void password_to_key_md5(
    u_char *password,     /* IN */
    u_int   passwordlen,  /* IN */
    u_char *engineID,     /* IN - pointer to snmpEngineID */
    u_int   engineLength, /* IN - length of snmpEngineID */
    u_char *key)          /* OUT - pointer to caller 16-octet buffer */
{
    MD5_CTX MD;
    u_char *cp, password_buf[64];
    u_long password_index = 0;
    u_long count = 0, i;

    MD5Init (&MD);   /* initialize MD5 */

    /**********************************************/
    /* Use while loop until we've done 1 Megabyte */
    /**********************************************/
    while (count < 1048576) {
        cp = password_buf;
        for (i = 0; i < 64; i++) {
            /*************************************************/
            /* Take the next octet of the password, wrapping */
            /* to the beginning of the password as necessary.*/
            /*************************************************/
            *cp++ = password[password_index++ % passwordlen];
        }
        MD5Update (&MD, password_buf, 64);
        count += 64;
    }
    MD5Final (key, &MD);          /* tell MD5 we're done */

    /*****************************************************/
    /* Now localize the key with the engineID and pass   */
    /* through MD5 to produce final key                  */
    /* May want to ensure that engineLength <= 32,       */
    /* otherwise need to use a buffer larger than 64     */
    /*****************************************************/
    memcpy(password_buf, key, 16);
    memcpy(password_buf+16, engineID, engineLength);
    memcpy(password_buf+16+engineLength, key, 16);

    MD5Init(&MD);
    MD5Update(&MD, password_buf, 32+engineLength);
    MD5Final(key, &MD);
    return;
}

People reading this RFC jump with joy, copy-paste the above code into their own, and get on with the work of getting SNMP running on their hardware.

Few of them notice that the RFC authors left this remark in the comment:

May want to ensure that engineLength <= 32, otherwise need to use a buffer larger than 64

“Ohh pff, who needs to ensure anything on my robust hardware - what is the worst that can happen, a server crash?” :D

Actually, the worst that can happen is a neat stack buffer overflow. password_buf is 64 bytes on the stack, and the three memcpy calls write 16 + engineLength + 16 bytes into it, so any engineID longer than 32 bytes runs off the end. Nothing in the code guarantees that the engineID is limited to 32 bytes: the length is not enforced by the encoding (the ASN.1 OCTET STRING carries its own length field) but only by the RFC specification, which defines snmpEngineID as 5 to 32 octets, and in USM the engineID to localize against arrives inside the message itself, so a peer that does not conform to the RFC 100% - or an attacker - controls it.

I would expect the RFC editors/creators to provide sample code that is secure. Something like the following would have sufficed to prevent the code from being easily exploited: it clamps the copied length to 32 so the copies stay inside password_buf. Note that a longer engineID then localizes against a truncated value, so authentication with such a peer fails instead of overflowing; rejecting an engineID outside the 5..32 octets the RFC allows is the cleaner fix.
    memcpy(password_buf, key, 16);
    memcpy(password_buf+16, engineID, engineLength < 32 ? engineLength : 32);
    memcpy(password_buf+16+(engineLength < 32 ? engineLength : 32), key, 16);

Especially since a Google search for the sample code shows that quite a few implementations not only left the security issue unfixed but kept the embarrassing comment too.
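To show what the RFC comment is really asking for, here is the same password-to-key derivation as an added example in Python. It is not the RFC’s sample code and not the post author’s; it reimplements RFC 3414 appendix A.2.1 (MD5) and A.2.2 (SHA-1) with hashlib, rejects an snmpEngineID outside the 5..32 octets RFC 3411 allows instead of truncating it, refuses an empty password (the C sample would compute a modulo by zero there), and is checked against the test vectors in RFC 3414 appendix A.3 (password “maplesyrup”, engineID 000000000000000000000002).

```python
import hashlib

MEGABYTE = 1048576

# RFC 3411 defines SnmpEngineID as OCTET STRING (SIZE(5..32)).
ENGINE_ID_MIN = 5
ENGINE_ID_MAX = 32


def is_valid_engine_id(engine_id: bytes) -> bool:
    """The bounds check the RFC 3414 sample code leaves to the caller."""
    return ENGINE_ID_MIN <= len(engine_id) <= ENGINE_ID_MAX


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2.1 / A.2.2 key derivation. algo is "md5" or "sha1".

    Raises ValueError instead of silently misbehaving on input the C
    sample does not guard against (empty password, oversize engineID)."""
    if algo not in ("md5", "sha1"):
        raise ValueError("unsupported USM auth protocol: %r" % algo)

    # The C sample indexes password[password_index % passwordlen]; an
    # empty password would be a modulo by zero there.
    if not password:
        raise ValueError("empty password")

    # This is the "may want to ensure that engineLength <= 32" check.
    # Reject rather than truncate: a truncated engineID derives a
    # different key and authentication then fails silently.
    if not is_valid_engine_id(engine_id):
        raise ValueError("snmpEngineID length %d outside %d..%d"
                         % (len(engine_id), ENGINE_ID_MIN, ENGINE_ID_MAX))

    # Step 1: hash the password repeated cyclically to exactly 1 MiB.
    # This is what the while/for loop in the C sample feeds to MD5Update.
    reps = MEGABYTE // len(password) + 1
    h = hashlib.new(algo)
    h.update((password * reps)[:MEGABYTE])
    ku = h.digest()

    # Step 2: localize: H(Ku || engineID || Ku). In the C sample these are
    # the three memcpy() calls into password_buf[64]; 16 + engineLength + 16
    # must fit in 64 bytes, which is exactly why engineLength <= 32 matters.
    h = hashlib.new(algo)
    h.update(ku + engine_id + ku)
    return h.digest()


if __name__ == "__main__":
    # Test vector from RFC 3414 appendix A.3.1 / A.3.2.
    eid = bytes.fromhex("000000000000000000000002")
    print("md5 :", password_to_key(b"maplesyrup", eid).hex())
    print("sha1:", password_to_key(b"maplesyrup", eid, "sha1").hex())
    # An engineID that would overflow password_buf[64] in the C sample:
    try:
        password_to_key(b"maplesyrup", b"A" * 33)
    except ValueError as e:
        print("rejected:", e)
```

The same two checks belong in any C port of the RFC code: validate engineLength against 5..32 (or size the buffer for the worst case) before the memcpy calls, and reject a zero-length password before the modulo. Deriving the localized key from data the remote engine supplied is by design in USM, so the length check is the only thing standing between the message and the stack.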

