Sec Tools

Password reset questions

Recently therewas some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that I can both a) remember, and b) that wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and I, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)

S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:
http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf

Read this book. If you have anything to do with security, read this book.

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition  :-)

Comparison Review: AVAST! antiviral

PCAVAST7.RVW   20120727
Comparison Review

Company and product:

Company: ALWIL Software
Address: Trianon Office Bldg, Budejovicka 1518/13a, 140 00, Prague 4
Phone:   00 420 274 005 777
Fax:     00 420 274 005 888
Sales:   +42-2-782-25-47
Contact: Kristyna Maz nkov /Pavel Baudis/Michal Kovacic
Email:   mazankova@avast.com baudis@asw.cz
Other:   http://www.avast.com
Product: AVAST! antiviral

Summary: Multilayered Windows package

Cost: unknown

Rating (1-4, 1 = poor, 4 = very good)
“Friendliness”
Installation      3
Ease of use       4
Help systems      1
Compatibility           3
Company
Stability         3
Support           2
Documentation           1
Hardware required       3
Performance             3
Availability            3
Local Support           1

General Description:

Multilayered scanning, activity-monitoring, and change-detection software.  Network protection including Web and email monitoring.

Comparison of features and specifications

User Friendliness

Installation

The product is available as a commercial package, but also as a free download for home or non-commerecial use.  As previously noted in other reviews, this is highly desirable not simply as a marketing and promotional effort by the company, but because making malware protection available to the general public reduces the malware threat for the entire computing and network environment.  One important
aspect is that the free version, unlike some antivirus products which reduce available functions, appears to be complete.  Scanning, disinfection, network protection, reporting, and management functions all seem to be included in the free version, making Avast a highly recommended product among free downloads.

I downloaded the free version, and installed it with no problem.  It was compatible with Windows 7, as well as previous versions.  The basic installation and configuration provides realistic protection, even for completely naive users.

Ease of use

With ten basic, and a larger number of minor, functions now included in the program, the interface is no longer very easy to figure out.  For example, one of the first things I (as a specialist) need to do is to turn off scanning of my “zoo” directory.  I initially thought this might be under the large “Maintenance” button.  No, “maintenance” is reserved for upgrading and buying additional features.  I did finally find the function I wanted under a much smaller “Settings” tab.  However, as noted, most users will not require any additional functions, and need not worry about the operation of the program.  The default settings provide decent protection, and updating of signatures, and even the basic program, is almost automatic.  (The updates for the free version do push the user to “upgrade” to the commercial version, but it is not necessary.)

I located (eventually) some great functions in the program which I found very helpful.  Admittedly, I’m a very special case, since I research malware.  But I really appreciated the fact that not only could I turn scanning off for a particular directory (my “zoo”), and that I could pull programs out of the quarantine easily, but that I could also turn off individual network protection functions, very easily.  Not only could I turn them off, but I was presented with options to stop for 10 minutes, 1 hour, until the next reboot, or permanently.  Therefore, I could turn off the protection for a quick check, and not have to remember to turn it on again for regular work and browsing.

However, I cannot commend Avast for some of the reporting and logging functions.  Late in the review period it reported an “infected” page, but refused to tell me where/what it is.  In addition, recently Avast has been blocking some of my email, and the message that an email has been blocked is the only available information.

Help systems

Help is available onscreen, but it is not easy to find.  There is no help button on the main screen: you have to choose “? Support,” and then, from a list of six items choose the last one, “Program Help.”  (The standard Windows F1 key does bring up the help function.)  Most other help is only available online via the Web, although there is a downloadable PDF manual.

Compatibility

The system scores well in malware detection ratings from independent tests.  I have been running Avast for over a year, and have not seen a false positive in a scan of the computer system.  I have observed only one false positive blockage of “known good” Websites or email, although this is of some concern since it involved the updating of another malware package under test.

Company Stability

Avast has been operating (previously as Alwil Software) for over twenty years.  The program structure is thoughtful and shows mature development.

Company Support

As noted, most is via the Web.  Unfortunately, in the recent case of a false positive the company, even though I had alerted them to the details of both the review and the warning I had noted, there was no useful response.  I received email stating that someone would review the situation and get back to me, but there was no further response.

Documentation

The documentation available for download is primarily for installation and marketing.

System Requirements

The system should run on most extent Windows machines.

Performance

The antivirus system has minimal impact on the computer system.  When performing a full scan, there are other programs that run faster, but Avast runs very well unattended.

As noted above, the free version has complete and very useful functionality.

Local Support

None provided.

Support Requirements

Basic operation and scanning should be accessible to the novice or average user.

copyright Robert M. Slade, 1995, 2012   PCAVAST7.RVW   20120727

Anti-Virus, now with added Michelangelo

Apparently it’s all our fault. Again. Not only is anti-virus useless, but we’re responsible for the evolution and dramatic increased volume of malware. According to something I read today “If it wasn’t for the security industry the malware that was written back in the 90’s might still be working today.”

I guess that’s not as dumb as it sounds: we have forced the malware industry to evolve (and vice versa). But you could just as easily say:

“The medical profession is responsible for the evolution and propagation of disease. If it wasn’t for the pharmaceutical industry illnesses that killed people X years ago might still be killing people today.”

And to an extent, it would be true. Some conditions have all but disappeared, at any rate in regions where advanced medical technology is commonplace, but other harder-to-treat conditions have appeared, or at least have achieved recognition.

I can think of plenty of reasons for being less than enthusiastic about the static-signature/malcode-blacklisting approach to malware deterrence, though I get tired of pointing out that commercial AV has moved a long way on from that in the last couple of decades. Even so, if pharmaceutical companies had to generate vaccines at the rate that AV labs have to generate detections (even highly generic detections) we’d all have arms like pincushions.

However, there are clear differences between ‘people’ healthcare and PC therapeutics. Most of us can’t trust ourselves as computer users (or the companies that sell and maintain operating systems and applications) to maintain a sufficiently hygienic environment to eliminate the need to ‘vaccinate’. It’s not that we’re all equally vulnerable to every one of the tens or hundreds of thousands of malicious samples that are seen by AV labs every day. Rather, it’s the fact that a tailored assessment of which malware is a likely problem for each individual system, regardless of provenance, region, and the age of the malware, is just too difficult. It’s kind of like living at the North Pole and taking prophylactic measures in case of Dengue fever, trypanosomiasis and malaria.

Fortunately, new or variant diseases tend not to proliferate at the same rate that malware variants do, and vaccines are not the only way of improving health. In fact, lots of conditions are mitigated by better hygiene, a better standard of living, health-conscious lifestyles and all sorts of more-or-less generic factors. There’s probably a moral there: commonsense computing practices and vitamin supplements – I mean, patches and updates – do reduce exposure to malicious code. It’s worth remembering, though, that even if AV had never caught on, evolving OS and application technologies would probably have reduced our susceptibility to antique boot sector viruses, macro viruses, and DOS .EXE infectors. Is it really likely that they wouldn’t have been replaced by a whole load of alternative malicious technologies?

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Sophos Threatsaurus

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

Security unawareness

I really don’t understand the people who keep yelling that security awareness is no good.  Here’s the latest rant.

The argument is always the same: security awareness is not 100% foolproof protection against all possible attacks, so you shouldn’t (it is morally wrong to?) even try to teach security awareness in your company.

This guys works for  a security consultancy.  He says that instead of teaching awareness, you should concentrate on audit, monitoring, protecting critical data, segmenting the network, access creep, incident response, and strong security leadership.  (If we looked into their catalogue of seminars, I wonder what we would find them selling?)

Security awareness training isn’t guaranteed to be 100% effective protection.  Neither is AV, audit, monitoring, incident response, etc.  You still use those thing even though they don’t guarantee 100% protection.  You should at least try (seriously) to teach security awareness.  Maybe more than just a single 4 hour session.  (It’s called “defence in depth.”)

Tell you what: I’ll teach security awareness in my company, and you try a social engineering attack.  You may hit some of my people: people aren’t perfect.  But I’ll bet that at least some of my people will detect and report your social engineering attack.  And your data isolation won’t.

Trust me, I didn’t look right as I typed this …

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are
likely to be telling a lie.  Glancing up to the left, on the other hand, is said to
indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large
percentage of the public believes that certain eye movements are a sign of lying,
and this idea is even taught in organisational training courses. … The claimed link
between lying and eye movements is a key element of neuro-linguistic
programming.

“According to the theory, when right-handed people look up to their right they
are likely to be visualising a ‘constructed’ or imagined event.  In contrast when
they look to their left they are likely to be visualising a ‘remembered’ memory.
For this reason, when liars are constructing their own version of the truth, they
tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The
results of the first study revealed no relationship between lying and eye
movements, and the second showed that telling people about the claims made by
NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)