January 2009

Police hacking

Recent news that the UK government has approved police hacking into suspects' home computers has caused a stir in the info-sec world. Police can get into private computers by sending the suspect an e-mail carrying a virus, by breaking into a residence to install a keystroke logger on a machine, or simply by parking a surveillance van near a wireless network to intercept its traffic. Computers of users suspected of terrorism, paedophilia, or identity or credit card theft will be targeted.

They have even asked security product and service providers to stop detecting and blocking their keyloggers and other spyware tools. However, a few security vendors have raised the issue and said they will not cooperate with the authorities. According to ZDNet UK, Kaspersky Labs and Sophos told ZDNet UK that they would not make any concession in their protective software for police hacking tools. Symantec has not commented on this. However, in the past Symantec has said that its antivirus software will not scan for the FBI's Magic Lantern keylogging software, a spyware program that the Feds can install on your machine to log and report all keystrokes back to them.

I personally find this very scary and an intrusion on privacy, and since conceptually there is no difference between malicious code and code used by the Government, there are BIG chances that an AV can miss it!!!

This means punching a BIG hole in the security product, which in turn is surely a big boon for malware authors. If the cops drop a trojan on a suspect's system whose antivirus software white-lists police hacking tools, and that suspect turns out to be a prominent member of the malware-writing underground, then he can reverse engineer the cop hacking tool, write his own code based on it, and compromise more such systems.

I personally feel Kaspersky Labs and Sophos are really doing a good job by taking a stand against creating a backdoor for malware writers.

Madoff, insiders, internal controls, and fraud

The Madoff story is extremely interesting, for a number of reasons.  Primarily, however, the tales now coming to light of ongoing suspicions and investigations (such as this Wall Street Journal piece) point out the weaknesses and limitations of audit and internal controls in preventing insider attacks and fraud.

First CVE of 2009

I'd like to welcome the first CVE vulnerability of 2009, which is CVE-2008-2381. The first CVE-2009 identifier to be released to the public is CVE-2009-0022 (hat tip to Steven M. Christey).

By all indications we have a year with many vulnerabilities ahead of us: it has already started with a major Twitter account hack followed by widespread phishing via DM, and we're not even a week into 2009. For marginally interesting stats on 2008, visit SecuriTeam's stats page.

Gmail Attachment Filter

I ran across something interesting today. A friend asked me to send a certain exe to his email. Not thinking much about it, I composed an email in my Gmail, attached the exe, hit send and then saw an error which basically told me Google doesn't allow exes to be sent through Gmail.

Irritating enough, but seemingly familiar; I decided to 'get smart' and zip the exe in a folder and send it. Same thing.

I also tried gzipping the archive and sending it. Didn't work either.

I finally compressed the folder and exe into a bz2 archive and sent it away. Worked like a charm.

Where were Google's attachment filters then!? *grin*
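What a filter has to do to avoid the gap described above, as an added example (not Google's filter and not code from the original post): identify executables by their magic bytes rather than by file name, and recurse into zip, gzip, bzip2 and tar containers, failing closed on decompression bombs and over-deep nesting. The sample attachments, the magic-byte list and the size and depth limits are constructed assumptions for the demo; a production filter would use a proper type identifier such as libmagic and cover more container formats.

```python
import bz2
import gzip
import io
import tarfile
import zipfile
import zlib

# Magic bytes (assumed sufficient for the demo; real filters use libmagic).
PE_MAGIC = b"MZ"            # Windows PE executables
ELF_MAGIC = b"\x7fELF"      # Linux/Unix executables
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty zip
GZIP_MAGIC = b"\x1f\x8b"
BZ2_MAGIC = b"BZh"
TAR_USTAR_OFFSET = 257      # "ustar" lives at byte 257 of a tar header

MAX_DEPTH = 4                    # reject containers nested deeper than this
MAX_INFLATED = 1 * 1024 * 1024   # cap on decompressed size (bomb guard), assumed


class AttachmentRejected(Exception):
    """Raised when the attachment cannot be inspected safely (fail closed)."""


def is_executable(data: bytes) -> bool:
    return data.startswith(PE_MAGIC) or data.startswith(ELF_MAGIC)


def is_tar(data: bytes) -> bool:
    return data[TAR_USTAR_OFFSET:TAR_USTAR_OFFSET + 5] == b"ustar"


def _bounded_decompress(decompressor, data: bytes) -> bytes:
    # Ask for at most MAX_INFLATED + 1 bytes; more than the cap, or a stream
    # that has not ended, means a bomb or a truncated archive: reject.
    out = decompressor.decompress(data, MAX_INFLATED + 1)
    if len(out) > MAX_INFLATED or not decompressor.eof:
        raise AttachmentRejected("decompressed data over limit or incomplete")
    return out


def contains_executable(data: bytes, depth: int = 0) -> bool:
    """True if data is an executable or a container holding one, at any depth."""
    if depth > MAX_DEPTH:
        raise AttachmentRejected("container nesting too deep")
    if is_executable(data):
        return True
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_INFLATED:
                    raise AttachmentRejected("zip member too large")
                if contains_executable(zf.read(info), depth + 1):
                    return True
        return False
    if data.startswith(GZIP_MAGIC):
        inflated = _bounded_decompress(zlib.decompressobj(wbits=31), data)  # 31: gzip header
        return contains_executable(inflated, depth + 1)
    if data.startswith(BZ2_MAGIC):
        inflated = _bounded_decompress(bz2.BZ2Decompressor(), data)
        return contains_executable(inflated, depth + 1)
    if is_tar(data):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                if not member.isfile():
                    continue
                if member.size > MAX_INFLATED:
                    raise AttachmentRejected("tar member too large")
                if contains_executable(tf.extractfile(member).read(), depth + 1):
                    return True
        return False
    return False


def verdict(data: bytes) -> str:
    """Filter decision: 'block' an executable, 'reject' what cannot be inspected, else 'allow'."""
    try:
        return "block" if contains_executable(data) else "allow"
    except (AttachmentRejected, zipfile.BadZipFile, tarfile.TarError, zlib.error, OSError, EOFError):
        return "reject"


def build_samples() -> dict:
    """Constructed attachments mirroring the post: a fake exe sent bare, zipped,
    gzipped, as tar.bz2, renamed inside a zip, plus a text file and a gzip bomb."""
    exe = PE_MAGIC + b"\x90" * 62   # fake PE stub, not a real program
    zip_buf, renamed_buf, tar_buf = io.BytesIO(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tool/tool.exe", exe)
    with zipfile.ZipFile(renamed_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", exe)              # extension lies, content does not
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        ti = tarfile.TarInfo("tool/tool.exe")
        ti.size = len(exe)
        tf.addfile(ti, io.BytesIO(exe))
    return {
        "bare": exe,
        "zip": zip_buf.getvalue(),
        "zip_renamed": renamed_buf.getvalue(),
        "gzip_of_zip": gzip.compress(zip_buf.getvalue()),
        "tar_bz2": bz2.compress(tar_buf.getvalue()),
        "text": b"just a readme\n",
        "bomb": gzip.compress(b"\x00" * (MAX_INFLATED + 1)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:12s} -> {verdict(blob)}")
```

The decision is made on the bytes, not the name, so renaming `tool.exe` to `notes.txt` inside the zip changes nothing, and the bz2 case the post slipped through is handled the same way as zip and gzip. The bounded decompression is what keeps a recursive scanner from being turned into a denial of service by a small archive that inflates to gigabytes.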

Snow and security

I live in Vancouver.  Despite the fact that this is in Canada, we do not live in igloos, nor do we have to get around by dogsled.  Most of the time.  At the moment, we are having an unusual spell of snowy weather.  It’s here, for one thing.  It’s been here for more than two weeks, for another.  It’s also much deeper than usual: more than 30 cm (a foot, US) is on level areas in many places, and the piles where the snow has been shovelled are getting pretty high.

That’s not unusual in many places, but in Vancouver it is practically unheard of.

The weather in Vancouver is very similar to the weather in Seattle, so Seattle is snowed in, too.  And I was discussing this with a much younger friend in that area.  I was complaining that nobody around here was shovelling their sidewalks.  He was complaining that people in his area were.

Those of you who live in the deep snow areas will probably not understand his complaint.  You see, in this region, when we do get snow, the temperatures tend to hover around the freezing point.  So, some days the snow will start to melt.  And at night, or on other days, it freezes again.  So if you don't shovel the sidewalk properly, you create a bit of a skating rink.

The key is to shovel properly.  There are a few factors involved in this, but the primary one is to shovel right to the edge of the sidewalk.  If you can see even one blade of grass at the edge, then, when the snow starts to melt, the meltwater goes into the ground.  Leave even a centimetre of snow on the edge of the walk, and the meltwater runs all over the sidewalk, and, when it freezes, you've got the slickest, most treacherous footing imaginable.

Which brings me to security.  For a number of years, many of us in the field have been faced with the extreme frustration of preparing security architectures, designs, and plans to fit the particular business and environment in which we find ourselves.  Finely tuned, appropriate to the assets and risks involved, and complete.  Only to have some bean-counter come along and say that this is great, but a bit too expensive: couldn’t we get half the security for half the cost.

The answer, as we know, is no.  Security is not something you buy by the kilogram.  Security is not like a blanket, where the more you have, the warmer you are: it’s like a roof or tent, where you’ve either got one up or not.  Security is not like a road, where, no matter how long it is, it is of some use: it’s like a bridge, where, if it’s even a little bit too short it is no use at all.

So, here's another illustration for you.  Security is like clearing the snow in Vancouver.  Do it right, out to the very edge, and you're golden.  Do it quick and dirty and cheap, with one shovel width down the middle, and you're creating a problem for yourself.  And others.

Joe-jobing in the real world

This is a few weeks old, but I think it's very cool. First, because it implements in real life an attack that is constantly done on the Internet: life imitating art, so to speak. Second, because it reminds me of the "Panther Moderns" terrorist attack in Neuromancer, and remembering Neuromancer is a great way to start the year.

The only problem, of course, is that it’s easy to catch who did it – for one, there’s a picture of their real car.