July 2010

The List Of A 100 Million Facebook Usernames.

By now you’ve probably all heard about the security researcher Ron Bowes, who wrote a script to grab the list of usernames from Facebook’s public directly. You probably also know that the torrent containing all these unique usernames is available as a torrent to download.

You may not know though that at present, on just one torrent site there are currently 4248 people who have downloaded this list, and that there’s a further 8141 currently downloading this list, that’s a hell of a lot of people that are interested in complete strangers personal information and lives.

Let me just set the record straight here as there are quite a few rumors on the Internet at the moment, this was NOT a hack people. The information is publicly available, via Facebook’s directory page. Some say that the users are to blame for not setting their privacy settings securely, others say that Facebook’s convoluted way of implementing user security settings is too complicated for most common users. Me, personally, I’m a member of the latter camp, security settings should be easy for users to apply, not difficult, a simple “Security Yes/No” would be sufficient for most users.

The social engineering possibilities that you could use this list for are just amazing, and you never know when it may come in handy, or is that just me?
Anyway, what’s done is done now.

Oh yeah, I almost forgot, if you want the torrent, well, that can be found right about here, here, or on pretty much any torrent site at the moment, please remember though, if you do download it………..please seed.

REVIEW: “The Myths of Security”, John Viega

BKMTHSEC.RVW   20091221

“The Myths of Security”, John Viega, 2009, 978-0-596-52302-2, U$29.99/C$37.99
%A   John Viega viega@list.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52302-2 0-596-52302-5
%I   O’Reilly & Associates, Inc.
%O   U$29.99/C$37.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596523025/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/0596523025/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   “The Myths of Security”

The foreword states that McAfee does a much, much better job of security than other companies.  The preface states that computer security is difficult, that people, particularly computer users, are uninformed about computer security, and that McAfee does a much better job of security than other companies.  The author also notes that it is much more fun to write a book that is simply a collection of your opinions than one which requires work and technical accuracy.

The are forty-eight “chapters” in the book, most only two or three pages long.  As you read through them, you will start to notice that they are not about information security in general, but concentrate very heavily on the antivirus (AV) field.

After an initial point that most technology has a poor user interface, a few more essays list some online dangers.  Viega goes on to note a number of security tools which he does not use, himself.  He then argues unconvincingly that free antivirus software is not a good
thing, unclearly that Google is evil, and incompletely that AV software doesn’t work.  (I’ve been working in the antivirus research field for a lot longer than the author, and I’m certainly very aware that there are problems with all forms of AV: but there are more forms of AV in heaven and earth than are dreamt of in his philosophy.  By the way, John, Fred Cohen listed all the major forms of AV technology more than twenty-*five* years ago.)  The author subsequently jumps from this careless technical assessment to a very deeply technical discussion of the type of hashing or searching algorithms that AV companies should be using.  And thence to semi-technical (but highly opinionated) pieces on how disclosure, or HTTPS, or CAPTCHA, or VPNs have potential problems and therefore should be destroyed.  Eventually all pretence at analysis runs out, and some of the items dwindle down to three or four paragraphs of feelings.

For those with extensive backgrounds in the security field, this work might have value.  Not that you’ll learn anything, but that the biases presented may run counter to your own, and provide a foil to test your own positions.  However, those who are not professionals in the field might be well to avoid it, lest they become mythinformed.

copyright Robert M. Slade, 2009    BKMTHSEC.RVW   20091221

Sophos Free Tool To Detect The Windows Shortcut Exploit (.lnk)

The friendly guys over at Sophos have been kind enough to release a protection tool to protect against the now famous Microsoft LNK 0-day vulnerability. Someone had to do it, it’s a shame it wasn’t Microsoft, but hey.
What this tool does is to replace the current Microsoft icon handler with the Sophos one, so it will check all shortcut (LNK) files before allowing them to run, what’s even nicer is that this tool is free, and you can download it from here.

Please note though that this tool does not protect you from  LNK files or targets stored on the local disk or PIF based exploits.

There’s also a video of the tool in action, which you can find on YouTube here.

Social Engineering and Body Language

Social engineering is defined by Wikipedia as “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”

Over the years I’ve done my fair share of social engineering, and the one thing that I have always found to come in handy is being able to read people’s body language. Being able to notice when someone is pacifying themselves, when you ask certain questions, and knowing where to hone in on for example, has helped me countless times in the past. Being able to notice the little things like when people are extremely nervous when you mention things like “Well, I’m not too sure Mr Jones, you manager would be too happy about me not being able to gain access to this room, as he’s paying me to have a look around in your data hall.” When they’re blatantly telling you, that they can’t allow you access under company policy, etc, etc.

I would encourage anyone that performs penetration testing that includes social engineering exercises, to really take the time to read up on body language and how you can make it work for you, it will help your social engineering skills, and this will also help you to help your clients.

There are countless books on this topic that you can get from most decent bookstores to help you along your way, and the good news is that some of these are really not expensive at all.

Another thing that you may want to look into is reading micro expressions, although I would recommend that you start with learning basic body language first, and then progressing on to micro expressions.

Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that is is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see: http://www.imdb.com/title/tt0436339/  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell problems with bad chips) (the stories about malware on the boards is overblown, since the malware was simply stored in unused memory, rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.

Safari AutoFill Exploit

So it seems that Safari uses the details from your Address Book to AutoFill forms on web sites, this is enabled by default. In theory this is a great idea, until someone writes some malicious JavaScript to get these details passed to a hidden form without your knowledge. Looking through all the possible available fields in the Apple Address Book app, it really gets quite troubling. Name, Address, Job Title, Department, Anniversary. This could all be used nicely for a really fun Social Engineering exercise, or really help with an identity theft scam.

There is a PoC of this hosted here.

Personally I’d suggest disabling AutoFill in Safari’s preferences, better safe than sorry.

REVIEW: “The Design of Rijndael”, Joan Daemen/Vincent Rijmen

BKDRJNDL.RVW   20091129

“The Design of Rijndael”, Joan Daemen/Vincent Rijmen, 2002, 3-540-42580-2
%A   Joan Daemen
%A   Vincent Rijmen
%C   233 Spring St., New York, NY   10013
%D   2002
%G   3-540-42580-2
%I   Springer-Verlag
%O   212-460-1500 800-777-4643 service-ny@springer-sbm.com
%O  http://www.amazon.com/exec/obidos/ASIN/3540425802/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/3540425802/robsladesin03-20
%O   Audience s- Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   238 p.
%T   “The Design of Rijndael: AES – The Advanced Encryption Standard”

This book, written by the authors of the Rijndael encryption algorithm, (the engine underlying the Advanced Encryption Standard) explains how Rijndael works, discusses some implementation factors, and presents the approach to its design.  Daemen and Rijmen note the linear and differential cryptanalytic attacks to which DES (the Data Encryption Standard) was subject, the design strategy that resulted from their analysis, the possibilities of reduce round attacks, and the details of related ciphers.

Chapter one is a history of the AES assessment and decision process.  It is interesting to note the requirements specified, particularly the fact that AES was intended to protect “sensitive but unclassified” material.  Background in regard to mathematical and block cipher concepts is given in chapter two.  The specifications of Rijndael sub-functions and rounds are detailed in chapter three.  Chapter four notes implementation considerations in small platforms and dedicated hardware.  The design philosophy underlying the work is outlined in chapter five: much of it concentrates on simplicity and symmetry.
Differential and linear cryptanalysis mounted against DES is examined in chapter six.  Chapter seven reviews the use of correlation matrices in cryptanalysis.  If differences between pairs of plaintext can be calculated as they propagate through the boolean functions used for intermediate and resultant ciphertext, then chapter eight shows how this can be used as the basis of differential cryptanalysis.  Using the concepts from these two chapters, chapter nine examines how the wide trail design diffuses cipher operations and data to prevent strong linear correlations or differential propagation.  There is also formal proof of Rijndael’s resistant construction.  Chapter ten looks at a number of cryptanalytic attacks and problems (including the infamous weak and semi-weak keys of DES) and notes the protections provided in the design of Rijndael.  Cryptographic algorithms that made a contribution to, or are descended from, Rijndael are described in chapter eleven.

This book is intended for serious students of cryptographic algorithm design: it is highly demanding text, and requires a background in the formal study of number theory and logic.  Given that, it does provide some fascinating examination of both the advanced cryptanalytic attacks, and the design of algorithms to resist them.

copyright Robert M. Slade, 2009    BKDRJNDL.RVW   20091129