Friday, November 30, 2007

the long.... slow.... arm of the law....

ok, this is kinda funny... police "swoop" and catch a teenage hacker who has owned over a million computers and stolen millions of dollars...

yea, you are safer today, because this guy was a "whizzkid kingpin" behind "an international spybot ring"... i mean geeze, he took down an irc chat room b/c they kicked him out once...

(note: i wonder if spybot knows that the media has suddenly co-opted their name and made it synonymous with malware... /me smacks the ignorant ap and bbc tech reporters... sigh... i'm writing the bbc and ap to let them know...)

anyway, so this "very bright and very skilled" kid has been owning the heck outta the tubes... well, from what i gather, he is known for the creatively named "akbot" series of virii...

yes, these dangerous virii variants exploit uber-0days such as MS04-007 and MS04-011... according to sophos, the akbot-a variant was detected right about the beginning of 2006... sooo, that's 1.5 years between the vuln and this mastermind's exploit release... really, he is dangerous... not a script kiddie who copied someone else's code and flipped some bits and got a series of variants named for his handle...

they say the feds thought he was extremely sophisticated, and that he used encryption to avoid AV detection, but this kinda flies in the face of the fact that there are multiple variant detections listed on av sites... i mean, virtually all malware is undetected by AV at some point in time, just b/c almost all AV is sig based... assuming they mean he used a packer/obfuscator like most malware authors...

i know i may be missing a lot of details, but this is what is being reported... i think it speaks to the lack of understanding of the severity of the infosec issues today if none of these articles mention these points...

i mean, one of those articles says "the FBI believes the raid has helped breakup the botnet network". yea, b/c the guy who logged into the IRC control channel isn't logging in anymore, so all of these infected computers have cleaned themselves of their infections? it is such old-world thinking to say "we've arrested the perp, so the crime is over"... how many of these 1,000,000+ infected machines just got akill through a dropper or some other vector, and have other malicious apps running... well, hrmm... since the vuln for this was patched 3 years ago, i'm gonna guess that a lot of em have other infections if they're hit w/ this... ;)

Thursday, November 29, 2007

sooo...

i sent that last box to the bit bucket (retaining a drive copy for further research when life lends me time)...

made some habit and usage improvements... still some room for improvement beyond what i've done for sure... anywho... c'est la vie and all of that...

so i can't believe i didn't think of cracking passwords when i was hearing how the ps3 was rockin out at folding@home...

and looks like jdm is gonna be sad when he has to think up a new idea for his google os app competition... i still haven't figured a good one out yet... only spent like 10 min thinkin about it tho ;)

as for what is taking up most of my time... still the big project @ work... on rev 0.9.3-ish atm... mostly like little details left, and 3 or 4 mid sized hurdles...

i wish i posted sec links i didn't find on digg... sigh... i'm lame ;)

anywho, haven't moved much beyond hello-world on my first attempt at writing a firefox extension... think it'll be cool, but i gotta actually spend time workin on it...

that's it for now!

Thursday, November 15, 2007

/me sighs @ irony

so, as a great addition to my last post, today i come to find i have a malware issue on my windows box... blargh... glad i caught it...

it is a tad embarrassing, and i haven't had time yet to do an in-depth analysis to try to determine the extent of the damage. i've taken the basic steps to stop the bleeding, changed my passwords, and all of that... i've got a damn win box because i game, and then i get all lazy and use it for other things even though i have a perfectly capable nix box...

anyway, i know other sec professionals who i respect who've been owned, so i'm tryin not to let it get me down... who knows if it'll ever come back to haunt me or not... anyway, i'm trying to use it as motivation to improve my setup at home, as well as some of my usage habits... part of the problem is that i do tech all day, and when i get home i'd just rather wrench on things or work on the house or play games... obviously that doesn't cut it, and i need to put in the time to make sure i'm covering my bases at home like i do every day at work... bleh bleh bleh... ><

anyway, here's why this reinforces my point. it looks like this thing came in over layer 7. despite not having the perfect setup, i think i probably do more than the avg user. my win box auto patches and auto reboots. i run av and anti-malware tools. i run no-script in firefox and try to be careful where i go and what i click. and my box still gets owned. imo, this doesn't bode well for the average user.

the very minor preliminary research i've done leads me to lean towards punkbuster running on CoD (the original) being the vector. the things i see correlate to a bit back when i was playing a game and 2 guys started chatting about stuff that made my ears perk-up in game... i wish i could remember what they said. anyway, they said something indicating they were about to do something, and then the server we're playin on hoses up. my box starts actin funky, so i kill the connection and bounce my box. i didn't dig any deeper than that at the time (just call me retardo).

anyway, cursory digging and i come to find that punkbuster has a slight history of vulnerabilities. there is a guy out there who apparently is vigorously exploring this app... anyway, it sucks b/c from my understanding, pb runs at a really low level in order to be able to detect cheating. you've gotta be admin to run it, last time i checked (admittedly, a couple years ago), and apparently their app is coded like crap... sigh...

but yea... so none of my security steps kept pb up to date, and it looks like mb that's how i got popped... for what it's worth, running vista might've afforded me some protection b/c it has a better security model than xp, but i'm not even interested in messin w/ vista... from now on, my win box will only be for games, and i'm not gonna do anything else w/ it, and i'm not gonna give it connectivity to data and resources on other machines...

anyway, i'll post if i ever manage to dig any useful information from the traffic captures and forensics i've got on the pwnt box. i'm putting that stuff off at least a week due to work and RW deadlines and pressures.

i'm thinking about writing an app to crawl vulnerability lists grepping for keywords of software that i run... i wonder if that already exists...
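
an added sketch of that idea (this is example code written for this page, not a tool the author built): match a software inventory against a vulnerability feed by keyword and only alert on advisories you haven't seen before. the advisory list and inventory below are constructed for the example, not real advisories, and the product names are assumptions.

```python
import re

# Constructed sample advisory feed for this example (ids and titles are made up,
# not real advisories); a real run would pull these from a vendor feed or NVD.
SAMPLE_ADVISORIES = [
    ("ADV-0001", "Buffer overflow in PunkBuster client for Call of Duty"),
    ("ADV-0002", "Cross-site scripting in ExampleCMS admin panel"),
    ("ADV-0003", "Firefox NoScript extension bypass via data: URL"),
    ("ADV-0004", "Privilege escalation in ExampleOS kernel module"),
]

# Hypothetical inventory of what runs on the box: product name -> version
INVENTORY = {"punkbuster": "1.6", "firefox": "2.0", "noscript": "1.1"}


def build_matcher(inventory):
    """Compile one case-insensitive regex matching any inventory name as a whole word.

    Longest names go first so a longer name is tried before a shorter one
    that might be a prefix of it.
    """
    names = sorted(inventory, key=len, reverse=True)
    alternation = "|".join(re.escape(name) for name in names)
    return re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE)


def match_advisories(advisories, inventory):
    """Return {advisory_id: [matched product names]} for advisories whose title
    mentions something in the inventory."""
    rx = build_matcher(inventory)
    hits = {}
    for adv_id, title in advisories:
        names = sorted({m.lower() for m in rx.findall(title)})
        if names:
            hits[adv_id] = names
    return hits


def new_hits(hits, already_seen):
    """Drop advisory ids reported on a previous run so the alert only lists new items."""
    return {adv_id: names for adv_id, names in hits.items() if adv_id not in already_seen}


if __name__ == "__main__":
    for adv_id, names in match_advisories(SAMPLE_ADVISORIES, INVENTORY).items():
        print(adv_id, "->", ", ".join(names))
```

keyword matching on titles is noisy both ways: a product name that is also an english word gives false positives, and advisories that only name a component (not the product you installed) get missed, so treat the output as a reading list, not a verdict. names with non-word characters (like "c++") also break the word-boundary match and need their own pattern.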

Wednesday, November 14, 2007

the post i've been waiting to write

i hope it's not a letdown...

so i recently had a conversation w/ a buddy of mine... he is getting a new gig at a multi-national multi-billion company as a sort of security manager/architect/roadmapper/evangelist type of a thing... congratz to him again btw!

so, while we are talking, we get on the subject of where the heck should he put his efforts? i mean, in an org w/ thousands of hosts, if you are given the task to come in as part of a team w/ a mandate to re-do infosec, where the heck do you start?

my two cents was that you assume machines are going to get owned to shit, so you do two things... you segment your data as best you can, to mitigate the damage of inevitable leaks. 2nd, you assume that modern malware will infect you and that the modern "security software industry" won't be able to help you at all, and you do everything you can to separate data and functionality from your OS, so you can blow potentially kitted machines away on a whim...

anywho... we had this abstract conversation about the changing state of infosec... if you look at infosec perceptions vs infosec realities, you see that there is a schism between the two. the mainstream is still caught up in the hacker image of the disgruntled youth in his basement who has you in his sights and is clicking away on his keyboard, executing commands on hosts on your network.

this is what was happening on your network a few years back, but it isn't the primary threat you face today.

today you can get owned every which way from sunday, and the pwner will never notice that he could blackmail you about your 3 illegitimate children. he isn't going to read your email or im conversations. he probably isn't going to notice anything about you unless you trip some software if/then about your online banking acct, if that.

todays blackhat zombie-net operator doesn't care about you. he cares about the number of digits making up his zombie network. hell, you might get owned and not even have a purpose. maybe he'll use you for spam, or maybe for ddos, or maybe cull you for online banking stuff... even he doesn't know yet. he is building a network. he is building it bigger. he is widening the corridors, and adding more lanes...

i had problems explaining this to a previous employer... they were like "we don't handle cash, and we have a low profile. who would attack us?". my response that they had thousands of hosts around the world and many megs of inet bandwidth was met with blank stares. they couldn't wrap their heads around (and/or i failed to communicate) the fact that the currency being traded in blackhat circles had evolved yet again.

infosec is an arms race. as we find effective defense, the attackers find new attacks.

this really begins to suck in corp land. i'm sorry, but those tens of thousands of dollars you spent on firewalls won't protect you from modern vectors. and the tens of thousands of dollars you spent on AV won't protect you from modern malware. and your patch management infrastructure won't protect you from the latest vuln in the jar: protocol.

hell, most of you in corp land aren't doing anything proactive to defend against buffer and stack overflows, and those relatively modern and too-complex-for-joe-user defenses don't help against many modern attacks...

sucks, but it is farkin true. and the worst part is that you don't get much relief on the old stuff. similar to kaminsky saying (at bh/dc) that the best (/worst) part about design bugs is that they come back from the dead, so too do attack vectors. even though your firewall probably won't protect you from phishing, you can't throw it away when you buy a new tool that will.

the modern frontier is the application layer, which anyone reading this post probably has known for quite some time. this is virtually virgin defense territory, and we're seeing many diff types of attacks:

XSS
XSRF
media files that own you or annoy you
trusted web sites that own you
poor cookie/session handling that owns you

ok, so i'm running firefox (which i wish i could set to default for all of my corp users, but they run in-house ie-specific web-apps for business, soooo) with noscript, so i've gotta be safe. except that i always hit some popular site that requires scripting to function properly, and i decide to trust them so i don't need to click something every time i hit the site. oh crap, they get owned, and now i'm unknowingly running an invisible iframe back to some chinese site. it isn't like i'm going to see a defacement or something. look at the recent site hacks, like the myspace alicia keys hack. they try to be subtle and blend in. did you get an official email from myspace warning you that you might have issues since your myspace page links to alicia's? hell no... oh yea, and that one wasn't even a script, it was mostly social engineering...

i mean, how many hosts am i gonna get if i manage to insert a hostile script into (for example) break.com? out of the total staff of break.com, what percentage of employees do you think are worried about security as their primary job? what is the likelihood of an exploited vuln at their site over the next 12 months? say it exists in the wild for 8 hours... how many hosts will you get? 10,000? more? if break.com doesn't get owned in the next 12 months, how many other sites are out there that your users visit? do you allow outbound www? if so, you have a problem...

do you trust your online bank? i've done assessments on some banks, and i can tell you that my idea of security was incorrect. and your bank probably outsources everything having to do w/ money to some external entity that provides an app they use to run their business. that same app is used across many diff branches of banks. did i mention there is no ingress/egress network/transport layer filtering across those links? and if i can write a sploit that works on bank-x, it might work on bank-y or z...

and security is anything but constant. i know a site which looked pretty good. down the road, they overhaul their web server settings, and poof, raw ownage. clients who hit the site w/ scripting enabled were sent to china to run bad bad code. the javascript used cookies and http posts to send heartbeat info back to china to let the operator know the status of their ever growing network. does anyone beyond the few ppl who've seen this application level sploit know it exists? it isn't a major popular site, but the users who hit it number in the thousands. is there a methodology to inform those users that they are at risk? if there was, can we tell them how to scan their boxes to know they are clean? will up-to-date windows patches protect them? will ad-aware get it? spybot? will the owned site owners consider notification in any form??? did you know that xyz bank can get completely owned and probably never publicly say a word about it? not that your money will go away, but just that the integrity of their servers, which you visit and trust, was compromised and that you might be running malicious code...
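
as an added example (written for this page, not code from the author or from any of the sites mentioned), here's the kind of check that would have caught the invisible-iframe and off-site-beacon-script injections described above on a trusted site's pages: a static scan of the html for iframes that are styled invisible or sized 0x0/1x1, and for script tags sourced from a host other than the page's own. the sample page and hostnames below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for this example (not captured from any real site):
# one legit same-origin script and one visible same-origin iframe, plus an
# injected 0x0 hidden iframe and an off-site script of the kind described above.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://evil.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://evil.example/beacon.js"></script>
<iframe src="/embed/player" width="640" height="480"></iframe>
</body></html>
"""


def is_hidden_iframe(attrs):
    """True when the iframe is styled invisible or sized to 1x1 or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:
        return False  # percentages etc.: not obviously hidden by size
    return width <= 1 or height <= 1


def is_offsite(src, page_host):
    """True when src carries a host and that host is not the page's own host."""
    host = urlparse(src).netloc.lower()
    return bool(host) and host != page_host


class InjectionScanner(HTMLParser):
    """Collects (finding_type, src) tuples for suspicious iframes and scripts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; valueless attrs are None
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and is_hidden_iframe(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script" and is_offsite(a.get("src", ""), self.page_host):
            self.findings.append(("offsite_script", a.get("src", "")))


def scan_html(html, page_host):
    """Return the list of findings for one page fetched from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML, "www.example.com"):
        print(kind, src)
```

this only sees what is in the static markup. an injection that builds the iframe with obfuscated document.write, or a legit third-party script host that got owned, passes right through it, so a diff against a known-good copy of the page, and an allowlist of the script hosts you expect, are the companion checks.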

the brave new world is that hostile domains pop up and drop off the map before commercial security white/black lists can find them. they run traffic over common ports (80), or within accepted protocols (http).

wow, what a rant... the other main worry is a targeted attacker. there are corps who offer services to spy on specific targets... hell, 5 years ago my infosec prof told me about companies he saw that existed to eavesdrop on cell phones and data-mine trash. these people are out there, and you know what they say about the dedicated attacker, so here's hopin they aren't lookin at you... and hell, if they do, will you know if it is a misunderstanding or an attack?

anyway, i've wasted wayyyy too many electrons on your monitor saying this, but the point is just that if you're admining infosec anywhere today, your biggest threat is your employees running http to the web via port 80 and 443, and currently you probably don't have any reasonable way to protect your org from the myriad of threats you're faced with. i'm not chicken-little, but the state of things is less than optimal atm...

the attackers have shifted, and the defenders need to as well. we need out of the box OS and application design to limit the trouble users can get themselves into. as a wise man i know loves to say, we can't base our defense around hoping that people make good security decisions. we need to get to the point where we don't offer them the option to make bad choices.

gov't snakeoil/fud... sigh...

ok, so unfortunately this article was dugg up...

it says:

two members of the U.K. government intelligence group Serious Organized Crime Agency connected a machine running Windows XP with Service Pack 1 to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware software

ok, what a great start... now, this demo these brit feds did was for small business owners, who in my experience seem to have the infosec bar set pretty low... but, using an os release which was, what, 3 years ago??? and, should i assume that this means that no security patches released after 2004 were applied to this target machine?

and for my next trick, i shall pwn a fbsd 4 server running ssh, sendmail, and an ssl webserver! phear my fed leeetness... sigh...

Mick used a common, open-source exploit-finding tool he had downloaded from the Internet. SOCA asked ZDNet UK not to divulge the name of the tool.

erm, metasploit?

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialog box

...

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system

nessus? back to metasploit for this next one:

Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload that would exploit the flaw within a couple of minutes

do you mean a cmd window? cause i kinda doubt even a 1337 govt h4x0r still boots into straight DOS...

well turns out the feds are trying to make a point...

purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it

ahh, brit tax dollars at work... soooo, using this information as a stepping stone, is it fair for me to deduce that said system probably won't boot up without the power cable plugged into an active electrical outlet?...

seriously though, is this the level that we believe infosec has w/ the populace? do we think that we haven't given most people the message that there are real threats out there, many of which are generally solved via windows update? or should i believe that since XP SP2 includes a "firewall" (a burning wall of bricks... quite impressive really... the burning security in the blinky thing scares off most of the germs in the tubes) it is difficult to integrate it into the business environment?

well, it does get worse...

Nick McGrath, head of platform strategy for Microsoft U.K., was surprised by the incident.

"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the (Windows) computer," said McGrath. "But the computer was new, not updated, and not patched."

ok, well the ms exec knows enough to know that an unpatched windows machine is vulnerable... i guess i can count this as a positive and raise the bar a tad off of the ground... but seriously, if there is _any_ ms exec who doesn't understand that unpatched security vulns can be exploited quickly and easily, then i'll go on the record as saying that whoever is responsible for internal evangelism at MS is utterly failing...

here's a genius idea... do a 10 min web-quiz for the people who run the #(@%&*@% company that makes the OS which runs most desktops on this planet...

oh, and i'd be remiss not to mention cnet and the author of this stellar article (which, btw, is what the nameless masses [who don't yet understand that patching is important] will read to find stuff out about infosec)... i can't believe that the technical prowess demonstrated in the article is what ZD considers appropriate for their infosec presence on the web... this "expert" writes pointless articles about unrealistic security ideas... they should just pick a schneier cryptogram blurb to publish once a month... cheaper and more effective...

i am now officially in a foul mood... sigh...

Saturday, November 10, 2007

hushmail sec foo

ok, so i'm not a hushmail user, but i've been generally aware of them since back in the day...

anyway, this article about them assisting law enforcement by turning over unencrypted copies of emails is kinda interesting. at first glance one might be tempted to see this as a violation of their basic principles, but it doesn't seem like that's the issue...

the premise of HM is that they are just a medium for email crypted in public strong algorithms, and they never control keys, so they can't read the mails even if they want to.

this is yet another story of strong security measures being compromised by usage and design choices because the strong security was inconvenient and/or unwieldy... the workaround they created to become more user-friendly introduced (known) risk into the equation. in the newer easier to use system, they set up the crypto, and so briefly have the keys.

in this case, people using the new methodology were pwnt by law enforcement using legal channels to ask HM to store and use those keys to decrypt the mails. btw, the HM ToS does not protect illegal activity...

the article notes a fairly obvious potential flaw in the high security model as well. in the high sec method, you have to install and exec a java applet (which you get from HM) which does all of the crypto on your box instead of the server. well, if there is malicious code introduced into the applet, HM can gank your keys.

despite this, i think good and intuitive software design can mitigate the risk as well as the inconvenience... if i ever did anything beyond scripting in my basement nowadays (and play CoD4 w000000t!!!!), i'd consider writing a firefox plugin which did the heavy lifting on running the java applet, and also did checksums on the applet to make sure HM doesn't try to send you a modified copy later. functional reverse engineering and/or blackboxing the applet (if it isn't already oss?) would strengthen the whole thing too... poof, risk window of crypto compromise reduced...
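
an added illustration of the checksum half of that plugin idea (example code written for this page, not hushmail's code or the author's): pin the hash of the applet the first time you fetch it, and refuse to run any later copy that hashes differently. the applet bytes below are a constructed stand-in, and the artifact name is an assumption.

```python
import hashlib
import hmac

# Constructed stand-in for the downloaded applet bytes (not the real applet)
ORIGINAL_APPLET = b"hypothetical-applet-bytes-v1"
TAMPERED_APPLET = ORIGINAL_APPLET + b"\x00extra-code"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class PinStore:
    """Trust-on-first-use pin store: the first download of a named artifact is
    recorded, and every later download must hash to the same value."""

    def __init__(self, pins=None):
        # pins may be preseeded with a hash published out of band or
        # taken after you've reviewed the applet yourself
        self.pins = dict(pins or {})

    def check(self, name, data):
        digest = sha256_hex(data)
        pinned = self.pins.get(name)
        if pinned is None:
            self.pins[name] = digest
            return "pinned"
        if hmac.compare_digest(pinned, digest):
            return "ok"
        return "mismatch"

    def allow_run(self, name, data):
        """Fail closed: run only a copy that matches the pin (or the first one seen)."""
        return self.check(name, data) in ("pinned", "ok")


if __name__ == "__main__":
    store = PinStore()
    print(store.check("applet.jar", ORIGINAL_APPLET))   # first fetch gets pinned
    print(store.check("applet.jar", TAMPERED_APPLET))   # modified copy is rejected
```

the obvious caveat with trust-on-first-use is that a copy which is already modified on the first fetch gets pinned as the good one, which is why the reversing/blackboxing of the applet that the post mentions matters: the pin is only as good as the review of the thing you pinned. preseeding the store with a hash you got out of band (or checking a signature) closes that first-fetch gap.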

geeze, and this isn't even the post i intended to write when i logged in... stay tuned... ;)

Friday, November 2, 2007

bummer M$

when i first saw that MS is examining the javascript spec, i was kinda hopin there'd at least be a mention of security updates... all they seem to imply is embrace and extend... seems like mb part of a future FUD campaign... bummer :(

who knows tho...

in other news

i'm retarded... moving on...

i bumped into trip-codes, which are an interesting route to authentication (but not authorization, right?)...

i wonder if you could build out a public infrastructure similar to pool.ntp.org and/or openid that allows for salted trips useful over multiple sites...
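
an added example of what a salted, per-site trip could look like (example code for this page, not an existing tripcode implementation or a scheme from any of the sites mentioned): the user keeps one secret, each site publishes its own salt, and the displayed trip is an HMAC of the salt keyed with the secret. the same secret gives a stable trip on one site and a different, unlinkable trip on another; the salt strings below are made up.

```python
import base64
import hashlib
import hmac


def tripcode(secret, site_salt, length=12):
    """Per-site trip: HMAC-SHA256 keyed with the user's secret over the site's
    public salt, base32 encoded and truncated for display."""
    mac = hmac.new(secret.encode("utf-8"), site_salt.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")[:length]


def same_poster(previous_trip, secret, site_salt, length=12):
    """Authentication only: does the holder of this secret produce the trip that
    was shown on an earlier post? Says nothing about what they may do."""
    return hmac.compare_digest(previous_trip, tripcode(secret, site_salt, length))


if __name__ == "__main__":
    secret = "correct horse battery staple"   # constructed example secret
    print(tripcode(secret, "forum-a.example"))  # stable on this site
    print(tripcode(secret, "forum-b.example"))  # different here, so not linkable
```

the salt being public means the usual tripcode weakness stays: anyone can run guesses of the secret through the same function offline and see if a trip matches, so the secret has to be high entropy, not a password. and as the post says, a matching trip only tells you the same secret holder is back; authorization is a separate decision the site still has to make.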

i'm still neck-deep in scripting, automation, design, etc... doin lots of stuff on the fly, tryin to keep my eye on the prize... gettin closer...