Like we really needed this.

Hacker’s Blog

August 15, 2007

Rational Security: Security Innovation?

Filed under: Philosophy,Security — Hacker @ 8:50 am

Some people think that they are the lunatic fringe. Mr Hoff states: Nobody really believes that security can be innovative, do they? I do.

The next thing we’ll be hearing is that rational security = security innovation or to simplify: Rational = Innovation. What could be further from lunacy?

Quite simply, in a changing environment it is irrational not to innovate. It is obvious that security is a changing environment. When was the last time the threats were consistent over time?

Now some would have you believe that constant change is itself irrational and therefore any response to it must necessarily be also. In Mathematics, 1 / 3 is rational while the square root of 3 is irrational. Both cannot be represented in decimal form by a finite number of digits, but with one third the digits repeat.

Consistency makes being rational easy. The hard work of working out a solution only needs to be performed once. Then a simple lookup can occur. To make consistency a requirement for rationality reduces rationality to automata. Not much use being rational then.

Innovation does not mean anything goes. New techniques must work to be innovative. Innovation is also not randomly trying new things. That’s luck. Innovation must be rational.

Therefore real security must be innovative.

For one to accept innovation the new ideas must be rationalized, otherwise they are seen as just random gibberish. The seven deadly sins of problem solving referred to by Hoff are all ways that keep us from being able to accept new ideas. This applies whether the solution is ours or someone else’s. (Many who lack self-confidence invert the Not Invented Here rule).

The most important aspect being innovative or to accepting innovation is that it takes time for our brains to adjust. If someone has just presented something to you that sounded rational, but doesn’t sit well in your gut, then that is when it is apparent that more time is needed. Given time, one should be able to either accept the new idea, or determine where the flawed assumption was buried. Often this type of rationalization is a background process, and “sleeping on it” is a perfectly valid approach.

It seems that people keep buying new security technology, so by their actions they must believe that innovation is necessary for security. Mr. Hoff isn’t so much presenting a new approach to security as explaining how the accepted approach is not well understood. The reality is that just about everybody believes that security can be innovative, they just don’t know it.

It is also critical to remember that if the solution doesn’t seem to fit, perhaps the problem was defined wrong. That explains why router ACLs are not acceptable network security tools 99.9% of the time.

• • •
 

March 25, 2006

CamZak.com / Google hack: Stop spam with ‘Infinite’ e-mail addresses with GMail

Filed under: Security — Hacker @ 6:54 pm

Interesting approach to tracking how spammer’s have found your address if you have a gmail account, though it does have a flaw. CamZak.com / Google hack: Stop spam with ‘Infinite’ e-mail addresses with GMail

I have been doing something similar for years with my own domain and a catch-all address. Of course, having a catch-all address itself attracts lots of SPAM, but those end up being relatively easy to filter as they come in.

One problem with the gmail method is that if it became popular, spammers would figure it out and simply drop the post-plus portion. Therefore best way to use this effectively, is to always use a ‘+something’ for your personal emails.

• • •
 

March 8, 2006

David Adams’ MobileStartup.com: Now they’re gluing the SIM cards in!

Filed under: Clueless — Hacker @ 1:25 pm

This is just too funny to pass up.

David Adams’ MobileStartup.com: Now they’re gluing the SIM cards in!

There is nothing more I can add to Mr. Adams insghtful analysis.

• • •
 

February 28, 2006

Frankly Common Insecurity – Computerworld

Filed under: Clueless,Security — Hacker @ 9:16 am

Let me begin by saying that I have a deep respect for Frank Hayes understanding of general IT issues. However, Mr. Hayes just doesn’t get security as seen again in Common Insecurity. Mr. Hayes suggests that virtualization would have helped separate the data frrom the three different agencies so that a breach of one would not have breached the others. He also suggests that virtualization can make security easier. Both are incorrect in this scenario.
Cain & Abel poses a threat here because of its sniffing and cracking abilities. The sniffer can grab packets to any of the virtual systems, so it is a threat to all. The cracking tools threat would only be limited to one system if the accounts used to manage each virtual system were different.

Having separate systems for common functionality also complicates other security matters, such as patching, system monitoring, and the budget for high end OS security hardening tools which are licensed by the instance. Virtualization allows for some separation, but does not simplify everything. It is much better to consolidate systems doing the same thing with the same security requirements, just as a Bank’s safe deposit box is generally better than a safe at home. Cost is a significant factor here. The banks is able to spread the high security costs across many more customer’s without adding large risks.
Perhaps Mr Hayes does not recognize that this server is serving a common function, that of credit card processing, in a Service Oriented Architecture like system. This seems to be the case and led him down the path of separating these systems. Neverless, his points on virtualization and security are naive and the problem is much deeper than he considers here.

• • •
 

They just don’t get it: N.H. Breach May Have Exposed Credit Card Data – Computerworld

Filed under: Security — Hacker @ 8:49 am

I suppose it’s too much to ask for organizations who have weak security programs to understand real risk. Here is a fine example, a Security swiss army knife like tool was found on a server that processed Credit Card transactions. So what do we do? Panic!

N.H. Breach May Have Exposed Credit Card Data – Computerworld Admittedly, the article says that a person is being investigated, but that’s not the focus. The tool is being blamed and not the person.

Cain & Abel has several capabilites. Amongts them are password / hash cracking and sniffing. Now if sniffing is considered the threat here, then I’d expect that the server and LAN have no other sniffing tools installed. Otherwise the smart attacker would just grab packets and crack offline. Cain & Abel alos has the ability to turn poorly configured switches into hubs. If this is the threat, then the target was not the system Cain & Abel was running on.

If the cracking is considered the threat, then all the evidence is right there on the system. It should be easy to determine what was going on.

Cain & Abel also has some useful tools for troubleshooting, such as a TCP Traceroute capability. Those trying to troubleshoot connectivity across several firewalls need tools like this to do so. It is very likely that this server was involved in such communications and needed that troubleshooting capability. Of course, if all this end’s up being is some sysdamin installing something that shouldn’t have been installed, then we won’t ever hear about this again, because that is not news.

• • •
 

February 18, 2006

Security Awareness and Spear Phishing

Filed under: Security — Hacker @ 4:50 pm

Sometimes I am drawn into irony like a gawker to a highway accident. I know I should just focus on the road and keep moving, but I just can’t help to stop and look. Today’s ironic  accident was my employer’s quarterly security awareness newsletter. I’m sure they tried really hard, but the system just conspired against them.

The newsletter is a pdf, which one has to download from the intranet. To advertise its availability, they sent out an HTML formatted email with a link to the intranet page where the pdf could be obtained. In a newsletter article about Spear Phishing it says:

Don’t click on Web links within e-mail messages.
It is far safer to note the address
and retype it yourself in your browser
address window.

But wait, didn’t you just set me up to do that by sending me the HTML email? Why not use plain text, which even if linkified by the email client, is exactly as displayed.

Of course I had to hack the original email to change the underlying URL to point to this blog. I then sent that out to internally. Odds are, if you are reading this, it is because you clicked on that link.

Cheers.

• • •
 

February 2, 2006

Communications experts warn of VoIP security issues

Filed under: Security — Hacker @ 9:23 pm

I always find it interesting when academics rant about some security issue that really isn’t tied to reality. Communications experts warn of VoIP security issues. Upon reading the news brief it is apparent that VoIP is not the issue, it’s DDOS and the lack of controls on our peer to peer Internet.

At first I thought “Well they are communications experts and not security experts”. Then I looked at the members and Ross Anderson is in there. Mr. Anderson probably knows more about security than I ever will, so perhaps its just me.

You see, if I had a whole bunch of bots around the net, and had compromised their owner’s VoIP software, I would not be using it to coordinate DDOS attacks. I’d be SPITting all over the place. Especially the ones that had accounts to access the PSTN. The thing is, one can avoid SPAM by not using email, or not using it much. No one with a phone can avoid SPIT. If this ever takes off, it will be very very bad.

Update: CommunicationsResearch.net news release on their site is now missing. Other URLs: VoipInfoBlog, PhotonicsFiber.com

And a telling tale of what might have happened here. It’s a very interesting story of how the polictics of vulnerability disclosure is a field of landmines.

It also may indicate my original comments are a bit harsh, but the original press release itself at fault for that.

• • •
 

January 30, 2006

The sky is falling! Virtually

Filed under: Security — Hacker @ 4:32 pm

Late last year VMWare released a very cool new tool called the VMWare player. There are now so many cool things that one can do with VMWare that it boggles the mind.

Of course a lot of them are big security problems. Big enough to make the whole USB Drive/ipods are evil scare a while back look, well, as silly as the whole thing was. I’m not going to start listing all of the obnoxious things I can do with VMWare just yet. I don’t want the panic to get started before I get the chance to build some of them out and have some fun.

However, for the record, I do proclaim that VMWare and the portability of VMWare player is a significant technology change that now opens many security holes. Way more than just copying files around.

• • •
 

January 26, 2006

Real Security – A different perspective about information security

Filed under: Personal,Security — Hacker @ 2:35 pm

Wow, one of my security heroes has a blog and it looks a whole lot better than mine.

Real Security – A different perspective about information security

This reminds me that I really need to keep in tough with people better.

Hopefully, once again, I’ll be borrowing from Jim to make myself look competent. This time for my blogs design evolution.

• • •
 

January 23, 2006

Phishing Prevention for Dummies

Filed under: Security — Hacker @ 7:42 pm

It seems that too many online institutions still don’t get the phishing threat. Take a look at this email from an ISP that puts more bait on phishers’ hooks than cutting of phishing lines.

Dear ISP Subscriber,

ISP is committed to providing you with a safe and secure
online experience — and we’d like to share some important
information to help you avoid online scams and safeguard your
computer from viruses, spyware, and other security threats.

********************************
PROTECT YOURSELF WITH THESE TIPS
********************************
1. Be wary of opening email from people you don’t know. Even
if you know the sender, use caution before opening a message
with a strange subject line or an unexpected attachment.

Hmmm. Do I know you “Support”?

2. Choose your passwords carefully and keep them safe. For tips
on creating secure passwords, please visit:
http://www.ISP.net/password

Gee, that link looks safe. It’s always good to prime the clicking finger with good links first.

3. Never email your password, or sensitive personal information,
such as your credit card number, Social Security number, secret
word, or PIN.

More thoughtful good advice. This has got to be real.

4. Never click on a link in an email that asks you to submit
sensitive information, as the link can redirect you to a
fraudulent Web site designed to steal that information. To
ensure that a site is legitimate, always type the Web address
into your browser.

Gosh darn it, if that ain’t the pig’s potato I don’t know my cow pie’s from my Aunt Lucille’s mincemeat.

************************************************
INSTALL FREE ISP PROTECTION CONTROL CENTER
************************************************
The ISP Protection Control Center is your one,
easy-to-use program that provides everything you need to stay
safe online, including:

*Single scan for spyware and viruses

*AntiVirus and Firewall software with automatic updates to
ensure you’re protected against the latest online threats

*Spyware Blocker — detects and disables invasive programs that
secretly install themselves on your computer and track your
online activities

*ISP Toolbar — sits above your Web browser and includes
our exclusive Pop-Up Blocker and ScamBlocker, which prevents you
from visiting Web sites that are on our “scam list”

The Protection Control Center is available through our FREE
TotalAccess software. If you have not installed TotalAccess, you
can download the software or order a free CD copy at:
http://www.ISP.net/home/software

Gee, what great software. I should get that installed right away. Let me click on that link, which must be good since this whole message seems as caring and honest as ol’ Preacher Morganstern and if that dear man were still alive would probably be in the sermon this Sunday. Halleluhah.

Once you’ve installed TotalAccess, or if you already have the
software, you may need to run the Update Service to install
the ISP Protection Control Center. On the TotalAccess
Task Panel, just click on “Toolbox,” then “Check for Updates.”

Yessirree. I want every piece of software I own to automagically go out and patch itself without me knowing a damn thing about how it works or if it is secure.

******************************
VISIT THE MYSECURITY WEB PAGE
******************************
The mySecurity Web page has all the information you need to
protect your PC and your privacy online:

http://www.ISP.net/mysecurity

**********
NEED HELP?
**********
If you have questions, you can trade real-time messages with a
friendly Live Chat representative:

http://support.ISP.net/chat

We look forward to providing you with a safe and enjoyable
online experience for years to come.

Sincerely,

ISP Support

************************************************************
This is an Administrative Message from ISP. It is
not spam. From time to time, ISP will send you such
messages in order to communicate important information about
your subscription.
************************************************************

If the sarcasm didn’t come through clear enough, I’ll try a favored method from the 419′ers:

DEAR .COM

YOU MAY BE SUPRISED TO LEARN THAT SENDING YOUR USERS EMAIL ANY WITH CLICKABLE LINKS IS JUST TRAINING THEM TO FALL FOR PHISHING. I SHARE THIS WITH YOU BECAUSE I TRUST YOU’RE A LITTLE BIT SMARTER THAN THE PHISHERS AND MIGHT WISE UP BEFORE THEY START SENDING EMAIL THAT LOOKS JUST LIKE THIS. PLEASE AT LEAST ENCOURAGE THE USE HTTPS.

• • •
 
Next Page »
Like we really needed this.