Like we really needed this.

Hacker’s Blog

February 28, 2006

Frankly Common Insecurity – Computerworld

Filed under: Clueless,Security — Hacker @ 9:16 am

Let me begin by saying that I have a deep respect for Frank Hayes’s understanding of general IT issues. However, Mr. Hayes just doesn’t get security, as seen again in Common Insecurity. Mr. Hayes suggests that virtualization would have helped separate the data from the three different agencies so that a breach of one would not have breached the others. He also suggests that virtualization can make security easier. Both are incorrect in this scenario.
Cain & Abel poses a threat here because of its sniffing and cracking abilities. The sniffer can grab packets to any of the virtual systems, so it is a threat to all. The cracking tools’ threat would only be limited to one system if the accounts used to manage each virtual system were different.

Having separate systems for common functionality also complicates other security matters, such as patching, system monitoring, and the budget for high-end OS security hardening tools which are licensed by the instance. Virtualization allows for some separation, but does not simplify everything. It is much better to consolidate systems doing the same thing with the same security requirements, just as a bank’s safe deposit box is generally better than a safe at home. Cost is a significant factor here. The bank is able to spread the high security costs across many more customers without adding large risks.

Perhaps Mr. Hayes does not recognize that this server is serving a common function, that of credit card processing, in a Service Oriented Architecture-like system. This seems to be the case and led him down the path of separating these systems. Nevertheless, his points on virtualization and security are naive, and the problem is much deeper than he considers here.

• • •
 

They just don’t get it: N.H. Breach May Have Exposed Credit Card Data – Computerworld

Filed under: Security — Hacker @ 8:49 am

I suppose it’s too much to ask for organizations that have weak security programs to understand real risk. Here is a fine example: a security Swiss-army-knife-like tool was found on a server that processed credit card transactions. So what do we do? Panic!

N.H. Breach May Have Exposed Credit Card Data – Computerworld

Admittedly, the article says that a person is being investigated, but that’s not the focus. The tool is being blamed and not the person.

Cain & Abel has several capabilities. Amongst them are password / hash cracking and sniffing. Now if sniffing is considered the threat here, then I’d expect that the server and LAN have no other sniffing tools installed. Otherwise the smart attacker would just grab packets and crack offline. Cain & Abel also has the ability to turn poorly configured switches into hubs. If this is the threat, then the target was not the system Cain & Abel was running on.

If the cracking is considered the threat, then all the evidence is right there on the system. It should be easy to determine what was going on.

Cain & Abel also has some useful tools for troubleshooting, such as a TCP Traceroute capability. Those trying to troubleshoot connectivity across several firewalls need tools like this to do so. It is very likely that this server was involved in such communications and needed that troubleshooting capability. Of course, if all this ends up being is some sysadmin installing something that shouldn’t have been installed, then we won’t ever hear about this again, because that is not news.

• • •
 

February 18, 2006

Security Awareness and Spear Phishing

Filed under: Security — Hacker @ 4:50 pm

Sometimes I am drawn into irony like a gawker to a highway accident. I know I should just focus on the road and keep moving, but I just can’t help but stop and look. Today’s ironic accident was my employer’s quarterly security awareness newsletter. I’m sure they tried really hard, but the system just conspired against them.

The newsletter is a pdf, which one has to download from the intranet. To advertise its availability, they sent out an HTML formatted email with a link to the intranet page where the pdf could be obtained. In a newsletter article about Spear Phishing it says:

Don’t click on Web links within e-mail messages. It is far safer to note the address and retype it yourself in your browser address window.

But wait, didn’t you just set me up to do that by sending me the HTML email? Why not use plain text, which, even if linkified by the email client, is exactly as displayed?

Of course I had to hack the original email to change the underlying URL to point to this blog. I then sent that out internally. Odds are, if you are reading this, it is because you clicked on that link.

Cheers.

• • •
 

February 2, 2006

Communications experts warn of VoIP security issues

Filed under: Security — Hacker @ 9:23 pm

I always find it interesting when academics rant about some security issue that really isn’t tied to reality. Communications experts warn of VoIP security issues. Upon reading the news brief it is apparent that VoIP is not the issue, it’s DDOS and the lack of controls on our peer to peer Internet.

At first I thought “Well, they are communications experts and not security experts”. Then I looked at the members and Ross Anderson is in there. Mr. Anderson probably knows more about security than I ever will, so perhaps it’s just me.

You see, if I had a whole bunch of bots around the net, and had compromised their owners’ VoIP software, I would not be using it to coordinate DDOS attacks. I’d be SPITting all over the place, especially from the ones that had accounts to access the PSTN. The thing is, one can avoid SPAM by not using email, or not using it much. No one with a phone can avoid SPIT. If this ever takes off, it will be very, very bad.

Update: CommunicationsResearch.net news release on their site is now missing. Other URLs: VoipInfoBlog, PhotonicsFiber.com

And a telling tale of what might have happened here. It’s a very interesting story of how the politics of vulnerability disclosure is a field of landmines.

It also may indicate my original comments are a bit harsh, but the original press release itself is at fault for that.

• • •