A Fun Way to Understand AES! September 23, 2009

Posted by fvter in Security, Technology.

Constantly on the lookout for information on encryption and a better understanding of the mechanisms behind the algorithms, I was amused to discover this morning Moserware’s A Stick Figure Guide to the Advanced Encryption Standard (AES).

The information presented is largely accurate but delivered in a humorous, plain cartoon format. Quite enjoyable! What was interesting is that it goes back to the history of how AES came about and presents a basic overview of how block ciphers work…

Application Updates Tops Cyber Security Risk, Real World Fix is More Complex September 17, 2009

Posted by fvter in Security, Technology.

A few days ago, SANS released its new Top Cyber Security Risks report, with an interesting new twist on the usual well-explored risks (such as web server vulnerabilities). The new risk that is highlighted quite effectively is the problem of application vulnerabilities, which have increased and become much more visible. A good example of this has been the ongoing reports of vulnerabilities in Adobe products such as Flash and Acrobat.

Part of the issue highlighted by the report is the slow turnaround in deploying application patches/updates to reduce the risks and fix certain vulnerabilities. This is in fact no surprise! Having spent a number of years in the corporate IT security environment, I can say the application update process is a bigger dilemma than one might think. There are a number of factors that impede an effective and complete application patching process, whether the installed client base is a few thousand or tens or hundreds of thousands of machines. Some of these issues can be summarized by the following three points:

  • Online availability of clients to receive the updates, which makes it harder to achieve an effective deployment rate;
  • Patches for the versions in use might not exist, and upgrading to new versions presents other challenges such as budgets, compatibility with other applications and continued functionality support for the business solutions;
  • Patches (or upgrades) can break or change features that business solutions or processes rely upon, effectively breaking the latter and impeding the business’s ability to work effectively.

For a corporate IT security team, a balance has to be achieved between the need to carry out effective patching or upgrading and the need to let the business continue to work as effectively and efficiently as possible. This is the hard truth: patching to mitigate vulnerabilities is not necessarily the best solution for a business if it breaks functionality or impedes the business process!

An effective IT security team will understand this and work towards an acceptable compromise that balances the risks against the business’s ability to carry on efficiently, through policies and processes that mitigate the risks or control/patch the vulnerabilities. Notably, the report’s section on best practices for mitigation and control provides a number of effective risk management techniques that start by understanding the applications that present risks and building an effective defense plan…

To Reader or Not? Can we Really Do Without It? June 10, 2009

Posted by fvter in Security, Technology.

Yesterday, being the second Tuesday of the month, saw the usual slew of update notices from the regular culprits. However, a new actor came into play this month: Adobe! This was the first appearance of what has been nicknamed the «Adobe Black Tuesday Updates». It represents Adobe’s commitment to having a regular patching schedule to address security issues, bugs and whatever else needs to be fixed.

Since late last year Adobe has been hit hard by a slew of vulnerabilities in their products, but more so in their flagship Reader product. The root cause of the issue was the inclusion of JavaScript support and related bugs that provided a vector for exploitation. The vulnerabilities have been covered to a great extent on the intrawebs and there isn’t really much more to add. Adobe attempted to take a rational approach to the issue and sent out advisories on how to take palliative action (by disabling JavaScript support in the product) until proper patching could be done.

The push by some security experts (including some prominent figures such as Mikko H. Hyppönen from F-Secure and Paul Asadoorian from Pauldotcom.com) to abandon the product or adopt alternate products and formats is just not realistic! The biggest criticism of Adobe has been: why use JavaScript in what is essentially an electronic paper format? This attitude neglects the important factor that the technology is there for a reason. In most cases that reason is based on identified business/customer needs, and those same customers have built solutions which need the scripting to continue to function effectively.

A number of business and government organizations have adopted the additional scripting capabilities to make documents more interactive and to facilitate content entry/usage for their users, at a time when Web 2.0 was far away. A lot of interesting solutions have been explored and created using this dynamic document capability, such as automated tax reporting forms, real-time report generation, … There is, and probably will continue to be, a need to support this type of scripting technology to give documents more interactivity and to bridge the divide between static data and near real-time solutions for reporting and information manipulation.

Could Adobe have handled this better? Probably, but they have embarked on a road to manage the risks more effectively! Could a solution other than JavaScript be used? From a technical point of view most likely, but practically speaking Java is a well-adopted programming language.

The underlying hard truth, though, is that calling for one product or another to be dropped is just not constructive and in most cases will go against the end-users’ business goals! A more constructive approach is needed to achieve solutions that help end-users minimize the risks while continuing to allow them to streamline business processes with the solutions at hand.

«Sign-In with Twitter»: Should we be Scared? April 22, 2009

Posted by fvter in Rants, Security, Technology, Web.

Last week, Twitter opened up its «sign-in with Twitter» open authentication (OAuth) service under the radar. To be fair to Twitter, the news last week was more focused on the one million follower story and the arrival of big media names onto the service. Now, I’ve always been an advocate of using OAuth-type services (I personally use OpenID as much as possible) both to simplify users’ lives and to avoid the problem of password re-use.

It also goes to Twitter‘s credit to move in this direction and to provide this type of service, to ease the integration of external applications as well as to make it easier for users to provide their Twitter information.

Disclaimer: I have not had the time (and that’s not likely to change in the near future) to fully investigate and examine the security of the Twitter OAuth service. The following rant is purely about Twitter‘s current public track record…

Twitter‘s public track record of securing and running a reliable service is less than par. My top three issues, which have been discussed, re-discussed and overall made serious news for Twitter, can be summed up with this list:

  • The service has a long history of availability issues, or rather non-availability in times of high traffic; although this hasn’t occurred in a while, it’s bound to happen again given the growth patterns of late;
  • The security community has a number of times criticized the continued use of basic authentication (i.e. accepting a base64-encoded password) to use the service. The problem is that this is an easy way to grab the user’s password, which would break or poke serious holes in the OAuth service;
  • There have been repeated XSS attacks and worms, including the most recent Mikeyy worm, which lasted over two weeks in its different iterations.

These three points push me to think about whether or not I would be able to really trust such a service. Will I be able to use it at all times? Am I sure the authentication won’t lead to a password leak? Am I sure that the OAuth exchange won’t be replayable? Can I be sure that the OAuth session isn’t being misdirected or stolen somehow via XSS or a worm? It makes me wonder whether the service will actually provide a decent and safe mechanism for authentication and whether or not my credentials are going to be safe :- scary……

A Friend’s Blog Got p0wnd March 17, 2009

Posted by fvter in Security, Technology.

I spent a good part of today investigating a JavaScript injection that a friend of mine suffered on his personal blog site. It turned out to be nothing more than a typical adbot/script-jacking malware infection. The actual injection code is an obfuscated iframe that tries to download an HTTP browser attack tool. The code is inserted in the page build (usually via the WordPress function framework, the style sheet or maybe even a rogue module) and looks something like this:

malicious javacode

The obfuscation resolves to a call that pulls a source script from a website hosted at add-block-filter.info, which then tries to either retrieve stored passwords & cookies or hijack open web pages, more generally targeting e-mail services to send out spam (your typical adbot/botnet behaviour).
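As an added illustration (not code from the post or from the friend’s site), here is a small Go scanner that flags the idioms this kind of injection relies on when run over theme or plugin files: an iframe made invisible, the eval/unescape/fromCharCode wrappers used to hide a URL, and script tags loading from hosts outside an allowlist. The sample footer fragment, the file name and the rule set are constructed; the only real name in the sample is the add-block-filter.info host mentioned above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious line in a scanned file.
type Finding struct {
	File string
	Line int
	Rule string
	Text string
}

// rules capture idioms typical of injected ad/script-jacking code. They are
// heuristics assumed for this example, not a vendor signature set.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"hidden-iframe", regexp.MustCompile(`(?i)<iframe[^>]*(width\s*=\s*["']?0|height\s*=\s*["']?0|display\s*:\s*none|visibility\s*:\s*hidden)`)},
	{"obfuscated-script", regexp.MustCompile(`(?i)(eval\s*\(\s*unescape|document\.write\s*\(\s*unescape|String\.fromCharCode\s*\()`)},
	{"external-script", regexp.MustCompile(`(?i)<script[^>]+src\s*=\s*["']?https?://([^/"' >]+)`)},
}

// Scan runs every rule over every line of content and returns the findings in
// file order. external-script hits are reported only for hosts not in allowedHosts,
// so a theme's legitimate CDN includes do not drown out the injected lines.
func Scan(file, content string, allowedHosts map[string]bool) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, r := range rules {
			m := r.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			if r.name == "external-script" && allowedHosts[strings.ToLower(m[1])] {
				continue
			}
			out = append(out, Finding{File: file, Line: n, Rule: r.name, Text: strings.TrimSpace(line)})
		}
	}
	return out
}

// sampleFooter is a constructed theme fragment: two legitimate lines followed
// by two injected ones (the payload inside unescape is elided on purpose).
const sampleFooter = `<div id="footer">Powered by WordPress</div>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script>
<iframe src="http://add-block-filter.info/in.php" width="0" height="0" style="border:0"></iframe>
<script>eval(unescape("...")); </script>
`

func main() {
	allowed := map[string]bool{"ajax.googleapis.com": true}
	for _, f := range Scan("footer.php", sampleFooter, allowed) {
		fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Rule, f.Text)
	}
}
```

Running it over a whole theme directory is a matter of reading each .php/.js/.css file and calling Scan; the allowlist is what keeps the output reviewable, since a clean theme will legitimately pull scripts from a handful of known hosts.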

Tracking back the domain name, it came back to a known malware pusher, 7addition.info/8addition.org. So in all likelihood this is a new variant of a script injection attack which, once picked up, reveals a known trojan-downloader JavaScript iframe infection (at least as reported by a few AV vendors, e.g. trojan-downloader.js.iframe.ah). In this case, the trojan goes on to contact two other malware sites at firstgate.ru & benyodil.cn, which in turn download three additional malware infections to continue the pwnage:

  • a malicious Flash file which is in fact a download exploit (e.g. Exploit.SWF.Downloader.ks);
  • another HTML-based script which is in fact a trojan download agent and also sends out spam asking you to visit a site or click on a video link (e.g. Trojan-Downloader.HTML.Agent.np);
  • and finally, a packed JavaScript HTML agent which installs a BHO (browser helper object) that turns off the firewall and other Windows services (e.g. Packed.JS.Agent.ad).

That’s as far as I went with the malicious activity…

Before investigating, my friend and I exchanged a few messages regarding him being p0wnd. He was trying to figure out what had been the root of his infection. Although he blames it on a combination of Twitter/Hotmail and a few other sites, seeing the root of the malicious software that gets pushed I would say that he originally got hit from visiting an already infected site or from clicking on some weird website with Flash videos (he does love to visit those). Interestingly enough, I think I can track back part of his problem to the 13th of March or a few days before. At that time I received an e-mail from him that was unusual:

I didn’t really pay attention to it but maybe I should have, and warned him at that time of the possible hijacking of his info. He learnt a few things (like not using the same password for his different services). I learnt for myself that when I see a friend sending me a weird message, I should get on the ball and warn him/her.
Some more advice I offered was to:

  1. Update his personal blog framework regularly;
  2. Be careful about using the “remember me” option on some of these websites, as the stored cookies give this clickjack malware a fair bit of leverage.

In These Times, Can You Protect the Business From Insider Threat March 5, 2009

Posted by fvter in Security, Technology.

This post and its thoughts are a reflection on my experience and years of dealing with the problem of identity management: how to relate a user to his roles and responsibilities in the IT infrastructure, and how this affects the departure process (or exit procedures).

As the economic recession goes into its darkest times, businesses are making the hard choice of letting people go. The IT organisation is typically an area where decision makers take the opportunity to trim the fat. However, an important part of the decision-making process, which can easily be overlooked, needs to be a good understanding of the risk involved in letting go of certain categories of IT staff and how their roles and responsibilities can potentially create a serious exposure footprint.

Why would HR & the security officers need to establish this risk analysis? The simple answer is that businesses need to ensure that staff who potentially hold the keys to the kingdom are not irate when they leave. The risk here is that an irate ex-employee with key information to be able to access the infrastructure may be tempted to take action in frustration or revenge. This unfortunate (and, let me be clear, sometimes illegal) type of action potentially involves damage that can range anywhere from serious data leakage to denial of service hampering a company’s ability to do business.
A few example scenarios of a departing IT staff member’s role versus what they can do:

  • A network engineer (remember the San Francisco city network incident) who has extensive knowledge of the network configuration and holds some of the common super-user passwords could place back-doors allowing him to later bring down the network, redirect traffic out of the corporate network to release sensitive information, or even use the network as a way-point for other types of illegal activities.
  • How about a server system administrator who has local administrator access to boxes and can place a backdoor allowing remote access, and thus the ability to grab information or even stop critical business applications?
  • But even more critical (at least from my experience) is surely a security engineer: the knowledge of the security profile, and the accesses that have been made available to that profile, make this the highest-risk footprint. To do the job, he/she has gained knowledge that renders the infrastructure critically vulnerable.

So the question that begs to be asked out loud is: can a company avoid any issues?

The real protection that a company can achieve is to have a comprehensive identity management process and tool. Identity Management [IdM] is about a lot more than just being able to determine who works in the company, which unfortunately is the baseline thinking or the minimal implementation that gets carried out. It’s also about being able to link a person to his/her role and authorizations. A well implemented IdM process and infrastructure will ensure that a person in the organization has a well-defined role. That well-defined role will correctly identify his/her authorizations and access rights. The ability to correctly define those authorizations provides a safeguard and a well-defined means not only to properly implement an exit procedure but also to help evaluate a risk profile based on that person’s footprint in the organization. The well-defined profile will ensure that the user is correctly matched to the tools & resources required for the job: no more, no less. This same correlation can then be used in the exit procedure to quickly identify and revoke all accesses. There are of course many more benefits for day-to-day operations to a complete IdM environment, but that may be the subject of a separate post.

The simplistic answer, or quick fix if a comprehensive IdM is not in place, is to make sure that the person leaves on good terms. The important part is to evaluate the risk versus the cost versus the potential loss. Unfortunately that is a short-term strategy and somewhat impractical.

Don’t U H8! January 30, 2009

Posted by fvter in Rants, Security.

The first in a series of video blogs (methinks)! And I am opening it up with my favorite subject – a rant!
Yesterday I discovered that the company was pushing out a new security policy on mobile devices that connect to the corporate Exchange environment! I don’t have a problem with this security policy and am all for it! The problem was that a proper change management process was not carried out, and thus those who would have preferred to opt out couldn’t!
So I spent the better part of today removing the security policies (by hand) on my devices. I even bricked my HTC in the process and was forced to reload from scratch… [PS: You can add to the discussion in this Seesmic thread]

gMail IMAP Weirdness February 5, 2008

Posted by fvter in Bugs, Security, Technology.

The other day, after logging onto one of my gMail accounts via the IMAPS protocol, I noticed something strange in the folder hierarchy. A bin directory had appeared in the [Google Mail] folder hierarchy. Why is this significant? Well, it highlights the fact that the IMAP solution they are using is in all likelihood a Unix-based platform. And it potentially also highlights a configuration error.

If it is a configuration error, the worry is that a potential hole exists in the security and the system could eventually be hacked…

Kerviel/Societe Generale & Information Security & Insider Threat January 30, 2008

Posted by fvter in Security, Technology.

The story of Jerome Kerviel and the Société Générale bank has made a lot of news in the past couple of weeks. Beyond the €4.9 billion in losses, I was wondering if you were aware that the story has an information security twist.
Kerviel was officially charged this weekend and, whether or not you are aware of it, he was charged on one interesting count: «introduction dans un système de traitement automatisé de données», which very basically translates to «hacking into a computer system».
In the story there are different things going on, including whether or not the bosses were aware of the situation and whether or not he did this by himself. What has been quickly passed over in this story, because of the large sums, are the following facts that, as an IT/IS security professional, make me shiver:

  • Kerviel was originally hired in the back office of the bank to do data processing and in all probability was able to gain complete knowledge of how and what information is stored and processed concerning the validation of transactions;
  • He progressed in his job profile to trader, but the question is: were his privileges on the systems revoked or changed to reflect his new profile?
  • How did he hide all these transactions? The current assumption is that he used his knowledge of the systems to do this, and this seems to be corroborated by his statements to the police!

What I find interesting is that this hacking charge reveals something that, as security professionals, we all talk about but many businesses just do not know how to properly address, from policies to procedures: the issue of information security as well as the insider threat.
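The IdM argument in the insider-threat post above and the “were his privileges revoked?” question here come down to one lifecycle: provision exactly what the role justifies, re-provision on a role change, revoke everything on exit. The Go program below is an added toy model of that lifecycle, not any IdM product’s API or anything from the posts; the role names, entitlements and the person “jk” are constructed. Its Excess check is the audit that would surface back-office rights still live on someone whose title is now trader.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is a job function; Entitlement is a concrete access right on a system.
// The whole store is a constructed toy model, not a real IdM product.
type Role string
type Entitlement string

// Directory records what each role grants, which role each person holds, and
// which entitlements are actually provisioned for them right now.
type Directory struct {
	roleGrants map[Role][]Entitlement
	personRole map[string]Role
	live       map[string]map[Entitlement]bool
}

func NewDirectory() *Directory {
	return &Directory{
		roleGrants: map[Role][]Entitlement{},
		personRole: map[string]Role{},
		live:       map[string]map[Entitlement]bool{},
	}
}

// DefineRole records the entitlements a role justifies: no more, no less.
func (d *Directory) DefineRole(r Role, grants ...Entitlement) { d.roleGrants[r] = grants }

// Join (joiner) provisions exactly the role's entitlements.
func (d *Directory) Join(person string, r Role) {
	d.personRole[person] = r
	d.live[person] = map[Entitlement]bool{}
	for _, e := range d.roleGrants[r] {
		d.live[person][e] = true
	}
}

// SetRoleOnly models the weak practice: HR updates the job title, but the
// accesses granted for the old role are never touched.
func (d *Directory) SetRoleOnly(person string, r Role) { d.personRole[person] = r }

// Move (mover) rebuilds the provisioning from the new role definition, so rights
// the new role does not justify are revoked instead of accumulating.
func (d *Directory) Move(person string, r Role) { d.Join(person, r) }

// Leave (leaver) revokes every live entitlement in one step, which is only
// possible because the store knows what was provisioned.
func (d *Directory) Leave(person string) {
	delete(d.personRole, person)
	delete(d.live, person)
}

// Live returns the person's provisioned entitlements, sorted for stable output.
func (d *Directory) Live(person string) []string {
	var out []string
	for e := range d.live[person] {
		out = append(out, string(e))
	}
	sort.Strings(out)
	return out
}

// Excess lists live entitlements the person's current role does not justify.
// A non-empty result is exactly the "old privileges never revoked" finding.
func (d *Directory) Excess(person string) []string {
	justified := map[Entitlement]bool{}
	for _, e := range d.roleGrants[d.personRole[person]] {
		justified[e] = true
	}
	var out []string
	for e := range d.live[person] {
		if !justified[e] {
			out = append(out, string(e))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	d := NewDirectory()
	d.DefineRole("back-office", "settlement:read", "settlement:validate")
	d.DefineRole("trader", "trading:book")

	d.Join("jk", "back-office")
	d.SetRoleOnly("jk", "trader") // title changed, accesses untouched
	fmt.Println("excess after title-only change:", d.Excess("jk"))

	d.Move("jk", "trader") // proper re-provisioning from the new role
	fmt.Println("excess after move:", d.Excess("jk"))

	d.Leave("jk")
	fmt.Println("live after leave:", d.Live("jk"))
}
```

The design point is that Move and Leave are cheap only because Join recorded what was provisioned against a role; a directory that merely knows who works where cannot compute Excess at all, which is the “minimal implementation” the post warns about.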

There is a good article in the French newspaper “Le Monde” about the current situation, from the 29th of January 2008 after his interview with the police – only in French (sorry). The article in fact quotes bits and pieces of the statement he made to the French police. One paragraph in particular relates to one of the methods he used to obscure his fraudulent activities:

« J’ai alors fourni de faux justificatifs de saisie sur ces opérations, à savoir de faux mails. J’ai réalisé un faux mail en utilisant les possibilités qui me sont offertes par notre messagerie interne, à savoir une fonction qui me permet de réutiliser l’en-tête d’un mail qui m’est expédié en changeant le contenu du texte qui m’est envoyé. Il me suffisait alors de taper le texte que je souhaitais et le mail avait toute l’apparence d’un document original. »

Roughly translated, “At that point, I provided false reports and justifications on those financial operations, i.e. forged emails. I constructed a forged email by using features of our internal email system. It is indeed possible to re-use the header of an email I have received while changing the body. Then, I just had to type the body of the email I actually wanted and the email looked like a perfectly genuine one.”

Now, as long as most e-mail correspondence between parties continues to be exchanged without digital signatures, it is indeed trivial to alter its content before forwarding it – or even to come up with a fake one from scratch.
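To show what “digitally signed” buys here, the added Go example below (not part of the post, and not any mail system’s code) signs a constructed trade-confirmation mail with Ed25519 over a canonical form that binds the headers to the body. Reusing the genuine header with a new body, exactly the trick described in the statement, fails verification. Addresses, date and body text are made up; the signing uses Go’s standard crypto/ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is a constructed, minimal mail: the headers a forger would want to
// reuse plus the body they would replace.
type Message struct {
	From, To, Date, Subject, Body string
}

// canonical binds every signed field to the body so none can be swapped alone.
// Length prefixes keep header text and body text from being confused.
func canonical(m Message) []byte {
	var b strings.Builder
	for _, f := range []string{m.From, m.To, m.Date, m.Subject, m.Body} {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return []byte(b.String())
}

// Sign produces a detached Ed25519 signature over the canonical form.
func Sign(priv ed25519.PrivateKey, m Message) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// Verify reports whether sig was produced by pub over exactly this message.
func Verify(pub ed25519.PublicKey, m Message, sig []byte) bool {
	return ed25519.Verify(pub, canonical(m), sig)
}

// Demo builds a genuine confirmation, then a forgery that keeps the header and
// replaces the body, and returns the two verification results.
func Demo() (genuineOK, forgeryOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := Message{
		From:    "middle-office@example.invalid", // constructed addresses
		To:      "trader@example.invalid",
		Date:    "Tue, 29 Jan 2008 09:00:00 +0100",
		Subject: "Trade confirmation",
		Body:    "Position 1234 confirmed at 100 lots.",
	}
	sig := Sign(priv, genuine)

	forged := genuine // same From/To/Date/Subject, different body
	forged.Body = "Position 1234 confirmed at 10000 lots."

	return Verify(pub, genuine, sig), Verify(pub, forged, sig), nil
}

func main() {
	g, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine verifies:", g, "| reused header with new body verifies:", f)
}
```

The same check fails if the forger instead keeps the body and alters the From or Date header, since those are in the canonical form too; what a signature cannot do is stop someone from writing an unsigned mail, which is why the recipient side has to treat the absence of a valid signature as a reason to distrust, not as the normal case.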

This shows some of the flaws that continue to be present and visible: in the absence of information security, many authentication and authorization processes are obviously flawed in their implementation and aren’t necessarily used for information protection.

Businesses are still very much in the dark on what type of information security they need to implement. This situation proves that companies are still in the dark on how to ensure the basic Ws over their information: Who, What, Why and When! Essentially, being able to understand the actions, manipulations and access of critical or important information! It kind of shows that the weakest link for in-depth security continues to be the protection of the information!

Update 31-Jan: Another article on the hacking: French trader accused of hacking.

IR DoS: Wake Up! January 13, 2008

Posted by fvter in Security, Technology.

A lot of virtual ink has flowed on the confession from Gizmodo regarding the stunt they pulled with the TV-B-Gone utility, with most of the articles appearing recently describing it as anything from unprofessional to a crime. Now, before I continue, I would like to make a small disclaimer: «I don’t condone what happened, don’t approve of it and certainly would not recommend this be done».

What Gizmodo pulled demonstrates a very basic DoS (denial of service) attack. The DoS is achievable because of the ease with which it is possible to obtain the right control codes. The prime issues are that most of these systems work with «open» and well-documented standards (e.g. many manufacturers always use the same code for turning off their devices, so a controller from one manufacturer is able to turn off different devices from that same manufacturer), as well as a primal flaw in the security of wireless communication protocols. TV-B-Gone, like a universal remote, works on the premise that it is easy to learn, store and replay a remote control’s IR sequences. These sequences are equivalent to the codes that control the target device.

So where is the problem? The receiving device does not validate the issuer… The receiver is in fact in an open listen mode, thus any IR sequence that is correctly formatted and contains the right code will activate the associated command. There is in fact no handshaking or confirmation between the receiver and the emitter.

In their DoS attack, Gizmodo demonstrated that this one-way command issuance process is in fact a big security flaw and could be avoided by not using such an open unidirectional protocol. Manufacturers could in fact avoid this openness through simple methods such as encrypting the protocol, using a handshake protocol, using a knocking protocol or some other form of authentication between the transmitter and the receiver.
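As an added example of the handshake-plus-authentication mitigation named above (not any manufacturer’s protocol), the Go program below models a receiver that no longer sits in open listen mode: it answers each command request with a fresh one-shot nonce and only executes a command that carries a valid HMAC over that nonce under a pairing key shared with its remote. An unpaired transmitter cannot produce the tag, and a captured frame replayed later is rejected because its nonce has been consumed. Key sizes, command names and the pairing model are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// randBytes returns n bytes from the system CSPRNG (pairing keys and challenges).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// tag computes HMAC-SHA256(key, nonce || cmd): proof that the sender holds the
// pairing key and is answering this particular challenge with this command.
func tag(key []byte, nonce [16]byte, cmd string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(nonce[:])
	m.Write([]byte(cmd))
	return m.Sum(nil)
}

// Receiver is the device side (constructed model): it shares a pairing key with
// its remote and tracks challenges that have been issued but not yet used.
type Receiver struct {
	key     []byte
	pending map[[16]byte]bool
	PowerOn bool
}

func NewReceiver(key []byte) *Receiver {
	return &Receiver{key: key, pending: map[[16]byte]bool{}, PowerOn: true}
}

// Challenge is message 1 of the exchange: the remote asks, the receiver answers
// with a fresh nonce. Handing out nonces is harmless; they prove nothing alone.
func (r *Receiver) Challenge() [16]byte {
	var n [16]byte
	copy(n[:], randBytes(len(n)))
	r.pending[n] = true
	return n
}

// Command is message 2: the receiver executes cmd only if mac is valid for an
// outstanding nonce. The nonce is consumed on first use, valid or not, so a
// captured (nonce, cmd, mac) frame cannot be replayed.
func (r *Receiver) Command(nonce [16]byte, cmd string, mac []byte) bool {
	if !r.pending[nonce] {
		return false // unknown or already used challenge
	}
	delete(r.pending, nonce)
	if !hmac.Equal(mac, tag(r.key, nonce, cmd)) {
		return false // wrong key or altered command
	}
	switch cmd {
	case "POWER_OFF":
		r.PowerOn = false
	case "POWER_ON":
		r.PowerOn = true
	default:
		return false
	}
	return true
}

// Remote is the transmitter side; Send runs the full two-message exchange.
type Remote struct{ key []byte }

func (t Remote) Send(r *Receiver, cmd string) bool {
	n := r.Challenge()
	return r.Command(n, cmd, tag(t.key, n, cmd))
}

// Scenario runs three cases and reports whether each command was accepted:
// the paired remote, an unpaired remote, and a replay of the paired remote's frame.
func Scenario() (paired, unpaired, replay bool) {
	key := randBytes(32)
	tv := NewReceiver(key)

	n := tv.Challenge()
	mac := tag(key, n, "POWER_OFF") // the paired remote's answer, "captured" for later
	paired = tv.Command(n, "POWER_OFF", mac)

	stranger := Remote{key: randBytes(32)} // never paired with this receiver
	unpaired = stranger.Send(tv, "POWER_ON")

	replay = tv.Command(n, "POWER_OFF", mac)
	return paired, unpaired, replay
}

func main() {
	p, u, r := Scenario()
	fmt.Printf("paired accepted: %v, unpaired accepted: %v, replay accepted: %v\n", p, u, r)
}
```

The cost the post goes on to mention is visible in the model: the receiver now needs a random source, a MAC and a pairing step, and the remote needs a key and a reply path, which is exactly the return-on-investment debate a one-way IR design avoids.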

Unfortunately this then becomes a debate between security, complexity, cost to produce and return on investment. This attack may actually wake manufacturers up and make them decide to address this flaw! To demonstrate how serious this can eventually get, it appears a kid in Poland managed to crash trams with an IR hack.