jump to navigation

Thus Begineth a New Chapter in my Career September 30, 2009

Posted by fvter in General, Personal Status.
Tags: , , , , ,
1 comment so far

Tomorrow [1 October 2009], I am embark on a new job and role. I am moving away from the general IT consultant & internal architect role in the big corporate environment to a more focused architect/consultant role for a security software company. I will be more focused on helping customers pull together IdM solutions using the company’s product.

This will be an interesting change providing a much more focused activity on one specific subset of security but I hope to carry on exploring the vast and interesting subject that security is. My last position lasted almost 10years and in itself was quite interesting considering the variety of activities and projects I was involved in. This new position will be just as challenging if not more as I will be participating in the growth of this company as it evolves internationally (they are already a major player in the domain in this country and are planning to expand heavily in the rest of Europe, middle-east and the US).

On the other side and for my personal growth, I am still working on a few things including passing my GCIH (that happens next wednesday), doing the CISSP (end of October) and continuing to look at developing for the iPhone & Android platforms. Hopefully, I will also be able to finalize a couple of blog entries I am working on the subject of the real-time web, a micro-blogging feature request and some thoughts on Vanish.

Wish me luck!


A Fun Way to Understand AES! September 23, 2009

Posted by fvter in Security, Technology.
Tags: , , ,
add a comment

Constantly on the look out for information on encryption and better understanding of the mechanisms behind algorithms, I was amused to discover this morning the MoserWare’s A Stick Figure Guide to the Advanced Encryption Standard (AES).

The information presented is significantly accurate but presented in a humorous plain cartoon format. Quite enjoyable! What was interesting is that it goes back to the history of how AES came about and presents a basic overview of how block ciphers work…

Application Updates Tops Cyber Security Risk, Real World Fix is More Complex September 17, 2009

Posted by fvter in Security, Technology.
Tags: , , , , ,
add a comment

A few days ago, SANS released it’s new Top Cyber Security Risks report with a new interesting twist to the usual well-explored risks (such as web server vulnerabilities). The new risk that is highlighted quite effectively is the problem of application vulnerabilities which have had an increase and become much more visible. A good example of this has been the ongoing reports of vulnerabilities in Adobe products such as Flash and Acrobat.

[kyte.tv appKey=MarbachViewerEmbedded&uri=channels/7802/567425&tbid=k_28&p=p/s&height=436&width=416]

Part of the issue that is highlighted by the report is the slow turn-around to deploy application patches/updates to reduce the risks and fix certain vulnerabilities. This is in fact no surprise! Having spent a number of years in the corporate IT security environment the application update process is a bigger dilemma than one might think. There a number of factors that impede an effective and complete application patching process be it for a few thousand  to 10’s or 100’s of thousands of an installed client base. Some of these issues can be highlighted by the three following concepts:

  • Online availability of clients to receive the updates, making it more difficult to get an effective deployment rate;
  • Patches for versions that are in-use might not exists and upgrading to new versions presents other challenges such as budgets, compatibility with other applications, continued functionality support for the business solutions;
  • Patches (or upgrades) can break or change features that are relied upon by business solutions or process effectively breaking the latter and presenting an impediment on business ability to work effectively.

For a corporate IT security team a balance has to be achieved between the need to carry out effective patching or upgrading versus the need to let the business continue to work as effectively and efficiently as possible. This is the hard truth, patching to mitigate vulnerabilities is not necessarily the best solution for a business if it breaks functionality or impedes the business process!

An effective IT security team will understand this and works towards an acceptable compromise that balances the risks versus the business’ ability to carry on efficiently through policies and process that mitigate the risks or control/patch the vulnerabilities. Notably, the report section on best practices for mitigation and control provides a number of effective risk management techniques that start by understanding the applications that present risks and building an effective defense plan…

Related Links:

«Sign-In with Twitter»: Should we be Scared? April 22, 2009

Posted by fvter in Rants, Security, Technology, Web.
Tags: , , , ,
add a comment

Last week, Twitter opened up it’s «sign-in with Twitter» open authentication or OAuth service under the radar. To be fair to Twitter, the news last week was more focused on the one million follower story and the arrival of big media names onto the service. Now, I’ve always been an advocate of using OAuth type services (I personally use OpenID as much as possible) to both simplify a user’s life and to avoid the problem of password re-use.

It also goes to Twitter‘s credit to move in this direction and to provide this type of service to ease the integration of external applications as well as make it easier for user’s to provide their Twitter information.

Disclaimer: I have not had the time and that’s not likely to change in the near future to fully investigate and examine the security of the Twitter OAuth service. The following rant is purely about Twitter‘s current public track record…

[kyte.tv appKey=MarbachViewerEmbedded&uri=channels/7802/412971&tbid=k_16&premium=false&height=334&width=319]

Twitter‘s public track record of securing and making a reliable service is less than top par. My top 3 frontal issues that have been discussed, re-discussed and overall made serious news for Twitter can be summed up with this list:

  • The service has a huge history of availability issues, well rather non-availability in times of high traffic although this hasn’t occurred in a while it’s bound to happen again seeing the growth patterns of late;
  • The security has a number of times criticized the continued use of basic-authentication (inc. accepting base64 password encoding) to use the service. The problem being that this is an easy way to grab the user’s password which would break or poke serious holes in the OAuth service;
  • There have been a repeat number of XSS attacks and worms including the most recent mikkey work which last over two weeks in its different iterartions.

These three points push me to think on whether or not I would be able to really trust such a service. Will I be able to use it at all times? Am I sure the authentication might not lead to a password leak? Am I sure that the OAuth won’t be replayable? Can I be sure that the OAuth session isn’t being misdirected or stolen somehow in XSS or via a worm? Makes me wonder if the service will actually provide a decent and safe mechanism for authentication and whether or not my credentials are going to be safe :- scary……

Related Links:

A Friend’s Blog Got p0wnd March 17, 2009

Posted by fvter in Security, Technology.
Tags: , ,
1 comment so far

I spent a good part of today investigating a javascript injection that a friend of mine suffered on his personal blog site. It turned out that this is nothing more than a typical adbot/scriptjacking malware infection. The actual injection code is an obfuscated iframe that tries to download a HTTP browser attack tool. The code is inserted in the page build (usually via the wordpress function framework, the style-sheet or even maybe a rogue module) and looks something like this:

malicious javacode

malicious javacode

The obfuscation resolves to a call that pulls a source script from a website hosted at add-block-filter.info and by then tries to either retrieve stored passwords & cookies or hijack open webpages. More generally targeting e-mail services to send out spam ( your typical adbotnet behaviour).

Tracking back the domain name, it came back to a know malware pusher 7addition.info/8addition.org. So in most likelyhood a new variant of script injection attack whish is picked up & revealed a known trojan downloader javascript iframe infection (at least reported by a few AV vendors e.g: trojan-downloader.js.iframe.ah). In this case, the trojan goes on to contact 2 other malware sites at firstgate.ru & benyodil.cn whom in turn download 3 additional malware infections to continue the pownage:

  • a malicious flash file which is in fact a download exploit (e.g: Exploit.SWF.Downloader.ks);
  • another html based script which is fact a trojan download agent and also sends out spam asking you to visit a site or click on a video link(e.g: Trojan-Downloader.HTML.Agent.np);
  • and finally, a packer javascript html agent which installs a BHO (browser helper object) that turns off the firewall and other windows services (e.g: Packed.JS.Agent.ad).

That’s as far as I went with the malicious activity…

Before investigating, my friend and I exchanged a few messages regarding him being p0wnd. He was trying to figure out what had been the root of his infection. Although he blames it on a combination of Twitter/Hotmail and a few other sites, seeing the root of the malicious software that gets pushed I would say that he original got hit from visiting an already infected site or from clicking on some weird website with flash videos (he does love to visit those). Interestingly enough, I think I can track back part of his problem to the 13th of march or a few days before. At that time I received an e-mail from him that was unusual:

I didn’t really pay attention to it but maybe should have and warned him at that time of the possible hijacking of his info. He learnt a few things (like not using the same password for his different services). I learnt for myself that when I see a friend sending a weird message to me to get on the ball and warn him/her.
Some more advice I offered is to:

  1. Update with regularity his personal blog framework;
  2. Recommend also to be careful about using the remember me option on some of these websites as the stored cookies give these clickjack malware a fair bit of leverage.

In These Times, Can You Protect the Business From Insider Threat March 5, 2009

Posted by fvter in Security, Technology.
Tags: , , , ,
add a comment

This post & thoughts are a reflection on my experience and years of dealing with the problem of identity management and how to relate a user versus his roles and responsibilities in the IT infrastructure and how this affects the departure processes (or exit procedures).

As the economic recession goes into it’s darkest times, businesses are making the hard choice of letting people go. The IT organisation is typically an area were decision makers take the opportunity to trim the fat. However an important part of decision making process, that can be easily overlooked, needs to be a good understanding of the risk involved in letting go of certain categories of IT staff and how their roles and responsibilities can potentially create a serious exposure footprint.

Why would HR & the security officers need to establish this risk analysis? The simple answer is that businesses need to ensure that staff who potentially hold the keys to the kingdom are not irate when they leave. The risk here is that an irate ex-employee with key information to be able to access the infrastructure may be tempted to take action in frustration or revenge. This unfortunate (and let me be clear sometimes illegal) type of action potentially involves damage  that can range anywhere from serious data leakage to denial of services hampering a company’s ability to do business.
A few examples scenario of a departing IT staff’s role versus what they can do could involve:

  • A network engineer (remember the San Francisco city network incident) who has extensive knowledge of the network configuration and holds some of the common super-user password could place back-doors allowing him to later bring down the network, redirect traffic out of the corporate network releasing sensitive information, or even using the network as a way-point for other types of illegal activities.
  • How about a server system administrator who has local administrator access to boxes and can place a backdoor allowing for remote acces and thus the ability to grab information or even stop critical business applications.
  • But even more critical (at least from my experience) is surely a security engineer, the knowledge of the security profile and accesses that have been made available to that profile makes this the highest risk footprint. To do the job, he/she has gained knowledge that renders the infrastructure critically vulnerable.

So the question that begs to be said out-loud is can a company avoid any issues?

The real protection that a company can achieve is to have a comprehensive identity management process and tool. Identity Management [IdM] is about a lot more than just being able to determine who works in the company which unfortunately is the baseline thinking or the minimal implementation that gets carried out. It’s also about being able to link a person to his/her role and authorizations. A well implemented IdM process and infrastructure will ensure that a person in the organization has a well defined role. That well defined role will correctly identify his/her authorizations and access rights. The ability to correctly define those authorizations provides a safeguard and a well-defined means to not only properly implement an exit procedure but also help evaluate a risk profile based on that persons footprint in the organization. The well-defined profile will ensure that the user is correctly matched to the tools & resources required for the job: no more, no less. This same correlation can then be used in the exit procedure to quickly identify and revoke all accesses. There are of course many more benefits for day-to-day operations to a complete IdM environment but that may be the subject of an alternate post.

The simplistic answer or quick fix if a comprehensive IdM is not in place is to make sure that the person leaves on good terms. The important part is to evaluate the risk versus the cost versus the potential loss. Unfortunately that is a short term strategy and somewhat impractical.

Related Links