eWeek.com posted a great list of 12 applications that are in common use but suffer from an assortment of vulnerabilities. The list has some applications that will surprise you. Don't be surprised that Internet Explorer is not on the list...for good or bad, they do have a reason.
Chalmer
For the astute readers who are looking for a future in expert testimony or may be pursuing to advance your career, some words of advice: be cautious about what you post online in online forums, especially about what questions you ask. During expert testimony, if the opposing counsel can't discredit your facts, they will attempt to discredit you. One method that has been used to do this is to Google your online activity and then try to use that against you. For example, if you post a perfectly innocent question early on in your career that any skilled professional should know the answer to, the opposing counsel can try to make you out to be a bumbling fool.
An associate of mine, in the forensics field, uses several online identities to bolster and protect his reputation. He uses his "professional identity" to answer other newbies' questions and present himself as an expert in the field and he uses his "throw away identities" to ask questions.
Chalmer
Very interesting tool that helps show how subjects are linked with other subjects on the web. This is particularly useful for seeing how people are characterized on the web.
Try TouchGraph and see for yourself.
Chalmer
This article from CBS News outlines the potential for malicious code to be found in online media sources, such as the video files served up by YouTube and similar video websites.
The take home message here is not so much that videos are getting corrupted...we knew that it was only a matter of time. The real story is the focus on how creative and ingenius the cracker community is at spreading their malware.
Chalmer
Interesting article: Going Undercover in the Slimy World of Phishing in eWeek, that describes the criminal business of phishing.
Don't doubt that cyber crime is big business.
Chalmer
Interesting podcast on eWeek.com about IcePack, a hacking toolkit and the spread of hacking tool kits in general.
Some points that stuck out to me include:
* the value associated with malware...meaning the money that people will spend to buy malware
* the interplay between hackers in the community, who buy a toolkit and then modify it to spy on the hackers that they sell or give it to
* the growth in the malware industry in general
Chalmer
Story in the Register about hard disks from Maxtor (recently acquired by Seagate) that come pre-formatted AND pre-infected.
Rumors on the street are that the virus that infects the hard disks from Maxtor steal gaming passwords and delete mp3's.
Nice.
Chalmer
Tim Wilson of Dark Reading shares his experiences during a walk around the White house scanning for open wireless networks.
Several points are pertinent for the astute reader:
* There are a ton of unsecured or poorly secured wireless networks in the world. OK...so that is not a newsflash.
* The author refers to WiGLE, the wireless geographic logging engine.
Read the article and take a look at WiGLE.
Chalmer
In case you hadn't heard, there was a change in name from Bastille Linux to Bastille Unix.
Apparently a domain-name squatter acquired the rights to the domain name that Bastille Linux was using.
He tried to get the original owners of the name to fork over big bucks to get the name back, but they are gonna rely upon the arbitration process to get the name back.
In the meantime, they are gonna take advantage of this opportunity to create a new web-site that reflects the changed nature of their product...
For a period of time, Bastille Linux has been ported to operating systems besides just Linux, so the name really didn't fit any more. They have changed the name to Bastille Unix.
If you have never heard of Bastille Linux, it is a script that walks through the security features of your operating system and either adjusts them for you or teaches you how and why to adjust them. Very good learning tool.
Chalmer
For those who don't know, honeypots and honeynets are computers or networks set up to trap, monitor, or deflect malicious activity. A researcher might set up a computer and leave some common vulnerabilities open on it and wait to see who comes knocking. Once the bad guys finds that the computer is "open" they try different techniques to probe the box and take control of it. The whole time, the system will track the behavior of the attacker to determine what they do and how...this can lead to some interesting developments learning what the bad guys are up to.
It was apparently a slow news day, but the following web-site: SANS Internet Storm Center Diary put up a list of all the malicious code that they noted using one of their honeypots.
Neat stuff.
Chalmer
I recently responded to a comment made on Slashdot about one of their articles. The article covered an audit made of Ameritrade's system and the fact that it had a 'back-door' in it. One of the readers made a comment that seems reasonable at first, but belies the difficulty of security a computer or a network.
Below is the text of my reply and here is a link to the original comment by mkraft and a link to the original Slashdot article.
---------------------------------------------------------------------
mkraft: In reference to your statement "How does unauthorized code even get into a financial institution's systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened."
It, unfortunately, is not that easy. As soon as one computer is connected to another computer (via wireless, wired networks or 'sneaker-net'), problems with security start to cascade. If a computer has a USB port, a CD drive, DVD drive, or a network connection, it is nearly impossible to lock down - malware will find it's way onto the machine.
The U.S. and foreign governments spend a fortune trying to lock down some of their most sophisticated computers and networks and still they leak like a sieve.
Although we may wish that it were otherwise, we can hardly expect for a company whose bottom line is the profit margin, to spend all that it takes to secure even one computer...
Consider the magnitude of the problem:
- Keep the network holes plugged as much as possible
- Keep the operating system patched
- Keep all of the applications (including the off-the-shelf and home-grown applications) patched - Keep all security software patched and updated
- Most importantly, keep all employees from doing anything remotely silly or risky
Many of the items above, are nearly impossible to do well - for example...if a typical patch for a piece of software arrives ~5 days after the vulnerability is announced, what is the financial institution supposed to do for those 5 days? NOTE: the 5 days is a fictitious number - no one achieves that high a speed in issuing and applying patches...but it illustrates the point...
There is no way for an underpaid, overworked security staff to plug EVERY hole - especially in the world of zero day exploits. The hackers, on the other hand, have automated tools that can plug at the problem 24/7 until they find even one, overlooked hole...
--
Chalmer
Great article by Ed Skoudis on finding malware on a Windows computer. This article covers a number of things that are fun for beginners in the field of information security: how to use the command line in Windows and what to look for when investigating a Windows machine for infection or malware.
Chalmer
Interesting article: China claims hackers stole its secrets too about claims by the Chinese that they are experiencing hacking attacks. Some of the neater quotes include:
"Vice Minister of Information Industry Lou Qinjian claimed that the United States and other 'hostile' governments were attacking China's infrastructure..."Nice to know that what goes around comes around...
"In recent years, Party, government and military organs and national defense scientific reserach units have had many major cases of loss, theft and leakage of secrets, and the damage to national interests has been massive and shocking."
"FBI CIO: Culture inhibits info sharing" article in Federal Computer Week, by Wade-Hahn Chan about the FBI's reticence regarding sharing information. Chan quotes the FBI CIO regarding "...the intelligence community isn't used to the concept of sharing information and therefore worries about security leaks."
Sharing of information is a very tricky subject...and is tied to a number of interesting issues (these are only a few):
what are the technical requirements for an information sharing solution?
--> keeping bad guys out
--> keeping viruses and malware off the network
--> preventing inadvertant loss of classified data, either due to insiders or due to data leaks
who will be sharing the information?
--> how trustworthy is the network of the partner you are sharing your classified info with?
--> if you share info, what needs to be filtered out, so that they get "actionable" data but not the "crown jewels"
what types of information is being shared?
--> Does the receiving organization, country, company need to have this information or just parts of the information?
--> Can the information being shared lead to a "mosaic effect", where seeming trivial bits of information shared today, can be linked to other trivial bits of information shared yesterday or tomorrow, to allow the partner to infer too much?
Sharing information is not as easy as it might sound.
Chalmer
Came across an article that relates to Nmap, the network scanning tool. If you haven't tried Nmap, get it and give it a whirl. Very useful and effective.
Nmap helps identify many of the pertinent details associated with a network or system, including open ports, exposed operating systems, exposed services, etc.
Searchsecurity has a "manual" that can walk you through the process of setting it up and running it.
Chalmer
This article by John Zyskowski in Federal Computing Weekly is pretty old (2006), but it is even more relevant, as USB drives and USB thumbdrives continue to grow in popularity and in size. The article describes a number of the risks associated with loss of data:
Several years ago, Sony produced some music CDs with rootkits in them. Hackers loved it. Music purchasers hated it. Infosec practitioners appreciated the extra business cleaning up the mess. Everyone pretty much agreed that it was a major business faux pas on Sony's part. Except, apparently, Sony, since they are a pretty much at it again.
Some folks never learn.
Chalmer
Reports in the news of suspicious scans potentially related to a product called ServerProtect. The article describes how there has been some recent increased scanning activity related to TCP port 5168, which is related to a remote procedure call service in ServerProtect. Apparently, a number of machines in a wide range of IP addresses have been scanning this port.
One of the interesting quotes is this:
"Trend Micro issued a warning of its own yesterday based on the ISC scanning alert to virtually beg ServerProtect users to patch ASAP. "We implore security administrators to apply the latest ServerProtect security patch avalable from Trend Micro as soon as possible to protect against any potential attack," read the warning."It will be very interesting to see if a viable attack is levied in the near future on this vulnerability.
This company's ability to supply service to it's customers was drastically impacted because of two factors:
* someone discharged a firearm into their fiber optic lines
AND
* they failed to provide redundant fiber lines
In the world of information assurance...we need to keep data safe (from crackers and bad guys), but we also need to keep it accessible to legitimate users. One of the ways to provide high assurance is to provide redundant capability:
* mirrored servers
* redundant paths from point A to B
* fail-over equipment
These guys did not have such capability in place and it cost them and ultimately it cost their customers and those people's customers, on down the chain.
Chalmer...
This article by Jim Melnick in the Boston Globe covers some of the salient points associated with cyberwarfare...
It is only a matter of time before the United States and other world powers begin to see the onslaught of calibrated and calculated attacks, in much the same manner as was demonstrated in Estonia.
To quote Mr. Melnick: "Though many US websites are well-protected, a massive denial of service attack could leave many commercial and other sites reeling along the lines of what occurred in Estonia, but on a larger scale. Given that more of our daily lives today depends on the Internet, financial losses could be huge and would be accompanied by a corresponding loss of consumer confidence."The article also covers some of the issues associated with attacks on infrastructure and military and governmental institutions...
"For 10 years, the federal government's information systems and critical infrastructures have remained a "high-risk" category as assessed by the Government Accountability Office."The worst part of the equation...as it is in so many things related to security - we have to be successful in defending ourselves 100% of the time and they (the bad guys) only have to be successful once.
Very nice article by Brian Prince on a Trojan malware that has infected a number of web sites, allegedly including Monster.com and other job search web sites.
Some quotes from Brian:
"The hackers behind the attack are running ads on the sites and injecting those ads with the Trojan. When an user views or clicks on one of the malicious ads, their PC is infected..."Moral of the story: Even reliable, trusted sites can inadvertantly host malicious material or host links to sites that do.
"...all the information entered into their browser, such as financial information entered before it reaches SSL protected sites, is captured and sent off to the hacker's server..."Moral of the story: one of the best ways to get encrypted data is to get it before it gets encrypted...
Brian quotes Don Jackson of SecureWorks: "This Trojan uses its own packer…it compresses and changes the code around," he said. "This packer is unique to this Trojan. It was written specifically for it, and the construction kit that produces the executables is very, very good at putting instruction substitutions, giving a long string of instructions for a simple task and putting garbage code or null operations in there, so that it is hard for anti-virus. Anti-virus has not been able to pick a stub…that they can identify reliably from file to file."No moral here...just fascinating how well the creators have considered the issue of camouflaging their presence.
The Holliday cracking article (sic) shows how one guy walked through doing forensics on a box. The interesting part of this discussion is two-fold...
first - seeing what the cracker/hacker did to the Linux boxThe take home message for this:
second - seeing the range of comments on Bruce Schneier's website about how the "forensics analyst" went about his analysis - i.e. what to do, what not to do
* No computer is truly safe
* When doing forensics, the techniques you use and the decisions you make are gonna be second guessed endlessly.
I came across this web-site for Digital Armaments. These folks pay researchers for vulnerabilities. Find a problem, tell them about it and they give you compensation (and your name in lights, when they forward the information on to interested parties).
Capitalism at its best...get someone to do your work for you dirt cheap, and sell the results for as much as the market will bear. I applaud them for their ingenuity.
I am not sure of the inner workings of the company (i.e. who they sell their products to...what they do with the vulnerabilities...) therefore I can't comment on whether this firm's actions are good or bad - but the business model is certainly interesting.
Chalmer
Sourcefire (the owners of Snort) and Insecure.org (the maker of Nmap) are teaming up to improve the abilities of Nmap to pinpoint vulnerabilities. Take a look at the article for more details...
If you haven't tried Snort yet or Nmap...give them a whirl...
Chalmer.
This website is a great resource for insight on Linux Commands. It comes from the book Linux in a Nutshell by O'Reilly.
Chalmer
It has been quite a while since my last post. My time was fully committed to the task of searching for a new job. Which I found...
I am now working for a consulting firm in Maryland, doing information assurance/information security work.
This will enable me the opportunity to really focus my studies on InfoSec and hopefully pass some of that info on to you, my astute readers.
Chalmer
There is an interesting post on one of the many Google Blogs on how to search specific sites for data. In researching information security topics, it is often frustrating to use the default search box on certain websites. Many websites don't have decent indexing of their data and thus don't/can't offer effective search tools. Google has a way to overcome some of these limitations...
For example:
site:www.example.com sampleWould search the site www.example.com for the term "sample". Similarly,
site:insecure.org hackerWill search the website insecure.org for the term "hacker".
Very interesting article about a potential plot to disrupt Britain's Internet access...One item that jumps out at me:
Raids by Metropolitan Police detectives found computer files indicating that terrorist suspects had targeted a high-security Internet "hub" in London that handles most of the Internet information that passes in and out of Britain, including London's businesses and stock exchange, the Sunday Times said.The first question that comes to mind...is "Why does Britain have only one main hub to handle the majority of their Internet traffic?
Josh Rogin at Federal Computer Week has another interesting article on recent attacks traced back to South Korean servers AND a good discussion on what elements of current United States Policies may be limiting our ability to respond to cyber attacks.
This question is becoming more critical all the time. Cyber attacks are increasing in number and in sophistication everyday. It is only a matter of time before someone initiates an attack that will catch us off-guard, much the way 9/11 caught us off-guard.
Air Force General Ronald Keys, Commander of Air Combat Command had several interesting points:
The recent UltraDNS attacks raised several questions for DOD policy makers, Keys said. “How do you react to that attack? How do you trace it back? What are the legalities included? What do you do when you do find them? It’s a huge challenge,” he said.The enemy is no stranger to cyber attacks:
“We’re already at war in Cyberspace, have been for many years,” said Keys. Terrorists use the Internet extensively, through remotely detonated bombs, GPS, Internet financial transactions, navigation jamming, blogs, bulletin boards, and chat rooms.This statement is the most intriguing - mostly because it is true:
Cyberspace is the only warfighting domain in which the U.S. has peer competitors, Keys said.Chalmer
There is a great article in Federal Computer Week on Chinese hackers and their all-out attacks against the Department of Defense. One key point from the article, to ponder:A recent Chinese military white paper states that China plans to be able to win an “informationized war” by the middle of this century.
China is also using more traditional hacking methods, such as Trojan horse viruses and worms, but in innovative ways.The field of information warfare may not be as "front-page picture-worthy" as bombed out husks of military equipment but it is just as real. The bad guys are out there!
For example, a hacker will plant a virus as a distraction and then come in “slow and low” to hide in a system while the monitors are distracted. Hackers will also use coordinated, multipronged attacks, the official added.
I have a real fondness for foreign language...by which I mean honest-to-goodness languages from foreign countries and languages that are just plain foreign, like programming languages.
For many astute readers, dealing with a topic such as information security can be like dealing with a foreign language...there are many new terms to remember and new definitions tied to terms you thought you already knew.
Trying to remember these or any other facts, can be difficult. Mindtools offers some tips on how to remember things. If you find that you can't remember material you've read, can't remember people's names, or can't remember computer geek terminology, try some of the tips they offer.
Chalmer
There is an interesting story about a man who was mistaken for a large rodent and shot! Apparently, John Cheesman was snorkeling when someone saw him and mistook him for a large rodent, the Nutria. The guy, William Roderick, allegedly shot Cheesman in the head. Mr. Cheesman is apparently doing well and had the bullet fragments removed. Mr. Roderick is being charged with assault, being a felon in possession of a firearm, possession of methamphetamine and marijuana.
The take home message for the Astute Reader?
"Know your target and what is beyond" - This is a critical concept to understand, in all aspects of life, not just firearm safety. If you don't have a clear plan, when you enter into a venture, you are often doomed to failure...
This includes:
Just a quick point of reference regarding how prevalent probes and scans are on the Internet.
When you connect to the Internet, your computer is almost immediately being scanned by the bad guys. The researchers in this article found that their test computers were assaulted 2,244 times in 24 hours, or an average of every 39 seconds.
What does the astute reader do to keep themselves safe? Keep your defenses up - anti-virus, firewalls, etc.
Chalmer
The Domain Name Servers that support the Internet were subjected to a major Denial-of-Service (DoS) attack, earlier this week. Domain Name Servers translate domain names (such as www.google.com) into IP addresses that computers can recognize. The servers were flooded with bogus traffic that was intended to prevent legitimate traffic from reaching the servers, thus denying legitimate users from accessing the services they desire.
In this case, the attack was not overly successful, partly due to the redundancies in place to
protect the servers. The graph shows "dropped queries" or traffic that did not make it to the 13 servers that form the backbone of the Internet. Red means >90% of traffic was dropped to a particular server. In this attack, only two of the servers were significantly interrupted.
This is not the first time such an attack has been attempted. For more information on DoS, take a look at my presentation (pdf) on a similar attack that occurred in 2002.
The graph comes from RIPE.
Chalmer
There is an article in ZDNet about an exploit on the website for Dolphin Stadium.
Apparently, the web server was hacked and the bad guys changed the web page to include a single line of code. That one line of code directs your computer to visit the bad guy's web site, in the background, where it then downloads a piece of malicious software, including a Trojan keystroke logger and a backdoor.
Yet another classic illustration of why it is so important to keep your systems patched and protected with up-to-date anti-virus files, etc. It doesn't take a visit to a shady web site to catch a nasty computer disease.
Chalmer
Depending on who you ask, it might be an "exploit"...it might not. Speech recognition, that is.
It seems that computers with speech recognition capabilities are susceptible to accepting spoken commands. This has apparently been confirmed by Microsoft in relation to their new operating system, Vista.
Vista will accept spoken commands and execute them. What this means, is that a webpage, such as MySpace or a malicious computer program could play sounds that will interact with the speech recognition program, and initiate malicious activity on your computer, such as file deletions, etc.
Such a sound wave file would slip right by anti-virus software.
To be sure, there are a number of issues that need to be worked out...not the least of which is getting the commands to play when you are not at your computer to stop the process. But do not worry...it will not be long, before the bad guys figure out a way to do so...
One example...taken from the MySpace model...would be to play a typical wave file that has music for the first few minutes and then silence for 40 or 50 minutes, at which time the audio commands would begin to play.
Guess this could mean the end of the "open mike."
Another link related to this topic.
Chalmer
Interesting discussion on Slashdot about the online phenomena Wikipedia. For those who don't know yet, Wikipedia is an online encyclopedia that allows anyone, even you...the Astute Reader...to edit their content.
Many students rely heavily on Wikipedia to pad their research papers until they reach the minimum number of pages. The question becomes: should an encyclopedia (Wikipedia, Britannica, etc.) be used as a cited source in a research paper?
I weigh in with my thoughts on the matter in Slashdot's comments section.
So...what does this have to do with information security? Well...despite the fact that Wikipedia may not be reliable enough to serve as a major source in a graded paper, it is still a remarkable and generally reliable resource for research on any subject you can image.
Personally, I often turn to it to get a general overview on many topics, including infosec. Once I have a baseline on a topic, it is often easy to research certain topics in greater depth from primary sources...
Knowledge is one of our greatest defenses against insecurity - familiarize yourself with the sources of data that are available to you - Wikipedia being one of them. See also my article about vulnerabilities and sources of info on them.
Chalmer
Technorati Tags: information security, wikipedia
As you begin to explore information security, you will quickly find that there are more problems than you can possibly keep track of. Lucky, others are diligently engaged in tracking these things for you.
The web-sites listed below all contain details about vulnerabilities or security flaws in popular software and operating systems. It should be noted:
This isn't really new news, but the hash SHA-1 (Secure Hash Algorithm-1) has been significantly compromised! So...what does that mean to you?
Hashes are a list of characters that "represent" the contents of a message or file and are intended to represent those contents uniquely. Hashes are expected to have two important properties:
Phishing is a crime being perpetuated on the unsuspecting computer user to gather private information. Phishing uses technical means such as e-mail, instant messaging (IM) or phone calls to request information such as passwords or login names. Phishing has been around for years, but is becoming more prevalent. Early attempts at phishing were used to steal access to people's online computer accounts (i.e. web-based email), which were then used to send spam or send out copies of pirated software.
Modern phishing often focuses on more direct means to financial gain...namely getting access to your bank, credit card or other financial accounts (i.e. PayPal, E-bay).
Victims of phishing will receive a message from the attacker that asks for specific personal or private information. For example:
Many will include dire threats, like the PayPal example to the right. Click it for a larger version. The message will often provide a web-site to visit where the victim can input their data. Close examination of the web-site address (URL) will show that the web-site is not the real web-site. For example:
Some of you may be asking...what does ōKAMi mean...
ōkami comes from Japanese and means wolf. My Japanese friends chose this symbol to represent my name. Japanese symbols often come with multiple pronunciations. For example, the symbol for wolf has several pronunciations.
In fire protection, a firewall is a solid, fire resistive barrier that keeps fire burning on one side of the wall from burning valuable material on the other side of the wall. In computing, a firewall serves a similar purpose: separate bad guys and your valuable data. Firewalls come in two flavors: software (computer programs) or hardware (equipment or stand-alone boxes). There are benefits and disadvantages to both:
Software Firewalls:
Banks will be instituting a variety of new identification and authorization methods in 2007. This article by Sherry Slater covers many of the ways and means that banks will be beefing up their security, apparently in response to guidelines issued by the Federal Financial Institutions Examination Council. Some of methods of choice include:
