eWeek's "12 Scariest Applications"

eWeek.com posted a great list of 12 applications that are in common use but suffer from an assortment of vulnerabilities. The list has some applications that will surprise you. Don't be surprised that Internet Explorer is not on the list...for good or bad, they do have a reason.


Online identities and expert witnesses

For the astute readers who are looking for a future in expert testimony, or who are simply looking to advance your career, some words of advice: be cautious about what you post in online forums, and especially about what questions you ask. During expert testimony, if the opposing counsel can't discredit your facts, they will attempt to discredit you. One method that has been used to do this is to Google your online activity and then try to use that against you. For example, if you post a perfectly innocent question early on in your career that any skilled professional should know the answer to, the opposing counsel can try to make you out to be a bumbling fool.

An associate of mine, in the forensics field, uses several online identities to bolster and protect his reputation. He uses his "professional identity" to answer other newbies' questions and present himself as an expert in the field and he uses his "throw away identities" to ask questions.



TouchGraph...visually representing web connections

Very interesting tool that helps show how subjects are linked with other subjects on the web. This is particularly useful for seeing how people are characterized on the web.
Try TouchGraph and see for yourself.



Hacked by YouTube...

This article from CBS News outlines the potential for malicious code to be found in online media sources, such as the video files served up by YouTube and similar video websites.

The take home message here is not so much that videos are getting corrupted...we knew that it was only a matter of time.  The real story is the focus on how creative and ingenious the cracker community is at spreading their malware.



Phishing attacks...

Interesting article:  Going Undercover in the Slimy World of Phishing in eWeek, that describes the criminal business of phishing.

Don't doubt that cyber crime is big business.



Hacking toolkits...IcePack

Interesting podcast on eWeek.com about IcePack, a hacking toolkit, and the spread of hacking toolkits in general.

Some points that stuck out to me include:
* the value associated with malware...meaning the money that people will spend to buy malware
* the interplay between hackers in the community, who buy a toolkit and then modify it to spy on the hackers that they sell or give it to
* the growth in the malware industry in general



Infected even before you connect to the Internet???

Story in the Register about hard disks from Maxtor (recently acquired by Seagate) that come pre-formatted AND pre-infected.

Rumors on the street are that the virus that infects the hard disks from Maxtor steals gaming passwords and deletes mp3's.




Wireless War "Walking" and WiGLE

Tim Wilson of Dark Reading shares his experiences during a walk around the White House scanning for open wireless networks.

Several points are pertinent for the astute reader:
* There are a ton of unsecured or poorly secured wireless networks in the world.  OK...so that is not a newsflash.
* The author refers to WiGLE, the wireless geographic logging engine.

Read the article and take a look at WiGLE.



From Bastille Linux to Bastille Unix

In case you hadn't heard, there was a change in name from Bastille Linux to Bastille Unix.

Apparently a domain-name squatter acquired the rights to the domain name that Bastille Linux was using.

He tried to get the original owners of the name to fork over big bucks to get the name back, but they are gonna rely upon the arbitration process to get the name back.

In the meantime, they are gonna take advantage of this opportunity to create a new web-site that reflects the changed nature of their product...

For some time now, Bastille Linux has been ported to operating systems besides just Linux, so the name really didn't fit any more. They have changed the name to Bastille Unix.

If you have never heard of Bastille Linux, it is a script that walks through the security features of your operating system and either adjusts them for you or teaches you how and why to adjust them. Very good learning tool.


Honeypots...and the results...

For those who don't know, honeypots and honeynets are computers or networks set up to trap, monitor, or deflect malicious activity.  A researcher might set up a computer, leave some common vulnerabilities open on it, and wait to see who comes knocking.  Once the bad guys find that the computer is "open", they try different techniques to probe the box and take control of it.   The whole time, the system tracks the behavior of the attacker to determine what they do and how...this can teach us a great deal about what the bad guys are up to.

It was apparently a slow news day, but the following web-site:  SANS Internet Storm Center Diary put up a list of all the malicious code that they noted using one of their honeypots.

Neat stuff.



Comments on Slashdot - Re Ameritrade Fiasco...

I recently responded to a comment made on Slashdot about one of their articles. The article covered an audit made of Ameritrade's system and the fact that it had a 'back-door' in it. One of the readers made a comment that seems reasonable at first, but belies the difficulty of securing a computer or a network.

Below is the text of my reply and here is a link to the original comment by mkraft and a link to the original Slashdot article.

mkraft: In reference to your statement "How does unauthorized code even get into a financial institution's systems? The banking systems should never be accessible via public networks, only private ones, so this should never have happened."

It, unfortunately, is not that easy. As soon as one computer is connected to another computer (via wireless, wired networks or 'sneaker-net'), problems with security start to cascade. If a computer has a USB port, a CD drive, DVD drive, or a network connection, it is nearly impossible to lock down - malware will find its way onto the machine.

The U.S. and foreign governments spend a fortune trying to lock down some of their most sophisticated computers and networks and still they leak like a sieve.

Although we may wish that it were otherwise, we can hardly expect for a company whose bottom line is the profit margin, to spend all that it takes to secure even one computer...

Consider the magnitude of the problem:
- Keep the network holes plugged as much as possible
- Keep the operating system patched
- Keep all of the applications (including the off-the-shelf and home-grown applications) patched
- Keep all security software patched and updated
- Most importantly, keep all employees from doing anything remotely silly or risky

Many of the items above are nearly impossible to do well - for example...if a typical patch for a piece of software arrives ~5 days after the vulnerability is announced, what is the financial institution supposed to do for those 5 days? NOTE: the 5 days is a fictitious number - no one achieves that high a speed in issuing and applying patches...but it illustrates the point...

There is no way for an underpaid, overworked security staff to plug EVERY hole - especially in the world of zero day exploits. The hackers, on the other hand, have automated tools that can plug away at the problem 24/7 until they find even one, overlooked hole...


Skoudis: finding malware on a Windows box...

Great article by Ed Skoudis on finding malware on a Windows computer.  This article covers a number of things that are fun for beginners in the field of information security:  how to use the command line in Windows and what to look for when investigating a Windows machine for infection or malware.


China gets hacked too!

Interesting article:  China claims hackers stole its secrets too about claims by the Chinese that they are experiencing hacking attacks. Some of the neater quotes include:

"Vice Minister of Information Industry Lou Qinjian claimed that the United States and other 'hostile' governments were attacking China's infrastructure..."

"In recent years, Party, government and military organs and national defense scientific research units have had many major cases of loss, theft and leakage of secrets, and the damage to national interests has been massive and shocking."
Nice to know that what goes around comes around...



Information Sharing

"FBI CIO: Culture inhibits info sharing" article in Federal Computer Week, by Wade-Hahn Chan about the FBI's reticence regarding sharing information. Chan quotes the FBI CIO regarding "...the intelligence community isn't used to the concept of sharing information and therefore worries about security leaks."

Sharing of information is a very tricky subject...and is tied to a number of interesting issues (these are only a few):

What are the technical requirements for an information sharing solution?
--> keeping bad guys out
--> keeping viruses and malware off the network
--> preventing inadvertent loss of classified data, either due to insiders or due to data leaks
Who will be sharing the information?
--> how trustworthy is the network of the partner you are sharing your classified info with?
--> if you share info, what needs to be filtered out, so that they get "actionable" data but not the "crown jewels"?
What types of information are being shared?
--> Does the receiving organization, country, company need to have this information or just parts of the information?
--> Can the information being shared lead to a "mosaic effect", where seemingly trivial bits of information shared today can be linked to other trivial bits of information shared yesterday or tomorrow, to allow the partner to infer too much?

Sharing information is not as easy as it might sound.



More Nmap...

This article also walks you through the process of running Nmap. Give it a try.




Came across an article that relates to Nmap, the network scanning tool. If you haven't tried Nmap, get it and give it a whirl. Very useful and effective.

Nmap helps identify many of the pertinent details associated with a network or system, including open ports, exposed operating systems, exposed services, etc.

Searchsecurity has a "manual" that can walk you through the process of setting it up and running it.



Risks associated with USB drives...

This article by John Zyskowski in Federal Computing Weekly is pretty old (2006), but it is even more relevant today, as USB drives and USB thumbdrives continue to grow in popularity and in size. The article describes a number of the risks associated with loss of data:

  • data stored on USB drives/thumb drives that get stolen or lost
  • data stolen from desktops using the storage capability of thumb drives
One issue that was hinted at, but not really discussed, is the risk associated with viruses, trojans and other malware that can be transferred to a computer when you insert a USB device.



Sony Rootkits - Redux

Several years ago, Sony produced some music CDs with rootkits in them. Hackers loved it. Music purchasers hated it. Infosec practitioners appreciated the extra business cleaning up the mess. Everyone pretty much agreed that it was a major business faux pas on Sony's part. Except, apparently, Sony, since they are pretty much at it again.

Some folks never learn.



Suspicious Scans...

Reports in the news of suspicious scans potentially related to a product called ServerProtect. The article describes how there has been some recent increased scanning activity related to TCP port 5168, which is related to a remote procedure call service in ServerProtect. Apparently, a number of machines in a wide range of IP addresses have been scanning this port.

One of the interesting quotes is this:

"Trend Micro issued a warning of its own yesterday based on the ISC scanning alert to virtually beg ServerProtect users to patch ASAP. "We implore security administrators to apply the latest ServerProtect security patch available from Trend Micro as soon as possible to protect against any potential attack," read the warning."
It will be very interesting to see if a viable attack is levied in the near future on this vulnerability.
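The scanning activity described above is the kind of thing a firewall log makes visible. As an added example (not from the article or from Trend Micro), the following code reads iptables-style log lines, collects every source that probed TCP port 5168, and reports how many distinct sources there were and which of them swept several hosts. The log lines are constructed for the example and use documentation address ranges; the "iptables-style" field layout (SRC=, DST=, PROTO=, DPT=) is an assumption about the log source.

```python
"""Summarise probes of TCP/5168 (ServerProtect's RPC port) from firewall log lines."""
import re
from collections import defaultdict

# Constructed iptables-style log lines (not real traffic); 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used here as placeholders.
SAMPLE_LOG = """\
Aug 20 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=5168 SYN
Aug 20 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=41001 DPT=5168 SYN
Aug 20 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=41002 DPT=5168 SYN
Aug 20 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=41003 DPT=5168 SYN
Aug 20 10:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=5168 SYN
Aug 20 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=52001 DPT=5168 SYN
Aug 20 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.21 PROTO=TCP SPT=52002 DPT=5168 SYN
Aug 20 10:03:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=5168 SYN
Aug 20 10:03:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=443 SYN
Aug 20 10:03:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=44001 DPT=443 SYN
"""

# Pull out the fields we need; lines without them (e.g. ICMP) are ignored.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def probes_to_port(log_text, port=5168):
    """Map each source that hit `port` over TCP to the set of destinations it probed."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "TCP" or int(m.group("dpt")) != port:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return dict(targets)


def sweep_report(log_text, port=5168, min_targets=3):
    """How many distinct sources probed the port, and which swept at least `min_targets` hosts."""
    targets = probes_to_port(log_text, port)
    sweepers = {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
    return {"port": port, "distinct_sources": len(targets), "sweepers": sweepers}


if __name__ == "__main__":
    report = sweep_report(SAMPLE_LOG)
    print(f"port {report['port']}: {report['distinct_sources']} distinct sources")
    for src, dsts in report["sweepers"].items():
        print(f"  {src} swept {len(dsts)} hosts: {', '.join(dsts)}")
```

Many distinct sources against one port, several of them sweeping address ranges, is the pattern the ISC alert describes; a single internal host probing the port is a different question to ask of your own network.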



Why your internet connection was really down...

This company's ability to supply service to its customers was drastically impacted because of two factors:
* someone discharged a firearm into their fiber optic lines
* they failed to provide redundant fiber lines

In the world of information assurance...we need to keep data safe (from crackers and bad guys), but we also need to keep it accessible to legitimate users. One of the ways to provide high assurance is to provide redundant capability:
* mirrored servers
* redundant paths from point A to B
* fail-over equipment

These guys did not have such capability in place and it cost them and ultimately it cost their customers and those people's customers, on down the chain.



The next world war?

This article by Jim Melnick in the Boston Globe covers some of the salient points associated with cyberwarfare...

It is only a matter of time before the United States and other world powers begin to see the onslaught of calibrated and calculated attacks, in much the same manner as was demonstrated in Estonia.

To quote Mr. Melnick: "Though many US websites are well-protected, a massive denial of service attack could leave many commercial and other sites reeling along the lines of what occurred in Estonia, but on a larger scale. Given that more of our daily lives today depends on the Internet, financial losses could be huge and would be accompanied by a corresponding loss of consumer confidence."
The article also covers some of the issues associated with attacks on infrastructure and military and governmental institutions...
"For 10 years, the federal government's information systems and critical infrastructures have remained a "high-risk" category as assessed by the Government Accountability Office."
The worst part of the equation...as it is in so many things related to security - we have to be successful in defending ourselves 100% of the time and they (the bad guys) only have to be successful once.



Trojan software hidden on Job Search web-sites...

Very nice article by Brian Prince on a Trojan malware that has infected a number of web sites, allegedly including Monster.com and other job search web sites.

Some quotes from Brian:

"The hackers behind the attack are running ads on the sites and injecting those ads with the Trojan. When a user views or clicks on one of the malicious ads, their PC is infected..."
Moral of the story: Even reliable, trusted sites can inadvertently host malicious material or host links to sites that do.
"...all the information entered into their browser, such as financial information entered before it reaches SSL protected sites, is captured and sent off to the hacker's server..."
Moral of the story: one of the best ways to get encrypted data is to get it before it gets encrypted...
Brian quotes Don Jackson of SecureWorks: "This Trojan uses its own packer…it compresses and changes the code around," he said. "This packer is unique to this Trojan. It was written specifically for it, and the construction kit that produces the executables is very, very good at putting instruction substitutions, giving a long string of instructions for a simple task and putting garbage code or null operations in there, so that it is hard for anti-virus. Anti-virus has not been able to pick a stub…that they can identify reliably from file to file."
No moral here...just fascinating how well the creators have considered the issue of camouflaging their presence.



Forensics on a hacked Linux box...

The Holliday cracking article (sic) shows how one guy walked through doing forensics on a box. The interesting part of this discussion is two-fold...

first - seeing what the cracker/hacker did to the Linux box
second - seeing the range of comments on Bruce Schneier's website about how the "forensics analyst" went about his analysis - i.e. what to do, what not to do
The take home message for this:
* No computer is truly safe
* When doing forensics, the techniques you use and the decisions you make are gonna be second guessed endlessly.



Digital Armaments and cash for vulnerabilities...

I came across this web-site for Digital Armaments. These folks pay researchers for vulnerabilities. Find a problem, tell them about it and they give you compensation (and your name in lights, when they forward the information on to interested parties).

Capitalism at its best...get someone to do your work for you dirt cheap, and sell the results for as much as the market will bear. I applaud them for their ingenuity.

I am not sure of the inner workings of the company (i.e. who they sell their products to...what they do with the vulnerabilities...) therefore I can't comment on whether this firm's actions are good or bad - but the business model is certainly interesting.



Sourcefire and Nmap team up...

Sourcefire (the owners of Snort) and Insecure.org (the maker of Nmap) are teaming up to improve the abilities of Nmap to pinpoint vulnerabilities. Take a look at the article for more details...

If you haven't tried Snort yet or Nmap...give them a whirl...



Linux Command Directory

This website is a great resource for insight on Linux Commands. It comes from the book Linux in a Nutshell by O'Reilly.


Been a long time...

It has been quite a while since my last post. My time was fully committed to the task of searching for a new job. Which I found...

I am now working for a consulting firm in Maryland, doing information assurance/information security work.

This will enable me the opportunity to really focus my studies on InfoSec and hopefully pass some of that info on to you, my astute readers.



There is an interesting post on one of the many Google Blogs on how to search specific sites for data. In researching information security topics, it is often frustrating to use the default search box on certain websites. Many websites don't have decent indexing of their data and thus don't/can't offer effective search tools. Google has a way to overcome some of these limitations...

For example:

site:www.example.com sample
Would search the site www.example.com for the term "sample". Similarly,
site:insecure.org hacker
Will search the website insecure.org for the term "hacker".

Happy searching...


Only one main interface to the Internet???

Very interesting article about a potential plot to disrupt Britain's Internet access...One item that jumps out at me:

Raids by Metropolitan Police detectives found computer files indicating that terrorist suspects had targeted a high-security Internet "hub" in London that handles most of the Internet information that passes in and out of Britain, including London's businesses and stock exchange, the Sunday Times said.
The first question that comes to mind...is "Why does Britain have only one main hub to handle the majority of their Internet traffic?"

This flies against the security principle of redundant systems.



Korean Hackers??? and how our hands are tied...

Josh Rogin at Federal Computer Week has another interesting article on recent attacks traced back to South Korean servers AND a good discussion on what elements of current United States Policies may be limiting our ability to respond to cyber attacks.

This question is becoming more critical all the time. Cyber attacks are increasing in number and in sophistication every day. It is only a matter of time before someone initiates an attack that will catch us off-guard, much the way 9/11 caught us off-guard.

Air Force General Ronald Keys, Commander of Air Combat Command, had several interesting points:

The recent UltraDNS attacks raised several questions for DOD policy makers, Keys said. “How do you react to that attack? How do you trace it back? What are the legalities included? What do you do when you do find them? It’s a huge challenge,” he said.
The enemy is no stranger to cyber attacks:
“We’re already at war in Cyberspace, have been for many years,” said Keys. Terrorists use the Internet extensively, through remotely detonated bombs, GPS, Internet financial transactions, navigation jamming, blogs, bulletin boards, and chat rooms.
This statement is the most intriguing - mostly because it is true:
Cyberspace is the only warfighting domain in which the U.S. has peer competitors, Keys said.

Chinese Hackers...

There is a great article in Federal Computer Week on Chinese hackers and their all-out attacks against the Department of Defense. One key point from the article, to ponder:

A recent Chinese military white paper states that China plans to be able to win an “informationized war” by the middle of this century.
Their innovation is also of interest...
China is also using more traditional hacking methods, such as Trojan horse viruses and worms, but in innovative ways.

For example, a hacker will plant a virus as a distraction and then come in “slow and low” to hide in a system while the monitors are distracted. Hackers will also use coordinated, multipronged attacks, the official added.
The field of information warfare may not be as "front-page picture-worthy" as bombed out husks of military equipment but it is just as real. The bad guys are out there!



Improving your memory

I have a real fondness for foreign language...by which I mean honest-to-goodness languages from foreign countries and languages that are just plain foreign, like programming languages.

For many astute readers, dealing with a topic such as information security can be like dealing with a foreign language...there are many new terms to remember and new definitions tied to terms you thought you already knew.

Trying to remember these or any other facts, can be difficult. Mindtools offers some tips on how to remember things. If you find that you can't remember material you've read, can't remember people's names, or can't remember computer geek terminology, try some of the tips they offer.



Know your target and what is beyond

There is an interesting story about a man who was mistaken for a large rodent and shot! Apparently, John Cheesman was snorkeling when someone saw him and mistook him for a large rodent, the Nutria. The guy, William Roderick, allegedly shot Cheesman in the head. Mr. Cheesman is apparently doing well and had the bullet fragments removed. Mr. Roderick is being charged with assault, being a felon in possession of a firearm, possession of methamphetamine and marijuana.

The take home message for the Astute Reader?

"Know your target and what is beyond" - This is a critical concept to understand, in all aspects of life, not just firearm safety. If you don't have a clear plan, when you enter into a venture, you are often doomed to failure...

This includes:

  • information security
  • personal goals
  • shopping trips
  • school and work assignments
  • career plans
  • finances
  • raising kids
If you don't have a good plan, then spend the time to make one...Franklin Covey's Mission Statement Builder might be a good place to start.



Hacked in 39 seconds...

Just a quick point of reference regarding how prevalent probes and scans are on the Internet.

When you connect to the Internet, your computer is almost immediately being scanned by the bad guys. The researchers in this article found that their test computers were assaulted 2,244 times in 24 hours, or an average of every 39 seconds.

What does the astute reader do to keep themselves safe? Keep your defenses up - anti-virus, firewalls, etc.



Denial of Service Attacks on Internet Servers...

The Domain Name Servers that support the Internet were subjected to a major Denial-of-Service (DoS) attack, earlier this week. Domain Name Servers translate domain names (such as www.google.com) into IP addresses that computers can recognize. The servers were flooded with bogus traffic that was intended to prevent legitimate traffic from reaching the servers, thus denying legitimate users from accessing the services they desire.

In this case, the attack was not overly successful, partly due to the redundancies in place to protect the servers. The graph shows "dropped queries" or traffic that did not make it to the 13 servers that form the backbone of the Internet. Red means >90% of traffic was dropped to a particular server. In this attack, only two of the servers were significantly interrupted.

This is not the first time such an attack has been attempted. For more information on DoS, take a look at my presentation (pdf) on a similar attack that occurred in 2002.

The graph comes from RIPE.



Dolphin Stadium web site hacked...

There is an article in ZDNet about an exploit on the website for Dolphin Stadium.

Apparently, the web server was hacked and the bad guys changed the web page to include a single line of code. That one line of code directs your computer to visit the bad guy's web site, in the background, where it then downloads a piece of malicious software, including a Trojan keystroke logger and a backdoor.

  • The keystroke logger records every keystroke you make (including your passwords and user IDs).
  • The backdoor grants the bad guy full access to your computer.
Further investigation of this issue has shown that other websites related to the Super Bowl were also infected and...hundreds of unrelated websites have also been infected...including the U.S. government's Center for Disease Control's website.

Yet another classic illustration of why it is so important to keep your systems patched and protected with up-to-date anti-virus files, etc. It doesn't take a visit to a shady web site to catch a nasty computer disease.



Using voice commands to take over your computer

Depending on who you ask, it might be an "exploit"...it might not. Speech recognition, that is.

It seems that computers with speech recognition capabilities are susceptible to accepting spoken commands. This has apparently been confirmed by Microsoft in relation to their new operating system, Vista.

Vista will accept spoken commands and execute them. What this means is that a webpage, such as MySpace, or a malicious computer program could play sounds that will interact with the speech recognition program and initiate malicious activity on your computer, such as file deletions, etc.

Such a sound wave file would slip right by anti-virus software.

To be sure, there are a number of issues that need to be worked out...not the least of which is getting the commands to play when you are not at your computer to stop the process. But do not worry...it will not be long, before the bad guys figure out a way to do so...

One example...taken from the MySpace model...would be to play a typical wave file that has music for the first few minutes and then silence for 40 or 50 minutes, at which time the audio commands would begin to play.

Guess this could mean the end of the "open mike."

Another link related to this topic.



Wikipedia and Information Security

Interesting discussion on Slashdot about the online phenomenon Wikipedia. For those who don't know yet, Wikipedia is an online encyclopedia that allows anyone, even you...the Astute Reader...to edit their content.

Many students rely heavily on Wikipedia to pad their research papers until they reach the minimum number of pages. The question becomes: should an encyclopedia (Wikipedia, Britannica, etc.) be used as a cited source in a research paper?

I weigh in with my thoughts on the matter in Slashdot's comments section.

So...what does this have to do with information security? Well...despite the fact that Wikipedia may not be reliable enough to serve as a major source in a graded paper, it is still a remarkable and generally reliable resource for research on any subject you can imagine.

Personally, I often turn to it to get a general overview on many topics, including infosec. Once I have a baseline on a topic, it is often easy to research certain topics in greater depth from primary sources...

Knowledge is one of our greatest defenses against insecurity - familiarize yourself with the sources of data that are available to you - Wikipedia being one of them. See also my article about vulnerabilities and sources of info on them.




What threats are out there?

As you begin to explore information security, you will quickly find that there are more problems than you can possibly keep track of. Luckily, others are diligently engaged in tracking these things for you.

The web-sites listed below all contain details about vulnerabilities or security flaws in popular software and operating systems. It should be noted:

  • Some are more detailed than others.
  • Some have duplicate information.
  • Some have clean user interfaces.
  • Some have more detail, more info or more reliability in terms of particular vulnerabilities, however, no one source will have all the info you might want or expect.
  • Pretty much all of them allow cross-referencing via the use of standardized vulnerability names as defined by the Common Vulnerabilities and Exposures website.
Take a look at some of the problems that are out there and take a look at how some of the web-sites cover the same vulnerability.

Happy hunting.

X-Force Database (IBM Internet Security Systems)
National Vulnerability Database (National Institute of Standards and Technology)
SecurityFocus: Vulnerabilities
OSVDB (Open Source Vulnerability Database)
Vulnerability Notes Database (US-Computer Emergency Readiness Team)
Common Vulnerabilities and Exposures



Hash SHA-1 compromised...

This isn't really new news, but the hash SHA-1 (Secure Hash Algorithm-1) has been significantly compromised! So...what does that mean to you?

A hash is a string of characters that "represents" the contents of a message or file and is intended to represent those contents uniquely. Hashes are expected to have two important properties:

  • If I have a hash value, I can't recreate the message or file in a reasonable amount of time
  • I should not be able to find two different files that create the same hash value
For example, take the word "HASH", and give the letters the following values: H = 1.1, A = 3.1 and S = 4.1.

I can use a special formula to create a value that represents the word "HASH".

For example, my (totally fictitious) formula might be:
  • sum of the (locations X values)
Where I multiply a number that stands for the location of the letter within the word by the value of the letter and then take the sum of the results.
  • the first H is the first letter and has a value of 1.1 => 1 X 1.1 = 1.1
  • A is the second letter and has a value of 3.1 => 2 X 3.1 = 6.2
  • S is the third letter and has a value of 4.1 => 3 X 4.1 = 12.3
  • the last H is the fourth letter and has a value of 1.1 => 4 X 1.1 = 4.4
Adding all of these up gives me 24.0.

The letters SAHH would give me a value of
  • the first S is the first letter and has a value of 4.1 => 1 X 4.1 = 4.1
  • A is the second letter and has a value of 3.1 => 2 X 3.1 = 6.2
  • H is the third letter and has a value of 1.1 => 3 X 1.1 = 3.3
  • the last H is the fourth letter and has a value of 1.1 => 4 X 1.1 = 4.4
Adding all of these gives me...18.0, even though the letters in the word are the same...thus we can calculate the hash value and prove that the words are different.

Why is this important? A workable hashing algorithm can help prove that something has not changed since it was created. For example:
  • You send a contract to a client and they alter it slightly...something subtle that you wouldn't notice right away...compare the hash value of the two files and you can prove they altered it.
  • Many popular files are hosted on multiple sites (called mirrors), but those sites may not be controlled by the author of the file. Once you download the file, you can take the hash value and compare it to the hash value posted by the author - if they don't match, you can tell you have a file that was corrupted during the download or worse yet, has been tampered with by the bad guys.
  • Monitoring software on your computer can use hashes to tell that a virus or trojan has altered your files or programs, by periodically checking your current files against baseline values it keeps in a database. Any change to your program results in a different hash and your monitoring software can alert you to the change.
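The toy formula above and the three uses just listed, worked through in Python. This is an added example, not code from the original post: the letter values are the post's constructed ones (H = 1.1, A = 3.1, S = 4.1), the "downloaded file" and "baseline" contents are constructed sample bytes, and SHA-256 is used instead of SHA-1 for the real hashes because of the SHA-1 concern the post goes on to describe. The second function also checks the post's requirement that two different inputs should not produce the same value, and shows that the toy position-weighted sum does not meet it.

```python
import hashlib
import hmac
from itertools import permutations

# Letter values from the post's toy example (constructed, not a real hash).
LETTER_VALUES = {"H": 1.1, "A": 3.1, "S": 4.1}


def toy_hash(word: str) -> float:
    """The post's formula: sum of (location x value), locations counted from 1."""
    total = 0.0
    for position, letter in enumerate(word, start=1):
        total += position * LETTER_VALUES[letter]
    return round(total, 1)  # round away floating-point noise such as 24.000000000000004


def find_toy_collisions(word: str) -> dict:
    """Group every rearrangement of `word` by its toy hash; return the groups
    with more than one member. A real hash should make this impossible to do."""
    groups = {}
    for letters in set(permutations(word)):
        candidate = "".join(letters)
        groups.setdefault(toy_hash(candidate), []).append(candidate)
    return {value: sorted(words) for value, words in groups.items() if len(words) > 1}


def sha256_hex(data: bytes) -> str:
    """A real cryptographic hash of file contents, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Mirror check from the post: compare the hash of what you downloaded with
    the value the author published. compare_digest avoids timing side channels."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def changed_files(baseline: dict, current_contents: dict) -> list:
    """Monitoring check from the post: given a baseline of path -> hash and the
    files as they are now, return the paths whose hash no longer matches."""
    return sorted(path for path, data in current_contents.items()
                  if sha256_hex(data) != baseline.get(path))


# Constructed sample data standing in for an author's file and a mirror's copy.
ORIGINAL = b"installer v1.0 contents (constructed sample)"
PUBLISHED_DIGEST = sha256_hex(ORIGINAL)          # what the author would post
TAMPERED = ORIGINAL.replace(b"v1.0", b"v1.O")    # one-byte change on a bad mirror

# Constructed baseline for the monitoring example.
BASELINE_FILES = {"notepad.exe": b"clean program bytes", "calc.exe": b"more clean bytes"}
BASELINE = {path: sha256_hex(data) for path, data in BASELINE_FILES.items()}
CURRENT_FILES = dict(BASELINE_FILES, **{"calc.exe": b"more clean bytes + trojan"})

if __name__ == "__main__":
    print("HASH ->", toy_hash("HASH"), " SAHH ->", toy_hash("SAHH"))
    print("toy collisions:", find_toy_collisions("HASH"))
    print("mirror copy ok:", verify_download(ORIGINAL, PUBLISHED_DIGEST))
    print("tampered copy ok:", verify_download(TAMPERED, PUBLISHED_DIGEST))
    print("changed since baseline:", changed_files(BASELINE, CURRENT_FILES))
```

Running it shows HASH at 24.0 and SAHH at 18.0 as in the post, but also that AHSH and SHHA both hash to 22.0 under the toy formula, which is exactly the property a real hash has to rule out. The tampered mirror copy fails verification and the altered calc.exe is reported by the baseline check.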
Now that SHA-1 has been compromised, there is the threat (albeit, very remote) that someone can create two different files that have the same value. The computing power and time necessary to do this are outside the realm of normal folks, so no need to panic yet. The folks at the National Institute of Standards and Technology (NIST) are working on creating a new hashing algorithm and should have one in about 3 years.

The take home message:
  • don't panic yet
  • look for hash values when you download files (especially from mirror sites)
  • compare the hash value of the file to the author's hash value
  • keep your eyes out for future versions of hash algorithms
For more info on hashes, see these articles/sites:
  1. Software to calculate hashes: HashCalc
  2. Example of a site that lists hash values of their software (the SHA-1 values are listed before each of the "filenames" that end in .iso)
  3. More details on hashes by Bruce Schneier
  4. NIST's write-up on SHA-1


Your computer, the Zombie

Even with sophisticated information security software installed, you can be at risk. Symantec, the computer security company, has several pieces of software that are vulnerable to variations of malicious code called "Spybot". Spybot opens a back door into your computer system and phones home to its owner so that the owner can take control of your computer. When your computer gets taken over, it is called a zombie and mindlessly does whatever the attacker wants. Spybot affects older versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. These are both used primarily in businesses. Spybot does not affect the Norton line of home computer security products.

A patch for this problem has been available for months.

What should the Astute Reader conclude from this? Even the professionals don't always get it right...and thus we need to rely on multiple means of defense:

  • antivirus software to find most of the viruses
  • firewall software to catch suspicious activity such as "phoning home"
  • anti-spam software to keep some virus infected email off your system, in the first place
  • anti-spyware software to pick up what the others might have missed

This principle of having a multilayer defense is called "defense-in-depth". It is similar to safety systems in your car: bumpers, crush zones, airbags, and seat belts all work together to absorb energy from a crash and minimize or prevent injury. Make sure YOU have all your protective gear in place.

For more details, see this article.




Phishing. No pole required.

Phishing is a crime perpetrated on the unsuspecting computer user to gather private information. Phishing uses technical means such as e-mail, instant messaging (IM) or phone calls to request information such as passwords or login names. Phishing has been around for years, but is becoming more prevalent. Early attempts at phishing were used to steal access to people's online computer accounts (e.g. web-based email), which were then used to send spam or send out copies of pirated software.

Modern phishing often focuses on more direct means to financial gain...namely getting access to your bank, credit card or other financial accounts (e.g. PayPal, eBay).

Victims of phishing will receive a message from the attacker that asks for specific personal or private information. For example:

  • Mr. Smith, due to problems with your PayPal account, we need to validate your username and password.
  • Ms. Wilson, we are upgrading our servers and need all account holders to provide additional important account information, such as date of birth and address.
Some of these messages can look extremely realistic, with authentic-looking logos, etc. Many will include dire threats, like the PayPal example to the right. The message will often provide a website to visit where the victim can input their data. Close examination of the website address (URL) will show that the website is not the real one. For example:
www.usabank.login.com might fool some people into believing they were really going to a login site associated with www.usabank.com.
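The URL check described above, as an added example that is not part of the original post. The bank name usabank.com is the post's made-up example; the other hostnames are constructed for illustration. The check is a simplified heuristic: it takes the last two labels of the hostname as the "registered domain" (real code should consult the Public Suffix List so that names like example.co.uk are handled), and it flags links whose registered domain differs from the real site's, links that merely embed the real name as a subdomain or in the part before an @, and links that use a bare IP address.

```python
from urllib.parse import urlsplit


def registered_domain(host: str) -> str:
    """Simplified: the last two labels of a hostname (assumption: no Public
    Suffix List lookup, so multi-part suffixes like co.uk are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_phish(link: str, real_site: str) -> tuple:
    """Return (suspicious, reason) for a link claiming to belong to real_site."""
    # urlsplit only parses a hostname when a scheme is present.
    if "://" not in link:
        link = "http://" + link
    host = (urlsplit(link).hostname or "").lower()
    if not host:
        return True, "no hostname could be parsed"

    expected = registered_domain(real_site)
    brand = expected.split(".")[0]            # e.g. "usabank"

    if host.replace(".", "").isdigit():
        return True, "link goes to a bare IP address, not a named site"
    if registered_domain(host) == expected:
        return False, "link stays inside " + expected
    if brand in host.split("."):
        return True, "'%s' is only a subdomain of %s" % (brand, registered_domain(host))
    if "@" in urlsplit(link).netloc:
        return True, "text before '@' is ignored; real destination is " + host
    return True, "link goes to " + registered_domain(host) + ", not " + expected


# Constructed links a phishing message might carry, checked against the post's
# fictitious bank site.
REAL_SITE = "www.usabank.com"
SAMPLE_LINKS = [
    "www.usabank.login.com",                      # the post's example
    "https://login.usabank.com/",                 # genuine subdomain of the bank
    "http://usabank.com.evil-example.net/verify", # brand name as a subdomain
    "http://www.usabank.com@evil-example.net/",   # '@' trick hides the real host
    "http://192.0.2.10/usabank",                  # bare IP address
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        suspicious, reason = looks_like_phish(link, REAL_SITE)
        print("SUSPECT" if suspicious else "ok     ", link, "-", reason)
```

Only the genuine login.usabank.com link passes; the post's www.usabank.login.com example is flagged because its registered domain is login.com. The heuristic complements, rather than replaces, the browser blocklists described further down.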


Your Brain: Your best defense against phishing is to be constantly on guard. Companies have no need to ask you for your username or your password to revalidate your account, etc. If anyone asks you to provide additional information about yourself or account, after you have set up the account originally, then immediately contact the company directly using one of the following methods:
  • Use your browser and type in the real URL for the company you are dealing with and verify on their website whether they are changing their data gathering requirements (guaranteed...if they need more info from you, it will be listed on their homepage).
  • Find the phone number for the company (e.g. the number on the back of your credit card or on the company's true website) and give them a quick call.
Anti-phishing Technology: Other defenses include technologies that are being included with modern browsers such as Firefox 2 and Internet Explorer 7. As part of its anti-phishing technology, Firefox uses a list of known phishing sites. When you attempt to visit such a site, Firefox will notify you that the site is bogus. Firefox has a test site set up to allow you to see how their system works: http://www.mozilla.com/firefox/its-a-trap.html

As soon as you visit the site, Firefox will produce a warning notice that allows you to leave the site immediately or to ignore the warning. See example below.

Anti-spam Filters: Additionally, anti-spam filters for your email will help to keep most spam-based phishing messages out of your inbox in the first place.

Good luck and safe surfing.


Why ōKAMi?

Some of you may be asking...what does ōKAMi mean...

ōkami comes from Japanese and means wolf. My Japanese friends chose this symbol to represent my name. Japanese symbols often come with multiple pronunciations. For example, the symbol for wolf has several pronunciations.

  • ōkami
  • rō
rō is how my Japanese friends pronounced my last name of Lowe. Thus when they went looking for a meaningful symbol to represent my name, they chose Wolf.

The image to the right is one way of drawing the symbol for wolf:



User Accounts at home and BIOS vs Windows logon

Many of my Astute Readers are familiar with the Windows logon process from their work computers. Some of you may not use a logon for your home computers. In addition, you may not know that there is an additional logon step, a BIOS password, that you can use to slightly increase your level of protection (keyword: slightly).

Windows passwords and User Accounts

Why would you use a Windows password and separate User Accounts at home? Several reasons:
  • keep the kids from accessing, modifying or accidentally erasing your personal files.
  • keep out some of the less determined bad guys
  • keep out prying visitors (like the babysitter)
Windows allows you to set up user accounts on your computer. The user accounts come in several flavors: Administrator Accounts and Limited Accounts with certain restrictions. Administrators have the ability to install programs, delete files, modify files, etc. Limited Accounts with restrictions have significantly lower capabilities: they may not be able to read certain files or folders that you identify; they may not be able to delete files; they may not be able to install programs; etc. If you are logged in as an administrator, when a virus or trojan or the kids take control of your computer, the virus, trojan or little Billy can cause much greater damage.

Bottom line: for your everyday use (surfing the web, writing letters, playing music or games), you should have a Limited Account. For those rare times when you need more power (e.g. you need to install some software), you should use an Administrator Account. Both of these accounts should have strong passwords.
To set up User Accounts on your computer, try this Microsoft website.

BIOS passwords

The BIOS password is useful for providing a basic level of protection that can prevent passersby from using a CD or USB token to boot your computer and circumvent the Windows logon process. This can provide you with some protection when you travel with your laptop and find yourself in situations where you leave your laptop unattended for short periods (at conferences, for example).

It should be noted that this will not keep out a determined cracker, and is not a secure line of defense. TechRepublic and SearchWindowsSecurity have articles that explain multiple ways to get past BIOS passwords.




Firewalls: the big picture

In fire protection, a firewall is a solid, fire-resistant barrier that keeps a fire burning on one side of the wall from reaching valuable material on the other side. In computing, a firewall serves a similar purpose: it keeps the bad guys separated from your valuable data. Firewalls come in two flavors: software (computer programs) or hardware (equipment or stand-alone boxes). There are benefits and disadvantages to both:

Software Firewalls:

  • Generally installed directly on your computer
  • Goes everywhere your computer goes (important if you use a laptop)
  • Often fairly inexpensive and/or free
  • Uses your computer's processor to do its work, which can sometimes bog down your computer slightly (modern computers should not be tremendously affected)
Hardware Firewalls:
  • Installed physically on the cable or network that connects you to the Internet
  • Generally NOT portable (important if you use a laptop)
  • Does not use any of your computer's processing power to do its job
  • Can be more expensive and takes up space on your desk
What do firewalls do:

Firewalls help separate two worlds: the world of the bad guys and your world. Firewalls work on traffic traveling in both directions: they keep attacks out (inbound filtering) and keep your private info in (outbound filtering).
  • Inbound filtering:
    • Probes and scans: bad guys often try to probe or scan your computer and your network to see what programs you have, what operating system you run, what ports you have open and what files or other information you have. With this info, they can decide which attacks would be most effective.
    • Flooding and Denial-of-Service: bad guys may try to prevent legitimate people from reaching your computer or network, by flooding your computer with traffic.
    • Bad or malformed traffic: some messages sent to your computer can actually cause your computer to lock up or crash, because it does not understand the message and gets "confused".
    • Storage: Some bad guys don't want anything off your computer, but they may want to put something on it. The bad guys will sometimes store pirated software or child porn images on other people's computers, so keeping the bad guys off your machine is critical.

  • Outbound filtering:
    • Phone home: Just like E.T. wanted to "phone home", sometimes you will get infected by viruses or other junk from the bad guys. Often, these programs will want to phone home to get more instructions, to send your private info to the bad guys or to open up gateways so that more powerful programs can be installed secretly on your computer.
If you don't have a firewall installed, get one. Some options include firewalls from Norton, McAfee, Comodo, Sunbelt/Kerio, ZoneAlarm, etc. Most are available for download off the Internet. Some are free. Some will cost you.
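How the inbound and outbound filtering described above plays out on real traffic, as an added example that is not code from the post or from any of the firewall products it names. It models a tiny first-match rule set with a default of "deny" in both directions, then runs two detections over a constructed connection log: an inbound source touching many different ports (the "probes and scans" case) and an outbound connection the policy would not have allowed (the "phone home" case). The rule set, addresses and ports are all assumptions chosen for illustration; the addresses come from the documentation ranges so they match no real host.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One connection attempt as a simple firewall would log it."""
    direction: str   # "in" (toward your computer) or "out" (from your computer)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    proto: str       # "tcp" or "udp"


# Hypothetical home policy: (direction, proto, dport or None for any, action).
# First matching rule wins; anything unmatched is denied in both directions.
RULES = [
    ("in",  "tcp", 22,   "allow"),   # assumption: you run an SSH server on purpose
    ("out", "tcp", 80,   "allow"),   # web browsing
    ("out", "tcp", 443,  "allow"),   # secure web browsing
    ("out", "udp", 53,   "allow"),   # DNS lookups
]


def decide(conn: Conn, rules=RULES) -> str:
    """Apply the rule set to one connection: 'allow' or 'deny'."""
    for direction, proto, port, action in rules:
        if (direction == conn.direction and proto == conn.proto
                and (port is None or port == conn.dport)):
            return action
    return "deny"


def detect_probes(conns, threshold: int = 5) -> list:
    """Inbound filtering: a source that knocks on `threshold` or more distinct
    ports is probing to see what you have open. Returns those sources."""
    ports_seen = defaultdict(set)
    for c in conns:
        if c.direction == "in":
            ports_seen[c.src].add(c.dport)
    return sorted(src for src, ports in ports_seen.items() if len(ports) >= threshold)


def detect_phone_home(conns, rules=RULES) -> list:
    """Outbound filtering: connections leaving your computer that the policy
    denies. A program you did not expect talking out is the 'phone home' case."""
    return [c for c in conns if c.direction == "out" and decide(c, rules) == "deny"]


# Constructed sample log. 10.0.0.5 is "your computer"; the other addresses are
# from the RFC 5737 documentation ranges and belong to nobody.
SAMPLE_LOG = [
    Conn("in",  "203.0.113.5",  "10.0.0.5",     22,   "tcp"),  # legitimate SSH login
    Conn("in",  "198.51.100.7", "10.0.0.5",     21,   "tcp"),  # scanner walks ports...
    Conn("in",  "198.51.100.7", "10.0.0.5",     22,   "tcp"),
    Conn("in",  "198.51.100.7", "10.0.0.5",     23,   "tcp"),
    Conn("in",  "198.51.100.7", "10.0.0.5",     25,   "tcp"),
    Conn("in",  "198.51.100.7", "10.0.0.5",     80,   "tcp"),
    Conn("in",  "198.51.100.7", "10.0.0.5",     443,  "tcp"),
    Conn("out", "10.0.0.5",     "203.0.113.20", 443,  "tcp"),  # normal browsing
    Conn("out", "10.0.0.5",     "203.0.113.53", 53,   "udp"),  # normal DNS
    Conn("out", "10.0.0.5",     "198.51.100.9", 6667, "tcp"),  # unexpected outbound
]

if __name__ == "__main__":
    for c in SAMPLE_LOG:
        print(decide(c), c.direction, c.src, "->", c.dst, c.dport, c.proto)
    print("probing sources:", detect_probes(SAMPLE_LOG))
    print("phone-home candidates:", [(c.dst, c.dport) for c in detect_phone_home(SAMPLE_LOG)])
```

With this policy the scanner at 198.51.100.7 gets through only on port 22 (the one inbound hole opened deliberately) and is reported as a probing source; the outbound connection to port 6667 is blocked and surfaces as a phone-home candidate, which is the alert a firewall raises when an infected program tries to reach its owner.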



Security changes coming to your bank!

Banks will be instituting a variety of new identification and authorization methods in 2007. This article by Sherry Slater covers many of the ways and means that banks will be beefing up their security, apparently in response to guidelines issued by the Federal Financial Institutions Examination Council. Some of the methods of choice include:

  • Pictures and phrases chosen by the user and displayed when they login - to prevent phishing attacks
  • Identifying the user's computer(s) based on unique identifiers - to prove the user's identity
  • Use of an expanded selection of questions - to prove the user's identity
  • Use of transaction tracking software - to red flag suspicious activity
  • One-time passwords - to authorize especially large
The second to last paragraph was probably the most pertinent:
"No amount of security and software on the bank’s part can make up for carelessness on customers’ parts, however."