Kirt Cathey, NH2GX, JG1FXZ
Security and Electronics from Japan
Facebook As Biggest Security Threat
Posted on February 3rd, 2010
Yes, I know… ‘Another Network World article’, you say. Yes, because lately they have been hitting trends fairly accurately…. read on!
This article outlines a Sophos survey of businesses that ranks Facebook as the biggest threat (at 60% of those surveyed) simply because it has become the biggest social network, followed by MySpace (at 18%), then Twitter (at 17%). Well, I tend to agree with that reasoning, but think the threat is somewhat limited on a couple of levels. In more secure environments in the financial industry, we have seen much broader implementation of Websense, which keeps employees out of such sites through filtering or outright implementation of white lists that completely block access to such sites. So the 60% of businesses out there are probably not dialed into the fact that a network appliance or a proper proxy server implementation ‘almost completely’ eliminates this threat – which is scarier. Okay, okay, I won’t get into how most CIOs are warmed-over MBAs and aloof.
The next point of the article points out the new security setup within Facebook, which suggests that users are more likely to share more information because it is more secure as a web application. Yes and no. Yes, because I can see Joe Le End-User migrating to Facebook, using default settings, and boasting about the move to a more secure social web site. But no, because I think that Facebook, and the Facebook community in general, did a good job of communicating the security and privacy changes.
Not that the paper-pushers are going to disappear, as we’ll always need policies and guidelines, but the future of security will be strongly based on three fundamental skills – the ability to monitor and analyze the health of your environment (log analysis, metrics, and overall analytics), the ability to prevent bad configuration and code implementation (configuration management and code review), and the ability to train and keep end-users informed. The last point I credit Facebook with during the last software security change.
The ability of IT and development organizations to pursue proper code review and configuration management is almost depressing every time I review this facet. I cannot count how many times I have seen a sign-off on a code release, knowing full well that the person signing knows nothing about the program, the code, much less the overall potential impact on the systems.
Suck Your Guts In – Full Body Scanner Coming To An Airport Near You!
Posted on January 31st, 2010
Well, from looking at the news and some of the evaluation discussions coming through here in Japan, it appears that at least Japan and the US will be implementing body scanners for boarding processing in the next year. Bruce Schneier touches on this subject a couple times throughout his blog, but in Japan’s case, I have some very reliable insight into some of the considerations by local officials. Of course, the Japanese throw the latest, greatest technical solution at something as a CYA move all the time. Nobody wants to be responsible for a bad decision, so little thought goes into the big picture if it will keep an airplane from getting blown to pieces. This article shows that the US may be leaning in that direction more. Now, the only two gaping holes in airport security are DHS thugs manning the gates and cargo.
Any comments welcome!!
IT Auditors and Logging Systems
Posted on January 28th, 2010
I’ve tackled this subject a couple of times in recent posts in a cursory manner, but feel that it is probably time to elaborate on the subject. An IT auditor’s challenge out in the field is not getting any less complex. Systems are evolving to become seamless, integrated cloud services to the end-user, while the internals of such systems are integrated in a complex computing architecture. The risks associated with this complexity are amplified when the professionals that are checking the integrity of these systems do not understand the technology, have no practical administration or configuration experience, and do not have the necessary knowledge to understand how these systems interact. Even if only at the lowest, most basic level, knowing where to look and how to analyze the data related to system interactions is probably the most important skill for an IT or security auditor.
Let’s explain this importance using an analogy that many of us can relate to – the financial auditor or accountant. An accountant studies two years of double-entry accounting. The first year is basic required knowledge related to generally accepted accounting principles (GAAP), and the second year is accounting related to public entities, sometimes termed budget accounting, and beginning finance. The third-year accounting student then moves into more exotic accounting principles related to tax, studies audit principles and other important subjects.
After this accounting student finishes studying, graduates, and moves on to prepare for, or passes, the CPA examination, he/she assumes employment at an accounting firm, achieves the necessary experience and becomes a Chartered Accountant or a Certified Public Accountant. Then, after two or more years of auditing while employed with an accounting firm, most accountants lose touch with the details of double-entry accounting. They know how to check transactions for correctness quite effectively, but if you hand them a cancelled check and ask them which account gets debited and which account gets credited, most have to think hard before they answer. An uncertified bookkeeper sitting in the accounting office at a company can usually answer that question quicker and more accurately.

Back to the subject….. just like an accountant, in order to audit systems, an IT auditor needs the necessary knowledge foundation to be able to check, at a low level, system interactions and how those interactions are logged. With enterprise GRC and products that check high-level system controls on a real-time basis, the IT auditor’s role of checking such controls will fade. Furthermore, fewer clients are willing to pay for paper IT auditors that walk in and only review paperwork related to systems management. The future of the IT auditor is an individual that can provide services that demonstrate a technical foundation.
One example is the growing subject of security metrics, which covers how we holistically measure the security of our environments. An IT auditor that does not understand system interaction, log review, and in some cases, code review, will never be able to successfully deliver such services NOR evaluate such systems. Another example is the real-time reporting systems that are currently implemented around products such as ArcSight. If you do not know the logging systems and system interaction in that case, it would be impossible to analyze the proper setup of such systems. The future of audit is leaning more toward a low-level systems technician with strong statistical math skills.
I discuss the future of our profession (both IT audit and security) on these terms and many Big Four partners laugh… a scary reaction that confirms the degree to which some who are ‘leading’ our profession are out of touch.
Takashimaya Department Stores Going LED
Posted on January 20th, 2010
The Nikkei headline this morning, as I read it on the page facing me in the train, says that Takashimaya Department Stores in Japan has announced that they will replace major location lighting with LED. The target is to replace and install some 150,000 units by 2012, reducing electricity costs to one-fifth of current expenditure. This will include locations in Tokyo and Osaka, a total of 18 locations nationwide. The Japanese article I looked up on the web is here. There is also an English headline here, but that just links to the Nikkei pay-to-read site.
Smart Google? Dumb Google?
Posted on January 18th, 2010
I was in the office yesterday and in passing conversation Google’s recent actions became the subject of conversation. “Dumb move”, came from across the table, which made me think a bit. Since I had heard the news last week, I was thinking nothing but smart move, so this came as a surprise and caused me to think about it for a while, hence, this blog posting.
DUMB
The first dumb point that comes from this is that Google just shot themselves in the foot in the largest internet population in the world. The recent news profiles China as the largest internet ‘market’, but I think differently. While the user population may be there, it is by far not the largest spending market, so let’s start calling it the most populous internet market. Now that we put this into perspective, Google may have made a dumb move in this large market, but probably does not see the revenue return per user that it realizes in other markets.
The other argument for dumb was that Google’s continued survival in the market would be very difficult if it did decide to stay in China. Now that Google has made the pull-out threat, their market share would fall even more because current and future potential advertisers do not know if they will stay in the market. This impact would only be temporary, and Google has the coffers to stand the test of time if they decide to continue playing in the market.
The last dumb argument is that when Google set up in China four years ago, they upset many groups around the globe by abiding by Chinese censorship regulations. Since that whole debate and the effects of all that backlash have receded, why make this move and go through another lashing again?
SMART
This is where I lean a bit more for a couple reasons that are personal in nature – humanity, human rights, and security. While the smart arguments are fewer, I think they are stronger. They draw the line and stand up for what is right.
One smart argument is the opposite of the last dumb argument – stop the censorship and let the Chinese people live free of oppression and carry the right to freedom of press and freedom of speech. Let the Chinese people decide what views they want to hear and what political stances they want to assume.
This is related to the next smart argument, which is the artist underground in China. Artists in China have so much talent that is oppressed by the communist state. If the Chinese people were allowed to express their views openly, and engage in open debate, a renaissance would evolve in art, technology, and society. This is what I would look forward to in a free, open China.
The last smart argument is that of security, which is the very reason why I take the liberty to publish this blog posting. If, in fact, the hack that penetrated Google’s systems was state-sponsored, then this is a very good place for a multi-national company to draw the line. THIS IS WHERE THE UNITED STATES SHOULD HAVE DRAWN THE LINE TWO YEARS AGO!! China’s cyber military capability is far beyond the US from an offensive perspective, and I think it is time to test their defensive capabilities. Not to start a cold war or anything, but when we discover state-sponsored snooping on our networks, we should retaliate in the same under-handed manner. Yes, Mom’s voice goes off in the back of my head: “Two wrongs don’t make a right!” Well, that is true, but “sitting ducks get blown away” is the appropriate answer when it comes to attacks.
The code for the Google hack was immediately made public and a Metasploit exploit has also been produced. Two days ago I went through the code and it appears to be rather unsophisticated; pretty much like what would be required in phishing. Send some starter code and get the user to visit a web site that will complete the exploit. So this means a Google employee reacted to an email that got them hacked? Back to the security education argument….
If you have any comments, or smart/dumb argument suggestions that I may have missed, post something.
On, on…. 73s.
Helicopter Project – Eye In The Sky
Posted on January 17th, 2010
This posting has nothing to do with security, but everything to do with electronics and building devices. If you’re looking for a fun personal project, read on! Helicopter flying skills required.
A couple weeks ago, a friend called and said he was driving into Akihabara, Tokyo, and asked if I wanted to join for the ride. Akihabara is known as the ‘electric town’ within the Tokyo metropolis. In Aki (as we call it, short for Akihabara) you can find everything from good deals on normal consumer electronics to PIC microcontrollers, components, and anything else, including toy guns, dolls, and English maid-garbed girls hailing customers. Will try and include some Aki video some time. Smugwimp, my friend, said he wanted to go to a remote control model store to find something to build a camera stabilizer thing-a-majig, but once he said that, I thought about how long I have wanted to get into RC models. Since I was a kid, I’ve wanted to fly RC airplanes and helicopters – especially helicopters. We took a trip to Aki and both of us purchased a tiny indoor helicopter for practice.
Of course, I promptly destroyed my helicopter, smashing it into walls, television, doors, children, myself, so that $90 investment is parked on top of the bread machine awaiting new parts. So I went into Akihabara a few days later and visited Futaba for a look, and picked up another, bigger version.
Well, as the story goes, another week later, I found this even bigger RC super store. I visited this store and just had to get the big one. I had to have one of those nice alloy, carbon fiber, tough, fast, shiny 400 or 500 series helicopters. After about 15 minutes of wandering around and looking for parts for the two other choppers that were crashed, I picked up the box for an Align 450, went to the counter and asked for a beefy battery, speed controller, charger, connectors, and servos. On top of the $450 for the kit, the additional accessories and necessary parts totaled another $200. I thought about it, then proceeded to put everything back, which obviously upset the store clerk. Whatever.

I got on the train, came back home, then noticed this RC forum where they talk about many, many Chinese knock-offs sold out of Hong Kong by an online store called Hobby King. They sell the 500 version of the model I almost purchased above for a mere $67. Of course, there is a price to pay in more building, greater inspection and quality control before flight, and greater attention to detail inspecting bearings. Well on my online journey, I found this forum thread that covers all the shortcomings of the knock-off version and clearly tells you what else to upgrade and purchase while building in order to produce a good stock version of the model.

So far, here is what I’ve put together and should be flying by next weekend….

The next step is to mount a GoPro camera on the front nose.

73s….
Too Many Generalists – Internal Auditor Magazine Example
Posted on January 13th, 2010
Forewarning – this is yet another rant. The views expressed herein are personal and do not reflect any viewpoint of my current employer. But I do feel bad because we have an advertisement right on the facing page of the article that I point out in this posting…. In my seven years as a member of the IIA and a Certified Internal Auditor, the IIA has not once responded to inquiry emails nor answered their phone when I have a question, so I don’t feel so bad about what I am about to point out.
A couple days ago I decided it was time to clean up the stack of Internal Auditor, ISACA, ISSA, QST, Nuts-n-Volts and other magazines that have accumulated, so I packed them all in my briefcase. The motivation then becomes one of lightening my load, so I read them and stack them at the office – a good unload location. While in the train the other day I pulled out December’s issue of Internal Auditor and read through the table of contents. This is the way that I read magazines, hardly ever reading cover-to-cover, but picking out topics of interest and going on to the next publication.
With all the buzz about cloud computing and virtualization, one article that caught my interest was titled “The New Age of Virtualization” on page 25. I excitedly turned to the article, read through the introductory lines on the basics, then came to the section titled ‘Auditing Virtual Machines’, where there were eight sub-sections: security, segregation of duties, change management, configuration management, data integrity, disaster recovery, training.
Not one of these sub-sections points out in detail the uniqueness of these audit areas as it pertains to virtual environments. Even the security and segregation of duties sections do not point out that virtual disk systems shared between virtual systems should be evaluated. Change management applies to all systems – virtual or not, and same for configuration management. In data integrity, however, the authors finally point out the issues of cross-partition access in a single sentence; which is a subject deserving much more attention. Then disaster recovery and training …. ditto – same for all systems.
Of course, what should I expect from a magazine like Internal Auditor? The title alone makes us yawn. However, many internal auditors do perform IT audits, and many of those audits are increasingly on virtual systems, making this subject very important. The more I read articles from ‘thought leaders’ and the more that I see how services are delivered (by other teams), the more I realize that many consultants out there are delivering expensive fluff.
On, on…. 73s, and please comment.
Ubiquitous Security – 2010 Brings Focus To Mobile Issues
Posted on January 6th, 2010
It’s no secret that I have been focusing on wireless security issues over the past two years, and I have been very vocal about how ‘wireless’ is not limited to wireless LAN. We are approaching a turning point where securing organizations will require even more emphasis on ID management and access control to establish accountability for effective monitoring, thereby establishing metrics based upon sound measurement processes. Overall, the future challenge for governance will move from writing policy and pushing paper to sound statistical analysis (see more at securitymetrics.org), intricate log analysis, and stronger technical skills among security professionals. Introduction of mobile devices makes this even more challenging. Data leakage exploit issues in this new decade will focus (and are already focused) on mobile devices and spurious emissions from environments. These are two avenues of opportunity that attackers will exploit for gaining access to secure environments.
First, the research and results on spurious emissions are piecemeal at best, which means the opportunity exists across all environments; the next step is a matter of developing an exploit methodology, framework, or tool for such attacks. Probably done and operational right now. A lot of time has been given to attackers on this issue because the security community has hardly addressed it; a lot of time that attackers have available. Unfortunately, I believe in the coming months we are going to see the fruits of this attack vector development, with such attacks becoming a major issue within the next two years. More on this later.
Second, managing connectivity with ubiquitous devices will present the greatest challenge to access control and data leakage immediately. We are looking front and center at that issue as these lines are typed.
In an earlier blog posting I mentioned that the focus of my research in the first half of 2010 would be on mobile issues. This time around, in order to keep people engaged, I decided not to go off the deep end and create some RF circuits, pull out radios, spectrum analyzers, clustered cracking systems, document frequency hopping analysis tools, and all the other ‘technical’ stuff. Instead, I will start out at a high level and work a little deeper, revealing some insights as the research progresses.
To this end, last week I pulled out my favorite internet search and research programs – DEVONagent and DEVONthink – to compile some ‘high’ level reading material that addresses the security of mobile devices. The word ‘ubiquitous’ sounds so nice, free, and leaky; which is why I like to use the word when referring to enterprise mobile security. Overall, we are approaching an age of cell phone lock-down in enterprise environments. Exactly how those systems are locked down and how such lockdown methods align with the business objectives (that were the impetus for mobile device introduction) is going to tell a very interesting tale in the coming months and years.
Here is a nice little reading list of documents that address the mobile security issues. Some of the links are at bitpipe and such, so a registration and login may be required, but all have free access. Also, some are very vendor focused, but worth a read. Especially the BlackBerry document by Research In Motion.
On ZDNet, this Forrester survey is a good place to start. “Firms Are Not Keeping Pace With A Twofold Challenge: Mobile Device Management And Security” is a section heading that is worth a read if you have any doubt about what is ahead. The meat of the report is on page 7 and 8, but the conclusion is also worth a read. Basically, we need to manage mobile devices more like we manage personal computers, we need to secure this part of our environments immediately, and a mobile business strategy needs to be better defined.
Here goes.
Reference Document: Security Behind BlackBerry – A bit dated, but not a whole lot has changed in BlackBerry security recently.
The Security Paradox – A McAfee document, but the statistics are interesting.
Mobile Security Report 2009 – Another McAfee document, but good information.
Maximum Damage Malware Attack in Mobile Wireless Networks – An attack design document. Heavy math, so don’t read in bed or late at night. Okay, okay, not so high level, but here it is.
Security Aspects In A Packet Data Network – A white paper that is worth a read.
Subverting the security base of GSM – I posted about this about a week ago when this was announced. It is a very recent research result, so worth a read.
Happy reading! If you have any comments, please post one. 73, 73s.
God Mode – The Only Way To Admin Windows
Posted on January 6th, 2010
Now people with alternative intentions in mind can get a promotion beyond administrator and become…. won’t say it to stay on good terms with …. This ZDNet Japanese article was released late last night, so I don’t know if the English press has caught on yet or not – here is the synopsis.
In a nutshell, if you create a directory in Windows XP, Vista, or Win7 and name it “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” without the quotes, then open that folder, all of the control panel, system admin tools, and everything you need to take control of a locked-down system becomes available. We’ve tried it and it works quite well.

There is a saving grace to this flaw, however. If your domain policies are properly set up, any changes that happen will only be temporary. I think a logout is required for those policies to be re-enforced, so systems can stay pawned as long as you stay logged in…. which most hackers do.
UPDATE: Just found out that this ZDNet article was originally from CBS Interactive in the US.
UPDATE 2: A friend of mine just reported that it doesn’t work with XP, just Vista and Win7.
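The folder trick above is worth checking for from the defender's side: a small inventory script that flags CLSID-suffixed folders in user profiles gives you a record of who has created one. The example below is added here and is not code from the post; it generalizes beyond the single GUID named above because Explorer treats any folder named "something.{GUID}" as a redirect to that shell object, so every such folder is reported and the GodMode one is marked. The sample profile tree it scans is constructed in a temporary directory so the check runs offline on any OS.

```python
import os
import re
import tempfile
from pathlib import Path

# The CLSID named in the post: a folder "anything.{ED7BA470-...}" opens as the
# "All Tasks" control panel view (the so-called GodMode folder).
GODMODE_CLSID = "{ED7BA470-8E54-465E-825C-99712043E01C}"

# Generalisation (assumption stated in the lead-in): Explorer honours any
# ".{GUID}" suffix, so match the whole GUID shape, not just the one value.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.IGNORECASE
)


def find_clsid_folders(root):
    """Return sorted (path, clsid, is_godmode) for every CLSID-suffixed
    directory beneath root.  The CLSID is normalised to upper case so the
    comparison is case-insensitive, as NTFS folder names are."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            match = CLSID_SUFFIX.search(name)
            if match:
                clsid = match.group(0)[1:].upper()      # drop the leading "."
                hits.append((os.path.join(dirpath, name), clsid,
                             clsid == GODMODE_CLSID))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample profile layout for offline testing; not a real
    user profile.  The second GUID is a placeholder value, not a known CLSID."""
    base = Path(base)
    (base / "Documents" / "reports").mkdir(parents=True)
    (base / "Desktop" / f"godmode.{GODMODE_CLSID}").mkdir(parents=True)
    (base / "Desktop" / "Tools.{11111111-2222-3333-4444-555555555555}").mkdir()
    return base


def demo():
    """Build the constructed tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_clsid_folders(tmp)


if __name__ == "__main__":
    for path, clsid, is_godmode in demo():
        flag = "GODMODE" if is_godmode else "other CLSID"
        print(f"{flag:12} {clsid}  {path}")
```

On a live Windows host, point find_clsid_folders at C:\Users (or the profile roots your policy covers) and feed the output to whatever ticketing or SIEM process already handles policy exceptions.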
WorkPapers – Latest Version Now Freeware
Posted on January 1st, 2010
This title is a bit misleading since I stopped development of this software back in late 2006. Recent reports indicate that that version still runs on the latest OS X and all versions of Windows, so due to an overwhelming number of requests from potential users for me to hurry up and set up a Sourceforge site and pull the registration encryption, we are now offering the software for download (both Mac and Windows) with a free version registration key. Workpapers was designed to be personal audit software for teams in small to medium-sized practices. All of the data calls in the software are generic SQL based on Real Software’s SQLite, so scalability into larger environments is possible with just a bit of tweaking. Of course, this does not imply that if I put on my programmer’s hat and start developing again, future versions will be free as well ;-)
This is the Workpapers logo that we put together about seven years ago. Time really flies when you’re having fun!! It’s funny how, when you are caught up in independent software development, you feel a lack of appreciation, but when you set the project down, all these people come out of the woods asking for another version, wanting to buy no matter what, or just wanting a registration code so they can break free of the unregistered limitations. Workpapers and the related registration code are available from my Projects Page.