-
Facebook As Biggest Security Threat
Posted on February 3rd, 2010 No comments
Yes, I know… ‘Another Network World article’, you say. Yes, because lately they have been hitting trends fairly accurately…. read on!
This article outlines a Sophos survey of businesses that ranks Facebook as the biggest threat (at 60% of those surveyed) simply because it has become the biggest social network, followed by MySpace (at 18%), then Twitter (at 17%). Well, I tend to agree with that reasoning, but think the threat is somewhat limited on a couple of levels. In more secure environments in the financial industry, we have seen much broader implementation of Websense that keeps employees out of such sites through filtering or outright implementation of white lists that completely block access to such sites. So the 60% of businesses out there are probably not dialed into the fact that a network appliance or proper proxy server implementation ‘almost completely’ eliminates this threat – which is scarier. Okay, okay, I won’t get into how most CIOs are warmed-over MBAs and aloof.
The next point of the article points out the new security setup within Facebook, which suggests that users are more likely to share more information because it is more secure as a web application. Yes and no. Yes, because I can see Joe Le End-User migrating to Facebook, using default settings, and boasting about the move to a more secure social web site. But no, because I think that Facebook, and the Facebook community in general, did a good job of communicating the security and privacy changes.
Not that the paper-pushers are going to disappear, as we’ll always need policies and guidelines, but the future of security will be strongly based on three fundamental skills – the ability to monitor and analyze the health of your environment (logging analysis, metrics, and overall analytics), the ability to prevent bad configuration and code implementation (configuration management and code review), and the ability to train and keep end-users informed. On the last point, I credit Facebook for its handling of the most recent security change.
The ability of IT and development organizations to pursue proper code review and configuration management is almost depressing every time I review this facet. I cannot count how many times I have seen a sign-off on a code release, knowing full well that the person signing knows nothing about the program or the code, much less the overall potential impact on the systems. -
Suck Your Guts In – Full Body Scanner Coming To An Airport Near You!
Posted on January 31st, 2010 No comments
Well, from looking at the news and some of the evaluation discussions coming through here in Japan, it appears that at least Japan and the US will be implementing body scanners for boarding processing in the next year. Bruce Schneier touches on this subject a couple of times throughout his blog, but in Japan’s case, I have some very reliable insight into some of the considerations by local officials. Of course, the Japanese throw the latest, greatest technical solution at something as a CYA move all the time. Nobody wants to be responsible for a bad decision, so little thought goes into the big picture if it will keep an airplane from getting blown to pieces. This article shows that the US may be leaning further in that direction. Now, the only two gaping holes in airport security are DHS thugs manning the gates and cargo.
Any comments welcome!! -
Smart Google? Dumb Google?
Posted on January 18th, 2010 No comments
I was in the office yesterday and in passing conversation Google’s recent actions became the subject of conversation. “Dumb move”, came from across the table, which made me think a bit. Since I had heard the news last week, I was thinking nothing but smart move, so this came as a surprise and caused me to think about it for a while, hence, this blog posting.
DUMB
The first dumb point that comes from this is that Google just shot themselves in the foot in the largest internet population in the world. The recent news profiles China as the largest internet ‘market’, but I think differently. While the user population may be there, it is by far not the largest spending market, so let’s start calling it the most populous internet market. Now that we put this into perspective, Google may have made a dumb move in this large market, but it probably does not see the revenue return per user there that it realizes in other markets.
The other argument for dumb was that Google’s continued survival in the market would be very difficult if it did decide to stay in China. Now that Google has made the pull-out threat, their market share would fall even more because current and potential future advertisers do not know if they will stay in the market. This impact would only be temporary, and Google has the coffers to stand the test of time if they decide to continue playing in the market.
The last dumb argument is that when Google set up in China four years ago, they upset many groups around the globe by abiding by China’s censorship regulations. Since that whole debate and the effects of all that backlash have subsided, why make this move and go through another lashing again?
SMART
This is where I lean a bit more for a couple reasons that are personal in nature – humanity, human rights, and security. While the smart arguments are fewer, I think they are stronger. They draw the line and stand up for what is right.
One smart argument is the opposite of the last dumb argument – stop the censorship and let the Chinese people live free of oppression and carry the right to freedom of press and freedom of speech. Let the Chinese people decide what views they want to hear and what political stances they want to assume.
This is related to the next smart argument, which is the artist underground in China. Artists in China have so much talent that is oppressed by the communist state. If the Chinese people were allowed to express their views openly, and engage in open debate, a renaissance would evolve in art, technology, and society. This is what I would look forward to in a free, open China.
The last smart argument is that of security, which is the very reason why I take the liberty to publish this blog posting. If, in fact, the hack that penetrated Google’s systems was state-sponsored, then this is a very good place for a multi-national company to draw the line. THIS IS WHERE THE UNITED STATES SHOULD HAVE DRAWN THE LINE TWO YEARS AGO!! China’s cyber military capability is far beyond the US from an offensive perspective, and I think it is time to test their defensive capabilities. Not to start a cold war or anything, but when we discover state-sponsored snooping on our networks, we should retaliate in the same under-handed manner. Yes, Mom’s voice goes off in the back of my head: “Two wrongs don’t make a right!” Well, that is true, but ‘sitting ducks get blown away’ is the appropriate answer when it comes to attacks.
The code for the Google hack was immediately made public and a Metasploit exploit has also been produced. Two days ago I went through the code and it appears to be rather unsophisticated; pretty much like what would be required in phishing. Send some starter code and get the user to visit a web site that will complete the exploit. So this means a Google employee reacted to an email that got them hacked? Back to the security education argument….
If you have any comments, or smart/dumb argument suggestions that I may have missed, post something.
On, on…. 73s. -
Ubiquitous Security – 2010 Brings Focus To Mobile Issues
Posted on January 6th, 2010 No comments
It’s no secret that I have been focusing on wireless security issues over the past two years, and I have been very vocal about how ‘wireless’ is not limited to wireless LAN. We are approaching a turning point where securing organizations will require even more emphasis on ID management and access control to establish accountability for effective monitoring, thereby establishing metrics based upon sound measurement processes. Overall, the future challenge for governance will move from writing policy and pushing paper to sound statistical analysis (see more at securitymetrics.org), intricate log analysis, and stronger technical skills among security professionals. The introduction of mobile devices makes this even more challenging. Data leakage issues in this new decade will focus (and are already focused) on mobile devices and spurious emissions from environments. These are two avenues of opportunity that attackers will exploit for gaining access to secure environments.
First, the research and results on spurious emissions are piece-meal at best, which means the opportunity exists across all environments – the next step is a matter of developing an exploit methodology, framework, or tool for such attacks. Probably done and operational right now. A lot of time has been given to attackers on this issue because the security community has hardly addressed it; a lot of time that attackers have available. Unfortunately, I believe in the coming months we are going to see the fruits of this attack vector development, with such attacks becoming a major issue within the next two years. More on this later.
Second, managing connectivity with ubiquitous devices will present the greatest challenge to access control and data leakage immediately. We are looking front and center at that issue as these lines are typed.
In an earlier blog posting I mentioned that the focus of my research in the first half of 2010 would be on mobile issues. This time around, in order to keep people engaged, I decided not to go off the deep end and create some RF circuits, pull out radios, spectrum analyzers, clustered cracking systems, document frequency hopping analysis tools, and all the other ‘technical’ stuff. Instead, I will start out at a high level and work a little deeper, revealing some insights as the research progresses.
To this end, last week I pulled out my favorite internet search and research programs – DEVONagent and DEVONthink – to compile some ‘high’ level reading material that addresses the security of mobile devices. The word ‘ubiquitous’ sounds so nice, free, and leaky; which is why I like to use the word when referring to enterprise mobile security. Overall, we are approaching an age of cell phone lock-down in enterprise environments. Exactly how those systems are locked down and how such lockdown methods align with the business objectives (that were the impetus for mobile device introduction) is going to tell a very interesting tale in the coming months, years.
Here is a nice little reading list of documents that address the mobile security issues. Some of the links are at bitpipe and such, so a registration and login may be required, but all have free access. Also, some are very vendor focused, but worth a read. Especially the BlackBerry document by Research In Motion.
On ZDNet, this Forrester survey is a good place to start. “Firms Are Not Keeping Pace With A Twofold Challenge: Mobile Device Management And Security” is a section heading that is worth a read if you have any doubt about what is ahead. The meat of the report is on page 7 and 8, but the conclusion is also worth a read. Basically, we need to manage mobile devices more like we manage personal computers, we need to secure this part of our environments immediately, and a mobile business strategy needs to be better defined.
Here goes.
Reference Document: Security Behind BlackBerry – A bit dated, but not a whole lot has changed in BlackBerry security recently.
The Security Paradox – A McAfee document, but the statistics are interesting.
Mobile Security Report 2009 – Another McAfee document, but good information.
Maximum Damage Malware Attack in Mobile Wireless Networks – An attack design document. Heavy math, so don’t read in bed or late at night. Okay, okay, not so high level, but here it is.
Security Aspects In A Packet Data Network – A white paper that is worth a read.
Subverting the security base of GSM – I posted about this about a week ago when it was announced. It is a very recent research result, so worth a read.
Happy reading! If you have any comments, please post one. 73, 73s.
-
God Mode – The Only Way To Admin Windows
Posted on January 6th, 2010 No comments
Now people with alternative intentions in mind can get a promotion beyond administrator and become…. won’t say it to stay on good terms with …. This ZDNet Japanese article was released late last night, so I don’t know if the English press has caught on yet or not – here is the synopsis.
In a nutshell, if you create a directory in Windows XP, Vista, or Win7 and name it “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” without the quotes, then open that folder, all of the control panel, system admin tools, and everything you need to take control of a locked-down system becomes available. We’ve tried it and it works quite well.

There is a saving grace to this flaw, however. If your domain policies are properly set up, any changes that happen will only be temporary. I think a logout is required for those policies to be re-enforced, so systems can stay pwned as long as you stay logged in…. which most hackers do.
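From a defender’s side, the useful thing to know about the folder trick above is that Explorer treats any directory whose name ends in “.{GUID}” as a shell namespace junction, so an inventory of user-writable locations for such names is a cheap way to spot them on a locked-down machine. The script below is an added example written for this post, not code from the article or from ZDNet; the only real CLSID in it is the one quoted in the post, and the all-zero GUID used in the constructed sample tree is a placeholder, not a Windows identifier.

```python
import os
import re
import tempfile

# Shell-folder CLSID quoted in the post: a directory named "<anything>.{CLSID}"
# is rendered by Explorer as that namespace object rather than as a plain folder.
ALL_TASKS_CLSID = "{ED7BA470-8E54-465E-825C-99712043E01C}"

# Generic ".{GUID}" suffix, so the scan also flags other shell-namespace
# redirections and not only the All Tasks view.
_CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$"
)


def is_shell_folder_name(name: str) -> bool:
    """True if a directory name carries a .{GUID} suffix (shell namespace junction)."""
    return bool(_CLSID_SUFFIX.search(name))


def is_all_tasks_folder(name: str) -> bool:
    """True if the name points specifically at the All Tasks ('GodMode') CLSID."""
    return name.upper().endswith("." + ALL_TASKS_CLSID)


def find_shell_folder_dirs(root: str) -> list:
    """Walk root and return (relative_path, kind) for every directory whose name
    ends in a CLSID, tagging the All Tasks CLSID from the post separately."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_shell_folder_name(d):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                kind = "all-tasks" if is_all_tasks_folder(d) else "other-clsid"
                hits.append((rel, kind))
    return sorted(hits)


def demo() -> list:
    """Build a constructed directory tree (sample data, not from a real host) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents", "GodMode." + ALL_TASKS_CLSID))
        os.makedirs(os.path.join(root, "Documents", "Reports"))
        # Placeholder GUID, constructed for the sample; not a Windows CLSID.
        os.makedirs(os.path.join(root, "Desktop",
                                 "Tools.{00000000-0000-0000-0000-000000000000}"))
        return find_shell_folder_dirs(root)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:12s} {path}")
```

Pointing `find_shell_folder_dirs` at a user profile or a shared drive gives a list that can be fed to whatever reporting a site already uses; the pattern match is on the directory name only, so it runs equally well against a directory listing exported from another machine.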
UPDATE: Just found out that this ZDNet article was originally from CBS Interactive in the US.
UPDATE 2: A friend of mine just reported that it doesn’t work with XP, just Vista and Win7. -
Scanned Bankruptcy Filing Documents On WWW
Posted on December 6th, 2009 No comments
This article just sent my eyes rolling across the top of my eye sockets. Anybody who has worked in a secure development environment can read between the lines. Here is my take on the situation:
In notification letters made public Thursday, the bank said it had redacted sensitive information in Chapter 13 bankruptcy proof-of-claim forms that were filed electronically, but that the information turned out to be viewable “as a result of the deficiency in the software used to save imaged documents.” Well, I think that somebody sourced the software, procured the software, then installed the software, but prior to installation and acceptance, there was no information risk review or security review as part of the sign-off process. What do you think? Or is there an information security professional out there who hides behind paperwork and is now looking for another job?
An HSBC spokeswoman declined to elaborate on the cause of the problem, but said “a limited number of customers” were affected. HSBC has “no reason to believe customers’ personal information may have been compromised.” Uh huh…. the last time I checked, until a bankruptcy is announced as a result of the filing, your name attached to an intimate piece of knowledge is personally identifiable information (PII) that is covered by most privacy law. What she was trying to say was that no PII was released that would allow the poor victims’ identities to get hacked and ripped away from them into a bludgeon of further financial damage – to paraphrase, ‘heck, they are going bankrupt anyway!’ -
Keyboards – Serial Analysis Using FTD232RL
Posted on November 20th, 2009 No comments
First, for those friends at work and personal, you cannot just tap into a USB bus connection of any type and analyze it like you can a serial connection. If you have to ask why with a condescending voice as if you could make it happen, then keep to yourself and study the USB protocol.
Now that is out of the way, let me take a sentence or two to explain. USB is not serial and does not even compare to serial in a couple of areas. Timing on a USB bus is determined by the protocol version, hence 10 Mbs, 100 Mbs and faster, all depending on whether you are using 1.0, 2.0 or whatever version. In serial communications, the implementer sets the timing to a baud rate. Next, what is on the bus is on the bus, so the exchange is not one-to-one in USB as it is with serial. The device identification (HID) is established by the host, and the USB host determines which traffic is for which device that is communicating over the bus. In other words, the USB host (computer) controls all communication, not the implementation of the device.
So one would ask why a USB to PS/2 converter consists of just the four pins of a USB connector tied into four pins of a PS/2 connector. I too asked this question and performed a bit of analysis, including busting apart a couple of these adapters to see if a tiny ‘conversion’ chip was inside. This is very, very funny now that I understand better. The reason this kind of pin-to-pin connection works is that the computer (USB host) identifies the device as a PS/2 device when it is plugged into the computer, and the computer speaks serial to the device. When the USB plug is used to connect the keyboard, the computer recognizes the keyboard as a USB device and the USB device chip in the keyboard talks to the PC accordingly.
What all this means is that if you run a straight wire tap into a USB-to-USB keyboard connection, you are going to get a lot of garbage from other devices running through the same host controller, you are going to have timing problems, and it will be virtually impossible for a PIC, AVR, or any micro controller to keep up with analysis and filtering due to computing limitations. If this has not made things clear, and you want to know more, I suggest a visit to this forum.
Now, onto the next step. How about running a straight wire tap from a USB-to-USB connection into an FTDI USB to serial conversion chip that is powered by the USB bus itself, then analyzing the serial exchange? Here is a quick mash-up thrown together in Eagle late last night. I will spend some time this morning on the breadboard putting this together. The first thing of concern when reviewing this is whether the USB host (computer) will try to enumerate the FTDI chip and load the driver, which is what we don’t want – so I may have to install some diodes or something to make sure the communication only goes one way, from keyboard to FTDI chip and out the serial port. Another area of concern is whether the FTDI chip will perform the serial conversion without being enumerated by the computer. Stay tuned. Or, comment with some suggestions, because I really do need all the help I can get.

-
Going For The GROL
Posted on October 5th, 2009 No comments
Yes, in a couple of weeks I will be sitting for the US FCC General Radio Operator License test. I have spent a good chunk of the past couple of weeks studying for the test, especially Element 3, which covers a lot of formulas that I studied in the Marine Corps and in college, then studied again for the amateur Extra certification. However, the GROL Element 3 takes it to the next level by covering just about every angle of every formula related to AC electronics out there. Not only is this a good intellectual challenge, it is a very good review of the basics that will provide a solid foundation of ‘understanding’.
A couple of people have asked about what I am going to do with such a certification….. well, in the IT world and in the related security issues that surround such a world, I do not think that the technology is going to get less wireless. In fact, I see wireless connections further propagating the corporate environment, including further use of satellites, greater use of microwave links between buildings, and greater wireless LAN implementation as the protocol security improves.
I have been fairly lucky with call sign assignments in that I have liked the call signs that got assigned – NH2GX and JG1FXZ – but was wondering what kind of call sign gets assigned when one becomes a commercial operator. Whoa! Study for the test and pass the exam first…. don’t count your chickens before they hatch…. and all that. -
Some Starting To Look At Satellite Comms…
Posted on September 14th, 2009 No comments
It was refreshing to check email last week to find that a European client has initiated an RFP process that will lead to hiring some experts to review the security of their satellite communications. Back in the day, everybody was saying, it’s a satellite link so we don’t have to worry about encryption.
Those days have been long, long over, but despite that, I hardly see anybody reviewing satellite communications for security holes. Such a review seems warranted since POS data, credit card clearing data, SCADA, RFID product tracking, and a bunch of other juicy information travels via satellite.
Well, you can guess who raised their hand for working on that RFP! So here I am getting ready for a conference call with a European counterpart to prepare for the proposal. Really am looking forward to this one….
I was tinkering with Mixi (the Japanese social networking site) last night and decided I needed an icon to go with my online name – Musen Yagi. In Japanese, ‘musen’ means wireless and ‘yagi’ means goat. This name has a couple of meanings. First, it goes well with climbing mountains and using radio equipment, and since goats are typically mountain climbers, I thought that would be a good fit. Next, Yagi is the name of a high-gain, directional antenna design developed in Japan that is used all over the world – another good fit! Anyway, here is what I came up with (so far) for a logo. I tried not to infringe on copyright where possible.

Wireless Goat
-
The Monthly Binary Report
Posted on July 14th, 2009 No comments
It has been a while since I last posted, but it has been even longer since I started up my NewsFire RSS reader on the Mac. Lately I have just been sorting and reviewing news on iGoogle since I have to use Macs and Windows PCs. Well, this morning the Secunia security report for last month popped up and here is a summary. The most critical vulnerabilities for June are all MS, Windows, or related software. In a nutshell: Windows Print Spooler, VLC Media Player, and MS DirectShow.
Despite advances in code review, code review tools, fuzzing analysis, and the plethora of secure coding tools, some vector always remains open because newer, more secure code relies on some module that is not secure. For example, look at each of these vulnerabilities from the Secunia report. One vulnerability is due to use of an SMB module. The next vulnerability is from execution of a QuickTime parser… the pattern is clear. Consistently, attackers are going after the least common denominator, which at this point is older code that newer software relies upon.