October 01, 2005
September 14, 2005
Humor on the homefront
Dilbert has a very funny comic that I think all information security professionals should read and chuckle to themselves over while drinking their grande vanilla latte in the morning (trying to wake up). Or that just might be me...

As you may have noticed, I haven't posted anything in almost a month. That is due to some recent changes in my life: starting a new job, taking on a new role in an organization, and other projects that I'm working on that will keep me busy for the next two years or so.
As time permits I'll return to blogging but only time will tell.
August 18, 2005
My favorite search queries
In reviewing my web logs I found these gems in the referral search terms:
* "if my wireless laptop connected to a neighbors network how can i tell if they are spying on me"
* "yahoo mail can i trace who stole my password"
* "how to build a proton pack"
Reverse Engineering the Bagle Virus
Infosecninja writes:
- The following paper was written by Konstantin Rozinov and describes the steps that he took to reverse engineer the first variant of the Bagle virus. The really great thing about the paper is that he goes into fine detail regarding what was done, and he also describes a lot of x86 concepts and talks a lot about the stack. This is good reading for anyone that wants to get a better handle on how you go about reversing anything.
Link: http://rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf
Jericho Forum: Friend or Foe?
De-perimeterization: Jericho Forum misses the mark
- Hiding behind a catchy buzzword ("de-perimeterization") and a heap of undebatable aphorisms, the Jericho Forum proposes to be the thought leader on network security in the 21st century. At best, Jericho will help to raise awareness of the usefulness of a defense-in-depth network security strategy. More likely, the forum will end up on the scrap heap of unrealized ideas and wasted effort.
De-perimeterization is the way to go for network security
- The Jericho Forum is all about "de-perimeterization," which involves re-appraising where security controls are positioned. Businesses moving to the Jericho world need to change their thinking away from the "edge" mentality, based on controlled denial of access through firewalls.
Jericho Forum web site.
Comparing Edwardian period "security" to Internet Security
Dave Piscitello revises and publishes an unpublished book chapter section by section.
- Internet security is often described in military terms. Many of these originate from the castle building vocabulary of England during the reign of Edward II. I've always found this analogy interesting. Recently, I received an email from someone who read an article I wrote in the TISC newsletter, entitled Server vs. Client-based Protection. In that article, I made a brief reference to Edwardian period castles.
MSN Password Decrypter
Just for the fun of it...
This tool will decrypt the MSN password stored by the Windows operating system. Keep in mind that any credential Windows stores so it can be replayed automatically on behalf of a user is, by construction, recoverable by code running as that user; a tool like this just makes that visible.
Ideal-to-Realized Security Assurance In Cryptographic Keys
Everyone asks me encryption questions regarding key rotation, storage and destruction. WindowsSecurity.com has an article beginning the encryption key conversation.
- In the first installment of this two-part series, we'll cover key length, and relative concerns, such as entropy and how password etiquette affects key space complexity. We'll look at how the length of the key doesn't inherently equate to the security of the key, and why security isn't even just about keys, at all.
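The article's point that key length is not the same thing as key strength is easiest to see with a key derived from a password. The following is an added example (my own, not code from the WindowsSecurity.com article); the salt, passwords and iteration counts in it are constructed. It computes the entropy of a password space, derives a nominally 256-bit key from a password with PBKDF2, and then recovers that key by exhausting the password space rather than the key space.

```python
import hashlib
import itertools
import math

# Added example (not from the WindowsSecurity.com article). It shows why the
# nominal length of a key says little about its strength when the key is
# derived from a human-chosen password: the attacker searches the password
# space, not the cipher's key space. Salt and passwords below are constructed.


def password_space_bits(length, alphabet_size):
    """Entropy in bits of a password of `length` symbols chosen uniformly
    from an alphabet of `alphabet_size` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def derive_key(password, salt, key_bytes=32, iterations=100_000):
    """Derive a key of `key_bytes` bytes from a password with PBKDF2-HMAC-SHA256.
    The output is 8*key_bytes bits long, but there are only as many distinct
    outputs as there are distinct passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=key_bytes)


def effective_key_bits(key_bytes, password_length, alphabet_size):
    """Security the key actually offers: the smaller of the cipher's key
    space and the password space the key was derived from."""
    return min(8 * key_bytes,
               password_space_bits(password_length, alphabet_size))


def attack_work_bits(key_bytes, password_length, alphabet_size, iterations):
    """Work for an exhaustive search, in bits. Key stretching (PBKDF2
    iterations) multiplies the cost of each guess, adding log2(iterations)
    bits of work, but it never exceeds the cost of attacking the cipher key
    directly, so the result is capped at 8*key_bytes."""
    return min(8 * key_bytes,
               password_space_bits(password_length, alphabet_size)
               + math.log2(iterations))


def brute_force_password(target_key, salt, alphabet, length,
                         key_bytes=32, iterations=100_000):
    """Exhaust every password of `length` over `alphabet` and return the one
    whose derived key equals `target_key`, or None. The loop runs
    len(alphabet)**length times no matter how large key_bytes is."""
    for candidate in itertools.product(alphabet, repeat=length):
        password = "".join(candidate)
        if derive_key(password, salt, key_bytes, iterations) == target_key:
            return password
    return None


if __name__ == "__main__":
    # A 256-bit key derived from an 8-character lowercase password
    print(f"8 lowercase chars  -> {effective_key_bits(32, 8, 26):.1f} effective bits")
    # A 256-bit key derived from a 40-character passphrase over printable ASCII
    print(f"40 printable chars -> {effective_key_bits(32, 40, 95):.1f} effective bits")
    # Recover a 256-bit key by searching a 27-password space (constructed toy case)
    salt = b"constructed-salt"  # constructed; use os.urandom(16) in real code
    target = derive_key("cab", salt, 32, iterations=1000)
    print("recovered password:",
          brute_force_password(target, salt, "abc", 3, 32, iterations=1000))
```

The numbers are the ones worth remembering: eight lowercase characters give about 37.6 bits no matter how long the derived key is, and stretching adds work per guess (about 20 bits for a million iterations) without adding entropy to the password itself.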
The right coprocessor can help with encryption
IBM's Big iron lessons, Part 6:
- Encryption is a key aspect of security for any application or system. Furthermore, encryption is algorithmically complex, requiring significant resources for implementation, and most often, significant hardware acceleration. In this sixth and final installment to the Big iron lessons series, you'll get a review of the modern history of crypto and the encoding hardware and software techniques developed for mainframes that can show you the way forward.
W32/IRCbot worm beats Sasser record
PC World writes about how fast a vulnerability goes from alert to worm.
- According to McAfee's AVERT antivirus team, the IRCbot.worm!MS05-039 worm has emerged in the wild seven days following the initial announcement of the Microsoft vulnerability, demonstrating the fastest time between the announcement of a vulnerability and the success of a mass propagating exploit - even faster than Sasser, which took 14 days.
Internet worms attack each other to build massive botnets
Cory Doctorow of Boing Boing writes:
This week's storm of Windows worms is compounded by the fact that rival botnet gangs have written worms that attack each other, targeting one another's compromised zombies and converting them to part of their own botnets.
- "We seem to have a botwar on our hands," Hypponen said Wednesday. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines."
The first worm, dubbed Zotob, appeared on Sunday and appeared to have faded Monday. However, several Zotob offshoots and another new worm, Bozori, were subsequently unleashed. New versions of pre-existing threats Rbot, Sdbot, CodBot and IRCBot also began wriggling their way into computers. Systems at CNN, ABC and The New York Times were hit.
There is already too much coverage of the Zotob worm (technical details here, here, and here) to blog about, but the above was an interesting story to read. It reminded me of the book Masters of Deception.
The Register (UK) calls it Worm War II.
ComputerWorld says Computer virus writers at war.
New Cryptanalytic Results Against SHA-1
Schneier is blogging like crazy, but there's so much news to blog about.
- Xiaoyun Wang, one of the team of Chinese cryptographers that successfully broke SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, announced new results against SHA-1 yesterday at Crypto's rump session. (Actually, Adi Shamir announced the results in their name...
Meanwhile, NIST is holding a workshop in late October to discuss what the security community should do now. The NIST Hash Function Workshop should be interesting, indeed. (Here is one paper that examines the effect of these attacks on S/MIME, TLS, and IPsec.)
Here are Xiaoyun Wang's two papers from Crypto this week: "Efficient Collision Search Attacks on SHA-0" [PDF] and "Finding Collisions in the Full SHA-1" [PDF]. And here are the rest of her papers.
SF-Bay InfraGard meeting @ Google
Today was the SF-Bay InfraGard meeting at Google headquarters in Mountain View, CA. About 40 people convened at Building ## (censored) for a morning meeting about physical security of the Golden Gate Bridge, BART, and various threat reporting agencies.
There are blue-shirted security guys all over the place, yet they blend in well. If you are on Google property for more than 5 minutes without a badge you are approached by one of them. Even within the buildings they pop out of the woodwork and question who you are and why you are there.
But the environment is a very friendly place. The walls are decorated with high resolution photos of fire spinners. The hallways have huge whiteboards. There are decorative book shelves throughout the building with books on all computer and 'national geographic' topics.
My favorite was the "micro kitchens". These are mini kitchens decorated like the display models in IKEA but fully stocked with Odwalla, breakfast cereals, food, drink, and even places to cook it all. We were told there is a micro kitchen no more than 150 steps from all employees! Thus resulting in the "Google 15" referring to the 15 pounds that all employees gain once employed.
Here are some photos of the Google Master Plan. (Taken from jurvetson's flickr and blogged about by Scoble.)
August 17, 2005
E-Mail Interception Decision Reversed
Bruce Schneier has a nice post on this topic. It appears he participated, and I agree with his last paragraph on the importance of this court decision.
--- [Schneier] ---
Is e-mail in transit communications or data in storage? Seems like a basic question, but the answer matters a lot to the police. A U.S. federal Appeals Court has ruled [PDF] that the interception of e-mail in temporary storage violates the federal wiretap act, reversing an earlier court opinion.
The case and associated privacy issues are summarized here. Basically, different privacy laws protect electronic communications in transit and data in storage; the former is protected much more than the latter. E-mail stored by the sender or the recipient is obviously data in storage. But what about e-mail on its way from the sender to the receiver? On the one hand, it's obviously communications in transit. But the other side argued that it's actually stored on various computers as it wends its way through the Internet; hence it's data in storage.
The initial court decision in this case held that e-mail in transit is just data in storage. Judge Lipez wrote an inspired dissent in the original opinion. In the rehearing en banc (more judges), he wrote the opinion for the majority which overturned the earlier opinion.
The opinion itself is long, but well worth reading. It's well reasoned, and reflects extraordinary understanding and attention to detail. And a great last line:
- If the issue presented be "garden-variety"... this is a garden in need of a weed killer.
I participated in an Amicus Curiae ("friend of the court") brief [PDF] in the case. Here's another amicus brief [PDF] by six civil liberties organizations.
There's a larger issue here, and it's the same one that the entertainment industry used to greatly expand copyright law in cyberspace. They argued that every time a copyrighted work is moved from computer to computer, or CD-ROM to RAM, or server to client, or disk drive to video card, a "copy" is being made. This ridiculous definition of "copy" has allowed them to exert far greater legal control over how people use copyrighted works.
Terrorists, Steganography, and False Alarms
Bruce Schneier blogs that the worries about terrorists hiding messages in things such as images, documents, and television broadcasts are false alarms.
- The first sign that something was amiss came a few days before Christmas Eve 2003. The US department of homeland security raised the national terror alert level to "high risk". The move triggered a ripple of concern throughout the airline industry and nearly 30 flights were grounded, including long hauls between Paris and Los Angeles and subsequently London and Washington.
But in recent weeks, US officials have made a startling admission: the key intelligence that prompted the security alert was seriously flawed. CIA analysts believed they had detected hidden terrorist messages in al-Jazeera television broadcasts that identified flights and buildings as targets. In fact, what they had seen were the equivalent of faces in clouds - random patterns all too easily over-interpreted.
[Schneier]
- It's a signal-to-noise issue. If you look at enough noise, you're going to find signal just by random chance. It's only signal that rises above random chance that's valuable.
And the whole notion of terrorists using steganography to embed secret messages was ludicrous from the beginning. It makes no sense to communicate with terrorist cells this way, given the wide variety of more efficient anonymous communications channels.
I first wrote about this in September of 2001.
I have to agree, there are many more efficient ways of communicating this information. Even a presentation Elonka gave at Defcon in 2002 showed that, yes, there was a threat, but no evidence could actually link the threat to a single act or usage of steganography for terrorist activities. (Although she got quite a bit of traction out of this presentation, giving it at 20 different places between 2002 and 2003. That being said, I liked the presentation, especially the usage of stego to embed a secret message within the presentation.)
I need a fringe topic like this to associate with current high profile issues of the day so I can get on the speaking circuit more often.
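Schneier's signal-to-noise point above can be made concrete. The following is an added example of my own, not code from Schneier's post or from the cited article: a minimal least-significant-bit embed/extract pair, plus a deliberately naive "detector" that declares hidden text whenever the extracted LSBs happen to look like letters. Run over enough covers that contain no payload at all, the detector reports messages at a predictable rate anyway. The cover bytes, payload and seed are constructed.

```python
import random

# Added example (not from Schneier's post or the cited article). A minimal
# LSB steganography embed/extract pair and a deliberately naive detector,
# used to show that a detector run over enough random covers "finds"
# messages that were never there. All inputs are constructed.


def embed_lsb(cover, payload):
    """Write the bits of `payload` (MSB first) into the least significant
    bit of successive cover bytes. Needs 8 cover bytes per payload byte."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(data, nbytes):
    """Read `nbytes` bytes back out of the LSB stream of `data`."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for byte in data[8 * i: 8 * i + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)


def naive_detector(data, nbytes=4):
    """Declare 'hidden text found' if the first `nbytes` LSB-extracted bytes
    all fall in the ASCII range 'A'..'z'. Pure noise passes this test with
    probability (58/256)**nbytes: a faces-in-clouds detector."""
    if len(data) < 8 * nbytes:
        return False
    return all(0x41 <= b <= 0x7A for b in extract_lsb(data, nbytes))


def expected_false_alarm_rate(nbytes=4):
    """Analytic false-alarm probability of naive_detector on random bytes."""
    return (58 / 256) ** nbytes


def false_alarm_rate(trials, nbytes=4, seed=1):
    """Run the detector over `trials` covers of pure random noise (nothing
    embedded) and return the fraction it flags. Seeded so runs repeat."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        noise = bytes(rng.getrandbits(8) for _ in range(8 * nbytes))
        if naive_detector(noise, nbytes):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    cover = bytes(range(256)) * 2          # constructed 512-byte "image"
    stego = embed_lsb(cover, b"attack at dawn")
    print("extracted:", extract_lsb(stego, 14))
    print("detector on real stego:", naive_detector(stego))
    trials = 20000
    print(f"expected false alarms over {trials} noise covers: "
          f"{expected_false_alarm_rate() * trials:.0f}")
    print(f"observed rate: {false_alarm_rate(trials):.4f}")
```

With four-byte "words" the detector fires on roughly one noise cover in 380; look at a few hundred thousand images, broadcasts or documents and it will hand you hundreds of "messages". Lengthening the pattern it must match lowers the rate but never removes it, which is why a hit has to be judged against the number of things examined, not on its own.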
