<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-591733488625546860</id><updated>2012-02-19T03:22:51.742-05:00</updated><category term='labs'/><category term='XGrid'/><category term='apple'/><title type='text'>ClaudeWilliam</title><subtitle type='html'>&lt;center&gt;A place to discuss the theory and application of security, business, and technology.&lt;/center&gt;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>15</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-1123377343061270065</id><published>2010-02-15T13:19:00.006-05:00</published><updated>2010-02-15T14:17:13.554-05:00</updated><title type='text'>Configure *ALL* the Systems</title><content type='html'>On a recent internal penetration test two &lt;span id="SPELLING_ERROR_0" 
class="blsp-spelling-corrected"&gt;basic&lt;/span&gt; issues were identified when reviewing automated scan results. The first was a series of web servers with odd &lt;span id="SPELLING_ERROR_1" class="blsp-spelling-error"&gt;IP&lt;/span&gt; allocations. No vulnerabilities were reported for the web servers, but they were in an &lt;span id="SPELLING_ERROR_2" class="blsp-spelling-error"&gt;IP&lt;/span&gt; block on a segment that was primarily network infrastructure. In addition, the operating system was listed as '&lt;span id="SPELLING_ERROR_3" class="blsp-spelling-error"&gt;EthernetBoard&lt;/span&gt; &lt;span id="SPELLING_ERROR_4" class="blsp-spelling-error"&gt;OkiLAN&lt;/span&gt; 8100e'. A bit of Google time with the &lt;span id="SPELLING_ERROR_5" class="blsp-spelling-corrected"&gt;manufacturer&lt;/span&gt; information and it was clear that this was a management interface for a &lt;span id="SPELLING_ERROR_6" class="blsp-spelling-corrected"&gt;fibre channel&lt;/span&gt; card; in this case, a set enabling a SAN.&lt;br /&gt;&lt;br /&gt;Thirty seconds with the card manual gave up the following:&lt;br /&gt;&lt;br /&gt;&lt;img style="BORDER-BOTTOM: black 1px solid; TEXT-ALIGN: center; BORDER-LEFT: black 1px solid; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 261px; BORDER-TOP: black 1px solid; CURSOR: hand; BORDER-RIGHT: black 1px solid" id="BLOGGER_PHOTO_ID_5438545166974302818" border="0" alt="" src="http://2.bp.blogspot.com/_rIMoXf1o1NM/S3mYA8RrumI/AAAAAAAABZw/-MsOTQaC7lw/s320/manual.jpg" /&gt;A couple of seconds later and I was in a position to &lt;span id="SPELLING_ERROR_7" class="blsp-spelling-corrected"&gt;reconfigure&lt;/span&gt; and restart the SAN &lt;span id="SPELLING_ERROR_8" class="blsp-spelling-corrected"&gt;fibre channel&lt;/span&gt; cards. 
Hilarity would not follow.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img style="BORDER-BOTTOM: black 1px solid; TEXT-ALIGN: center; BORDER-LEFT: black 1px solid; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 207px; BORDER-TOP: black 1px solid; CURSOR: hand; BORDER-RIGHT: black 1px solid" id="BLOGGER_PHOTO_ID_5438543090249250082" border="0" alt="" src="http://2.bp.blogspot.com/_rIMoXf1o1NM/S3mWID32NSI/AAAAAAAABZo/FyTagKgc-rA/s320/fibrechannel.PNG" /&gt;&lt;br /&gt;A few minutes later the second issue of this type was revealed. The punchline of this one was &lt;span id="SPELLING_ERROR_9" class="blsp-spelling-error"&gt;username&lt;/span&gt; '&lt;span id="SPELLING_ERROR_10" class="blsp-spelling-error"&gt;apc&lt;/span&gt;' password '&lt;span id="SPELLING_ERROR_11" class="blsp-spelling-error"&gt;apc&lt;/span&gt;', and the ability to turn off power to a set of servers. This information is also easily obtainable with a quick search.&lt;br /&gt;&lt;br /&gt;Is any of this new? No. The fact that this issue is so old is actually what I found shocking. In reality, combos like root::Password and vendor::vendor are among the first that are tried when a new interface is found. The only reason I've highlighted the ability to look up this &lt;span id="SPELLING_ERROR_12" class="blsp-spelling-corrected"&gt;information&lt;/span&gt; is to demonstrate that it's available to anyone &lt;span id="SPELLING_ERROR_13" class="blsp-spelling-corrected"&gt;researching&lt;/span&gt; the device.&lt;br /&gt;&lt;p&gt;As a &lt;span id="SPELLING_ERROR_14" class="blsp-spelling-corrected"&gt;pentester&lt;/span&gt;, I made the client aware and moved on. Relative to the other items we found (Domain Admin was enjoyed by all), it's likely that the readout won't warrant more than a passing comment. In addition, when the inventory of web servers is performed, do you think that "&lt;span id="SPELLING_ERROR_15" class="blsp-spelling-error"&gt;FibreChannel&lt;/span&gt; Card 01" will appear on the list? 
Right. So when the internal audit comes looking for appropriate hardening and configuration, what's the &lt;span id="SPELLING_ERROR_16" class="blsp-spelling-corrected"&gt;likelihood&lt;/span&gt; this is making it onto the list? Right again. &lt;/p&gt;&lt;p&gt;However, these issues scream "Disgruntled employee. Please come play with me!". I don't want to be a harbinger of FUD, but while the chances are minimal the risk is there. It would take a few minutes to disable the HTTP interface or change the password (set Password xxx, pg 107 of the manual if you were wondering). This is basic due &lt;span id="SPELLING_ERROR_17" class="blsp-spelling-corrected"&gt;diligence&lt;/span&gt;, and an hour learning how to protect the device seems a sound investment. &lt;/p&gt;&lt;p&gt;The biggest issue, however, is knowing to look for this in the first place. When I asked the client about these issues, the answer was predictable. We had no idea those interfaces were even there.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-1123377343061270065?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/1123377343061270065/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=1123377343061270065' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/1123377343061270065'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/591733488625546860/posts/default/1123377343061270065'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2010/02/configure-all-systems.html' title='Configure *ALL* the Systems'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_rIMoXf1o1NM/S3mYA8RrumI/AAAAAAAABZw/-MsOTQaC7lw/s72-c/manual.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-3612163460010154382</id><published>2009-05-27T08:45:00.005-04:00</published><updated>2009-06-09T21:00:05.081-04:00</updated><title type='text'>Malicious Social Networking</title><content type='html'>I've had the chance to talk with &lt;a href="http://maliciousattacker.blogspot.com/"&gt;Jason&lt;/a&gt; about a paper he's writing to explore the ideas of weaknesses in social interactions created in Web2.0. The issues aren't necessarily new, but nuanced with the technologies we have and have not embraced.&lt;br /&gt;&lt;br /&gt;Fully embraced public identity management? Not embraced. Full public key non repudiation schemes? Not Embraced. Full disclosure of who you are and what you are doing? Fully embraced.&lt;br /&gt;&lt;br /&gt;I'm taking a liberty here in hopes that in his further vetting of the concepts, my terms get picked up.&lt;br /&gt;&lt;br /&gt;Identity Cloning (Enders Attack) - The creation of a new digital identity that appears to belong to another person.&lt;br /&gt;&lt;br /&gt;Identity Reflection - The copying of the content of the original identity to the created identity. 
After trust is built in the new identity, subtle changes are introduced for a specified purpose.&lt;br /&gt;&lt;br /&gt;Identity Aggregation - The concentration of information from several digital identities to create an identity on a new forum. This would most likely lead to information leakage or identity hijacking.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-3612163460010154382?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/3612163460010154382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=3612163460010154382' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/3612163460010154382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/3612163460010154382'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2009/05/malicious-social-networking.html' title='Malicious Social Networking'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-3593630032897514868</id><published>2009-03-24T14:55:00.009-04:00</published><updated>2009-06-18T12:38:35.662-04:00</updated><title type='text'>Security Fitness in Lean Times</title><content type='html'>I recently had the opportunity to spend a little downtime with a colleague who does a lot of writing and thinking about security. 
As we talked about what crashing economies, tightening budgets, and 2009 in general might mean to IT security, he made an interesting statement. There is no such thing as a security diet pill.&lt;br /&gt;&lt;br /&gt;We'd seen so many security programs fail, not because of a lack of resources, but because of a lack of discipline or understanding. They had been operating like someone who is furiously trying to get in shape by purchasing fitness products and diet books in bulk. The results were exactly what you'd expect: some initiatives worked great for a short while. However, in time most became exercises in installing the newest exciting product or were abandoned altogether due to the pace of business. Technology was courted as a series of solutions instead of what it is, a tool for getting the most out of the work you put in.&lt;br /&gt;&lt;br /&gt;So here we are with the same goal we've had for a while. The budgets are shrinking and the problem isn't. Time to put our feet up on the dusty weight bench, have a cheeseburger, and resign ourselves to the way things are, right?&lt;br /&gt;&lt;br /&gt;Or maybe we can look at this as an opportunity. Perhaps this is a good time to take stock.&lt;br /&gt;&lt;br /&gt;Measuring initiatives by the budgets they carry or the technology they purchased isn't going to resonate with upper management the way it once might have. Fiscal tightness will start to require security fitness. We know the tools are lying around; we bought them all. Now may be a good time to make sure we're using them the best we can. Now is a good time to make sure we're putting in the work.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;See your Doctor Before Starting any Program&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What are your true security strengths? What are your weaknesses? What are you trying to protect? Are all your assets of equal value? The answers to these questions should be your guide going forward. 
This is also the point where you need to ensure you're taking an honest look at the situation. With the resources you've already amassed, what is your capability? Politics has no place here.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Set Realistic Goals&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you don't even have an IDS in place, don't create a mandate that every packet in the network will be tracked by next quarter. Understand the limitations imposed by your business, your current capability, and your culture. Realize that changes, especially ones involving adding restrictions or controls, take time to adopt. The bright side is that your first goal is to use the technology and systems you've already paid for more efficiently. Install the IDS. Update it. Tune it. Integrate the data with your vulnerability scanner to create a more accurate risk profile.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Maintain a Healthy Diet&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Fear, Uncertainty, and Doubt are the hallmarks of an unhealthy security diet. News channels propagate this. Conferences do their share. Industry trade magazines don't help. The net result is security programs that think they are being reactive to cutting edge threats, but are never truly increasing their overall security.  &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Gartner&lt;/span&gt;&lt;/span&gt; declares IDS is dead; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;IPS&lt;/span&gt;&lt;/span&gt; is the new future. You mean IDS with blocking? So everyone upgrades and tears out the infrastructure. Attention isn't paid to the original problem. Nobody ever upgrades the signatures. Nobody ever looks at the alerts. 
Before you spend resources looking into &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Vishing&lt;/span&gt;&lt;/span&gt; attacks, ask yourself if you have any assets exposed by attacks on an automated call system? Is that exposure more critical than the current initiatives?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;There's no Substitute for Exercise&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I haven't seen anyone talking about security as a continuous process lately. I've heard about programs, initiatives, even sprints. At its core though, security is something that should be part of the organization and the culture. &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;Evaluation&lt;/span&gt; and improvement of the system should be done through continuous movement. Small steps with a commonly understood purpose. The guidance of Security Offices should become integrated into the business operations of the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;organization&lt;/span&gt;. Monitoring the effectiveness and providing honest, actionable feedback should become routine. Eventually, testing of the system will become a non-event. 
It's already in shape.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-3593630032897514868?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/3593630032897514868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=3593630032897514868' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/3593630032897514868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/3593630032897514868'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2009/03/security-fitness-in-lean-times.html' title='Security Fitness in Lean Times'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-8538795965831406664</id><published>2009-01-03T10:51:00.006-05:00</published><updated>2009-01-03T18:51:33.054-05:00</updated><title type='text'>Unwrapping the MacGPG installation</title><content type='html'>There's a promising bit of software available at http://macgpg.sourceforge.net/. Unfortunately, the installation of version 2.0.9 had to manipulate various .plist files on the system, and for all users. 
This makes the system much more difficult to use, and potentially breaks any customizations to the environment.&lt;br /&gt;&lt;br /&gt;The authors of MacGPG have been very responsive to reports of issues, and are in the process of creating an uninstall script. The purpose of this blog post is to dig into how this software runs in the system, and learn a little about OSX 10.4 along the way.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;So what's running?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;$ ps aux | grep gpg&lt;br /&gt;*******   6986   0.0 -0.0    29644    308  ??  Ss   10:46AM   0:00.01 gpg-agent --daemon --write-env-file&lt;br /&gt;*******   7025   0.0 -0.0    27376    420  p1  S+   10:47AM   0:00.01 grep gpg&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You'll notice that this process is started for any user of the system, not just the user that installed the software. From the manpage:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;span style="font-family:courier new;"&gt;       gpg-agent is a daemon to manage  secret  (private)  keys  independently&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       from  any  protocol.  It is used as a backend for gpg and gpgsm as well&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       as for a couple of other utilities.&lt;/span&gt;  &lt;span style="font-family:courier new;"&gt;       The usual way to run the agent is from the ~/.xsession file:&lt;/span&gt;  &lt;span style="font-family:courier new;"&gt;         eval `gpg-agent --daemon`&lt;/span&gt;  &lt;span style="font-family:courier new;"&gt;       If you don't use an X server, you can also put this into  your  regular&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       startup file ~/.profile or .bash_profile.  
It is best not to run multi-&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       ple instance of the gpg-agent, so you should make sure that only one is&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       running: gpg-agent uses an environment variable to inform clients about&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       the communication parameters. You can write the content of  this  envi-&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       ronment  variable  to  a file so that you can test for a running agent.&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;       This short script may do the job:&lt;/span&gt;  &lt;span style="font-family:courier new;"&gt;         if test -f $HOME/.gpg-agent-info &amp;amp;&amp;amp;    kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2&gt;/dev/null; then&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;              GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;              export GPG_AGENT_INFO&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;         else&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;              eval `gpg-agent --daemon`&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;              echo $GPG_AGENT_INFO &gt;$HOME/.gpg-agent-info&lt;/span&gt; &lt;span style="font-family:courier new;"&gt;         fi&lt;/span&gt;  &lt;span style="font-family:courier new;"&gt;       Note that the new option --write-env-file may be used instead.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You should have a .gpg-agent-info file in your home directory, but there isn't a .bashrc or .profile file. We do however have a .MacOSX directory. 
Inside there should be a file called environment.plist with the following:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;&amp;lt;dict&amp;gt;&lt;br /&gt;       &amp;lt;key&amp;gt;GPG_AGENT_INFO&amp;lt;/key&amp;gt;&lt;br /&gt;       &amp;lt;string&amp;gt;/tmp/gpg-pIhMQu/S.gpg-agent:6986:1&amp;lt;/string&amp;gt;&lt;br /&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This is confirmed by running lsof -p 6986, which gives the following:&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;&lt;br /&gt;**********:~ *******$ lsof -p 6986&lt;br /&gt;COMMAND    PID    USER   FD   TYPE     DEVICE SIZE/OFF     NODE NAME&lt;br /&gt;gpg-agent 6986 *******  cwd   VDIR       14,2     1122        2 /&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2  4247824  1429308 /usr/local/bin/gpg-agent&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2  1797576   163657 /usr/lib/dyld&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2  4398204  1368964 /usr/lib/libSystem.B.dylib&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2  1231864  1368744 /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2   801160  1090767 /usr/lib/libobjc.A.dylib&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2  1455656  1368830 /usr/lib/libicucore.A.dylib&lt;br /&gt;gpg-agent 6986 *******  txt   VREG       14,2   304580  1110847 /usr/lib/libncurses.5.4.dylib&lt;br /&gt;gpg-agent 6986 *******    0r  VCHR        3,2      0t0 62268292 /dev/null&lt;br /&gt;gpg-agent 6986 *******    1w  VCHR        3,2      0t0 62268292 /dev/null&lt;br /&gt;gpg-agent 6986 *******    2w  VCHR        3,2      0t0 62268292 /dev/null&lt;br /&gt;gpg-agent 6986 *******    3r                                    0x051bdd60 file struct, ty=0x3, op=0x384768&lt;br /&gt;gpg-agent 6986 *******    4r                                    0x051bdbb0 file struct, ty=0x6, op=0x3833ec&lt;br /&gt;gpg-agent 6986 *******    5w       
                             0x051bd8f0 file struct, ty=0x6, op=0x3833ec&lt;br /&gt;gpg-agent 6986 *******    6u  unix 0x03bb9720      0t0          /tmp/gpg-pIhMQu/S.gpg-agent&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This looks a bit weird though. Why in /tmp? Why have the nonce appended to the path? We also have some timeline information. 6986 corresponds to the PID of gpg-agent at that time, so that PID was already assigned when the environment.plist was written. On my system in /tmp I have the following:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;drwx------   3 *******   wheel  102 Jan  2 10:39 gpg-wJ3ihI&lt;br /&gt;drwx------   3 *******   wheel  102 Jan  2 11:45 gpg-m2uq2i&lt;br /&gt;drwx------   3 *******   wheel  102 Jan  3 10:46 gpg-pIhMQu&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;According to last, this corresponds to login times. Each of these folders contains the exact same thing, S.gpg-agent, a socket link.&lt;br /&gt;&lt;br /&gt;We also know that the gpg-agent is executed on login. A .plist file isn't present, however in OSX the defaults system shows us how the application is started:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;************:~/Library/Preferences root# defaults read com.apple.loginwindow LoginHook&lt;br /&gt;/usr/local/sbin/gpg-login.sh&lt;br /&gt;************:~/Library/Preferences root# defaults read com.apple.loginwindow LogoutHook&lt;br /&gt;/usr/local/sbin/gpg-logout.sh&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;Uninstalling version 2.0.9&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;We should be able to stop the agent from running by removing the login and logout hooks using defaults. 
First we want to stop the running process:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;kill -9 6986 (change to your PID)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Remove the hooks:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;sudo defaults delete com.apple.loginwindow LoginHook&lt;br /&gt;sudo defaults delete com.apple.loginwindow LogoutHook&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Reading the hooks should now give the following:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;defaults read com.apple.loginwindow LoginHook&lt;br /&gt;2009-01-03 18:22:49.320 defaults[7836]&lt;br /&gt;The domain/default pair of (com.apple.loginwindow, LoginHook) does not exist&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Logging out and back in then running ps aux | grep gpg should confirm that the gpg-agent is no longer running. We can now remove the binaries and scripts left on the system we found in the first part of the analysis:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;rm /usr/local/sbin/addgnupghome&lt;br /&gt;rm /usr/local/sbin/applygnupgdefaults&lt;br /&gt;rm /usr/local/sbin/gpg-login.sh&lt;br /&gt;rm /usr/local/sbin/gpg-logout.sh&lt;br /&gt;&lt;br /&gt;rm -r /tmp/gpg-*&lt;br /&gt;&lt;br /&gt;rm /usr/local/bin/gpg-agent&lt;br /&gt;rm /usr/local/bin/gpg-connect-agent&lt;br /&gt;rm /usr/local/bin/gpg2&lt;br /&gt;rm /usr/local/bin/gpgconf&lt;br /&gt;rm /usr/local/bin/gpgkey2ssh&lt;br /&gt;rm /usr/local/bin/gpgparsemail&lt;br /&gt;rm /usr/local/bin/gpgsm&lt;br /&gt;rm /usr/local/bin/gpgsm-gencert.sh&lt;br /&gt;rm /usr/local/bin/gpgv2&lt;br /&gt;&lt;br /&gt;rm -r ~/.gnupg&lt;br /&gt;rm ~/.gpg-agent-info&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Finally, remove the GPG agent key from the environment.plist file by deleting these two lines:&lt;br /&gt;&lt;span style="font-family: courier new;font-size:78%;" &gt;&lt;br 
/&gt;&amp;lt;key&amp;gt;GPG_AGENT_INFO&amp;lt;/key&amp;gt;&lt;br /&gt;&amp;lt;string&amp;gt;/tmp/gpg-pIhMQu/S.gpg-agent:6986:1&amp;lt;/string&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Log out and log back in to confirm that everything is starting correctly with no errors.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-8538795965831406664?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://macgpg.sourceforge.net/' title='Unwrapping the MacGPG installation'/><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/8538795965831406664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=8538795965831406664' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8538795965831406664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8538795965831406664'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2009/01/unwrapping-macgpg-installation.html' title='Unwrapping the MacGPG installation'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-4426355623652650606</id><published>2008-09-28T18:58:00.010-04:00</published><updated>2008-09-28T21:11:24.365-04:00</updated><title type='text'>Data on the Markets</title><content type='html'>I've been interested in the markets for some time, but only recently have begun reading about methods for selecting investing ideas in 
earnest. One of the books I got was &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;JJ&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Cramer's&lt;/span&gt; Real Money. Overall, I found it a great book; extremely enjoyable and pragmatic. Of particular interest was a graph on page 115, which shows a nice graph of GDP annual growth. The purpose of the graph is to &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;demonstrate&lt;/span&gt; the cyclical nature of &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;established&lt;/span&gt; &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;economies&lt;/span&gt;. &lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In a nutshell, GDP growth as a percentage is an indicator of which phase our economy is in, waxing or waning, etc. In Cramer's graph, a sine wave is shown &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;oscillating&lt;/span&gt; between 4-5% and -1%. At different phases of the economy, different sectors come in and out of favor. As an example, as we move from -1% to 5% (coming out of a recession) paper and chemicals come into favor as medicine and supermarkets go out of favor. On the reverse side we sell the chemicals and paper and pick up those staple stocks again.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Pretty simple, we should all have a picture of this on the wall and use this as a base mid-risk strategy for a portion of our portfolio. So let's get started... where &lt;em&gt;are&lt;/em&gt; we on the graph?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;First thing is to find some data. After poking around the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;Internet&lt;/span&gt; for a while I came across &lt;a href="http://www.bea.gov/national/index.htm"&gt;http://www.bea.gov/national/index.htm&lt;/a&gt;. 
From there I was able to get some data into Excel, and graph out 2000 chained dollar annual GDP. Being a bit naive, I eagerly anticipated my nice sine wave with a little marker for "You are Here". &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Instead, I got the following:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;img id="BLOGGER_PHOTO_ID_5251216785116830658" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 617px; CURSOR: hand; HEIGHT: 352px; TEXT-ALIGN: center" height="276" alt="" src="http://4.bp.blogspot.com/_rIMoXf1o1NM/SOAR2At1G8I/AAAAAAAAApY/FMjZ9p6APfc/s400/chart.jpg" width="473" border="0" /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;Eh, crap. So the next step is to take the baskets of stocks that should represent the correct cycles and map them against this curve. Hopefully it'll smooth things out, but that's an exercise for another day.&lt;br /&gt;&lt;br /&gt;On the plus side, I think this was worth doing, and something I'll continue to do. Without looking for myself, I might have been tempted to believe things were a lot simpler, and &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_9"&gt;because&lt;/span&gt; of that, be a lot more willing to take &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_10"&gt;someone's&lt;/span&gt; statement "we're on the up side of the curve".&lt;br /&gt;&lt;br /&gt;Now a reasonable and informed response will be, "Really? 
Why do you think that?"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-4426355623652650606?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/4426355623652650606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=4426355623652650606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/4426355623652650606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/4426355623652650606'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/09/data-on-markets.html' title='Data on the Markets'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_rIMoXf1o1NM/SOAR2At1G8I/AAAAAAAAApY/FMjZ9p6APfc/s72-c/chart.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-5921070037943775376</id><published>2008-09-23T11:46:00.005-04:00</published><updated>2008-09-23T14:24:45.957-04:00</updated><title type='text'>Information in Modern Enterprises</title><content type='html'>It was late. A long day of talking and thinking and meeting had brought us to a nearly empty airport terminal with nothing much to do for a couple of hours before our flight. 
A coworker of mine and I started talking about the day, which led to the company, which led to our position in the world as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;GRC&lt;/span&gt; pundits and thought leaders.&lt;br /&gt;&lt;br /&gt;We debated &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;GRC&lt;/span&gt; a bit. What is it exactly? We debated our current offerings a bit. Are they still relevant and why do companies keep failing at the same things over and over? Eventually we came to the core question. What is the purpose of security in the modern enterprise? Why should anyone care about security at all?&lt;br /&gt;&lt;br /&gt;The discussion ended up sparking the following:&lt;br /&gt;&lt;br /&gt;Q:  What is the core currency of security as we refer to it? What is the key asset that we are concerned with?&lt;br /&gt;&lt;br /&gt;Information. We are concerned with all elements or systems that create, process, transmit, store, or consume information. We also understand that all information is not equally valuable.&lt;br /&gt;&lt;br /&gt;Q:  What are the key criteria for &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;determining&lt;/span&gt; the value of information?&lt;br /&gt;&lt;br /&gt;Actionable. Can the information directly lead to decisions or actions? The closer the information is to readily triggering an action, the more valuable. There may also be a concept of potential here. Particular bits of information may be unprocessed, and like ore turns to metals turns to tools, you may consider some &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;unprocessed&lt;/span&gt; information more valuable based on its potential to drive decisions or actions.&lt;br /&gt;&lt;br /&gt;Accurate. How well does the information you have represent the system you are making decisions about? 
We can also refer to this as internal or external integrity, depending on whether or not the information concerns a system outside of your own.&lt;br /&gt;&lt;br /&gt;Timely. How close is the information being consumed relative to the time it would take to make a decision and execute? Answering this question will likely create one or more windows or ranges that represent varying value. If the information is about a decision in the distant future, it may be nearly useless. If it comes so close to an event you can take no action, it is equally useless. Interestingly, nearly all information about events in the past contains some value if it can be trended and correlated with events and outcomes.&lt;br /&gt;&lt;br /&gt;Proprietary. How widely known is the information? The value that comes from information being proprietary is derived from the advantage any possible decisions or actions can have over other actors. Even if the information is completely exclusive, if it provides no advantage it is of limited value.&lt;br /&gt;&lt;br /&gt;Q: How do these attributes relate to work that needs to be done?&lt;br /&gt;&lt;br /&gt;The actions related to information (creation, processing, transmitting, storing, and consuming) all impact one or more attributes. The systems used to perform these actions become the concern of information security specialists. &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_4"&gt;Specifically&lt;/span&gt;, identifying key criteria for the confidentiality, integrity, and availability of these systems.&lt;br /&gt;&lt;br /&gt;Q: Is there a single framework or mapping that can overlay these concepts onto an organization?&lt;br /&gt;&lt;br /&gt;Currently, no. In fact, there likely isn't going to be one in the future either. This is largely due to the specific requirements of individual organizations. Each business treats their information in a somewhat specialized manner. They perform unique operations on unique bits of data. 
Because of these differences each organization will have different weights and tolerances related to &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;attributes&lt;/span&gt; and systems related to their information.&lt;br /&gt;&lt;br /&gt;Q: Can we at least begin to group enterprises together along commonalities?&lt;br /&gt;&lt;br /&gt;Perhaps. The first attempt at this is listed below. The &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"&gt;application&lt;/span&gt; to operations and practices is where work still needs to be done.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Corporations: Primarily concerned with the internal and external integrity of their information. Corporations will rely &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_7"&gt;largely&lt;/span&gt; on internally generated information or public information. In order to manage and adhere to regulations they need to be sure information about themselves is accurate. In order to determine &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_8"&gt;appropriate&lt;/span&gt; actions they need to be able to have an accurate view of the world in which they operate. &lt;/li&gt;&lt;li&gt;Intelligence Services: Sourcing seems to be a huge concern. While integrity is an issue, it seems to be most critical during the aggregation and correlation phases. Given the amount of information someone has to sift through to create a picture, which items they concentrate on and which they ignore is critical. Once an actionable &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_9"&gt;work product&lt;/span&gt; is created, ensuring the proprietary nature of that work is key. &lt;/li&gt;&lt;li&gt;Government Agencies: Each one seems to have unique needs. However, all of them need to ensure compliance with regulations. 
Unfortunately, regulations are derived from policy or law, and as such suffer from the issues of applying a lowest common denominator to all groups, or a one-size-fits-all approach that does not create the maximum benefit for anyone. &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div align="left"&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-5921070037943775376?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/5921070037943775376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=5921070037943775376' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/5921070037943775376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/5921070037943775376'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/09/information-in-modern-enterprises.html' title='Information in Modern Enterprises'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-8097616127485914535</id><published>2008-09-11T16:40:00.000-04:00</published><updated>2008-09-11T19:22:46.595-04:00</updated><title type='text'>Of Pundits and Bandits; Justifying Consulting</title><content type='html'>I got a request from a friend recently who is working on her Master in Information Services. 
As part of one of their projects, she needs to analyze the pros and cons of outsourcing, insourcing, and of course, consulting. In trying to get to exactly what she was looking for the core question seemed to be, are the fees that consultants charge worth it? &lt;br /&gt;&lt;br /&gt;I hesitated. Not because I doubt for a second that the good ones are, but because of the complexity of the question. However, speaking specifically for the type of work I do the argument goes something like this. &lt;br /&gt;&lt;br /&gt;While security work is commonly considered highly specialized, there are a number of activities that can be done by someone internally. Vulnerability scanning, running MBSA against a host, etc. &lt;br /&gt;&lt;br /&gt;However, you still need someone who can interpret the results, prioritize them, level set them against business risks and goals, fit solutions into operations, and overall, be a trusted advisor in the process of keeping up your security posture. &lt;br /&gt;&lt;br /&gt;Add to this the relationships in the modern enterprise between compliance requirements, security best practices, PII, governance, and IT efficiency, and well, things get complex. &lt;br /&gt;&lt;br /&gt;We're still in scope for an in-house resource, but we're probably talking about someone that has a full time job related to these tasks. If they're going to be in house, you may have a training program in place. If you do, starting salary around 65-70K a year in metro areas is reasonable. If you don't, you're looking at 100K - 150K for an experienced person, or a bit less if you have significant work/life benefits. Figure the average employee costs the company 150% to 200% of salary including health, stock, insurance, etc. &lt;br /&gt;&lt;br /&gt;Unfortunately, you might not have 40 hours of work queued up if you're a smaller organization. So, you're paying a lot for some part time work. 
Even at $150 to $250 an hour, it may be more cost effective to hire a contractor for point engagements. &lt;br /&gt;&lt;br /&gt;But what if you are a larger company? You do have in house training. You have way more than 40 hours a week of work. Occasionally you may want to double check. Especially in security, occasional validation that you're as good as you think you are isn't just prudent, it's necessary. In these cases bringing a group in for point engagements is still a good idea. &lt;br /&gt;&lt;br /&gt;In the end it's the trade off between paying to keep an expert on staff versus renting an expert's time when you need it. Also keep in mind that security experts have a large body of knowledge that needs to be refreshed continuously. If you have someone work on the same problems continuously their skills may need refreshing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-8097616127485914535?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/8097616127485914535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=8097616127485914535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8097616127485914535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8097616127485914535'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/09/of-pundits-and-bandits-justifying.html' title='Of Pundits and Bandits; Justifying Consulting'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-622230524394683696</id><published>2008-08-07T06:14:00.000-04:00</published><updated>2008-08-07T15:35:15.431-04:00</updated><title type='text'>Triage and Recovery in Enterprise Networks</title><content type='html'>&lt;p&gt;It's not uncommon. You're called in to perform some level of penetration test within an enterprise, and before long, you're describing some level of significant compromise to the client. After the disbelief and shock you begin to dig into how this could be possible. The client assures you that their team is working hard. In fact, they're practically killing themselves securing the network.&lt;br /&gt;&lt;br /&gt;What's the problem?&lt;br /&gt;&lt;br /&gt;The time and effort of the organization is completely consumed by tactical activities focused on point problems and solutions. Is a system vulnerable? How can I tell? What should I do? What other systems are like this one? How can I tell these systems are also vulnerable?&lt;br /&gt;&lt;br /&gt;Attacking the problem of enterprise security in this manner is time consuming and costly. Furthermore, it typically doesn't lead to improvements in the company's policies and procedures. Rather, the experience of the individuals can lead to a feeling that things are improving. Lessons learned are discussed with management. Tasks take less time to achieve. Unfortunately, the improvement is only incremental, and relative to ad-hoc systems. The environment is still focused on tactical problems, and the knowledge is tribal; held with the people. When they leave, the system will have to teach another expert.&lt;br /&gt;&lt;br /&gt;When this is overlaid on top of traditional trends in funding and attention paid to security departments the situation becomes more untenable. 
When is the most attention paid to security? Immediately &lt;em&gt;after&lt;/em&gt; an incident. The fire drill begins, fingers are pointed, and stress levels are high. Suddenly full buy in from management comes with a substantial budget to fix the issues that are seen as most critical. As time passes from the original event, point solutions that have sprung up are not maintained, or the rough edges from rapid integration are not smoothed out and fully adopted into the larger system.&lt;br /&gt;&lt;br /&gt;The pressing nature of this immediate threat can lead to mistakes in how to address the larger issues. Widely scoped preventative measures are bypassed in favor of short term quick wins.&lt;br /&gt;&lt;br /&gt;Everyone picks the low hanging fruit and nobody takes time to build a ladder.&lt;br /&gt;&lt;br /&gt;The result is highly tasked people, large expenditures with minimal ROI related to overall security posture, ad-hoc operations, and tribal knowledge of the systems. Everyone agrees there are better ways to do things, and they'll get right on it if they have the time.&lt;br /&gt;&lt;br /&gt;So what's to be done?&lt;br /&gt;&lt;br /&gt;Organizations need to have the operational discipline to stay focused on the security of an organization after the initial shock of the incident has worn off. Strategic initiatives should be investigated and run in parallel with tactical issues. Given a conflict, &lt;em&gt;the strategic initiatives should take precedence&lt;/em&gt;. In turn strategic projects must be run with clear goals, deadlines, and expectations communicated widely to the tactical teams. Of the two, &lt;em&gt;strategic groups should be held more tightly to their advertised goals and time lines&lt;/em&gt;.&lt;br /&gt;&lt;br /&gt;What are the steps to develop initiatives?&lt;br /&gt;&lt;br /&gt;Many organizations may feel that they already are working on strategic initiatives. 
After all, we're installing a Vulnerability Scanner so we don't have to scan each system anymore; isn't that strategic? Possibly, depending on the homework you've done. &lt;/p&gt;&lt;ul&gt;&lt;li&gt;Have you given your tactical teams the time, resources, and cover to perform root cause analysis? &lt;/li&gt;&lt;li&gt;Have you assigned a person or group to aggregate root cause findings and analyze them?&lt;/li&gt;&lt;li&gt;Has management performed a risk assessment for the business to understand which information and processes are critical to operations, and which are not?&lt;/li&gt;&lt;li&gt;Have you compared the risk analysis with the root cause findings to determine which items, if fixed or changed, would prevent the largest number of point issues while still supporting business processes? &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-622230524394683696?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/622230524394683696/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=622230524394683696' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/622230524394683696'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/622230524394683696'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/08/triage-and-recovery-in-enterprise.html' title='Triage and Recovery in Enterprise Networks'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-2397970634206126083</id><published>2008-04-30T10:06:00.000-04:00</published><updated>2008-04-30T11:13:58.351-04:00</updated><title type='text'>Pro Choice and National Security</title><content type='html'>For a moment table the ethical, religious, and moral debates surrounding the pro-life / pro-choice debate. For a moment, try and take a look at the issue as a pure legality, an event that is either lawful or not. If you can take a pause and do that, consider an oddity I've recently come across. &lt;br /&gt;&lt;br /&gt;In the 1960's a handler by the name of &lt;a href="http://en.wikipedia.org/wiki/Duane_'Dewey'_Clarridge"&gt;Clarridge&lt;/a&gt; obtained and handed off abortion pills to a Polish trade official named Adamski. The motivation behind the Adamskis' choice was based on a forced repatriation back to Poland to have their child, something neither wanted to do. Because of the legalities involved, a handler was able to enlist a spy. &lt;br /&gt;&lt;br /&gt;In the 1950's a GRU officer named &lt;a href="http://intellit.muskingum.edu/cia_folder/cia50s_folder/cia50spopov.html"&gt;Pyotr Popov&lt;/a&gt; was a walk-in (or perhaps drop-in, as the contact was via planted envelope) for the CIA. Though his motivations may have been complex, Frederick Hitz cites in "The Great Game" that Popov's immediate need was money for an abortion. &lt;br /&gt;&lt;br /&gt;There are a great many cases of recruitment that do not involve such a charged topic. However, it seemed interesting that if one were so inclined, they could make the argument that legal, affordable abortion is a matter of national security. 
&lt;br /&gt;&lt;br /&gt;Someone might stand up in Congress and say something like, "There is documented case evidence that this particular activity, above the current social stigma, if made illegal would provide leverage to the enemies of this State for the purpose of recruiting otherwise trusted citizens." &lt;br /&gt;&lt;br /&gt;If you find that a reasonable statement, take pause. Conspiracy theories aside, the idea that something regarding life, religion, and choice could be rolled up into National Security conversations with a reasonable statement should cause you to look at other rhetoric. &lt;br /&gt;&lt;br /&gt;What would be the true increase or decrease to national security if Roe v. Wade were overturned? How about any other arguments that are made working backwards from the method? And that's the key. &lt;br /&gt;&lt;br /&gt;As long as you buy arguments formed cause -&gt; method -&gt; effect therefore !method -&gt; !effect, then you will by definition always be reactive and myopic. An attacking force will always look for the lowest cost method to achieve their goals. There may have been many other ways to achieve the same result for a determined attacker. &lt;br /&gt;&lt;br /&gt;From liquids on a plane, to having your phone calls recorded, to having your web surfing proxied by your company, or your ISP. Just because the arguments given are reasonably phrased, ask yourself if they are rational and proactive. Or is someone trying to put together an argument based on limited data points that you shouldn't buy? &lt;br /&gt;&lt;br /&gt;It's every citizen's responsibility to look at these arguments of security critically. Furthermore, it would be irresponsible and Machiavellian to allow a false argument to carry your cause to victory. &lt;span style="font-style:italic;"&gt;How&lt;/span&gt; you win is just as important as winning itself. Why? 
Maybe tomorrow the argument you set precedent for is used against, rather than for you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-2397970634206126083?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/2397970634206126083/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=2397970634206126083' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/2397970634206126083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/2397970634206126083'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/04/pro-choice-and-national-security.html' title='Pro Choice and National Security'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-7506352396281355436</id><published>2008-03-28T21:33:00.000-04:00</published><updated>2008-03-29T17:49:01.314-04:00</updated><title type='text'>Google!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/tools/firefox/common/labs_logo.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 124px; height: 45px;" src="http://www.google.com/tools/firefox/common/labs_logo.gif" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;It's happened, I no longer have any ideas that 
haven't already been thought of by someone at Google. Want to select some text and SMS it to your phone cause you just seem to never have a pen and paper around your desk? Don't bother learning how to code it up yourself, cause you can already download it at http://www.google.com/tools/firefox/sendtophone/ Can't wait for my next project they've already thought of.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-7506352396281355436?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/7506352396281355436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=7506352396281355436' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/7506352396281355436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/7506352396281355436'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/03/google.html' title='Google!'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-5727421876746318746</id><published>2008-03-22T17:20:00.000-04:00</published><updated>2008-03-23T07:26:31.633-04:00</updated><title type='text'>Road Trips</title><content type='html'>Defcon: 36° 8'5.23"N; 115° 9'46.77"W; 1218110400&lt;br /&gt;&lt;br /&gt;Having missed my local fill of shmoo, setting the sights on Vegas in the summer to catch up with 
folks I rarely see outside of these things.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-5727421876746318746?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/5727421876746318746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=5727421876746318746' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/5727421876746318746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/5727421876746318746'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2008/03/road-trips.html' title='Road Trips'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-8686490894214213457</id><published>2007-11-17T08:53:00.000-05:00</published><updated>2007-11-17T09:14:50.910-05:00</updated><title type='text'>Soft Walls in Security</title><content type='html'>As necessity is the mother of invention, sometimes tragedy reveals what we need. A few years ago I ran across some work in aviation aimed at preventing another September 11. The system was called Soft Walls (http://softwalls.eecs.berkeley.edu/), and the general idea was a proxy would exist within the avionics of commercial aircraft. 
This system would create virtual borders around critical areas, providing forced feedback against a pilot's yoke.&lt;br /&gt;&lt;br /&gt;The specific implementation of this plan introduces a number of security challenges, but the idea itself fits well with what security should feel like. You only feel the restrictions of the system as you try to do something questionable. The harder you try to perform restricted activity, the harder the system pushes back.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-8686490894214213457?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/8686490894214213457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=8686490894214213457' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8686490894214213457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8686490894214213457'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2007/11/soft-walls-in-security.html' title='Soft Walls in Security'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-1761733434546518713</id><published>2007-10-12T12:38:00.000-04:00</published><updated>2007-10-12T13:00:34.684-04:00</updated><title type='text'>Security fails the masses by design</title><content type='html'>In studying other 
subjects the idea of functional art was a common theme. Imagine a glass door along a glass wall in a peaceful room. There are few surfaces in the room, so you're struck with the lines of the floor meeting the wall, wall meeting the ceiling, etc. To keep with the theme you place a single horizontal metal bar on the door as the handle. Elegant and beautiful in its simplicity.&lt;br /&gt;&lt;br /&gt;Now do you push or pull that door to get out?&lt;br /&gt;&lt;br /&gt;The flaw is in the design itself, and the attempt to keep things simple causes a complexity for each new person that tries to exit.&lt;br /&gt;&lt;br /&gt;A password is just that. A shared secret word that is likely common in the spoken language. It can be remembered without writing it down or used in a sentence. This password is also considered insecure in modern computing systems.&lt;br /&gt;&lt;br /&gt;Instead of passwords most systems have migrated to an authentication token. Typically a string of characters including upper and lower case, special symbols, and numbers. While this string may resemble a word to make memorization easier, it is not actually a word. However, confusion still exists among many new users, who are presented with the request to create a password, and select something like "pencil".&lt;br /&gt;&lt;br /&gt;The issue is in the fact that the design hasn't been changed. It's still called a password, and the essential implementation hasn't changed. There's still a horizontal bar on the door, but now there's a sticker that says pull.&lt;br /&gt;&lt;br /&gt;Responsibility should be taken to understand these fundamental design flaws as we come across them in practice and, wherever possible, to resist the temptation to fix the problem with a sign or a memo. 
This requires more effort and time, and will not always be possible, but it is a goal to be pursued nonetheless.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-1761733434546518713?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/1761733434546518713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=1761733434546518713' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/1761733434546518713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/1761733434546518713'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2007/10/security-fails-masses-by-design.html' title='Security fails the masses by design'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-8679775559829464957</id><published>2007-03-17T09:39:00.000-04:00</published><updated>2007-03-17T10:01:22.007-04:00</updated><title type='text'>Portable Information Scheme</title><content type='html'>I've talked to a few folks lately and a common theme has come up: portable personal information.&lt;br /&gt;&lt;br /&gt;For whatever reason we seem to have a lot of things to keep in our memories lately. Too much. So shortcuts need to be found. 
As an example, let's take a single scenario: sending flowers to mom.&lt;br /&gt;&lt;br /&gt;You're on a business trip, find a nice little spot around 6 to have a drink, a bite to eat, and to unwind. The phone rings, dad, so you decide to chat. Yep, things are good; no, not too busy; tomorrow? yeah, I forgot; getting right on it. Deep sigh, attempt to dry the ice, and start thinking about the task at hand.&lt;br /&gt;&lt;br /&gt;You need a couple of things, credit card and mom's address at a minimum. A login to the online florist of choice might help. At one point in time you might have pulled out your address book, walked to the nearest florist, and pulled out a checkbook. A few years ago you might even have pulled out your Palm Pilot, taken out that one credit card you use for online transactions, and walked over to the nearest cyber cafe.&lt;br /&gt;&lt;br /&gt;Today you want to use a virtual credit card number. You also don't want to walk around with the IT utility belt full of BlackBerry, pager, two cell phones, and a PDA. Most modern corporate IT policies make no pretense about the fact that everything on your company-supplied system belongs to the company. This goes for the phone too, since everyone needs to have that smartphone with email capability. Attached to the corporate network? Belongs to the company.&lt;br /&gt;&lt;br /&gt;So, how do I get access to my sensitive personal information anywhere I want to be? 
Thoughts?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-8679775559829464957?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/8679775559829464957/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=8679775559829464957' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8679775559829464957'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/8679775559829464957'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2007/03/portable-information-scheme.html' title='Portable Information Scheme'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-591733488625546860.post-4725882120686061157</id><published>2007-02-27T19:10:00.000-05:00</published><updated>2007-03-18T08:08:57.224-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='labs'/><category scheme='http://www.blogger.com/atom/ns#' term='XGrid'/><category scheme='http://www.blogger.com/atom/ns#' term='apple'/><title type='text'>Apple XGrid for Common Security Tasks</title><content type='html'>Having some old G5 towers and a handful of G4 laptops around, we're attempting to set the systems up as an XGrid cluster, then configure the cluster for common security-related tasks including rainbow table creation, key cracking, etc. 
This would act as a proof-of-concept open lab environment with removable components (laptops).&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;span style="font-size:85%;"&gt;Background Reading:&lt;br /&gt;&lt;/span&gt;&lt;a href="http://unu.novajo.ca/simple/archives/000022.html"&gt;&lt;span style="font-size:85%;"&gt;http://unu.novajo.ca/simple/archives/000022.html&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://www.macdevcenter.com/pub/a/mac/2004/05/11/xgrid_pt1.html?page=1"&gt;&lt;span style="font-size:85%;"&gt;http://www.macdevcenter.com/pub/a/mac/2004/05/11/xgrid_pt1.html?page=1&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://www.macdevcenter.com/pub/a/mac/2005/08/23/xgrid.html"&gt;&lt;span style="font-size:85%;"&gt;http://www.macdevcenter.com/pub/a/mac/2005/08/23/xgrid.html&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="http://developer.apple.com/hardwaredrivers/hpc/xgrid_intro.html"&gt;&lt;span style="font-size:85%;"&gt;http://developer.apple.com/hardwaredrivers/hpc/xgrid_intro.html&lt;br /&gt;http://mekentosj.com/widgets/xgrid/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.macresearch.org/the_xgrid_tutorials_part_i_xgrid_basics"&gt;&lt;span style="font-size:85%;"&gt;http://www.macresearch.org/the_xgrid_tutorials_part_i_xgrid_basics&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://lists.apple.com/archives/Xgrid-users/"&gt;&lt;span style="font-size:85%;"&gt;http://lists.apple.com/archives/Xgrid-users/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;The XGrid is up and running with laptops able to come and go. 
Now I just need something to process.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/591733488625546860-4725882120686061157?l=claudewilliam.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://claudewilliam.blogspot.com/feeds/4725882120686061157/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=591733488625546860&amp;postID=4725882120686061157' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/4725882120686061157'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/591733488625546860/posts/default/4725882120686061157'/><link rel='alternate' type='text/html' href='http://claudewilliam.blogspot.com/2007/02/apple-xgrid-for-common-security-tasks.html' title='Apple XGrid for Common Security Tasks'/><author><name>nathaniel</name><uri>http://www.blogger.com/profile/16048665801612201832</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
