R$A
If true, this just leaves me speechless....
The VMware hardening guide for vSphere 5.5 has been released and is available here: https://www.vmware.com/support/support-resources/hardening-guides.html
You know I'm referring to passwords right?
Also from the article:
"studies suggest red-haired women tend to choose the best passwords and men with bushy beards or unkempt hair, the worst."Did that study include *nix admins?
We've probably all done it. I have. You know you have too. Go on, admit it!
Done what you ask? Scrounged around for some free WiFi when travelling. With data roaming costs being so high, free wifi can be a blessing - except when it's a curse!
Here's a fun article from tripwire highlighting how easy it can be to capture credentials from unwitting travellers at an airport and how poor the information security practices in some hotels can be.
What Nabil describes in his article about default passwords and poorly segmented networks pretty much matches some of the stuff I've seen when travelling. What makes it worse is when the place is charging a small fortune for daily internet access - where is that money going? Not on security apparently!
Long story short - don't let down your guard even when connected to 'safe' networks and VPN is your friend!
Oh and Nabil's http://www.toolswatch.org/ page is pretty cool too. Go check it out!
This is a nice rundown on Microsoft EMET's functionality and its strengths and weaknesses. I've been running EMET for about 6 months, its very unobtrusive and I'm yet to see it cause an issue with the applications that I run. I believe the more recent versions are also able to be managed with MS System Center for larger environments.
Microsoft have expanded their mitigation bypass bounty to include not just bypass techniques researched and developed specifically for the program, but also bypass techniques observed in the wild, thereby vastly increasing the number of researchers looking and the chance of finding something novel.
Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.Increasing the chance of finding a novel technique is only the first benefit that Microsoft hope to gain from this expansion, as they point out in the quote below they are also hoping to have an influence on the underground vulnerability markets, increasing the costs to those looking to buy exploits. This is a nice use of market forces to drive security benefit, artificially increasing the cost to the bad guys, I wonder who has more money... (and no, I'm not going down the rabbit hole of nation state actors)
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.The use of market forces to drive up the cost of exploits ties in quite nicely with some discussions I've been having recently about raising the entry criteria for attackers, be it at a micro level such as what you might be doing in your organisation or a macro level such as what Microsoft are doing here. Attempting to 'raise the bar' for adversaries, either by technical or financial means is nothing new, this is the point of every security control or bug bounty program. What is different from other bounty programs with this effort and its predecessor is that Microsoft is incentivising researchers to find new defensive strategies rather than individual vulnerabilities with point solutions, effectively eliminating whole classes of vulnerabilities.
Interesting concept, and one that's probably well over due, but I get the feeling it may be a little like implementing DNSSEC or IPv6... Who knows, maybe the Snowden leaks will provide the push necessary to overcome the inertia.
http://arstechnica.com/business/2013/10/silent-circle-and-lavabit-launch-darkmail-alliance-to-thwart-e-mail-spying/
http://www.darkmail.info/
So I saw this today:
Google will allow its advertisers to use your image and comments in ads for their products, via a new feature called Shared Endorsements. This change raises privacy concerns for some people, and if you use Google Plus, the company's competitor to Facebook, you need to understand these changes.From November 11, the names, images and comments of Google Plus users will be available to Google advertisers for incorporation into the advertisements that appear when users run searches on the site. The changes are reflected in new Terms of Service that are understood to be accepted whenever you use Google services.
Interesting TED Talk on privacy and one which highlighted in my mind an interesting crossover that exists in the Information Security industry. Information Security professionals are often in an excellent position to breach privacy, and are often called upon to do tasks that do just that (though only in an ethical and responsible manner). On the flip side and possibly as a result of the above, they are often the strongest proponents of improved privacy controls and the most outspoken critics of those that breach them.
Following on from my Storing Passwords post, here is an excellent and far more comprehensive discussion of password storage (albeit in a .NET context) from Troy Hunt.
A while back, one of the guys here at work set up an open source collaboration web app to exchange some files with a customer, being an inquisitive chap I thought I'd take a wander through the source code to see how it fared from a security stand point. My first port of call for these sort of things is usually to have a look at how they're doing authentication and in this case they're doing (arguably) the right thing or, at least better than a number of other web apps out there and storing an individually salted sha1 hash of the password, they also offer the option of LDAP integration, so far so good.
The code for validating password complexity when setting passwords turned out to be a bit more interesting, the user’s password is stored with the other user details in the user table in MySQL, but there is also a password table, and the passwords in it don't look like sha1 hashes... A little more digging through the code reveals this table to be a password history table, but this doesn't explain why the passwords aren't just stored as hashes, there are also a couple of functions with ominous names called within the password reset code (cp_encrypt and cp_decrypt) that take the password as a parameter... eeek! Also, testing confirms that not just the history, but also the current password is stored in this table.
1: function cp_encrypt($password, $time){
2: //appending padding characters
3: $newPass = rand(0,9) . rand(0,9);
4: $c = 1;
5: while ($c < 15 && (int)substr($newPass,$c-1,1) + 1 != (int)substr($newPass,$c,1)){
6: $newPass .= rand(0,9);
7: $c++;
8: }
9: $newPass .= $password;
10:
11: //applying XOR
12: $newSeed = md5(SEED . $time);
13: $passLength = strlen($newPass);
14: while (strlen($newSeed) < $passLength) $newSeed.= $newSeed;
15: $result = (substr($newPass,0,$passLength) ^ substr($newSeed,0,$passLength));
16:
17: return base64_encode($result);
18: }
1: function cp_decrypt($password, $time){
2: $b64decoded = base64_decode($password);
3:
4: //applying XOR
5: $newSeed = md5(SEED . $time);
6: $passLength = strlen($b64decoded);
7: while (strlen($newSeed) < $passLength) $newSeed.= $newSeed;
8: $original_password = (substr($b64decoded,0,$passLength) ^ substr($newSeed,0,$passLength));
9:
10: //removing padding
11: $c = 1;
12: while($c < 15 && (int)substr($original_password,$c-1,1) + 1 != (int)substr($original_password,$c,1)){
13: $c++;
14: }
15: return substr($original_password,$c+1);
16: }
As I mentioned in a previous blog post I'm doing a bit of lecturing for an undergraduate degree in Network Security, this semester I'm teaching Enterprise Security. This week we covered Security Engineering and were discussing, among other things, the psychology/ behavioural economics of Phishing. Rather than try and explain the incentives and mentality at play when someone clicks on a phishing link I thought I'd take a more practical approach and carry out a small simulated phishing campaign.
Using the Simple Phishing Toolkit, an excellent but sadly abandoned open source tool for running educational Phishing campaigns, I set out to phish the students under the guise that their Moodle platform had been upgraded with a number of bug and security fixes and a link to click to see a full list of the changes. The tool provides the capability to have a dummy login form, even providing an inbuilt scraper to automate the building of the form, I stopped short of this however, mainly due to time constraints. For the purposes of this exercise just clicking on the phishing link was enough to get you marked as a victim. After all, these are students who are studying security and should know better than to click on a links in an email without validating the destination and visiting a malicious site is often enough.
Having set up the campaign and pushed out the emails I went off to do some other jobs that needed doing, I didn't really expect to get too many hits on the link, it pointed at a dynamic IP and I didn't really think they would find a list of updates to Moodle worth clicking through for ( a theory that was subsequently confirmed when I spoke to them in the lecture). As it turns out either I'm a better phisherman than I give myself credit for or this group of students is a gullible bunch, 12 out of a total 32 students clicked on the link (see chart below). Given that a couple of those 32 students seem to have given up checking course related emails, the percentage may be even higher. Those that clicked on the link were redirected to a phishing education page (also supplied in SPT) with a video on phishing from Symantec.
It's been quiet around here lately as I've been travelling and extremely busy with work. However it's time to get back to blogging on a semi-regular basis (I don't know what Richard's excuse is!)
While checking out the new IOS7 features recently (although I've yet to upgrade) I came across this gem:
Apps can now be configured to automatically connect to VPN when they are launched. Per app VPN gives IT granular control over corporate network access. It ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee's personal web browsing activity, does not.Now that's a nice feature (and about time), especially in the BYOD era. Speaking of BYOD, I recently had a chance to meet a number of Security managers from around the world and BYOD was a hot topic. However here in Japan it is not even on the radar for many organizations. A Logicalis research paper [pdf] from last year showed Japan as significantly trailing other markets in regards to corporate IT actively promoting BYOD and, perhaps unsurprisingly, leading the pack in the measure of 'IT don't know about it but we're doing it anyway'.
As we move into the age of the Internet of Things, expect to see more and more stories like this one, where a luxury toilet firm here in Japan have developed a Android-app controlled 'smart toilet'. The problem? All the toilets are hardcoded to a PIN of 0000 -- allowing anyone with the app (in bluetooth range) to control the toilet.
While the actual benefits of a Android-app controlled toilet escape me at present (and the impact of an attack is admittedly pretty minor), the poor security in the execution is unfortunately all too common. Today it's a toilet, tomorrow implanted medical devices (actually that is also today...).
The toilet pales in comparison to the Smart TV Hacking [pdf] research from Korea. Which is extra creepy if you're watching your smart TVon your smart toilet...
Remember when getting hacked was a bad thing? Now apparently it is a marketing opportunity!
US Food chain Chipolte faking it's twitter account being hacked to generate 'buzz' as a marketing exercise.
Of course while others have claimed twitter accounts were hacked to cover up embarrassing behavior, this is the first time I've seen someone making a claim of being hacked as marketing.....
After a few recent high-profile data breaches, and all the global cyberwar press, here in Japan a Cyber Defence Unit (CDU) is being created, but not without what appears to be warranted criticism.
No word on whether it will also include animal handlers for their incident investigation team.
I think I speak for us all when I say we expected any Japanese military (or SDF) related unit with the word "cyber" in it's name to include more of this kind of thing...!
It's a few months old, but there's an interesting article at that home of Internet satire, The Onion on how they were hacked.
It's always good to see when companies are able to disclose some of these details so the rest of us can learn from their misfortune.
Irony: Emails about Governments snooping on private data used to distribute malware that allows criminals snoop on your private data...
SANS have put out this nice poster of useful pen-testing resources.
Threat Post has an article about some researchers who have found that iOS 6 default mobile hotspot random passwords are not so random after all (there are 1,842 different words) and therefore not too hard to brute force. Additonally...
“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.
Following on from my previous post on 'gaming the system', a friend sent me this link to Frank Abagnale Junior - the man played by Leonardo DiCaprio in "Catch me if you can" - giving the closing keynote at the RSA APAC conference (youtube).
It's an interesting talk to hear how someone with a hacker mindset in the 60s was able to social engineer and defeat some of the security systems of the day...just by not following 'the rules'.
John McAfee has posted an "instructional" video on "How to uninstall McAfee Antivirus" (youtube).
I'm sure the McAfee marketing department are appreciating his efforts...
I do enjoy stories of people gaming systems. This one came up today of a man who took advantage of a National Australia Bank promotion to earn 380,000 frequent flyer points for $70. The bank offered 100 frequent flyer points per purchase - but failed to state a minimum purchase value. A whole lot of 1c purchases later and the guy had 380,000 points -- before the bank noticed and closed the loophole!
It kinda reminds me of the (in)famous Pepsi promotion in the US in the 90s where they offered a Harrier Jump Jet as the prize for collecting 7,000,000 pepsi points. When a guy bought the points for $700,000 and went to claim his multi-million dollar jet the result was -- a lawsuit!
At least in the NAB case, the guy got to keep the points!
The lesson? Imaginative people will always find a way to game the system if the reward is worth the effort!
The 2013 OWASP top 10 has been released, and sad to say the number one spot has not changed since the last top 10 in 2010.....Injection!
OWASP Top 10 – 2013
|
A1 – Injection
|
A2 – Broken Authentication
and Session Management
|
A3 – Cross-Site Scripting
(XSS)
|
A4 – Insecure Direct
Object References
|
A5 – Security
Misconfiguration
|
A6 – Sensitive Data
Exposure
|
A7 – Missing Function
Level Access Control
|
A8 – Cross-Site Request
Forgery (CSRF)
|
A9 – Using Known
Vulnerable Components
|
A10 – Unvalidated
Redirects and Forwards
|
The NY Times has an interesting article on the hacking culture in China. It is especially interesting in the context of the Business Week article from the following day titled How the US Government hacks the world.
And just so the non-governmental types don't feel left out, a friend passed me the LA Times article on 'hacking back', a topic which seems to have become more and more of a discussion point recently.
Perhaps we'll end up taking a leaf out of the history books and start issuing Letters of Marque to Cyber-privateers!
Not so new, but here [pdf] is an interesting bit of research I only saw recently on Zero-Day attacks by some Symantec staff.
Zero-day attacks last on average 312 days, and up to 30 months, and they typically a ffect few hosts.... After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
So it looks like Australia may finally have a data breach notification law. It was back in 2011 when the Government started really discussing this again and at that time I wrote a little about it and posted to links to an interesting point/counterpoint as to whether these laws work. While I think the jury may still be out, I hope some law is better than no law and at the very least we get something reasonable that makes sense.
(am I setting the bar too high here?)
At the same time "China" is reported to have hacked the Australian Government, including stealing plans for the new ASIO Headquarters - but it seems we forgive them, so all is OK.
I wonder if/what the Government would have to report if the new laws were in place already?
National Cyber Security Awareness week is this week (20-24 May). Full details here.
Think this might be kind of like letting my 2 year old guard the bikkie tin...
http://www.zdnet.com/cn/chinas-kingsoft-unveils-cloud-based-apt-product-7000015424/
I sense this is not going to be without it's challenges or challengers...
http://www.reuters.com/article/2013/05/15/us-cyber-summit-flaws-idUSBRE94E11B20130515?irpc=932
Privacy is getting more and more attention in Australia, with the Privacy Commissioner recently stating:
"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects"
Here's an interesting article on the motivation of Chinese hackers.
To quote a famous Chinese historical figure:
This also aligns with a timely point in the just-released Verizon Data Breach Report for 2013 - "we’re convinced of the critical importance of understanding your enemy"“If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle” --Sun Tzu.
Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier
Someone asked me about this today, so I thought I'd add a link. for a while now Microsoft have regularly published an excel spreadsheet with all the details on their patches. It is quite useful as a quick reference!
It's available here under "Download Detailed Bulletin Information". Or direct link is here.
I recently came across this rather interesting story (wired.com) about a guy who added secret compartments to vehicles. End of the story is, despite the fact what he did may not technically be illegal, he got 24 years in prison as some of his clients were (without his knowledge - although he may have suspected) major drug smugglers. At the same time, the two guys in charge of the drug smuggling operation got much shorter sentences - go figure!
The article ends with the comment:
The (hacker) culture’s libertarian ethos holds that creators shouldn't be faulted if someone uses their gadget or hunk of code to cause harm; the people who build things are under no obligation to meddle in the affairs of the adults who consume their wares.Interesting food for thought. To what extent is the creator responsible for the use of his/her creation?
But Alfred Anaya’s case makes clear that the government rejects that permissive worldview. The technically savvy are on notice that they must be very careful about whom they deal with, since calculated ignorance of illegal activity is not an acceptable excuse.
Apparently March 31st was World Backup Day! (http://www.worldbackupday.com/)
Although the date has passed, backing up your data = good! Losing your data because you had no backup = bad!
So go and take a few minutes to ensure your data is backed up.
Seeing the recent Telstra video about how amazingly internet-connected the world will be reminded me of a recent blog post by Pure Hacking CTO Ty Miller called "Hacking in the year 2030".
While the Telstra video is all 'minority report-esque', it doesn't seem too far fetched - although I can imagine the fun to be had messing up with a friend's shopping list by hacking their garbage can.
Ty's vision of the future may come off as a little grim, but I can't say I disagree with it. In the last decade we haven't managed to eliminate SQL Injection as a vulnerability, but it could be argued that we've made the impact of SQLi exploitation worse by making so much more information available through the ever-increasing plethora of vulnerable websites. As we rely more and more on the internet and our connected devices multiply exponentially (with the associated exponential growth in the number of connections those devices make with each other; and everything around them) the number of ways to subvert and compromise those systems will similarly grow, as will the impact of malicious actions.
Deleting the 1995 version of Sandra Bullock in "The Net" may have seemed ridiculously far-fetched at the time, but the social networking revolution has more and more people interacting with people they've never met than ever before - going as far as 'dating' and 'mourning the death' of a girlfriend who never existed.
Deleting Sandra in 2013 or 2030 may be easier than ever! (Expect a Hollywood remake!)
As a side note this article is a fun look at how you can blame Minority Report for far more than just being a bad film.
This was sent to me by a friend is an interesting read about a recent massive DDoS (distributed denial-of-service) attack that was aimed at Spamhaus.
The attack was a type of DNS-recursion amplification attack [pdf] that uses bogus queries to DNS servers to massively amplify the amount of bandwidth consumed by the attackers to over 300Gbps at times.
Cloudflare have another great explanation of this type of attack here.
The website at http://openresolverproject.org/ can be used to help you identify if you have DNS servers configured to allow recursion, and provides some configuration suggestions (such as rate limiting)
.
http://arstechnica.com/security/2013/03/cisco-switches-to-weaker-hashing-scheme-passwords-cracked-wide-open/
This was from a little while back, but I hadn't got around to posting it yet. Dan Kaminsky offering a different view of passwords:
"You know what's amazing about passwords? They totally work," Kaminsky said. "The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."
An easier way to make passwords more secure, Kaminsky said, is to mandate 12-character passwords, but make them all lowercase letters so users can create passphrases that are long but easy to remember. Increasing the length of passwords and thereby making them harder to crack is critical, he added, but it has to be done in a way that doesn't overly tax the human memory.He certainly brings up a good point. The problem may not be passwords, but bad passwords. And why do we get bad passwords? The same reason we get single passwords used across multiple systems or people using their birthdays as PIN numbers - "Password1" or "P@ssw0rd" is easier to remember that "w4dHu92#".
Release candidate for the 2013 OWASP Top 10:
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf
I heard this term for the first time the other day, and while I think there are several analogies from the Titanic that can be drawn upon for describing concepts in information security, perhaps few are as apt as this. It implies, of course, the futility of rushing around making minor adjustments in the face of impending disaster. Counteracting this requires you to have a broad picture of the security issues in your area of responsibility so you can focus on avoiding the iceberg toward which you are currrently heading at full steam. It means focussing on the highest risk issues first and letting the minutiae go for another day. If you are a network operations guy this means doing away with unencrypted protocols for administration before changing the enable secret on the router, if you are a developer it means fixing the SQL Injection vulnerability on the login form of your app before fixing the difficult to exploit XSS bug on a page only accessible post authentication.
The US State Department has a very effective model for this which they use for vulnerability management in their unclassified network, it is described in some detail here. There are three main components to this system, continuous monitoring, a weighted scoring system and continuous feedback to both those responsible for making changes and those reponsible for overseeing the security of the organisation. Interestingly it lists as one of it's objectives 'inspiring competition' which I think could be a very useful way of incentivising security initiatives, but that's a topic for another post. The key component as it relates to this post is the continuous nature of the feedback, administrators are sent one task (the highest priority for the systems which they are responsible for) to remediate on a daily basis. The scoring system operates at a operates at a host, site and enterprise level, allowing the feedback to occur at all levels safely guiding the ship around the icebergs.
While the scheme described above does its best to objectify the security changes to be made, situations will vary and what is critical in one context will be less so in another, the important thing is that you do the assessment and make the changes in a sensible order. Sometimes business pressures or regulatory compliance will mean that these priorities will be changed but at least the trade off is understood. If you are placed in a position where you need to meet a compliance requirement perhaps use it as an opportunity to make material gains in your security posture i.e. comply with spirit of the law and the letter.
So it seems I will be lecturing 'Mobile Computing and Security' for Northern Sydney Institute of TAFE's Bachelor of Network Security this semester. It should be an interesting challenge and I'm quite looking forward to it. It seems like a pretty good program they run, with a mix of industry certifications and a good broad range of more traditional university type subjects.
Now this is really interesting, especially if you're using onscreen virtual keyboards to prevent MITM capture of keystrokes.
And according to Spider.io: "The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month".
Interesting look at some of the security architecture in the new Mega site
http://fail0verflow.com/blog/2013/megafail.html
I think the key message here is that if you are going to implement cryptographic systems, even standards based ones, you need to understand the limitations of that particular implementation and it's correct uses.
This is just plain funny
http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/
Nice description of why regex based blacklists are bad
http://deadliestwebattacks.com/2013/01/14/a-lesser-xss-attack-greater-than-your-regex-security/
First post for 2013. The plan is to hopefully be a bit more active after a slow 2012!
I came across this interesting article that has the details of an interview with Bruce Schneier.
While I pretty much agree with Bruce and especially like Bruce's last comment: "Is my data more secure with you than it is with me?", I think the problems begin with the follow-up to that question - which is "prove it".
Now 'proving security' is fraught with danger (and is most likely an impossible task), but while you may have a good understanding of what you do - or don't do - from a security perspective, it's the lack of details that cloud providers will supply on their security practices (other than to say "we use military-grade encryption" or "we follow industry best practices") that always concerns me.
"Trust us" seems to be the mantra from a number of cloud or SaaS providers and trust them we have, sometimes with less than stellar results.
Before signing over the keys to the kingdom to cloud providers, I think it's important to get a good understanding of exactly how they protect your data, what will happen if they do suffer a breach (at what point do they notify you? When they suspect something happened or 2 weeks later when they've confirmed the breach?) and what you can can do to protect your data (such as encrypt everything and keep the keys to yourself).
Disclaimer: The views and opinions expressed here are those of the authors only and in no way represent the views, positions, or opinions of any previous, current, or future employers, clients, or associates.