Steve's Views Rotating Header Image

Security

The threat from email

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats. TRACE provides a service to Marshal customers as part of standard product maintenance. The service includes updates to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. TRACE also provides “Zero Day” security protection to secure Marshal customers against new email and virus exploits the day they emerge.

There are several terms that are typical in this area:

Phishing, is a play on the word fishing, and does pretty much the same but for information instead of fish. By gathering information from computers and or people they gain enough of an edge to gain access and control over others computers.

Malware is software which is written to basically help cyber-criminals gain information and access to other peoples computers and networks. It might be hiding in web code (html) or some attachment like an mp3 or pdf file.

A Botnet is a network of “contaminated” computers that are under the control of the cyber-criminals. It is used to send bulk emails and to conduct mass attacks.

“It would be incomplete to discuss spam without commenting on the
malware and criminal activity that sustains it. Distributing spam and
malware is firmly in the domain of professional criminals looking for
financial gain. In the last six months, cyber-criminals have, unfortunately,
reached new heights of sophistication and capability.

“Not only have the large botnets taken over in terms of spam volume, they
have also evolved to reach new levels of sophistication. During the middle
of 2007, the Storm botnet grew rapidly following mass spamming of emails
containing links to websites hosting malicious code. The websites not
only hosted executable files that could be downloaded by users, but they
also hosted malicious code that attempted to exploit a number of different
known browser vulnerabilities.

The above are quotes from www.marchal.com. The link points to a page where you can read the whole report, and others.

In the report Marshal talks about cyber-criminals, “They operate in a thriving underworld marketplace where services, software tools, and software development are freely bought and sold. Computer skills are no longer necessary to execute cybercrime.”

They point out that in a recent case a botnet was rented out for $200/week which a spammer can use to send 100 million spam messages. With the considerable income from naive Internet shoppers a lot of money can and is made, which is of course what is attracting people who feel unable to earn an honest income.

Big sites are also hacked to help distribute the malware. MySpace, monster.com are but two examples. By generating a large amount of accounts with gmail, hotmail and the like they are able to spam from these accounts in bulk.

I strongly recommend that if nothing else you read the conclusion and recommendations at the last two pages. (marshal.com)

Why not to give admin or root access by default

[This is a reply to why setting your OS to give admin (root) access without a password on your computer is a not a good idea. It appeared on a Pardus review.]

Your argument is very understandable and is shared by most people. Not to be flippant about your knowledge, but it is from a very limited understanding of security, or shall we say how computers are hacked.

For example, needing to enter a password means that a remote hole in an application running as non root will not have root access automatically.

Thinking you are secure when you really don’t know what makes something insecure is folly.

Breaking into a computer it’s not done by “playing by the rules”. But is done by doing things “wrong”. As an example, back when IP firewalls came out they had rules about who’s allowed access simply by IP.

The firewall has to allow replies to requests back in or is useless. So it looked to see if the inbound packets followed the TCP rules of a reply, and if so allowed it access. That was broken by not following the standard TCP rules and they in effect gained access by saying here’s your reply. The firewall allowed the new connection thinking it was a reply.

After that we got stateful inspection which tracks outbound requests, and can therefor tell if a reply originated from an internal request or not. This is a very old example but the principle still holds true. Holes are found by doing the unusual and often wrong thing.

Take buffer overflows, they have been the most commonly used method. Which consists of writing a lot more information into a field than is expected. The poorly written program cannot process the extra information and they end up someplace in memory where it is executed, resulting in illegal access. This is a simplified view but still holds true.

When you think security, unless you have actually seen not one but how many illicit accesses are gained, don’t make the mistake in thinking that you even have a clue of what is or is not secure. It takes a LOT more than that. What’s even worse is that new holes are discovered all the time. Thus, you need to think in concepts of secure methods. Security becomes not if they can get in but finding the balance of secure vs productive methods of operating. Adding multiple levels of secure behavior with the final level being users who follow the established rules and has some respect for it all.

Look up some challenge when someone said we’ll pay you X dollars if you can break in. Then see how they did it. There were f.ex. a challenge on a shopping cart where it had some 600,000 attempts with a few successful entries. They were so ingenious nobody not experienced in real hands on hacking would have figured it out.

A bad but typical poor security example is from the early days on NT. Microslop claimed NT had received a government security rating. What they did not tell us was it required that the floppy and network card was disabled.

This false sense of security was then promoted by others, like those who wanted to defend their poor choice in OS or with an inflated self importance, by promoting how secure it was. Subsequently others who knew they themselves did not understand security listen to those who knew even less and believed they actually had a secure OS.

Security is a pain in the butt, which simply has to be balanced with the pain of loosing confidential info or loss of operation, and must not be done by coffee shop security wanna bees.

At the very best you end up shooting yourself and others in the foot with your ignorance. There are plenty of places where you can find discussions by pros discussing holes in various programs and what not. Spend some time with them and get a feel of things. (See Full disclosure, bug track. Crypto-Gram by Bruce Schneier is a very informative list for a layman. You’ll find good links and info on insecure.org.)
Good luck!

Why Windows is less secure then Linux

It’s one thing to know by your own experience, another to be told by others.
Sometimes you run into something that communicates very well. Like images. Here’s an article that does just that. It communicates graphically in a way that is hard to put in words.

Why Windows is less secure than Linux by ZDNet‘s Richard Stiennon
— Windows is inherently harder to secure than Linux. There I said it. The simple truth.

Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture.

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

This is a comparison between Linux and their web server and Windows and their webserver. The first picture is of the system calls that occur on a Linux server running Apache.

syscallapachesmall

This second image is of a Windows Server running IIS.

syscalliissmall

The difference is clear. Thanks to Sana Security for generating and providing these images.

Please note that 1. I am not a journalist. 2. I do not work for ZDnet. 3. I am an independant blogger. 4. This is a blog entry not a news article.

A deeper insight into security – CRYPTO-GRAM

Here’s a reprint of Crypto-Gram by Bruce Schneier. His newsletter is one of the most read on the subject. It is a strongly recommended reading for all who care about themselves and others.

Schneier also gives a good insight into how to motivate security in any area. (See Aligning Interest with Capability, below.)

Here in it’s entirety is:

CRYPTO-GRAM

June 15, 2006

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
.

You can read this issue on the web at
. These same essays
appear in the “Schneier on Security” blog:
. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
The Value of Privacy
Movie-Plot Threat Contest Winner
Crypto-Gram Reprints
Diebold Doesn’t Understand the Security Threat
News
Hacking Computers Over USB
The Doghouse: KRYPTO 2.0
Counterpane News
Aligning Interest with Capability
Comments from Readers

** *** ***** ******* *********** *************

The Value of Privacy

Last month, revelation of yet another NSA surveillance effort against
the American people rekindled the privacy debate. Those in favor of
these programs have trotted out the same rhetorical question we hear
every time privacy advocates oppose ID checks, video cameras, massive
databases, data mining, and other wholesale surveillance measures: “If
you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no
cause to watch me.” “Because the government gets to define what’s
wrong, and they keep changing the definition.” “Because you might do
something wrong with my information.” My problem with quips like these
— as right as they are — is that they accept the premise that privacy
is about hiding a wrong. It’s not. Privacy is an inherent human right,
and a requirement for maintaining the human condition with dignity and
respect.

Two proverbs say it best: “Quis custodiet ipsos custodes?” (“Who
watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he
famously said, “If one would give me six lines written by the hand of
the most honest man, I would find something in them to have him
hanged.” Watch someone long enough, and you’ll find something to arrest
— or just blackmail — him with. Privacy is important because without
it, surveillance information will be abused: to peep, to sell to
marketers, and to spy on political enemies — whoever they happen to be
at the time.

Privacy protects us from abuses by those in power, even if we’re doing
nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not
deliberately hiding anything when we seek out private places for
reflection or conversation. We keep private journals, sing in the
privacy of the shower, and write letters to secret lovers and then burn
them. Privacy is a basic human need.

A future in which privacy would face constant assault was so alien to
the framers of the Constitution that it never occurred to them to call
out privacy as an explicit right. Privacy was inherent to the nobility
of their being and their cause. Of course being watched in your own
home was unreasonable. Watching at all was an act so unseemly as to be
inconceivable among gentlemen in their day. You watched convicted
criminals, not free citizens. You ruled your own home. It’s intrinsic
to the concept of liberty.

For if we are observed in all matters, we are constantly under threat
of correction, judgment, criticism, even plagiarism of our own
uniqueness. We become children, fettered under watchful eyes,
constantly fearful that — either now or in the uncertain future —
patterns we leave behind will be brought back to implicate us, by
whatever authority has now become focused upon our once-private and
innocent acts. We lose our individuality, because everything we do is
observable and recordable.

How many of us have paused during conversations in the past
four-and-a-half years, suddenly aware that we might be eavesdropped on?
Probably it was a phone conversation, although maybe it was an e-mail
or instant message exchange or a conversation in a public place. Maybe
the topic was terrorism, or politics, or Islam. We stop suddenly,
momentarily afraid that our words might be taken out of context, then
we laugh at our paranoia and go on. But our demeanor has changed, and
our words are subtly altered.

This is the loss of freedom we face when our privacy is taken from us.
This was life in the former East Germany, or life in Saddam Hussein’s
Iraq. And it’s our future as we allow an ever-intrusive eye into our
personal, private lives.

Too many wrongly characterize the debate as “security versus privacy.”
The real choice is liberty versus control. Tyranny, whether it arises
under threat of foreign physical attack or under constant domestic
authoritative scrutiny, is still tyranny. Liberty requires security
without intrusion, security plus privacy. Widespread police
surveillance is the very definition of a police state. And that’s why
we should champion privacy even when we have nothing to hide.

A version of this essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,70886-0.html

Daniel Solove comments:
http://www.concurringopinions.com/archives/2006/05/is_there_a_good.html
or http://tinyurl.com/nmj3u

** *** ***** ******* *********** *************

Movie-Plot Threat Contest Winner

I can tell you one thing, you guys are really imaginative. The
response to my Movie-Plot Threat Contest was more than I could imagine:
892 comments. I printed them all out — 195 pages, double sided — and
spiral bound them, so I could read them more easily. The cover read:
“The Big Book of Terrorist Plots.” I tried not to wave it around too
much in airports.

I almost didn’t want to pick a winner, because the real point is the
enormous list of them all. And because it’s hard to choose. But after
careful deliberation, the winning entry is by Tom Grant. Although
planes filled with explosives is already cliche, destroying the Grand
Coulee Dam is inspired. Here it is:

“Mission: Terrorize Americans. Neutralize American economy, make
America feel completely vulnerable, and all Americans unsafe.

“Scene 1: A rented van drives from Spokane, WA, to a remote setting in
Idaho and loads up with shoulder-mounted rocket launchers and a couple
of people dressed in fatigues.

“Scene 2: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Spokane, WA, airport. A van full of explosives is
unloaded at the depot.

“Scene 3: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Kamloops, BC, airport. A van full of explosives is
unloaded at the depot.

“Scene 4: A van with mercenaries drives through the Idaho forests en
route to an unknown destination. Receives cell communiqué that
locations Alpha and Bravo are secured.

“Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by
terrorists who overtake the plane and its crew. Explosives are loaded
aboard the aircraft. The same scene plays out in Spokane moments
later, and that plane is loaded with explosives. Two pilots board
each of the cargo planes and ask for takeoff instructions as night
falls across the West.

“Scene 6: Two cargo jets go airborne from two separate locations. A
van with four terrorists arrives at its destination, parked on an
overlook ridge just after nightfall. They use infrared glasses to scope
the target. The camera pans down and away from the van, exposing the
target. Grand Coulee Dam. The cell phone rings and notification comes
to the leader that ‘Nighthawks alpha and bravo have launched.’

“Scene 7: Two radar operators in separate locations note with alarm
that UPS cargo jets they have been tracking have dropped off the radar
and may have crashed. Aboard each craft the pilots have turned off
navigational radios and are flying on ‘manual’ at low altitude. One
heading South, one heading North.

“Scene 8: Planes are closing in on the ‘target’ and the rocket
launcher crew goes to work. With precision they strike lookout and
defense positions on the dam, then target the office structures
below. As they finish, a cargo jet approaches from the North at high
velocity, slamming into the back side of the dam just above the
waterline and exploding, shuddering the earth. A large portion of the
center-top of the dam is missing. Within seconds a cargo plane coming
from the South slams into the front face of the dam, closer to the
base, and explodes in a blinding flash, shuddering the earth. In
moments, the dam begins to fail, and a final volley from four rocket
launchers on the hill above helps break open the face of the dam. The
40-mile-long Lake Roosevelt begins to pour down the Columbia River
Valley, uncontrolled. No warning is given to the dams downriver, other
than the generation at G.C. is now offline.

“Scene 9: Through the night, the surging wall of water roars down the
Columbia waterway, overtopping dam after dam and gaining momentum (and
huge amounts of water) along the way. The cities of Wenatchee and
Kennewick are inundated and largely swept away. A van of renegades
retreats to Northern Idaho to hide.

“Scene 10: As day breaks in the West, there is no power from Seattle
to Los Angeles. The Western power grid has failed. Commerce has ground
to a halt west of the Rocky Mountains. Water is sweeping down the
Columbia River gorge, threatening to overtop Bonneville dam and wipe
out the large metro area of Portland, OR.

“Scene 11: Bin Laden releases a video on Al Jazeera that claims
victory over the Americans.

“Scene 12: Pandemonium, as water sweeps into a panicked Portland,
Oregon, washing all away in its path, and surging water well up the
Willamette valley.

“Scene 13: Washington situation room…little input is coming in from
the West. Some military bases have emergency power and sat phones, and
are reporting that the devastation of the dam infrastructure is
complete. Seven major and five minor dams have been destroyed.
Re-powering the West coast will take months, as connections from the
Eastern grid will have to be made through the New Mexico Mountains.

“Scene 14: Worst U.S. market crash in history. America’s GNP drops
from the top of the charts to 20th worldwide. Exports and imports cease
on the West coast. Martial law fails to control mass exodus from
Seattle, San Francisco, and L.A. as millions flee to the east. Gas
shortages and vigilante mentality take their toll on the panicked
populace. The West is ‘wild’ once more. The East is overrun with
millions seeking homes and employment.”

Congratulations, Tom. I’m still trying to figure out what you win.

Contest rules and all entries:

Announcing: Movie-Plot Threat Contest

Update, including selection criteria:

Movie Plot Threat Contest: Status Report

Winning entry:

Announcing: Movie-Plot Threat Contest

** *** ***** ******* *********** *************

Crypto-Gram Reprints

Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
. These are a selection
of articles that appeared in this calendar month in other years.

Internet Attack Trends:
http://www.schneier.com/crypto-gram-0506.html#1

U.S. Medical Privacy Law Gutted:
http://www.schneier.com/crypto-gram-0506.html#9

Breaking Iranian Codes:
http://www.schneier.com/crypto-gram-0406.html#1

The Witty Worm:
http://www.schneier.com/crypto-gram-0406.html#9

The Risks Of Cyberterrorism:
http://www.schneier.com/crypto-gram-0306.html#1

Fixing Intelligence Failures:
http://www.schneier.com./crypto-gram-0206.html#1

Honeypots and the Honeynet Project
http://www.schneier.com/crypto-gram-0106.html#1

Microsoft SOAP:
http://www.schneier.com/crypto-gram-0006.html#SOAP

The Data Encryption Standard (DES):
http://www.schneier.com/crypto-gram-0006.html#DES

The internationalization of cryptography policy:
http://www.schneier.com/crypto-gram-9906.html#policy
and products:
http://www.schneier.com/crypto-gram-9906.html#products

The new breeds of viruses, worms, and other malware:
http://www.schneier.com/crypto-gram-9906.html#viruses

Timing attacks, power analysis, and other “side-channel” attacks
against cryptosystems:
http://www.schneier.com/crypto-gram-9806.html#side

** *** ***** ******* *********** *************

In the long term, corporate data mining efforts are more of a privacy
risk than government data mining efforts. And here’s an off-the-shelf
product from IBM:
http://www-306.ibm.com/common/ssi/fcgi-bin/ssialias?subtype=ca&infotype=
an&appname=iSource&supplier=649&letternum=ENUSA06-0519 or
http://tinyurl.com/q29er

The UK Intelligence and Security Committee has issued a report on the
July 7 terrorist bombings in London:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/isc_7j
uly_report.pdf or http://tinyurl.com/hazzn
The UK government has issued a response:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/govres
_7july.pdf or http://tinyurl.com/j8q5x
About the Intelligence and Security Committee:
http://www.cabinetoffice.gov.uk/intelligence/index.asp

From a list of 100,000 passwords for a German dating site, we learn
that “123456” works 1.4% of the time and that 2.5% of all passwords
begin with “1234.” Interesting.
http://www.heise.de/newsticker/meldung/73396

Bank defends its bad security by saying that everyone else does it, too.
http://blogs.zdnet.com/Ou/?p=226

Interesting essay about how EU law would treat the NSA’s collection of
everyone’s phone records.
http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html
or http://tinyurl.com/mpv6d

Animated political cartoon on NSA eavesdropping. And a song, too.
http://www.newsday.com/news/opinion/ny-wh-nsawiretapping,0,1906650.flash
or http://tinyurl.com/rg57v

You can audit “Welcome to Practical Aspects of Modern Cryptography”:
University of Washington, Winter 2006, by Josh Benaloh, Brian
LaMacchia, and John Manferdelli. The course materials and videos of
the lectures are online.
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/

Fascinating interview with a debit card scammer. Moral: securing this
system isn’t going to be easy.
http://smallworldpodcast.com/?p=391

And some comments from a fake ID salesman, in case you thought
hard-to-forge national ID cards would solve the problem:
http://www.cbsnews.com/stories/2006/06/02/ap/national/mainD8I07PHG0.shtm
l or http://tinyurl.com/rafve

“How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to
Government Agents.”
http://library.findlaw.com/2004/May/11/147945.html

Nice article discussing the hype, and reality, over the threat of
homebrew chemical weapons.
http://www.theregister.co.uk/2006/06/04/chemical_bioterror_analysis/

Just hide this gadget in someone’s car or briefcase — or maybe sew it
into his coat — and then track his every move using GPS. You have to
recover the device to play it back, but presumably the next generation
will be queryable remotely.
http://www.thinkgeek.com/gadgets/security/8212/?cpg=cj

The U.S. government is asking ISPs to save personal data about you, in
case they need access to it.
http://www.latimes.com/technology/la-fi-internet2jun02,0,622125.story?co
ll=la-home-headlines or http://tinyurl.com/zpzvz
Note that the Justice Department invoked two of the Four Horsemen of
the Internet Apocalypse: child pornographers and terrorists. If they
can figure out how to work kidnappers and drug dealers in, they can
probably do anything they want.

From “Assassination in the United States: An Operational Study of
Recent Assassins, Attackers, and Near-Lethal Approachers,” (a 1999
article published in the “Journal of Forensic Sciences”): “Few
attackers or near-lethal approachers possessed the cunning or the
bravado of assassins in popular movies or novels. The reality of
American assassination is much more mundane, more banal than
assassinations depicted on the screen. Neither monsters nor martyrs,
recent American assassins, attackers, and near-lethal approachers
engaged in pre-incident patterns of thinking and behaviour.” The quote
is from the last page. The whole thing is interesting reading.
http://www.secretservice.gov/ntac/ntac_jfs.pdf

Interesting law review article by Helen Nissenbaum: “Privacy as
Contextual Integrity.”
http://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf

New directions in chemical warfare: chemicals that make enemy soldiers
sexually irresistible to each other, attract swarms of enraged wasps,
or cause “severe and lasting halitosis”:
http://www.newscientist.com/article.ns?id=mg18524823.800
Technology always gets better; it never gets worse. There will be a
time, probably in our lifetimes, when weapons like these will be real.

NSA surveillance cartoon:
http://www.ibiblio.org/Dave/Dr-Fun/df200605/df20060517.jpg

Interesting paper on the security of contactless smartcards:
http://www.chi-publishing.com/samples/ISB0903HH.pdf

Wireless surveillance camera detector:
http://www.brickhousesecurity.com/dd9000.html

Great article comparing the barrier Israel is erecting to protect
itself from the West Bank with the hypothetical barrier the U.S. would
build to protect itself from Mexico: “No wonder the [Israeli] fence is
considered a good deal by those living on its western side. But
applying this model to the U.S.-Mexico border will not be easy. U.S.
citizens will find it hard to justify such tough measures when their
only goal is to stop people coming in for work — rather than
preventing them from trying to commit murder. And the cost will be more
important. It’s much easier to open your wallet when someone is
threatening to blow up your local cafe.”
http://www.slate.com/id/2143104/

$1M VoIP scam:
http://www.networkingpipeline.com/news/188702745

NIST has just published “Recommendation for Random Number Generation
Using Deterministic Random Bit Generators.”
http://csrc.nist.gov/publications/nistpubs/index.html

The NSA is combing through MySpace:
http://www.newscientisttech.com/article/mg19025556.200-pentagon-sets-its
-sights-on-social-networking-websites.html or http://tinyurl.com/fk3z6

** *** ***** ******* *********** *************

Hacking Computers Over USB

I’ve previously written about the risks of small portable computing
devices; how more and more data can be stored on them, and then lost or
stolen. But there’s another risk: if an attacker can convince you to
plug his USB device into your computer, he can take it over. From CSO
Magazine:

“Plug an iPod or USB stick into a PC running Windows and the device can
literally take over the machine and search for confidential documents,
copy them back to the iPod or USB’s internal storage, and hide them as
“deleted” files. Alternatively, the device can simply plant spyware, or
even compromise the operating system. Two features that make this
possible are the Windows AutoRun facility and the ability of
peripherals to use something called direct memory access (DMA). The
first attack vector you can and should plug; the second vector is the
result of a design flaw that’s likely to be with us for many years to
come.”

The article has the details, but basically you can configure a file on
your USB device to automatically run when it’s plugged into a
computer. That file can, of course, do anything you want it to.

Recently I’ve been seeing more and more written about this attack. The
Spring 2006 issue of 2600 Magazine, for example, contains a short
article called “iPod Sneakiness” (unfortunately, not online). The
author suggests that you can innocently ask someone at an Internet cafe
if you can plug your iPod into his computer to power it up — and then
steal his passwords and critical files.

And about someone used this trick in a penetration test:

“We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless vendor
giveaway thumb drives collected over the years and imprinted them with
our own special piece of software. I had one of my guys write a Trojan
that, when run, would collect passwords, logins and machine-specific
information from the user’s computer, and then email the findings back
to us.

“The next hurdle we had was getting the USB drives in the hands of the
credit union’s internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

“Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.

“I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software.”

There is a partial defense. From the first article:

“AutoRun is just a bad idea. People putting CD-ROMs or USB drives into
their computers usually want to see what’s on the media, not have
programs automatically run. Fortunately you can turn AutoRun off. A
simple manual approach is to hold down the “Shift” key when a disk or
USB storage device is inserted into the computer. A better way is to
disable the feature entirely by editing the Windows Registry. There are
many instructions for doing this online (just search for ‘disable
autorun’) or you can download and use Microsoft’s TweakUI program,
which is part of the Windows XP PowerToys download. With Windows XP you
can also disable AutoRun for CDs by right-clicking on the CD drive icon
in the Windows explorer, choosing the AutoPlay tab, and then selecting
‘Take no action’ for each kind of disk that’s listed. Unfortunately,
disabling AutoPlay for CDs won’t always disable AutoPlay for USB
devices, so the registry hack is the safest course of action.”

In the 1990s, the Macintosh operating system had this feature, which
was removed after a virus made use of it in 1998. Microsoft needs to
remove this feature as well.

But it’s only a partial defense. In the penetration test, they didn’t
use AutoRun. They just created a sufficiently enticing file, and the
people who found the USB drives manually invoked the executable.

http://www.csoonline.com/read/050106/ipods.html
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
http://www.darkreading.com/boards/message.asp?msg_id=134658

My previous essay:

Risks of Losing Portable Devices

** *** ***** ******* *********** *************

The Doghouse: KRYPTO 2.0

The website is hysterical:

“Proof of the Krypto security !
Which would be, if one would try one of Krypto coded file unauthorized
to decode.
A coded file with the length of 18033 indications has therefore
according to computation, 256 bits highly 18033 indications =
6,184355814363201353319227173630ë+43427
file possibilities. Each file possibility has exactly 18033 indications
byte.
Multiplied by the number of file possibilities then need results in the
memory.
Those are then: 1,1152248840041161000440562362208e+43432 byte.
Those are then: 1,038634110245961789082788150963è+43423 Giga byte data
quantity.
That is a number with 43424 places.
I can surely maintain as much memory place give it in the whole world
not never.
And the head problem now is, which is now the correctly decoded file.
Who it does not know can only say there. That does not know so exactly !
They can code naturally naturally also still successively several
times, even up to
the infinity.”

Machine translated (on the website; not by me) from German into
English. My head hurts just trying to read that.

http://kryptochef.net/index2e.htm

** *** ***** ******* *********** *************

Counterpane News

Schneier is speaking at the FIRST Conference in Baltimore on June 30:
http://www.first.org/conference/2006/

Interview with Bruce Schneier:
http://www.sevendaysvt.com/features/2006/tales-from-the-cryptographer.html

Counterpane announced two pretty cool service agreements:
http://www.counterpane.com/pr-20060605.html

Network World wrote about Counterpane at the Gartner Security Conference:
http://www.networkworld.com/news/2006/060506-gartner-security.html

** *** ***** ******* *********** *************

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the
register: “Your purchase free if you don’t get a receipt”? You almost
certainly didn’t see it in an expensive or high-end store. You saw it
in a convenience store, or a fast-food restaurant, or maybe a liquor
store. That sign is a security device, and a clever one at that. And
it illustrates a very important rule about security: it works best when
you align interests with capability.

If you’re a store owner, one of your security worries is employee
theft. Your employees handle cash all day, and dishonest ones will
pocket some of it for themselves. The history of the cash register is
mostly a history of preventing this kind of theft. Early cash
registers were just boxes with a bell attached. The bell rang when an
employee opened the box, alerting the store owner — who was presumably
elsewhere in the store — that an employee was handling money.

The register tape was an important development in security against
employee theft. Every transaction is recorded in write-only media, in
such a way that it’s impossible to insert or delete transactions. It’s
an audit trail. Using that audit trail, the store owner can count the
cash in the drawer, and compare the amount with the register tape. Any
discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the
register. If someone hands you money for an item and walks out, you
can pocket that money without anyone being the wiser. And, in fact,
that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the
employee, of course. But that’s not very efficient; the whole point of
having employees is so that the store owner can do other things. The
customer is standing there anyway, but the customer doesn’t care one
way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up
a sign saying “Your purchase free if you don’t get a receipt,” the
employer is getting the customer to guard the employee. The customer
makes sure the employee gives him a receipt, and employee theft is
reduced accordingly.

There is a general rule in security to align interest with
capability. The customer has the capability of watching the employee;
the sign gives him the interest.

In Beyond Fear, I wrote about ATM fraud; you can see the same mechanism
at work:

“When ATM cardholders in the US complained about phantom withdrawals
from their accounts, the courts generally held that the banks had to
prove fraud. Hence, the banks’ agenda was to improve security and keep
fraud low, because they paid the costs of any fraud. In the UK, the
reverse was true: The courts generally sided with the banks and assumed
that any attempts to repudiate withdrawals were cardholder fraud, and
the cardholder had to prove otherwise. This caused the banks to have
the opposite agenda; they didn’t care about improving security, because
they were content to blame the problems on the customers and send them
to jail for complaining. The result was that in the US, the banks
improved ATM security to forestall additional losses–most of the fraud
actually was not the cardholder’s fault — while in the UK, the banks
did nothing.”

The banks had the capability to improve security. In the US, they also
had the interest. But in the UK, only the customer had the
interest. It wasn’t until the UK courts reversed themselves and
aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of
software liabilities. Software vendors are in the best position to
improve software security; they have the capability. But,
unfortunately, they don’t have much interest. Features, schedule, and
profitability are far more important. Software liabilities will change
that. They’ll align interest with capability, and they’ll improve
software security.

One last story. In Italy, tax fraud used to be a national hobby. (It
may still be; I don’t know.) The government was tired of retail stores
not reporting sales and paying taxes, so they passed a law regulating
the customers. Any customer having just purchased an item and stopped
within a certain distance of a retail store, had to produce a receipt
or they would be fined. Just as in the “Your purchase free if you
don’t get a receipt” story, the law turned the customers into tax
inspectors. They demanded receipts from merchants, which in turn
forced the merchants to create a paper audit trail for the purchase and
pay the required tax.

This was a great idea, but it didn’t work very well. Customers,
especially tourists, didn’t like to be stopped by police. People
started demanding that the police prove they just purchased the
item. Threatening people with fines if they didn’t guard merchants
wasn’t as effective an enticement as offering people a reward if they
didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful
how you generate interest.

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,71032-0.html

** *** ***** ******* *********** *************

Comments from Readers

There are hundreds of comments — many of them interesting — on these
topics on my blog. Search for the story you want to comment on, and
join in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
. Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to
schneier@counterpane.com. Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied
Cryptography,” and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See .

Counterpane is the world’s leading protector of networked information –
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See .

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.

Viruses, Worms, Firewalls and Security

There are some things to be aware of when it comes to firewalls. Here’s a technical description brought down to layman language. I’m taking certain technical liberties (or inaccuracies) to keep it simple.

The best of firewalls cannot block what is looking like legitimate communication. All it does is block access to most, and let some through.

Network communication is done with compact data called a packet. If you imagine a truck with its paperwork showing where to pick it up and where to deliver it. This is called header information. Then in the back is the payload. The data that is being transmitted.

Usually it takes many trucks / packets to deliver all the data as the typical payload only carries about 1500 bytes. (One byte being one character, or letter, number or symbol.) A typical web page should not contain more than about 100,000 bytes (100K). The reason is the time it takes to download across the Internet. Too much takes too long. Of course that number is going up as more and more people are able to download larger amounts due to increasing transmission speeds.

OK, so we have the header information telling the driver where to deliver the 1500 or so bytes of payload. It does contain various other little tidbits but we don’t have to worry about it.

If you visit a website, you are now sending out a truck with the request to get a webpage from your computer to a remote server online. When the page shows up on your monitor that means the remote server delivered information through the firewall to your computer.

The modern firewall keeps track of outgoing requests, noting the time, origin and destination. Then if a reply returns it checks to see if it’s from a requested destination within the timeframe. This is called stateful inspection.

On network communication there is a standard method of starting up a connection. A packet is sent out saying I’m an origination. I wish to start a communication.

It’s received and another packet is returned back to the originating computer saying I got your request. Next the originator would send a new communication saying here is what I want from you. Which in turn is acknowledged. This is referred to as handshaking. If both shake then both knows all is well and a connection can be go on.

All the time there is a stream of packets flowing from each side with requests and acknowledgments, ensuring they are in good communication with each other.

Older firewalls simply looked to see if a packet arrived that said it was a response to an established connection. Not having any notes of requests that went out the firewall would not know any better and let it in. These days probably all firewalls do statefull inspection.

Real crackers (criminal hackers) are people who knows things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

A hacker (knowledgeable computer person) is a person who knows things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

Wait a minute! That’s the same definition!

The difference is really how it is used. Being a hacker is a good thing because you can find faults and fix them. A cracker has criminal intent. The definitions tend to float around but the criminal intent is a pretty good definition.

So what a cracker might do is hack into a website and plant some instructions that when executed installs some software on your computer.

When you then visit the website you happily download the page and his instructions into your computer. Where your browser faithfully executes the instructions.

The result is limited to the capabilities of your browser and what your computer will let the browser do.

Under windoze you can quite easily get it to give away total control of the computer. That has a lot to do with the fact that the user is usually running as the Administrator. Whom has full unfettered access to the computer.

Never mind all the various security design flaws that microsoft has made in its quest for functionality.

When you run as a user with limited access the viral instructions have limited capabilities too. This is a good thing. 🙂

So always run as a normal user! Only run as root when needed, and never browse the Internet as root.

Now, there are actually more than one type of firewall.

The most common one is called a packet filter. It filters packets according to IP address and port, source and destination. A good one can also filter according to the type of packet.

It looks at where it came from, where it’s going and executes the filter rule that covers that request.

Another type is called proxy firewall. It receives a requests and then generates its own requests to the remote server. When it comes back it receives it and generates its own reply.

This method stops bad requests hidden within a good request. The firewall acts like a proxy for you. You have given it rights to do things for you. Not unlike an efficient secretary.

Then we have application firewalls. It looks at what the application is trying to do and decides according to what it has learned to be normal acceptable behavior. When a computer tries to do things differently, which a cracker almost always does, it’s noted and the packets are stopped.

Due to the relative effectiveness of modern packet filters that is the most prevalent one. Ideally you have all three. Forming several layers that all have to be circumvented to gain access.

Application firewalls are usually pretty expensive. They need to know a lot and work very fast.

The network industry has seen a lot of developments where devices gain new capabilities, like a router having a firewall and a switch built-in.

(A switch is a communication hub. It lets different computers get together and access each other. It used to be called hub. The problem with hubs were that when a packet arrived at the hub it was regenerated to all ports on the hub. Generating a lot of extra noise as it was usually only one computer that needed to receive it.

A switch knows who is connected, and can route packets to the correct port and not simply broadcast it to all, all the time. A great improvement.

A typical attack by a cracker is often to first establish what type of device is it reaching. What brand and model would be nice to know. With that information he can then see what known vulnerabilities there are. Then try to exploit them.

Exploits always entails doing things wrong. (Unless it’s a really really dumb flaw.) The cracker will do the unexpected in hopes to break the “concentration” of the device, find a flaw in the software, causing some unusual response.

The most common one is called bugger overflow if you type poorly. For all others its called buffer overflow.

A buffer is a place which temporarily holds information, before it moves along. A data entry field is a good example. It may ask for the name of someone. By entering maybe 1000 characters the program may get overwhelmed and simply continue writing all of it into memory. These 1000 bytes would not be random characters, but actual instructions.

All data to be processed must be in memory (RAM) where the processor can get to it. Now if you can get viral instructions into memory it can be executed.

Basically programmers must ensure they put limits on data entry fields to avoid this.

There are of course lots of ways to do the unexpected. Which is why most people will think they are safe when they simply don’t realize the possibilities available to a cracker.

Attempting to break through a firewall by doing the normal thing will seldom work. Unless it’s misconfigured. Having found a flaw he gains unexpected access, which is then used to get further in.

Sometimes a cracker might take 20 steps, sequentially through various cracks found along the way. Following a path that nobody else would ever have though of even trying. By being really knowledgable about computers he manages what is considered impossible by almost everyone. He is by all means very skilled.

The typical mindset of a cracker is also not that of a normal citizen. To him, or very occasionally her, information (or data) is his if he can reach it. It’s your failure to close all the doors, and letting him in. Once reached it’s his, like a rescued ship at sea belongs to the salvager.

A lot of crackers don’t break anything once in. They may even tell you about how they got in, trying to be helpful to society. I know several network managers who never reported the guy as he helped him secure his network.

Below crackers or black hats as they are often known, we have wanna be crackers. They don’t have the know how and are simply running small programs which are written to take advantage of known flaws. These small programs are often called scripts. Basically a series of manual instructions. These wanna bee’s are called script kiddies. (Usually a cracker is a young boored kid, trying to have some fun.)

Enters organized crime stage left.

A few years ago organized crime in Russia realized the potential they have in the Internet. Being in a country in upheaval it was easy to find kids to do the dirty work for a few Rubles.

Soon organized crime worldwide had crackers on their payroll.

A computer Virus is a program that will take advantage of an ignorant user. A virus by definition needs to be executed by a user to work. Thus email attachments became the most popular method of spreading viruses. People are too curious and too willing to be ignorant about things that affect them.

A worm however, is a virus which does not require a user to execute it. It will spread automatically to computers which have some particular flaw in them.

Thanks to the money of organized crime viruses and in particular worms have gotten very sophisticated. Often running some smoke screen as to its actual intent. They also spread across the world at an increasing speed and efficiency.

This has created a digital universe which is very dangerous. It has raised the stakes at both sides, but is still very successful mostly due to ignorance.
Most software developers respond pretty fast to flaws in their code. Poorly or not maintained at all, computers is the breeding ground for viral code to work.

Keeping security patches up to date and having multiple layers of security in place is vital. Simply installing a firewall does not cut it.

You need to know about your vulnerabilities.

This is a problem all in itself as most people have no idea at all as how to approach the problem. Fortunately there are very good open source solutions which can detect past successful attacks, locate flawed configurations and programs.

One very good program is called Nessus. It detects about 10,000 known vulnerabilities across platforms. Others are SNORT which sees attacks in progress, and Tripwire which notices when programs are modified, added or deleted.

Tripwire should be installed after a fresh install and before any network connection is established to ensure you have a “virgin” system.

SNORT can be installed at any time after Tripwire, and Nessus is run after each change in hard or software.

Of the three Tripwire is the most important, then Nessus and finally SNORT.

If you depend on your computer educate yourself a little bit all the time. In time you will quickly cease to be a clueless victim and start being aware of your digital surroundings.

Ensure Linux firewall is running on each Linux box. Use Zonealarm under windows.

Pay attention to changes, like a slower computer, network, Internet connection. Investigate the reason for the change.

There are logs which tells you what has transpired. [Note that a good cracker will erase his trail form the log files. But a too clean log can also be a sign.] If you think you might be “owned” disconnect your network and investigate.

Have a plan of what to do in writing so that the steps are easy to execute.

If you can’t do it find someone who can.

This has to be part of any business plan as a known expense. And on that note, some bad numbers. To keep up with all the threats is a 40 hour / week job.

If you own a business you might not be able to afford a full time security consultant. It may not even be needed if you only have a couple of computers and don’t offer any services like hosting a web server. And have limited Internet activities. But someone needs to keep an eye on it.

What you don’t know will probably bite you sooner or later.

Security is a tradeoff. You spend as much time and resources as is practical. The more security the less functioning things tend to get. Install a good infrastructure and find a good workable balance.

Then have a standard written routine of what to do if violated. Steps that has to be taken, like shutting down the network. Rebuild server, restore backups, check for covert physical devices connected to your internal network. In some states you have to notify clients if you store sensitive information.

You may have backup hard disks ready to take over. This way someone can audit the violated servers/computers once you have recovered all. It will leave the evidence intact on the original disk(s). Having identified the method of access you can now correct it. (There are very good forensics tools under Open Source which are used by security and law officials.)

Unfortunately it’s a pretty big subject. You can subscribe to news from many good sources.

Bruce Schneier is one such expert. He has a newsletter at:
http://www.schneier.com and http://www.counterpane.com

He will educate you about views and practical activities based on real life examples.

https://secure1.securityspace.com/secnews/subscribe.html tracks security issues.

CERT is a good government list to subscribe too:
http://www.us-cert.gov/cas/signup.html

There are high traffic security lists such as Full Disclosure and Bugtraq. A list of tools and readings can be found on:
http://seclists.org/

Be safe,

Color In Email Dangerous!

“What’s so wrong with using colors and different fonts in email?

This is a question I’m frequently being asked. People say that they feel their messages are more interesting, more effective and in short better, thanks to nicely formatted emails.

Obviously they are right, it’s true!

Unfortunately it’s not the whole picture. (Bare with me, this is easily explained, but takes a few words.)

The design of the Internet did not take into account criminal abuses and activities. Both large and small crime organizations have discovered the criminal potential of the Internet. People in general are naive and like to think the best of people. Which certainly applies to at least 80-98%. It’s that last minor percent that creates the problems for the rest of us.

We have viruses, which are small programs written to take advantage of 1) naive users and 2) commonly existing conditions that allows this program to spread and infect others too. Once infected it causes destruction. A virus by definition requires a user to activate it.

Then we have worms. They are like viruses but they don’t require any user to activate them. They utilize design flaws that can be used automatically, to do their destructive deeds. (In the rest of the document I don’t differentiate between viruses and worms, but I want you to know the difference.)

Depending on how well a computer has been made and configured, the damage may be big or small. A viruses typically spreads VERY fast across the Internet. Wrecking destruction and chaos.

So what does this have to do with colored emails you may ask?

Let me set the scene. When you format the email you are using something which adds instructions that can be understood by the email recipient. These instructions are formatted using the same code as is being used to create the web pages on the Internet.

It uses text that contains links, which when clicked on takes you to another location. This is known as HyperText. The pages are formatted using something called a Markup Language as it allows you to create a layout for a formatted page. Together it’s called HTML. (Hyper Text Markup Language.)

When you start changing colors etc, your email program are using html instructions to do so.

When you have your email program configured to display html emails, you cannot see the instructions that make up the email. These instructions can, and do in the case of viruses, cause destruction. It’s that destructive code that damages your computer, and then spreads to your friends.

Viruses are like chain-mail. They are also primarily infecting through email.

An effective way of not getting infected is to not process the html code in emails. You can turn it off by changing the settings in your email program (Insert instructions for Outlook & O.Express.). It often also applies to pictures. Flaws in the design of the instructions that displays pictures, allows them to contain destructive instructions. Any attached file can obviously also contain viruses.

This paints a sore and dangerous picture. What is one to do?

Frankly, unless you want to be part of the problem you have one recourse. Educate all your friends and relatives about these notes and stop using html in emails.

Using anti-virus software does not fully solve the problem as they are always one step behind the virus writers. The ability to identify a virus as a virus depends on the virus to be found first. With a small exceptions, this requires the virus to be detected before they can even start protecting users against it.

So you see the anti-virus effort is no guarantee at all. It is however a vital start.

Various security tools used to block unwanted communication does not detect viruses either as they are hidden inside what looks like legitimate html emails. Or they are hidden inside html pages on the Internet.

As it is all web pages are also potential carriers of destructive instructions (instructions are also called code regardless of being destructive or not. Programmers usually refers to instructions as code.)

What I’m saying here is that simply visiting the wrong web site could infect you. If that occurs then make sure you contact their ISP and notify them. (Link to how to identify someones ISP.

[This is how you identify the ISP behind a web site. Go to www.internic.net/whois.html and enter the domain name (for example infectedsite.com). At the bottom of the result it says DNS servers. Make a note of the dotted number (for example 123.234.123.123) next to DNS1. Then goto http://arin.net and enter the number in the top window where it says Search Whois). In the result OrgName: will be the heading for the ISP. They will usually have an email address for abuse. Like abuse@isp.com. Send them an email with as many specifics as you have of what happened.]

There are website so infected that they will destroy windows completely and turn it into a door stop. Your only recourse is to completely erase your computer and reinstall windows. (There are other options besides windows but that is beyond this document.)

To be on the Internet and try to remain ignorant is at a minimum dangerous. There were at some point various areas like in Los Angeles, Detroit and New Orleans, where you don’t let women and children walk at night or even during the day. Unfortunately the Internet can be the same for your computer, and any information it may contain.

What you CAN do is to cut down on your vulnerability profile. To cut down on things that are most prone to cause damage. First step is to not write html emails, or display them. Educate friends and family and help creating a grass root activity.

Make sure you have up to date anti-virus software, which checks for updates daily, not weekly or monthly. Keep your computer up to date with security patches.

Finally if you install a program called tripwire you can detect any changes done to files. Tripwire is a program which takes notes of all files and recognizes any changes made to them, and notifies you.

Preferably Tripwire should be installed as soon as the system is built, so as to not allow any existing condition to remain hidden.

All these steps are additional work. But for most of us it’s better than being infected. Plus you become part of the solution, not the problem,as your computer is less likely to spread viruses. More than once have I seen computers becoming reinfected by computers that were infected by that computer in the first place. Or as they say, “What goes around comes around”.

Plus, you would not walk around in traffic, or the bad part of town without paying attention to your surroundings. Be aware of your computers behavior and note if it changes. You may have been infected or broken into.