Steve's Views Rotating Header Image

Why not to give admin or root access by default

[This is a reply to why setting your OS to give admin (root) access without a password on your computer is a not a good idea. It appeared on a Pardus review.]

Your argument is very understandable and is shared by most people. Not to be flippant about your knowledge, but it is from a very limited understanding of security, or shall we say how computers are hacked.

For example, needing to enter a password means that a remote hole in an application running as non root will not have root access automatically.

Thinking you are secure when you really don’t know what makes something insecure is folly.

Breaking into a computer it’s not done by “playing by the rules”. But is done by doing things “wrong”. As an example, back when IP firewalls came out they had rules about who’s allowed access simply by IP.

The firewall has to allow replies to requests back in or is useless. So it looked to see if the inbound packets followed the TCP rules of a reply, and if so allowed it access. That was broken by not following the standard TCP rules and they in effect gained access by saying here’s your reply. The firewall allowed the new connection thinking it was a reply.

After that we got stateful inspection which tracks outbound requests, and can therefor tell if a reply originated from an internal request or not. This is a very old example but the principle still holds true. Holes are found by doing the unusual and often wrong thing.

Take buffer overflows, they have been the most commonly used method. Which consists of writing a lot more information into a field than is expected. The poorly written program cannot process the extra information and they end up someplace in memory where it is executed, resulting in illegal access. This is a simplified view but still holds true.

When you think security, unless you have actually seen not one but how many illicit accesses are gained, don’t make the mistake in thinking that you even have a clue of what is or is not secure. It takes a LOT more than that. What’s even worse is that new holes are discovered all the time. Thus, you need to think in concepts of secure methods. Security becomes not if they can get in but finding the balance of secure vs productive methods of operating. Adding multiple levels of secure behavior with the final level being users who follow the established rules and has some respect for it all.

Look up some challenge when someone said we’ll pay you X dollars if you can break in. Then see how they did it. There were f.ex. a challenge on a shopping cart where it had some 600,000 attempts with a few successful entries. They were so ingenious nobody not experienced in real hands on hacking would have figured it out.

A bad but typical poor security example is from the early days on NT. Microslop claimed NT had received a government security rating. What they did not tell us was it required that the floppy and network card was disabled.

This false sense of security was then promoted by others, like those who wanted to defend their poor choice in OS or with an inflated self importance, by promoting how secure it was. Subsequently others who knew they themselves did not understand security listen to those who knew even less and believed they actually had a secure OS.

Security is a pain in the butt, which simply has to be balanced with the pain of loosing confidential info or loss of operation, and must not be done by coffee shop security wanna bees.

At the very best you end up shooting yourself and others in the foot with your ignorance. There are plenty of places where you can find discussions by pros discussing holes in various programs and what not. Spend some time with them and get a feel of things. (See Full disclosure, bug track. Crypto-Gram by Bruce Schneier is a very informative list for a layman. You’ll find good links and info on insecure.org.)
Good luck!

John Ridley, Virginia Tech, Iraq and the news media

There is a huge misunderstanding as to what constitutes news worthy.

The argument that people have the right to know is so abused it is not funny.

I’d say to anyone ruining peoples lives for no other reason than it being news worthy or the right for the people to know, let’s display Your used underwear on national news. After all, we have the right to know what kind of lives the people who bring us all this important news, lives!

The news media have removed dignity from the media as John Ridley pointed out on MSNBC. I’ve not followed what he stands for, but he’s certainly were dead on with that comment.

By never headlining terrorist or other criminal actions in the news, the acts would loose value. Terror requires news to be really successful. If news also got a proper balance, where good things that affects the whole nation is headlined and bad things that affects some single family is on page 22, we would slowly be improving peoples values.

If we did not make all the scary things that happened to some family look like the norm, Americans would not be so afraid or each other and be more caring. Which would snowball and raise our overall quality of lives.

Sure, it would take some time to “un-educate” people, but the price would be worth it. My family have gone for years without TV and newspapers and guess what! We are a very happy family. We are not afraid of our neighbors and we commit random acts of kindness to complete strangers. My kid complained when I removed the TV, but after a month I got a thank you, and a hug for caring.

A silly question is being asked about why Cho killed all these people at Virginia Tech. Which is why did he do it?

I call it silly because it is very obvious. In the previous last eight school shootings, including Columbine, the shooter(s) were on mind altering drugs. Just like Cho. People keep thinking that drugs=good, even though it’s very clear that people on drugs do crazy things. Ah, you say, these are prescription drugs!

True, but have you looked at what those drugs do? Did you know why many of those drugs now carry the black danger label? There is no coincident that Cho was so homocidial. People need to wake up to the side effects of these mind altering drugs and reach for natural solutions!

During a quick survey I found that there are a lot of natural solutions. In my experience drugs NEVER actually address the real why. They only address the symptoms. For the last 30 years I’ve never taken even a headache pill. When I have an headache it’s usually for not eating or drinking well or enough. Eating and or drinking water has always handled it. Of course I don’t drink sodas with dinner (or almost ever). When I eat it’s usually fairly healthy. If you pack yourself full of sugars you should expect headaches and poor health.

Having traveled across several continents and looked into the nooks and crannies of life I can tell you that Americans are being spoonfed bad news relative to most other countries.

I wondered why that was, and realized that the pursuit of money has been too much for most editors, including a lot of other people. Messed up education in homes and schools have done a good job. In our attempts to be politically correct, we’ve lost sight of what is really important. I’m not saying you should be rude and so on. But things have gone too far in many areas.

In the vying for your attention, editors have lost track of all things valuable to man. I’m talking about integrity, responsibility, decency, humanity and most other valuable attributes most people natively have in common.

Then we have the misdirects that is being done by those defending our war in Iraq. What is the first thing a person done who’s guilty of something? He or she tries to turn attention away from themselves. Accusing you for their own crime is typical.

The same can be observed by those defending the war by calling you un-american, against our troops and so on. What is bad is to send our troops into Iraq on false pretenses and properly care for them. Playing the troop card is in really poor taste and nothing but an attempt to turn the attention away from themselves.

Now, if you instead put attention and expanded upon great things that people did to each other, accomplishments and resolutions of problems, guess what? We’d have happier people and a greater nation.

The saying, you get what you put your attention on, applies. Let’s try to focus a bit more on all the good and positive things that people do every day. Let’s make bad news a little less important, and share more positive than negative news with others.

Why Windows is less secure then Linux

It’s one thing to know by your own experience, another to be told by others.
Sometimes you run into something that communicates very well. Like images. Here’s an article that does just that. It communicates graphically in a way that is hard to put in words.

Why Windows is less secure than Linux by ZDNet‘s Richard Stiennon
— Windows is inherently harder to secure than Linux. There I said it. The simple truth.

Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture.

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

This is a comparison between Linux and their web server and Windows and their webserver. The first picture is of the system calls that occur on a Linux server running Apache.

syscallapachesmall

This second image is of a Windows Server running IIS.

syscalliissmall

The difference is clear. Thanks to Sana Security for generating and providing these images.

Please note that 1. I am not a journalist. 2. I do not work for ZDnet. 3. I am an independant blogger. 4. This is a blog entry not a news article.

DRM is not for stopping piracy…

In an article in ARS Technica (http://arstechnica.com/news.ars/post/20070115-8616.html)
we find the headline “Privately, Hollywood admits DRM isn’t about piracy”.

This is a very telling article showing what we have been thinking all along, Hollywood studios execs knows a lot about greed and avarice [An excessive or inordinate desire of gain; greediness for wealth].

It is one thing to mass produce illegal copies of movies for profit, quite another to watch a DVD movie when and where you decide. As we see the studios want to not only have a say of when and where you watch your legally obtained DVD, but actually control it.

For example I never believed that CD sale went down because of piracy. Besides from organized mass piracy, the people who does most of the copying are students, known for being poor. People who cannot afford to buy a lot, but with a great interest in music.

The smart thing to do is to get people educated and used to listening to music. Make it easy so that when they enter the profitable part of their life, they are already avid music lovers. I loved the idea of being able to discover some new music online and go out and buy the CD. Now you don’t dare looking for music. Subsequently I don’t buy any. I listen to radio and my existing collection instead.

When Napster hit the world sales of CDs went up, not down. When Napster went down so did CD sales.

But avarice seem to have this side effect of not being able to see clearly. Even if it is staring you in the face. So rather than fostering music lovers they sue pre-teens and senior citizens for tens of thousand dollars and use scare tactics to make them settle out of court.

Having big dollars makes it possible to go after average people who usually have no possibility to mount an effective defense. Their only hope is to settle out of court.

That turns out to be their only safe way of making money as they are rapidly discovering that the courts are starting to notice that they don’t actually have any good evidence that the alleged pirate IS a pirate. They have only gotten this far by screaming foul play and playing on lawmakers dislike of crime. In reality one might successfully argue that the real criminals may very well be the ones doing the suing.

MPAA head Jack Valenti actually lobbied to have the discretion to erase your hard drive if they detected foul play. We know what disaster that would have been as they have a very high rate of false detections.

Just look at Microslob, eh soft, ability to turn out safe software. They want you to trust them to manage what you run on your computer. To make sure nothing illegal occurs. Feel like a criminal yet? If you create people like criminals you will get more criminals. Again, blinded by avarice.

Never mind someone breaking through their “safety” schemes and taking over your computer.

The only way these things get a hold in society is because people are in general naive and too lazy to pay attention. There was a group lobbying for ten years for something which turns out to be quite insane like the ability to pick up anyone off the street for drug treatments. But after ten years a government was ready to let it pass because “they have tried for so long” and felt sorry for them.

Fortunately some people who cared discovered what was about to happen and managed to stop it by running a hard campaign educating the senators what they were about to pass.

We will be abused as long as we are ignorant and uncaring about each other. Usually all it takes is for someone to stand up and say something to open a door for a handling. But too many people just look the other way. A good saying goes something like “The price of freedom is the constant alertness and willingness to fight back”. Don’t let 9/11 or lazy ignorance turn this into a police state. Stand up and do something about it!

ESR -“unethical to use closed source software”

What would be unethical is to unlawfully take and use s/w not licensed to be so obtained/used/shared.

There’s nothing remotely counter survival in making and selling closed source s/w. There’s a choice to use it or not, and that’s about it.

ESR (Eric S. Raymond) would like everyone to think it’s unethical, but he’s simply over promoting a way of life. His way of life.

Closed source s/w has and does help a ton of people to live better lives. Just like open source does.

Society lives and breathes through exchange. You contribute and receive exchange for it. Closed or open source will hardly fit the bill as unethical.

Arguing that society would look much better with only open source s/w is like saying society would look a lot better with only free food, or free plumbing. Saying that non-free food or plumbing is unethical does not work either, as long as these people produce and charge a fair price.

It all comes down to this idea that ESR would seemingly want to see money disappear. Which would bring us waaay back to when you had to swap products & services to exchange with others.

Money was a great evolutionary step, unless you are incompetent and unwilling to produce and like to live by being a freeloader. (It used to be easy to get a night of free food and lodging in earlier days.) A society functions so much better through this idea that money will give you value for your products and services. I never liked the idea of dragging livestock and what nots around.

For example. You cannot travel very well without money. Let’s say you produce a lot of value in one community. It could be said that you have credit with people as you and your products/services are well known. But then as soon as you leave how do you retain that value?

Today’s society could certainly work in theory on open source only. Without any money being charged for software. The problem is that some people make a living coding, and it would be very unethical to stop them from their choice of earning an honest living. Just like it would be to stop a farmer from doing the same. A better way would be to allow for other types of exchanges to freely exist, for those who so choose. The important parts are production and exchange.

For those of us using open source, we should probably be more interested in contributing back, than harassing people about closed source. You offer it and to the degree it is contributed back to that degree it will be successful. Certainly a lot of good is and will continue to come out of open source.

What does Windows 2000, XP and Vista have in common?

What does Windows 2000, XP and Vista have in common?

They don’t ship with a decent word processor, never mind office suit.

Fortunately that does not have to be a bad thing. Thanks to the efforts of the OpenSource community we have choices. One of them is OpenOffice. This suit can read and write MS Office files and actually includes a bit more.

How much does it cost?

This is the fun thing. Thanks to the different philosophy of OpenSource you don’t have to pay anything. That’s right, it’s available for free. OpenSource developers make money on after sales efforts like support, training and modifications. Sometimes OpenSource applications and Operating Systems, are simply a facilitator to enable other products and or services.

Here you can read the OpenOffice license. It is only slightly different than the General Purpose License (GPL) that Linux follows, and is intended for certain software libraries. But the idea is the same. The freedom to use it the way you see fit.

Fortunately for us, OpenSource is usually good enough to be used even in enterprises, where downtime is not acceptable. You can read about efforts from companies like IBM, HP, Novell, RedHat & Google, just to mention a few, whom have poured their expertise into supporting and furthering what they see as the next great thing after sliced bread.

Unlike commercial software, the openness of OpenSource allows anyone and everyone to see the code and modify it as they see fit. Bugs can be noticed by anyone and fixed without the the threat of lawsuit. An organization can find an OpenSource application that is close to their needs and modify it as needed. As long as those modifications are kept “in-house” you don’t even have to share them. It’s only when you distribute modified OpenSource code outside your own organization that you have to license your altered code under the GPL.

This user have been using it since it’s early days and have never looked back.

Mouse Rage Syndrome

This is one of the dumbest things I’ve heard in a long time!

It has NOTHING to do with the websites, the Internet or anything else.

Take a guy who’s inept at something, anything. Let’s say fishing. He does not know how to attach the hook, that a bait can help or which bait is appropriate at the type of fish. He gets the idea to go fishing to impress his new girlfriend or whatever. He tells her he’s going to bring home some nice fish.

Now let him at it for long enough time and after enough frustration you may notice a quickening of the heart, profuse sweating, and furious tossing around and bashing the equipment. In extreme cases, the ailment can be identified by loud screaming.

Does that mean we have a new “fishing syndrome”?

No, all it means is that the guy is overwhelmed, frustrated or whatever. Nothing a good rest, or a walk cannot fix. Maybe some food and a rest is really what he needs. Then someone showing him how to fish.

Maybe you are at work and you told your tough boss that You’re The Man for the job, but you find there’s something you don’t understand and cannot get it right. As the deadline approaches and you’re still fighting to get it done you may notice a quickening of the heart, profuse sweating, and furious tossing around and bashing the equipment. In extreme cases, the ailment can be identified by loud screaming.

These “syndromes” are nothing but another attempt to make you think you suffer from a syndrome of sorts, but fortunately it’s nothing we can’t fix with the right psychotropic drug treatment. Unfortunately a lot of people have bought into that pseudo science. Which mostly lines someones pockets.

Did you know that during the world war in Britain not a single case of insanity was reported? But somehow here we all suffer from something unheard of 50 years ago. And Somehow it can all be treated with some drug!?

Actually the content of handbook used for billing treatments is voted in. They don’t scientifically discover some ailment but vote it in by popular vote. Yeah, Mouse Rage Syndrome my foot!

Teenscreen Fright

Wow!

Now this got me really scared! Some guys who are receiving money from the drug companies are doing suicide interviews to see if our school kids are in risk of committing suicide. Schools in turn receive more money for each kid on drugs!

First off I never thought about suicide as a child, I know of no normal child that has.

Secondly, steering them into evaluating suicide is not what you want to do.

Third, what constitutes a suicide indicator? Well questions like have you ever felt scared? Or uncomfortable in front of people? They offer kids pizza and movie tickets if they take these tests. Which will then label them for life.

Fortunately there is a lot of awareness coming up on these scam artists nationwide.

There is a teen screen link on Youtube. Check it out!

To mine, and many other parents, relief teen screen is running into very strong opposition all over the country and is not doing well at all. Some of the people at the top of teen screen is also being found lying to bodies like the US Congress.

A deeper insight into security – CRYPTO-GRAM

Here’s a reprint of Crypto-Gram by Bruce Schneier. His newsletter is one of the most read on the subject. It is a strongly recommended reading for all who care about themselves and others.

Schneier also gives a good insight into how to motivate security in any area. (See Aligning Interest with Capability, below.)

Here in it’s entirety is:

CRYPTO-GRAM

June 15, 2006

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
.

You can read this issue on the web at
. These same essays
appear in the “Schneier on Security” blog:
. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
The Value of Privacy
Movie-Plot Threat Contest Winner
Crypto-Gram Reprints
Diebold Doesn’t Understand the Security Threat
News
Hacking Computers Over USB
The Doghouse: KRYPTO 2.0
Counterpane News
Aligning Interest with Capability
Comments from Readers

** *** ***** ******* *********** *************

The Value of Privacy

Last month, revelation of yet another NSA surveillance effort against
the American people rekindled the privacy debate. Those in favor of
these programs have trotted out the same rhetorical question we hear
every time privacy advocates oppose ID checks, video cameras, massive
databases, data mining, and other wholesale surveillance measures: “If
you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no
cause to watch me.” “Because the government gets to define what’s
wrong, and they keep changing the definition.” “Because you might do
something wrong with my information.” My problem with quips like these
— as right as they are — is that they accept the premise that privacy
is about hiding a wrong. It’s not. Privacy is an inherent human right,
and a requirement for maintaining the human condition with dignity and
respect.

Two proverbs say it best: “Quis custodiet ipsos custodes?” (“Who
watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he
famously said, “If one would give me six lines written by the hand of
the most honest man, I would find something in them to have him
hanged.” Watch someone long enough, and you’ll find something to arrest
— or just blackmail — him with. Privacy is important because without
it, surveillance information will be abused: to peep, to sell to
marketers, and to spy on political enemies — whoever they happen to be
at the time.

Privacy protects us from abuses by those in power, even if we’re doing
nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not
deliberately hiding anything when we seek out private places for
reflection or conversation. We keep private journals, sing in the
privacy of the shower, and write letters to secret lovers and then burn
them. Privacy is a basic human need.

A future in which privacy would face constant assault was so alien to
the framers of the Constitution that it never occurred to them to call
out privacy as an explicit right. Privacy was inherent to the nobility
of their being and their cause. Of course being watched in your own
home was unreasonable. Watching at all was an act so unseemly as to be
inconceivable among gentlemen in their day. You watched convicted
criminals, not free citizens. You ruled your own home. It’s intrinsic
to the concept of liberty.

For if we are observed in all matters, we are constantly under threat
of correction, judgment, criticism, even plagiarism of our own
uniqueness. We become children, fettered under watchful eyes,
constantly fearful that — either now or in the uncertain future —
patterns we leave behind will be brought back to implicate us, by
whatever authority has now become focused upon our once-private and
innocent acts. We lose our individuality, because everything we do is
observable and recordable.

How many of us have paused during conversations in the past
four-and-a-half years, suddenly aware that we might be eavesdropped on?
Probably it was a phone conversation, although maybe it was an e-mail
or instant message exchange or a conversation in a public place. Maybe
the topic was terrorism, or politics, or Islam. We stop suddenly,
momentarily afraid that our words might be taken out of context, then
we laugh at our paranoia and go on. But our demeanor has changed, and
our words are subtly altered.

This is the loss of freedom we face when our privacy is taken from us.
This was life in the former East Germany, or life in Saddam Hussein’s
Iraq. And it’s our future as we allow an ever-intrusive eye into our
personal, private lives.

Too many wrongly characterize the debate as “security versus privacy.”
The real choice is liberty versus control. Tyranny, whether it arises
under threat of foreign physical attack or under constant domestic
authoritative scrutiny, is still tyranny. Liberty requires security
without intrusion, security plus privacy. Widespread police
surveillance is the very definition of a police state. And that’s why
we should champion privacy even when we have nothing to hide.

A version of this essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,70886-0.html

Daniel Solove comments:
http://www.concurringopinions.com/archives/2006/05/is_there_a_good.html
or http://tinyurl.com/nmj3u

** *** ***** ******* *********** *************

Movie-Plot Threat Contest Winner

I can tell you one thing, you guys are really imaginative. The
response to my Movie-Plot Threat Contest was more than I could imagine:
892 comments. I printed them all out — 195 pages, double sided — and
spiral bound them, so I could read them more easily. The cover read:
“The Big Book of Terrorist Plots.” I tried not to wave it around too
much in airports.

I almost didn’t want to pick a winner, because the real point is the
enormous list of them all. And because it’s hard to choose. But after
careful deliberation, the winning entry is by Tom Grant. Although
planes filled with explosives is already cliche, destroying the Grand
Coulee Dam is inspired. Here it is:

“Mission: Terrorize Americans. Neutralize American economy, make
America feel completely vulnerable, and all Americans unsafe.

“Scene 1: A rented van drives from Spokane, WA, to a remote setting in
Idaho and loads up with shoulder-mounted rocket launchers and a couple
of people dressed in fatigues.

“Scene 2: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Spokane, WA, airport. A van full of explosives is
unloaded at the depot.

“Scene 3: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Kamloops, BC, airport. A van full of explosives is
unloaded at the depot.

“Scene 4: A van with mercenaries drives through the Idaho forests en
route to an unknown destination. Receives cell communiqué that
locations Alpha and Bravo are secured.

“Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by
terrorists who overtake the plane and its crew. Explosives are loaded
aboard the aircraft. The same scene plays out in Spokane moments
later, and that plane is loaded with explosives. Two pilots board
each of the cargo planes and ask for takeoff instructions as night
falls across the West.

“Scene 6: Two cargo jets go airborne from two separate locations. A
van with four terrorists arrives at its destination, parked on an
overlook ridge just after nightfall. They use infrared glasses to scope
the target. The camera pans down and away from the van, exposing the
target. Grand Coulee Dam. The cell phone rings and notification comes
to the leader that ‘Nighthawks alpha and bravo have launched.’

“Scene 7: Two radar operators in separate locations note with alarm
that UPS cargo jets they have been tracking have dropped off the radar
and may have crashed. Aboard each craft the pilots have turned off
navigational radios and are flying on ‘manual’ at low altitude. One
heading South, one heading North.

“Scene 8: Planes are closing in on the ‘target’ and the rocket
launcher crew goes to work. With precision they strike lookout and
defense positions on the dam, then target the office structures
below. As they finish, a cargo jet approaches from the North at high
velocity, slamming into the back side of the dam just above the
waterline and exploding, shuddering the earth. A large portion of the
center-top of the dam is missing. Within seconds a cargo plane coming
from the South slams into the front face of the dam, closer to the
base, and explodes in a blinding flash, shuddering the earth. In
moments, the dam begins to fail, and a final volley from four rocket
launchers on the hill above helps break open the face of the dam. The
40-mile-long Lake Roosevelt begins to pour down the Columbia River
Valley, uncontrolled. No warning is given to the dams downriver, other
than the generation at G.C. is now offline.

“Scene 9: Through the night, the surging wall of water roars down the
Columbia waterway, overtopping dam after dam and gaining momentum (and
huge amounts of water) along the way. The cities of Wenatchee and
Kennewick are inundated and largely swept away. A van of renegades
retreats to Northern Idaho to hide.

“Scene 10: As day breaks in the West, there is no power from Seattle
to Los Angeles. The Western power grid has failed. Commerce has ground
to a halt west of the Rocky Mountains. Water is sweeping down the
Columbia River gorge, threatening to overtop Bonneville dam and wipe
out the large metro area of Portland, OR.

“Scene 11: Bin Laden releases a video on Al Jazeera that claims
victory over the Americans.

“Scene 12: Pandemonium, as water sweeps into a panicked Portland,
Oregon, washing all away in its path, and surging water well up the
Willamette valley.

“Scene 13: Washington situation room…little input is coming in from
the West. Some military bases have emergency power and sat phones, and
are reporting that the devastation of the dam infrastructure is
complete. Seven major and five minor dams have been destroyed.
Re-powering the West coast will take months, as connections from the
Eastern grid will have to be made through the New Mexico Mountains.

“Scene 14: Worst U.S. market crash in history. America’s GNP drops
from the top of the charts to 20th worldwide. Exports and imports cease
on the West coast. Martial law fails to control mass exodus from
Seattle, San Francisco, and L.A. as millions flee to the east. Gas
shortages and vigilante mentality take their toll on the panicked
populace. The West is ‘wild’ once more. The East is overrun with
millions seeking homes and employment.”

Congratulations, Tom. I’m still trying to figure out what you win.

Contest rules and all entries:

Announcing: Movie-Plot Threat Contest

Update, including selection criteria:

Movie Plot Threat Contest: Status Report

Winning entry:

Announcing: Movie-Plot Threat Contest

** *** ***** ******* *********** *************

Crypto-Gram Reprints

Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
. These are a selection
of articles that appeared in this calendar month in other years.

Internet Attack Trends:
http://www.schneier.com/crypto-gram-0506.html#1

U.S. Medical Privacy Law Gutted:
http://www.schneier.com/crypto-gram-0506.html#9

Breaking Iranian Codes:
http://www.schneier.com/crypto-gram-0406.html#1

The Witty Worm:
http://www.schneier.com/crypto-gram-0406.html#9

The Risks Of Cyberterrorism:
http://www.schneier.com/crypto-gram-0306.html#1

Fixing Intelligence Failures:
http://www.schneier.com./crypto-gram-0206.html#1

Honeypots and the Honeynet Project
http://www.schneier.com/crypto-gram-0106.html#1

Microsoft SOAP:
http://www.schneier.com/crypto-gram-0006.html#SOAP

The Data Encryption Standard (DES):
http://www.schneier.com/crypto-gram-0006.html#DES

The internationalization of cryptography policy:
http://www.schneier.com/crypto-gram-9906.html#policy
and products:
http://www.schneier.com/crypto-gram-9906.html#products

The new breeds of viruses, worms, and other malware:
http://www.schneier.com/crypto-gram-9906.html#viruses

Timing attacks, power analysis, and other “side-channel” attacks
against cryptosystems:
http://www.schneier.com/crypto-gram-9806.html#side

** *** ***** ******* *********** *************

In the long term, corporate data mining efforts are more of a privacy
risk than government data mining efforts. And here’s an off-the-shelf
product from IBM:
http://www-306.ibm.com/common/ssi/fcgi-bin/ssialias?subtype=ca&infotype=
an&appname=iSource&supplier=649&letternum=ENUSA06-0519 or
http://tinyurl.com/q29er

The UK Intelligence and Security Committee has issued a report on the
July 7 terrorist bombings in London:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/isc_7j
uly_report.pdf or http://tinyurl.com/hazzn
The UK government has issued a response:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/govres
_7july.pdf or http://tinyurl.com/j8q5x
About the Intelligence and Security Committee:
http://www.cabinetoffice.gov.uk/intelligence/index.asp

From a list of 100,000 passwords for a German dating site, we learn
that “123456” works 1.4% of the time and that 2.5% of all passwords
begin with “1234.” Interesting.
http://www.heise.de/newsticker/meldung/73396

Bank defends its bad security by saying that everyone else does it, too.
http://blogs.zdnet.com/Ou/?p=226

Interesting essay about how EU law would treat the NSA’s collection of
everyone’s phone records.
http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html
or http://tinyurl.com/mpv6d

Animated political cartoon on NSA eavesdropping. And a song, too.
http://www.newsday.com/news/opinion/ny-wh-nsawiretapping,0,1906650.flash
or http://tinyurl.com/rg57v

You can audit “Welcome to Practical Aspects of Modern Cryptography”:
University of Washington, Winter 2006, by Josh Benaloh, Brian
LaMacchia, and John Manferdelli. The course materials and videos of
the lectures are online.
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/

Fascinating interview with a debit card scammer. Moral: securing this
system isn’t going to be easy.
http://smallworldpodcast.com/?p=391

And some comments from a fake ID salesman, in case you thought
hard-to-forge national ID cards would solve the problem:
http://www.cbsnews.com/stories/2006/06/02/ap/national/mainD8I07PHG0.shtm
l or http://tinyurl.com/rafve

“How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to
Government Agents.”
http://library.findlaw.com/2004/May/11/147945.html

Nice article discussing the hype, and reality, over the threat of
homebrew chemical weapons.
http://www.theregister.co.uk/2006/06/04/chemical_bioterror_analysis/

Just hide this gadget in someone’s car or briefcase — or maybe sew it
into his coat — and then track his every move using GPS. You have to
recover the device to play it back, but presumably the next generation
will be queryable remotely.
http://www.thinkgeek.com/gadgets/security/8212/?cpg=cj

The U.S. government is asking ISPs to save personal data about you, in
case they need access to it.
http://www.latimes.com/technology/la-fi-internet2jun02,0,622125.story?co
ll=la-home-headlines or http://tinyurl.com/zpzvz
Note that the Justice Department invoked two of the Four Horsemen of
the Internet Apocalypse: child pornographers and terrorists. If they
can figure out how to work kidnappers and drug dealers in, they can
probably do anything they want.

From “Assassination in the United States: An Operational Study of
Recent Assassins, Attackers, and Near-Lethal Approachers,” (a 1999
article published in the “Journal of Forensic Sciences”): “Few
attackers or near-lethal approachers possessed the cunning or the
bravado of assassins in popular movies or novels. The reality of
American assassination is much more mundane, more banal than
assassinations depicted on the screen. Neither monsters nor martyrs,
recent American assassins, attackers, and near-lethal approachers
engaged in pre-incident patterns of thinking and behaviour.” The quote
is from the last page. The whole thing is interesting reading.
http://www.secretservice.gov/ntac/ntac_jfs.pdf

Interesting law review article by Helen Nissenbaum: “Privacy as
Contextual Integrity.”
http://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf

New directions in chemical warfare: chemicals that make enemy soldiers
sexually irresistible to each other, attract swarms of enraged wasps,
or cause “severe and lasting halitosis”:
http://www.newscientist.com/article.ns?id=mg18524823.800
Technology always gets better; it never gets worse. There will be a
time, probably in our lifetimes, when weapons like these will be real.

NSA surveillance cartoon:
http://www.ibiblio.org/Dave/Dr-Fun/df200605/df20060517.jpg

Interesting paper on the security of contactless smartcards:
http://www.chi-publishing.com/samples/ISB0903HH.pdf

Wireless surveillance camera detector:
http://www.brickhousesecurity.com/dd9000.html

Great article comparing the barrier Israel is erecting to protect
itself from the West Bank with the hypothetical barrier the U.S. would
build to protect itself from Mexico: “No wonder the [Israeli] fence is
considered a good deal by those living on its western side. But
applying this model to the U.S.-Mexico border will not be easy. U.S.
citizens will find it hard to justify such tough measures when their
only goal is to stop people coming in for work — rather than
preventing them from trying to commit murder. And the cost will be more
important. It’s much easier to open your wallet when someone is
threatening to blow up your local cafe.”
http://www.slate.com/id/2143104/

$1M VoIP scam:
http://www.networkingpipeline.com/news/188702745

NIST has just published “Recommendation for Random Number Generation
Using Deterministic Random Bit Generators.”
http://csrc.nist.gov/publications/nistpubs/index.html

The NSA is combing through MySpace:
http://www.newscientisttech.com/article/mg19025556.200-pentagon-sets-its
-sights-on-social-networking-websites.html or http://tinyurl.com/fk3z6

** *** ***** ******* *********** *************

Hacking Computers Over USB

I’ve previously written about the risks of small portable computing
devices; how more and more data can be stored on them, and then lost or
stolen. But there’s another risk: if an attacker can convince you to
plug his USB device into your computer, he can take it over. From CSO
Magazine:

“Plug an iPod or USB stick into a PC running Windows and the device can
literally take over the machine and search for confidential documents,
copy them back to the iPod or USB’s internal storage, and hide them as
“deleted” files. Alternatively, the device can simply plant spyware, or
even compromise the operating system. Two features that make this
possible are the Windows AutoRun facility and the ability of
peripherals to use something called direct memory access (DMA). The
first attack vector you can and should plug; the second vector is the
result of a design flaw that’s likely to be with us for many years to
come.”

The article has the details, but basically you can configure a file on
your USB device to automatically run when it’s plugged into a
computer. That file can, of course, do anything you want it to.

Recently I’ve been seeing more and more written about this attack. The
Spring 2006 issue of 2600 Magazine, for example, contains a short
article called “iPod Sneakiness” (unfortunately, not online). The
author suggests that you can innocently ask someone at an Internet cafe
if you can plug your iPod into his computer to power it up — and then
steal his passwords and critical files.

And about someone used this trick in a penetration test:

“We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless vendor
giveaway thumb drives collected over the years and imprinted them with
our own special piece of software. I had one of my guys write a Trojan
that, when run, would collect passwords, logins and machine-specific
information from the user’s computer, and then email the findings back
to us.

“The next hurdle we had was getting the USB drives in the hands of the
credit union’s internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

“Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.

“I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software.”

There is a partial defense. From the first article:

“AutoRun is just a bad idea. People putting CD-ROMs or USB drives into
their computers usually want to see what’s on the media, not have
programs automatically run. Fortunately you can turn AutoRun off. A
simple manual approach is to hold down the “Shift” key when a disk or
USB storage device is inserted into the computer. A better way is to
disable the feature entirely by editing the Windows Registry. There are
many instructions for doing this online (just search for ‘disable
autorun’) or you can download and use Microsoft’s TweakUI program,
which is part of the Windows XP PowerToys download. With Windows XP you
can also disable AutoRun for CDs by right-clicking on the CD drive icon
in the Windows explorer, choosing the AutoPlay tab, and then selecting
‘Take no action’ for each kind of disk that’s listed. Unfortunately,
disabling AutoPlay for CDs won’t always disable AutoPlay for USB
devices, so the registry hack is the safest course of action.”

In the 1990s, the Macintosh operating system had this feature, which
was removed after a virus made use of it in 1998. Microsoft needs to
remove this feature as well.

But it’s only a partial defense. In the penetration test, they didn’t
use AutoRun. They just created a sufficiently enticing file, and the
people who found the USB drives manually invoked the executable.

http://www.csoonline.com/read/050106/ipods.html
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
http://www.darkreading.com/boards/message.asp?msg_id=134658

My previous essay:

Risks of Losing Portable Devices

** *** ***** ******* *********** *************

The Doghouse: KRYPTO 2.0

The website is hysterical:

“Proof of the Krypto security !
Which would be, if one would try one of Krypto coded file unauthorized
to decode.
A coded file with the length of 18033 indications has therefore
according to computation, 256 bits highly 18033 indications =
6,184355814363201353319227173630ë+43427
file possibilities. Each file possibility has exactly 18033 indications
byte.
Multiplied by the number of file possibilities then need results in the
memory.
Those are then: 1,1152248840041161000440562362208e+43432 byte.
Those are then: 1,038634110245961789082788150963è+43423 Giga byte data
quantity.
That is a number with 43424 places.
I can surely maintain as much memory place give it in the whole world
not never.
And the head problem now is, which is now the correctly decoded file.
Who it does not know can only say there. That does not know so exactly !
They can code naturally naturally also still successively several
times, even up to
the infinity.”

Machine translated (on the website; not by me) from German into
English. My head hurts just trying to read that.

http://kryptochef.net/index2e.htm

** *** ***** ******* *********** *************

Counterpane News

Schneier is speaking at the FIRST Conference in Baltimore on June 30:
http://www.first.org/conference/2006/

Interview with Bruce Schneier:
http://www.sevendaysvt.com/features/2006/tales-from-the-cryptographer.html

Counterpane announced two pretty cool service agreements:
http://www.counterpane.com/pr-20060605.html

Network World wrote about Counterpane at the Gartner Security Conference:
http://www.networkworld.com/news/2006/060506-gartner-security.html

** *** ***** ******* *********** *************

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the
register: “Your purchase free if you don’t get a receipt”? You almost
certainly didn’t see it in an expensive or high-end store. You saw it
in a convenience store, or a fast-food restaurant, or maybe a liquor
store. That sign is a security device, and a clever one at that. And
it illustrates a very important rule about security: it works best when
you align interests with capability.

If you’re a store owner, one of your security worries is employee
theft. Your employees handle cash all day, and dishonest ones will
pocket some of it for themselves. The history of the cash register is
mostly a history of preventing this kind of theft. Early cash
registers were just boxes with a bell attached. The bell rang when an
employee opened the box, alerting the store owner — who was presumably
elsewhere in the store — that an employee was handling money.

The register tape was an important development in security against
employee theft. Every transaction is recorded in write-only media, in
such a way that it’s impossible to insert or delete transactions. It’s
an audit trail. Using that audit trail, the store owner can count the
cash in the drawer, and compare the amount with the register tape. Any
discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the
register. If someone hands you money for an item and walks out, you
can pocket that money without anyone being the wiser. And, in fact,
that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the
employee, of course. But that’s not very efficient; the whole point of
having employees is so that the store owner can do other things. The
customer is standing there anyway, but the customer doesn’t care one
way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up
a sign saying “Your purchase free if you don’t get a receipt,” the
employer is getting the customer to guard the employee. The customer
makes sure the employee gives him a receipt, and employee theft is
reduced accordingly.

There is a general rule in security to align interest with
capability. The customer has the capability of watching the employee;
the sign gives him the interest.

In Beyond Fear, I wrote about ATM fraud; you can see the same mechanism
at work:

“When ATM cardholders in the US complained about phantom withdrawals
from their accounts, the courts generally held that the banks had to
prove fraud. Hence, the banks’ agenda was to improve security and keep
fraud low, because they paid the costs of any fraud. In the UK, the
reverse was true: The courts generally sided with the banks and assumed
that any attempts to repudiate withdrawals were cardholder fraud, and
the cardholder had to prove otherwise. This caused the banks to have
the opposite agenda; they didn’t care about improving security, because
they were content to blame the problems on the customers and send them
to jail for complaining. The result was that in the US, the banks
improved ATM security to forestall additional losses–most of the fraud
actually was not the cardholder’s fault — while in the UK, the banks
did nothing.”

The banks had the capability to improve security. In the US, they also
had the interest. But in the UK, only the customer had the
interest. It wasn’t until the UK courts reversed themselves and
aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of
software liabilities. Software vendors are in the best position to
improve software security; they have the capability. But,
unfortunately, they don’t have much interest. Features, schedule, and
profitability are far more important. Software liabilities will change
that. They’ll align interest with capability, and they’ll improve
software security.

One last story. In Italy, tax fraud used to be a national hobby. (It
may still be; I don’t know.) The government was tired of retail stores
not reporting sales and paying taxes, so they passed a law regulating
the customers. Any customer having just purchased an item and stopped
within a certain distance of a retail store, had to produce a receipt
or they would be fined. Just as in the “Your purchase free if you
don’t get a receipt” story, the law turned the customers into tax
inspectors. They demanded receipts from merchants, which in turn
forced the merchants to create a paper audit trail for the purchase and
pay the required tax.

This was a great idea, but it didn’t work very well. Customers,
especially tourists, didn’t like to be stopped by police. People
started demanding that the police prove they just purchased the
item. Threatening people with fines if they didn’t guard merchants
wasn’t as effective an enticement as offering people a reward if they
didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful
how you generate interest.

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,71032-0.html

** *** ***** ******* *********** *************

Comments from Readers

There are hundreds of comments — many of them interesting — on these
topics on my blog. Search for the story you want to comment on, and
join in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
. Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to
schneier@counterpane.com. Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied
Cryptography,” and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See .

Counterpane is the world’s leading protector of networked information –
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See .

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.

Viruses, Worms, Firewalls and Security

There are some things to be aware of when it comes to firewalls. Here’s a technical description brought down to layman language. I’m taking certain technical liberties (or inaccuracies) to keep it simple.

The best of firewalls cannot block what is looking like legitimate communication. All it does is block access to most, and let some through.

Network communication is done with compact data called a packet. If you imagine a truck with its paperwork showing where to pick it up and where to deliver it. This is called header information. Then in the back is the payload. The data that is being transmitted.

Usually it takes many trucks / packets to deliver all the data as the typical payload only carries about 1500 bytes. (One byte being one character, or letter, number or symbol.) A typical web page should not contain more than about 100,000 bytes (100K). The reason is the time it takes to download across the Internet. Too much takes too long. Of course that number is going up as more and more people are able to download larger amounts due to increasing transmission speeds.

OK, so we have the header information telling the driver where to deliver the 1500 or so bytes of payload. It does contain various other little tidbits but we don’t have to worry about it.

If you visit a website, you are now sending out a truck with the request to get a webpage from your computer to a remote server online. When the page shows up on your monitor that means the remote server delivered information through the firewall to your computer.

The modern firewall keeps track of outgoing requests, noting the time, origin and destination. Then if a reply returns it checks to see if it’s from a requested destination within the timeframe. This is called stateful inspection.

On network communication there is a standard method of starting up a connection. A packet is sent out saying I’m an origination. I wish to start a communication.

It’s received and another packet is returned back to the originating computer saying I got your request. Next the originator would send a new communication saying here is what I want from you. Which in turn is acknowledged. This is referred to as handshaking. If both shake then both knows all is well and a connection can be go on.

All the time there is a stream of packets flowing from each side with requests and acknowledgments, ensuring they are in good communication with each other.

Older firewalls simply looked to see if a packet arrived that said it was a response to an established connection. Not having any notes of requests that went out the firewall would not know any better and let it in. These days probably all firewalls do statefull inspection.

Real crackers (criminal hackers) are people who knows things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

A hacker (knowledgeable computer person) is a person who knows things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

Wait a minute! That’s the same definition!

The difference is really how it is used. Being a hacker is a good thing because you can find faults and fix them. A cracker has criminal intent. The definitions tend to float around but the criminal intent is a pretty good definition.

So what a cracker might do is hack into a website and plant some instructions that when executed installs some software on your computer.

When you then visit the website you happily download the page and his instructions into your computer. Where your browser faithfully executes the instructions.

The result is limited to the capabilities of your browser and what your computer will let the browser do.

Under windoze you can quite easily get it to give away total control of the computer. That has a lot to do with the fact that the user is usually running as the Administrator. Whom has full unfettered access to the computer.

Never mind all the various security design flaws that microsoft has made in its quest for functionality.

When you run as a user with limited access the viral instructions have limited capabilities too. This is a good thing. 🙂

So always run as a normal user! Only run as root when needed, and never browse the Internet as root.

Now, there are actually more than one type of firewall.

The most common one is called a packet filter. It filters packets according to IP address and port, source and destination. A good one can also filter according to the type of packet.

It looks at where it came from, where it’s going and executes the filter rule that covers that request.

Another type is called proxy firewall. It receives a requests and then generates its own requests to the remote server. When it comes back it receives it and generates its own reply.

This method stops bad requests hidden within a good request. The firewall acts like a proxy for you. You have given it rights to do things for you. Not unlike an efficient secretary.

Then we have application firewalls. It looks at what the application is trying to do and decides according to what it has learned to be normal acceptable behavior. When a computer tries to do things differently, which a cracker almost always does, it’s noted and the packets are stopped.

Due to the relative effectiveness of modern packet filters that is the most prevalent one. Ideally you have all three. Forming several layers that all have to be circumvented to gain access.

Application firewalls are usually pretty expensive. They need to know a lot and work very fast.

The network industry has seen a lot of developments where devices gain new capabilities, like a router having a firewall and a switch built-in.

(A switch is a communication hub. It lets different computers get together and access each other. It used to be called hub. The problem with hubs were that when a packet arrived at the hub it was regenerated to all ports on the hub. Generating a lot of extra noise as it was usually only one computer that needed to receive it.

A switch knows who is connected, and can route packets to the correct port and not simply broadcast it to all, all the time. A great improvement.

A typical attack by a cracker is often to first establish what type of device is it reaching. What brand and model would be nice to know. With that information he can then see what known vulnerabilities there are. Then try to exploit them.

Exploits always entails doing things wrong. (Unless it’s a really really dumb flaw.) The cracker will do the unexpected in hopes to break the “concentration” of the device, find a flaw in the software, causing some unusual response.

The most common one is called bugger overflow if you type poorly. For all others its called buffer overflow.

A buffer is a place which temporarily holds information, before it moves along. A data entry field is a good example. It may ask for the name of someone. By entering maybe 1000 characters the program may get overwhelmed and simply continue writing all of it into memory. These 1000 bytes would not be random characters, but actual instructions.

All data to be processed must be in memory (RAM) where the processor can get to it. Now if you can get viral instructions into memory it can be executed.

Basically programmers must ensure they put limits on data entry fields to avoid this.

There are of course lots of ways to do the unexpected. Which is why most people will think they are safe when they simply don’t realize the possibilities available to a cracker.

Attempting to break through a firewall by doing the normal thing will seldom work. Unless it’s misconfigured. Having found a flaw he gains unexpected access, which is then used to get further in.

Sometimes a cracker might take 20 steps, sequentially through various cracks found along the way. Following a path that nobody else would ever have though of even trying. By being really knowledgable about computers he manages what is considered impossible by almost everyone. He is by all means very skilled.

The typical mindset of a cracker is also not that of a normal citizen. To him, or very occasionally her, information (or data) is his if he can reach it. It’s your failure to close all the doors, and letting him in. Once reached it’s his, like a rescued ship at sea belongs to the salvager.

A lot of crackers don’t break anything once in. They may even tell you about how they got in, trying to be helpful to society. I know several network managers who never reported the guy as he helped him secure his network.

Below crackers or black hats as they are often known, we have wanna be crackers. They don’t have the know how and are simply running small programs which are written to take advantage of known flaws. These small programs are often called scripts. Basically a series of manual instructions. These wanna bee’s are called script kiddies. (Usually a cracker is a young boored kid, trying to have some fun.)

Enters organized crime stage left.

A few years ago organized crime in Russia realized the potential they have in the Internet. Being in a country in upheaval it was easy to find kids to do the dirty work for a few Rubles.

Soon organized crime worldwide had crackers on their payroll.

A computer Virus is a program that will take advantage of an ignorant user. A virus by definition needs to be executed by a user to work. Thus email attachments became the most popular method of spreading viruses. People are too curious and too willing to be ignorant about things that affect them.

A worm however, is a virus which does not require a user to execute it. It will spread automatically to computers which have some particular flaw in them.

Thanks to the money of organized crime viruses and in particular worms have gotten very sophisticated. Often running some smoke screen as to its actual intent. They also spread across the world at an increasing speed and efficiency.

This has created a digital universe which is very dangerous. It has raised the stakes at both sides, but is still very successful mostly due to ignorance.
Most software developers respond pretty fast to flaws in their code. Poorly or not maintained at all, computers is the breeding ground for viral code to work.

Keeping security patches up to date and having multiple layers of security in place is vital. Simply installing a firewall does not cut it.

You need to know about your vulnerabilities.

This is a problem all in itself as most people have no idea at all as how to approach the problem. Fortunately there are very good open source solutions which can detect past successful attacks, locate flawed configurations and programs.

One very good program is called Nessus. It detects about 10,000 known vulnerabilities across platforms. Others are SNORT which sees attacks in progress, and Tripwire which notices when programs are modified, added or deleted.

Tripwire should be installed after a fresh install and before any network connection is established to ensure you have a “virgin” system.

SNORT can be installed at any time after Tripwire, and Nessus is run after each change in hard or software.

Of the three Tripwire is the most important, then Nessus and finally SNORT.

If you depend on your computer educate yourself a little bit all the time. In time you will quickly cease to be a clueless victim and start being aware of your digital surroundings.

Ensure Linux firewall is running on each Linux box. Use Zonealarm under windows.

Pay attention to changes, like a slower computer, network, Internet connection. Investigate the reason for the change.

There are logs which tells you what has transpired. [Note that a good cracker will erase his trail form the log files. But a too clean log can also be a sign.] If you think you might be “owned” disconnect your network and investigate.

Have a plan of what to do in writing so that the steps are easy to execute.

If you can’t do it find someone who can.

This has to be part of any business plan as a known expense. And on that note, some bad numbers. To keep up with all the threats is a 40 hour / week job.

If you own a business you might not be able to afford a full time security consultant. It may not even be needed if you only have a couple of computers and don’t offer any services like hosting a web server. And have limited Internet activities. But someone needs to keep an eye on it.

What you don’t know will probably bite you sooner or later.

Security is a tradeoff. You spend as much time and resources as is practical. The more security the less functioning things tend to get. Install a good infrastructure and find a good workable balance.

Then have a standard written routine of what to do if violated. Steps that has to be taken, like shutting down the network. Rebuild server, restore backups, check for covert physical devices connected to your internal network. In some states you have to notify clients if you store sensitive information.

You may have backup hard disks ready to take over. This way someone can audit the violated servers/computers once you have recovered all. It will leave the evidence intact on the original disk(s). Having identified the method of access you can now correct it. (There are very good forensics tools under Open Source which are used by security and law officials.)

Unfortunately it’s a pretty big subject. You can subscribe to news from many good sources.

Bruce Schneier is one such expert. He has a newsletter at:
http://www.schneier.com and http://www.counterpane.com

He will educate you about views and practical activities based on real life examples.

https://secure1.securityspace.com/secnews/subscribe.html tracks security issues.

CERT is a good government list to subscribe too:
http://www.us-cert.gov/cas/signup.html

There are high traffic security lists such as Full Disclosure and Bugtraq. A list of tools and readings can be found on:
http://seclists.org/

Be safe,