Scott on Security

NASA powers down its last mainframe

2012-02-12T21:18:00.003-05:00

As reported today on Network World, NASA CIO Linda Cureton recently posted on her blog that this weekend, the Marshall Space Flight Center powered down NASA's last mainframe, the IBM Z9.

You might think that this "end of an era" post would result in cheering by the masses (not at IBM), but you'd be wrong. I was kind of surprised by the commentary this article received on Slashdot.

Satellite phone encryption cracked

2012-02-06T15:38:00.001-05:00

German academics report they have cracked two encryption systems (ETSI GMR-1 and GMR-2) used to protect satellite phone signals and that anyone with cheap computer equipment and radio could eavesdrop on calls over an entire continent.

It's common knowledge that governments and business with sensitive dealings use encrypted satellite phones for secure global communications. Hopefully, this paper will prompt the makers of the technologies in use work on a new security system.

VeriSign admits 2010 hack

2012-02-02T15:12:00.000-05:00

"Verisign has admitted in an SEC filing that it suffered numerous data breaches in 2010, but that management wasn’t informed by staff for nearly a year after they occurred."

That'll jump up and grab you, won't it? Things are not going so well at Symantec (owner of VeriSign), who has admitted a 2006 breach that resulted in stolen source code from anti-virus and remote access products. The company has just reported this latest breach in their quarterly SEC filing. See articles here and here.

So what does this mean? Well, we don't yet know. VeriSign/Symantec states that the DNS system -- of which they are one of several root name server operators -- was not compromised. But they didn't mention anything about VeriSign's SSL Certificate Authority business. You may recall that several CAs were penetrated in 2010 (I first wrote about this in September).

We can only hope that VeriSign's SSL Certificates haven't been exposed; because of the SSL process were corrupted, as one professional puts it, "you could create a Bank of America certificate or Google certificate that is trusted by every browser in the world".

There will be more to come.

Another really good description of SOPA and PIPA

2012-01-19T17:16:00.000-05:00

The Khan Academy has a really good video that explains what SOPA and PIPA are about, including why these policies represent a "shoot first, ask questions later" mentality.

Thanks to the Khan Academy for the content.

The myth of 4G

2012-01-19T16:07:00.002-05:00

There are no 4G networks anywhere in the world.

But if you believe what AT&T, Sprint, and Verizon are saying on television, they're already here and you can get a 4G phone today! There's a great article on CNN Money describing the state of the art.

The ITU defines 4G as a network capable of download speeds of 100 megabits per second (Mbps). As you can see, that ain't what we're getting...

Not surprisingly, the promise of 4G is more marketing hype than reality. The providers are actually rolling out 3GPP Long Term Evolution (LTE), with plans to eventually migrate to LTE Advanced in the future.

Call me when I can get 100 Mbps!

Best explanation of SOPA and PIPA I've heard

2012-01-18T21:33:00.000-05:00

Mitchell Baker of The Mozilla Foundation posted a really good analogy to help folks understand SOPA and PIPA. It's great.

Assume there's a corner store in your neighborhood that rents movies. But the movie industry believes that some or even all of the videos in that store are unauthorized copies, so that they're not being paid when people watch their movies. What should be done?
SOPA/PIPA do not aim at the people trying to get to the store, or even the store itself. The solution under the proposed bills is to make it as difficult as possible to find or interact with the store:

Maps showing the location of the store must be changed to hide it.
The road to the store must be blocked off so that it is difficult to physically get to there.
Directory services must delist the store’s phone number and address.
Credit card companies would have to cease providing services to the store.
Local newspapers would no longer be allowed to place ads for the video store.
To make sure it all happens, any person or organization who doesn’t do this is subject to penalties. Even publishing a newsletter that tells people where the store is would be prohibited by this legislation.

Now as Jeff Atwood recommends, substitute "corner store" for "Web site".

Tips to improve security monitoring

2012-01-18T21:22:00.001-05:00

I recently read a DarkReading article entitled "Five Principles To Improve Your Security Monitoring", but was disappointed at the lack of specificity in these recommendations. So that you don't have to read the whole thing, the principles are:

Know yourself
Know the terrain
Know where to defend
Know the enemy
Measure security, not work

Uh, OK? This sounds more like something from "The Art of War" than it does IT Security advice. Admittedly, that's what the article is going for; and it does have more detail accompanying these bullet points. I think a bit more explicit advice work better:

Take inventory of your systems and networks
Catalog what systems can be reached from the outside in, and from the inside out
Protect critical systems
Monitor global security intelligence and activities
Tabulate meaningful metrics

I really appreciate what the DarkReading article says about the last point, metrics - "companies should measure metrics that improve security, such as the number of vulnerabilities remediated". This, versus the number of vulnerabilities that exist. Capturing raw vulnerabilities "puts the security team on a treadmill, where they have to run faster every quarter to meet expectations".

Well said, that.

The dangers of defensive cyberweapons

2012-01-05T09:41:00.002-05:00

Recently, the team at Project Honeynet tweeted a link to news about Fujitsu's contract to develop a weaponized program used for cyberdefense. This isn't unheard of, but this news is interesting because of Fujitsus' program's ability to backtrack malware to its source and [supposedly] cripple it. In other words, the program "has the ability to disable the attacking program and collect relevant information".

This is an interesting development, and the Project Honeynet team's tweet asked if anyone had thoughts. Well, my thoughts immediately focused on the potential abuse of such an application. What if this cyberdefense weapon was obtained by hacktivists, online criminals, or malicious state actors?

The proverbial bad guys might be able to reengineer such a program to cripple a popular antivirus program, or a client firewall, or something like a Web server application, causing a denial of service attack.

I guess my concern is that anytime I hear about a weaponized program, or any application created to defeat the workings of another, the ole cliche pops into my head; "what if this falls into the wrong hands?" Folks smarter than me seem to agree.

Is your device running Carrier IQ?

2011-12-16T11:36:00.002-05:00

I found a great list on Gizmodo that outlines every carrier's phones running Carrier IQ. Good information...

Microsoft to begin silently updating IE in 2012

2011-12-15T15:32:00.000-05:00

Microsoft will begin a program next year to automatically and silently update Internet Explorer on all versions of Windows XP, Vista, and 7 next quarter.

It may be prudent to do some application testing before this happens. The good news is that Microsoft does provide their Internet Explorer 8 and Internet Explorer 9 Automatic Update Blocker toolkits, which can be deployed via SMS/GPO to give companies more control on how these changes are made internally.

Computer Virus Forces Hospital To Divert Ambulances

2011-12-11T21:48:00.001-05:00

Interesting article that I just read about a hospital in Georgia that has been dealing with a computer virus infection this weekend:

"Gwinnett Medical Center on Friday confirmed it has instructed ambulances to take patients to other area hospitals when possible after discovering a system-wide computer virus that slowed patient registration and other operations at its campuses in Lawrenceville and Duluth."

The point this article really illustrates is that the more we become dependent on computers in our lives, the more we are subject to their inadequacies. What also strikes me as funny is that the article mentions that the police haven't been engaged.

"Viruses are not an infrequent occurrence at the hospital, she said, but it’s never seen anything like this one. Law enforcement has not been contacted about the incident."

Why was that necessary to mention, Atlanta Journal-Constitution editors? There was a computer virus found, so there must be some nefarious group attacking the hospital?

Another Dutch CA Hacked

2011-12-08T09:41:00.001-05:00

Dutch Certificate Authority Gemnet has has been hacked and databases were accessed via PHP-MyAdmin which was rumored to have been configured to allow database access without a password. Here's a news article with more details, translated from Dutch.

No word yet on whether, like in the DigiNotar situation, folks should remove their trust in this CA from infrastructure systems and Web browsers, but I'm sure there'll be more to come before the week's end...

Carrier IQ update

2011-12-02T10:34:00.000-05:00

In a recent post, I briefly mentioned a blurb about CarrierIQ, tracking software recently revealed by a researcher in an interesting video showing how the tool tracks everything that you do on your smartphone. Presumably, this is done to collect information used to improve performance, etc. However, as many folks have mentioned the reality is this tool is capturing all kinds of data, almost like a full-blown keylogger.

Today, more information is being shared. Sure enough, CarrierIQ is running on iOS devices. You can find out if your device is running it by checking here.

Update 12/5/2011
Bruce Schneier posted his thoughts on this debacle, and of course they hit the mark. The points I think he made best are:

"Several things matter here: 1) what data the CarrerIQ app collects on the handset, 2) what data the CarrerIQ app routinely transmits to the carriers, and 3) what data can the CarrierIQ app transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea."

In addition, Schneier shared that Apple claims to no longer support CarrierIQ in iOS 5.

Twitter acquires Whisper Systems

2011-11-30T10:28:00.001-05:00

Whisper Systems (brainchild of hacker/researcher Moxie Marlinspike) announced Monday that it’s been acquired by Twitter. Whisper Systems is all about encryption and security for the Android platform, so I'm not sure how this will fit into the Twitterverse, but we'll see. More information here.

Security and privacy triple-play

2011-11-29T20:55:00.001-05:00

In the news today are three pretty stunning and interesting articles. I've downloaded the Google paper for later reading, but I'm intrigued by their idea to provide openly the logs of issued Certificates. The Facebook article isn't too shocking; I read somewhere once that [with respect to free online services] if you can't see how the company is making money, then you're the product. Finally, check out the video of Carrier IQ. If this isn't 2011's version of Phorm, I don't know what is...

Google Researchers Propose Plan To Fix CA System
Facebook Settles With FTC, Admits Privacy Violations
Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything

Terrible article about BGP outage Monday

2011-11-07T21:35:00.001-05:00

I cannot believe how poorly this article was written. Monday, a faulty routing statement was learned via BGP by several Juniper systems that core dumped, causing an issue with accessing some Internet resources. Here's what CNN Money wrote:

The seemingly indestructible Internet relies on a few backbone systems to keep traffic flowing smoothly. Sometimes, one of those systems blips -- and millions of devices get abruptly kicked offline.
That's what happened Monday morning, when a software glitch in the Internet's wonky sounding "Border Gateway Protocol" created a ripple effect that crashed data networks around the world.

Privacy Roundup

2011-11-04T11:00:00.002-04:00

A couple of interesting privacy related stories that I came across this week. The first two are certainly related. I think that the "carelessness" factor (first link) is mostly apathy because the tools provided to protect ones' privacy are so tough to use...

Learning more about SSL and Certificate Authorities

2011-09-09T11:20:00.002-04:00

So, you've been reading about Comodo, DigiNotar, GlobalSign, etc. You've seen how Mozilla, Microsoft, Adobe, and others have been removing their trust in these Certificate Authorities. You may have heard in the news that the SSL model is broken.

Well, what does that mean, exactly? I recently came across this Black Hat 2011 presentation by Moxie Marlinspike, a well-known security researcher and (I guess you could say) hacker. I highly recommend viewing his presentation, which highlights why the SSL and Certificate Authority system isn't working.

The presentation is called SSL And The Future Of Authenticity, and it runs about 48 minutes. Note that there are about 5.5 minutes of introductory stuff you can skip. If you even wanted to understand the current problem with SSL, this video really hits it on the head.

Disclaimer; Moxie claims to have a solution to the problem, and that solution is being actively debated.

Protecting your users from DigiNotar (and others)

2011-09-07T13:29:00.002-04:00

I've been posting recently about the DigiNotar issue, which as many security pros say, proves that the Certificate Authority trust model is broken. I'm not sure I agree with that totally.

The whole point of the ecosystem is that you have your Web site, and your Web site visitor, and they both trust the Certificate Authority to ensure that the transaction is legitimate. Sure, that trust is only as good as the reputation of the CA, and in the case of DigiNotar (and Comodo, and now GlobalSign) this trust is no longer valid. Does this mean that the entire third-party CA system is broken? Hardly.

Having done extensive business with Thawte, EnTrust, and VeriSign/Symantec, I'd have to say that there's still a solid place in the Internet world for this model. However, one thought might be that CAs need to be held to a higher standard, just like the root DNS server operators.

What do you think? Agree? Disagree?

I do have one recommendation. As you've no doubt read, Microsoft and Mozilla have updated their browsers to remove the inherent trust their products have in the DigiNotar Root Certificate. These updates are obviously crucial. However, if you operate a Web gateway or proxy server, you might want to look into explicitly adding the CRLs for these suspect CAs to your system. Here are the CRLs for GlobalSign, DigiNotar, and Comodo:

http://crl.globalsign.net/Root.crl
http://service.diginotar.nl/crl/root/latestCRL.crl
http://crl.comodo.net/UTN-USERFirst-Hardware.crl

By forcing your Web gateway or proxy server to honor these recently updated CRLs, you can be sure that any fraudulent SSL Certificate recently revoked will not be presented to your users. Definitely a smart step to take.

2011-07-13T13:45:00.000-04:00

From the Internet irony department...

"Mark Zuckerberg has decided to leave Google's new social network because he 'doesn't want to be tracked.' In other news, the Internet's irony meter has just exploded. Robert Scoble is now the most followed person on Google+ according to The Inquirer."

Wow.

Welcome back

2011-07-07T09:26:00.000-04:00

I have been busy at work and haven't posted anything in a really, really long time. So I've trashed my older posts and am going to start over again. I'll be posting quick blurbs on Twitter, and longer items here.

The software industry's CarFax?

2011-06-27T13:46:00.000-04:00

The U.S. DHS, in conjunction with SANS and Mitre, has just announced the Common Weakness Risk Analysis Framework (CWRAF) and he companion Common Weakness Scoring System (CWSS). The aims of these tools are to "offer a way for organizations to evaluate which software weaknesses pose the greatest risk" and to "prioritize unfixed vulnerabilities in their software." Sounds like a pretty good plan to me! Could this be the software equivalent of CarFax?

Microsoft Security Intelligence Report (SIR) for 2010 published

2011-06-23T21:30:00.000-04:00

Microsoft recently published their Security Intelligence Report (SIR) Volume 10, which covers the year 2010. According to Microsoft:

"The Security Intelligence Report (SIR) is an investigation of the current threat landscape. It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, as well as internet services, and three Microsoft Security Centers."

This document is the most current edition covering all of 2010, and contains five sections:

Key Findings provides data and analysis produced by Microsoft security teams.
Reference Guide gives additional information for topics covered in the Key Findings.
Featured Intelligence spotlights the latest threat topic.
Global Threat Assessment provides deep dive telemetry by specific country or region.
Managing Risk offers methods for protecting your organization, software, and people.

I wanted to get this link out there, but note that I have not yet read this 89 page report. I will, though, and look forward to sharing my thoughts here.