Enabling Secure Business Operations

Toorcon 9 – Caffe Latte Attack

October 25th, 2007

Although I didn’t attend, I tried to keep track of all the keynotes and blog submissions from last weekend’s Toorcon 9 (October 19-21). Here you will find a brief synopsis of what took place, or at least what I came to find of interest. As more information becomes available I will continue to post.

[Cafe Latte Attack]
A shame if you’re still using WEP

Vivek Ramachandran’s Cafe Latte attack was one of the last talks. It’s fairly simple and deals with cracking WEP keys from unassociated laptops. First your WEP honeypot tells the client that it has successfully associated. The next thing the client does is broadcast a WEP encrypted ARP packet. By flipping the bits in the ARP packet you can replay the WEP packet and it will appear to the client to be coming from an IP MAC combo of another host on the network. All of the replies will have unique IVs and once you get ~60K you can crack it using PTW. The bit flipping is the same technique used in the fragmentation attack, but Cafe Latte requires generation of far fewer packets. – Hackaday

You can read about the Cafe Latte attack on AirTight Networks.

Download of the Presentation – PowerPoint Presentation Link
View the presentation via Google Video Link


Another Injection Attack

October 13th, 2007

OK, this one is just theoretical :)


Anti-Phishing Phil

September 27th, 2007

I’m betting you know someone that you worry about having their identity stolen by going to a phishing site. We all do. Now there is a cute little game to help educate them:

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
Anti-Phishing Phil was developed by members of the CMU Usable Privacy and Security Laboratory with funding from the US National Science Foundation (Cyber Trust initiative) and ARO/CyLab.

OK, so the game isn’t so much “fun” as it is “cute”. However, it is a step in the right direction in terms of educating people.


Site Key Authentication Pictures [Still] Useless

September 26th, 2007

Peter’s post yesterday about Wish-It-Was-Two-Factor authentication reminds us why educating the public about strong authentication is so hard. It’s because banks are lying to their customers.

“You know it’s really us—when you see your SiteKey, you can be certain you’re at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected.”

Actually, that’s not the case, as a successful attack was made public in April of this year.


Wish-It-Was-Two-Factor

September 25th, 2007

Our friends over at Worse Than Failure have posted a pretty funny article about implementing “bank-level security”.

The idea behind Two-Factor authentication isn’t too complicated. Simply (1) verify that a user knows something, and (2) verify that he physically has something. This could be done with a (1) name and password, and (2) one of those key fob things or even a print-out of one-time use codes.
Banks, however, weren’t too happy with the requirement of implementing such “costly” changes and instead chose to invent the Wish-It-Was Two-Factor authentication. In this method of authentication, they (1) verify that a user knows something, and (1, again) verify that a user knows something else.

Two-factor security does not mean you know your password and your high school mascot; it means you know something and have something. Hopefully the FFIEC will consider holding banks more stringently to their standard.


Renewal, Re-key, and Re-issuance

August 24th, 2007

Someone asked me a question yesterday and I initially wanted to just point them at a document or website rather than type out my explanation. Unfortunately, 5 minutes of searching yielded no results. So, below is my guide to the difference between renewal, re-key, and re-issuance of an X.509 public key certificate.

  • Renewal is when all the identifying information and the public key from the old certificate are duplicated in the new certificate, but there is a different (longer) validity period.
  • Re-key is when all the identifying information from the old certificate is duplicated in the new certificate, but there is a different public key and (usually) a different validity period.
  • Re-issuance is when a certificate holder registers for a new certificate, but there is an opportunity to change the identifying information (e.g. new email address, new last name, etc.) or other information (corrected certificate policies, modified key usage, etc.) from what was in the old certificate. The new certificate also has a different public key and a different validity period from the old certificate. (Thanks to Carl Wallace for suggesting the addition of non-ID information changes.)
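As an added example (not part of the original post), the three definitions above can be turned into a check that classifies a successor certificate against its predecessor by comparing exactly the fields the definitions name: subject, public key, extensions and validity period. The `CertSummary` fields, the `spki_fingerprint` helper and the sample certificates are constructed for the demo; in practice the summary would be filled from a parsed certificate.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CertSummary:
    """The fields of an X.509 certificate the three definitions compare.
    `extensions` is a sorted tuple of (extension name, value) pairs."""
    subject: str
    spki_sha256: str
    not_before: datetime
    not_after: datetime
    extensions: tuple


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo: two certificates carrying the same
    public key produce the same value regardless of the rest of their contents."""
    return hashlib.sha256(spki_der).hexdigest()


def classify_successor(old: CertSummary, new: CertSummary) -> str:
    same_subject = old.subject == new.subject
    same_key = old.spki_sha256 == new.spki_sha256
    same_extensions = old.extensions == new.extensions
    same_validity = (old.not_before, old.not_after) == (new.not_before, new.not_after)

    if same_subject and same_extensions and same_key:
        # Identity and key duplicated; only the validity period is allowed to differ.
        return "renewal" if not same_validity else "duplicate"
    if same_subject and same_extensions:
        # Identity duplicated, fresh key (validity usually differs, but is not required to).
        return "re-key"
    if not same_key:
        # Identifying information or non-ID extensions changed, and the key did too.
        return "re-issuance"
    # Same key behind a changed identity or changed extensions matches none of the
    # three definitions; surface it for a human to look at.
    return "unclassified"


# Constructed sample certificates for one subscriber, Jane Doe.
_ISSUED = datetime(2007, 1, 1)
_KEY_A = spki_fingerprint(b"constructed-spki-der-bytes-A")
_KEY_B = spki_fingerprint(b"constructed-spki-der-bytes-B")
_EXTS = (("extendedKeyUsage", "emailProtection"), ("keyUsage", "digitalSignature"))
_EXTS_CHANGED = (("extendedKeyUsage", "emailProtection"),
                 ("keyUsage", "digitalSignature,nonRepudiation"))

OLD_CERT = CertSummary("CN=Jane Doe,E=jane@example.com", _KEY_A,
                       _ISSUED, _ISSUED + timedelta(days=365), _EXTS)
RENEWED = CertSummary("CN=Jane Doe,E=jane@example.com", _KEY_A,
                      _ISSUED + timedelta(days=365), _ISSUED + timedelta(days=730), _EXTS)
REKEYED = CertSummary("CN=Jane Doe,E=jane@example.com", _KEY_B,
                      _ISSUED + timedelta(days=365), _ISSUED + timedelta(days=730), _EXTS)
REISSUED = CertSummary("CN=Jane Smith,E=jsmith@example.com", _KEY_B,
                       _ISSUED + timedelta(days=365), _ISSUED + timedelta(days=730), _EXTS_CHANGED)
SUSPICIOUS = CertSummary("CN=Jane Smith,E=jsmith@example.com", _KEY_A,
                         _ISSUED + timedelta(days=365), _ISSUED + timedelta(days=730), _EXTS)

if __name__ == "__main__":
    for label, cert in (("renewed", RENEWED), ("rekeyed", REKEYED),
                        ("reissued", REISSUED), ("suspicious", SUSPICIOUS)):
        print(f"{label}: {classify_successor(OLD_CERT, cert)}")
```

Comparing the SubjectPublicKeyInfo fingerprint rather than the serial number or the whole certificate is what makes the renewal/re-key distinction reliable: a renewal changes the serial and signature too, so only the key itself tells the two apart.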

OK, so that’s one page for my as-yet unwritten book on PKI. I welcome ideas for other pages!


Saving Lives with PKI and SAFE Digital Signatures

August 21st, 2007

I presented at the MS-HUG Tech Forum today in Redmond. The title of my presentation was Saving Lives with PKI and SAFE Digital Signatures, and it provided information about Microsoft’s Identity Management solutions and the Office 2007 SAFE Signature Plugin we wrote. I co-presented with Avi Ben-Menahem, Lead Program Manager for PKI and Smart Card technologies at Microsoft.

The presentation is available for download in pptx and pdf formats.

I welcome any comments or questions!


Office 2007 SAFE Signing Interface

August 13th, 2007

As posted first in Les Jordan’s Life Sciences Developers and Architects blog, you can now download the SAFE Signing Interface for Office 2007 from http://www.codeplex.com/safe.

The project is the result of a collaboration between Gemini Security Solutions and Microsoft, and the result provides a fully SAFE-compliant digital signature interface. It’s open source, so you are welcome to download the code, enhance it as you wish, and (hopefully) share your changes back to Codeplex.

To learn more about SAFE, go to http://www.safe-biopharma.org.


Why you don’t want to disable UAC

August 10th, 2007

The Windows Vista Security blog has a great post entitled FAQ: Why can’t I bypass the UAC prompt? which provides good answers to the common questions around User Account Control. It also gives some insight on why Microsoft made the design decisions that they did.

We expect that in ordinary day-to-day usage, users should rarely, if ever, see elevation prompts, since most should rarely, if ever, have to perform administrative tasks – and never in a well-managed enterprise. Elevation prompts are to be expected when setting up a new system or installing new software. Beyond that, they should be infrequent enough that they catch your attention when they occur, and not simply trigger a reflexive approval response.

UAC is a great feature and too many people cite it as a reason for not moving to Vista, or disable it once they have moved to Vista. I’ve been running Vista full-time for about a month now. Yes, while I set up the system and installed applications and drivers, UAC got on my nerves. Now, I only see it when I infrequently perform administrative tasks like installing software or changing system settings. I view this as a good thing.


Getting around IT?

July 30th, 2007

The Wall Street Journal had an article today on Ten Things your IT Department Won’t Tell You (I was able to access it without a username, but YMMV). First off, the article is talking about circumventing your company’s IT security policies – in many cases, this means saying goodbye to your job. In other cases, it means serious legal trouble for you and your company.

All companies have sensitive information (formulas, financial data, processes, etc.); the Coca-Cola formula is the classic example. This information is labeled sensitive or secret for a reason. In the case of companies, this information makes or breaks the company. In the case of the government, it protects everyone in the country. In a lot of cases, these policies are protecting your social security number, credit card information, or identity.

There are two ways this information can get out of the company. 1) Someone breaks into the company (physically or over the network) and steals it. 2) They find the information in the “public”. Many of the tactics given in the WSJ article make it easier for the above to happen.

Let’s just go through the tactics one by one and why policies tend to prohibit that particular action.

1. Sending Giant Files. Yeah, it’s annoying that company mail servers can’t send files as large as Gmail can, but disk space, and the capability of backing up that disk, are not cheap. Most servers use SCSI disks, which run about twice what those cheap consumer grade disks you buy from CompUSA do. Most employees do not need to be sending larger than 5MB files (the typical quota). If your company or job requires you to be sending larger files – tell your IT department, and tell them why! They can adjust the quotas to better fit with your business needs. Placing your files on an external server such as YouSendIt allows people other than your intended recipient to read the file. And, unless the company is taking precautions, anyone who can break into those servers can also read it. Many company policies permit files/information to leave their network if they’re encrypted, so at least encrypt the data before you send it out of your network!

2. Using software your company won’t allow. There are typically two reasons for this one. 1) Companies want their employees to work, and installing video games on company computers won’t get much work done. 2) A lot of software has spyware that will make your system vulnerable. Take for example the recent Pfizer case where an employee’s spouse installed P2P software and SSNs were shared. Point is, the IT department vets all the “approved” software to make reasonably sure that there is no spyware or other malicious software along for the ride. What you can do: If you need a specific piece of software to do your work, talk to your manager and your IT department about it. If you really need it for your job, you’d be surprised at what they’ll let you install. If there’s just something you have to have that IT won’t approve – there’s probably a darn good reason.

3. Visiting blocked web sites. There are many web sites that other people may feel offended by, and it’s a legal liability to allow you to visit those sites. The whole, you’re supposed to be at work thing comes into play here as well. If you should be surfing for work, you probably have access. Web sites sometimes take advantage of bugs in browsers to retrieve information they shouldn’t have access to. And if your company is like most larger companies, they aren’t always running the most up-to-date software. They’re really trying to protect you as best they can. If you need to get to a blocked site for work purposes, talk to the IT department, they can probably work something out with you.

4. OK, this one I agree with on principle, privacy nut that I am. You should always clear your cookies and browsing history, whether on your work machine or home machine. But here we get back to the fact that your company has the right to watch all traffic going in and out of the computer/laptop/network. If you know you shouldn’t be doing it, removing your browser cache isn’t going to help.

5. Accessing your work computer from home. OK, this one I have a major problem with. If you can search your files, so can other people. I don’t care if you have a password on it. Unless you know what you’re doing, the password probably isn’t strong enough. Also, even the metadata (title, author, etc.) of a document can be considered sensitive. Imagine a company memo titled “Details of how the hackers broke in and stole all of our customers’ SSNs.doc”. With some of the naming conventions I’ve seen, this title isn’t that far-fetched. Just the existence of that file is a lawsuit waiting to happen. If you need to access your work files from home, 1) get yourself a company asset – laptop or desktop – to use for it, and 2) get some kind of secure connection to your office, whether that’s dial-up or a VPN. Most companies have remote access for their employees, and if they don’t, consider whether you really need to access the files from home. On top of that, unless you are a security expert (and even if you are), your home computer is not as well protected as a company system is. It’s just another opportunity for the sensitive information to be stolen.

6. Posting company information to a public server. If you do this, you deserve to be fired. The place you’re posting to may not have the same protections as your company servers, or even your company laptop. Most of these don’t even use SSL to transfer your files. You are not the only one with access to these servers.

7. Tracking employee communications. The article is right – this option is to catch people who are sending company information out. In many cases, you have to send company information out. In all these cases, you should use encryption. In the course of my typical day, I send about 10-15 e-mails to clients or co-workers discussing client confidential information. There are places for transmitting information, but make sure you know what they are and if you have the right/permission to send that information. The extremely long legal disclaimer at the bottom of your e-mail does absolutely nothing. If someone wants to keep/use that information, they’ll just ignore it.

8. NEVER EVER forward your company e-mail to a 3rd party service. Many policies require e-mail to be deleted after 90 days. There is an actual legal reason for this (one I don’t necessarily agree with, but it’s there). If there’s no e-mail trace, it didn’t happen. It’s called plausible deniability, aka Cover Your Ass. The archiving requirements of the third party may not agree with your company’s. Also, access to the e-mail isn’t controlled as tightly. I’m sure many of you have heard of people losing their gmail/yahoo/hotmail account passwords – which someone else just helped themselves to. The web-mail services are good, but are they as good as your company’s? Are you willing to take that chance? On top of that – anyone who’s watching their mail server logs closely will notice that you’re forwarding to outside the company, and then you’ll be handed your pink slip pretty darn soon. If you need to access your e-mail from home, that’s what a laptop and dial-up or VPN is for.

9. Plugging external devices – whether USB, Blackberry, etc. – into your work computer may or may not be covered in your security policies. The primary reason for forbidding this is that you can bring viruses and spyware into the company. Then this software has free rein of your network to find and share sensitive files. It’s not just your security you’re trusting any more, but everyone else’s as well. And last I checked, not everyone’s a security expert – that’s why I still have a job ;)

10. I can’t really help you with this except to suggest you find another job where you’re challenged enough to not be bored.

Most companies have really good reasons for the security policies they adopt. Find the IT group and ask why a policy is the way it is. If they can’t tell you, find out who can. If no one can, maybe it’s a bad policy, and should be changed. IT security people realize that you have to get your work done too, so if a policy is interfering with you getting your work done, approach them and ask how you can do the same thing within their policies. Most of them are more than willing to work with you to let you get your work done.
