Enabling Secure Business Operations

Discussing Internet Security with Eugene Spafford

February 27th, 2009

C-SPAN recently aired a discussion with Eugene “Spaf” Spafford, a computer science professor at Purdue University (also known for his work in analyzing the Morris Worm of 1988).

The interview touches on many aspects of the computer industry, specifically with regard to security and privacy, and offers some interesting perspectives on a lot of the issues we deal with today. The question-and-answer session is very informative and should be generally easy to follow for people unfamiliar with computer security.

Topics discussed include everything from the capability of the Internet’s infrastructure to withstand a localized attack, to the controversial “pay-per email” theory of reducing spam.

One specific item of interest mentioned by Professor Spafford was the idea of endpoint security. When asked about the concept of developing a new infrastructure for the Internet as a means to address security and privacy concerns, Spafford stated that the current “open” platform is beneficial because it allows us to innovate. Also, there could be untapped potential in our current infrastructure that we might forgo if we decide to engineer a new Internet. He goes on to say that security problems are “really at the endpoints.” In other words, a significant cause of the security problems we face has a lot to do with poorly designed applications, lack of user education, the non-standard process of applying patches, law enforcement shortcomings, and other important issues unrelated (or only marginally related) to the current infrastructure itself.

I agree with Professor Spafford; even a newly designed Internet could suffer from these same problems. It would certainly be preferable to concentrate on fixing these “endpoint” issues first.

The interview is a half-hour long and very educational.

The Web’s Design Flaw

February 27th, 2009

Pop quiz! Be honest as you answer these questions:

1. When you go to your bank’s website, what do you type in the address bar?

a. bankname.com
b. http://bankname.com
c. https://bankname.com

2. When you receive an SSL error or warning, what do you do?

a. Ignore it.
b. Jump through hoops to continue on to the next page.
c. Carefully consider the error and make an informed decision about whether you want to continue.

3. When you type a password into a web page, do you always look for the lock icon in your browser and view the source of the page to ensure the submit goes to an https:// address?

a. No.
b. Sometimes, just on my banking website.
c. Always. Every time. Guaranteed.

Well, if you answered anything other than C for the above questions, let me introduce you to your worst nightmare: sslstrip. The author of this program realized that most people don’t type in the https prefix, and don’t look closely for padlock icons; people don’t care about security, they just expect it to work. Most of the time, the way you get to SSL pages is by clicking on links, or being redirected with an HTTP 302 status.

sslstrip takes advantage of this, and transparently hijacks HTTP traffic, replacing all HTTPS links and redirects with look-alikes. It can even supply a favicon which looks like a browser’s lock icon.

It’s pretty evil, actually. Of course it requires that the attacker running sslstrip has already compromised your network, through ARP spoofing, DNS poisoning, or otherwise having your traffic routed to the attacker. Good luck noticing if it’s being used against you. The author used it on a TOR node — note that TOR is generally used by people that are paranoid about their privacy and security — and collected 254 passwords over a 24 hour period.

What’s the fix? As far as I’m concerned, there isn’t one. It’s a design flaw with the way most “secure” websites work today. Do you have ideas on how to prevent this attack? Let us know in the comments.
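The quiz’s third question asks you to check where a page’s forms actually submit. As an added example (not code from the original post or from sslstrip), this Python script automates that check on a page’s source: it resolves every form action and same-host link against the page URL and reports the ones that would travel over plain http. The sample page and bankname.com are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class SubmitTargetCollector(HTMLParser):
    """Collects where forms submit and where links point, resolved against the page URL."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.form_actions: list[str] = []
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.form_actions.append(urljoin(self.page_url, attrs.get("action") or ""))
        elif tag == "a" and attrs.get("href"):
            self.links.append(urljoin(self.page_url, attrs["href"]))


def downgraded_targets(page_url: str, html: str) -> dict[str, list[str]]:
    """Return form actions and same-host links that would be sent over plain HTTP."""
    parser = SubmitTargetCollector(page_url)
    parser.feed(html)
    host = urlsplit(page_url).hostname
    bad_forms = [u for u in parser.form_actions if urlsplit(u).scheme != "https"]
    bad_links = [u for u in parser.links
                 if urlsplit(u).scheme == "http" and urlsplit(u).hostname == host]
    return {"forms": bad_forms, "links": bad_links}


# Constructed sample: a login page whose https links have been rewritten to http,
# complete with a lock-like favicon. bankname.com is the placeholder from the quiz.
SAMPLE_PAGE_URL = "http://bankname.com/"
SAMPLE_HTML = """
<html><head><link rel="icon" href="http://bankname.com/lock.ico"></head><body>
<form action="http://bankname.com/login" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form>
<a href="http://bankname.com/accounts">Accounts</a>
<a href="https://bankname.com/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    print(downgraded_targets(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The check only reports what the page you received points to; a page that has already been stripped arrives over http, so the address bar itself is the first thing to look at.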

Autoruns for Windows

February 26th, 2009

When you notice suspicious activity on your Windows system, it’s a good bet that whatever malware has breached your security measures has configured some mechanism to automatically launch the misbehaving process after a reboot. The Autoruns utility is very useful for finding and eliminating those items that allow malware to run without any user action.


“Hacker” movies and books

February 18th, 2009

I came across an interesting news article about a new version of WarGames. I actually liked WarGames. I didn’t realize it at the time, but it’s what I call a quintessential “hacking” movie. Granted, a lot of what “hackers” do isn’t really glamorous enough to make it to the big screen, but there are a few movies and books that I would say accurately portray what hackers do rather than making a media sensation about it.

The first on my list is WarGames. Slightly dated, but it goes through the process a hacker would go through to find a computer (they’d just use the Internet now, not only war-dialing), and then learn as much about the computer as they could (going to the library, doing research, etc.). Then, they work on getting into it. This is the part that the movies/books typically skip over; however, WarGames at least shows the stacks of papers and soda cans in his bedroom. The specific vulnerability used in the movie is uncommon these days (a backdoor) but not unheard of.

The second, although not purely information security related, is Sneakers. It’s about a tiger team (it’s like penetration testing for physical security) which, you may have noticed, is directly related to information security, since once you have a physical machine, you generally have access to the information on it. It also talks about gathering information about a corporation/network/system before breaking into it.

The last recommendation would be for the book The Cuckoo’s Egg, by Cliff Stoll. It’s not fiction, but it reads like fiction. It’s his true account of how he caught members of the Chaos Computer Club breaking into his systems. You don’t need to have any technical knowledge in order to enjoy it, but it talks about the “other side” – protecting systems.

There are several other movies and books that I have been recommended but can’t comment on because I haven’t seen/read them yet. Swordfish is apparently halfway accurate, and 21 is another real story that I haven’t seen yet. Two of Mitnick’s books have also been recommended to me, but again, I haven’t gotten around to reading them yet.

PowerShell – Making life easier

February 17th, 2009

Today’s tutorial is nothing new, but I just thought I’d share some recent experience with Microsoft’s PowerShell. I’ve been playing around with PowerShell (PS) for a little while now, nothing too extravagant. I’m not an administrator, so I don’t have hundreds of little tasks I have to do on a daily basis (unless I can write a script to help me wake up and get ready in the morning.. C:\>Set-TeethClean ? ) – Anyways, I was recently assigned the rudimentary task of searching through the Windows Certificate store and finding all CAs that were signed with MD5. If MD5 rings a bell it’s most likely because of this.

I really didn’t want to go through the list one by one, double-clicking, then selecting the Details tab. So, I decided there had to be an easy way to parse this information. My first idea was to fire up Visual Studio and write a quick C# app to do this as it has built-in Certificate Store classes/functions. This seemed too cumbersome, but I still wanted to leverage the .NET framework for the same features. PowerShell it was then.


Hidden in Plain View

February 10th, 2009

A recent security incident involving embedded executables in GIF images reminded me of the art of steganography. This is the science of hiding secret messages, often in plain sight or in a way that only intended recipients even know a message exists.

Such techniques could be as simple as writing a message using disappearing ink, or as complex as deliberately inducing errors in quantum data to encode private data (I love quantum steganography; it’s so bad [pdf]).

Here, I will describe one of many ways to hide a simple text file inside of a JPEG image. All you need to have is access to the command line and a RAR or ZIP file archiving program such as WinZip or WinRAR.

  1. Make a simple text file in any text editor (for this example, we’ll call it “secret.txt”)
  2. Rar or zip the text file and save it as “secret.rar” or “secret.zip”
  3. Get a JPEG image (“coverimage.jpg”)
  4. Open a command prompt and type: “copy /b coverimage.jpg + secret.rar newimage.jpg”

In essence, you are concatenating two binary files, with the image data at the beginning. The file “newimage.jpg” should now contain a hidden message, yet it will still appear to be a simple picture to those who don’t examine its contents. To view the message, the recipient need only open the image as if it were a regular rar or zip file and extract the concatenated compressed archive.
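The four steps above, carried out in memory, as an added example (not code from the original post): a constructed stand-in for coverimage.jpg gets a zip appended exactly as copy /b would do it, the recipient extracts secret.txt by opening the result as a zip, and two defender-side checks flag the appended data by looking past the JPEG end-of-image marker. The cover bytes and message are constructed for the demo.

```python
import io
import zipfile

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def make_cover_image() -> bytes:
    # Constructed stand-in for coverimage.jpg: start marker, filler, end marker.
    # A real JPEG carries headers and scan data in between; only the markers matter here.
    return JPEG_SOI + b"\xa5" * 64 + JPEG_EOI


def make_archive(name: str, text: str) -> bytes:
    # Same as zipping secret.txt into secret.zip, done in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, text)
    return buf.getvalue()


def embed(cover: bytes, archive: bytes) -> bytes:
    # What "copy /b coverimage.jpg + secret.zip newimage.jpg" produces: image first, archive after.
    return cover + archive


def extract(image: bytes, name: str) -> str:
    # The recipient opens newimage.jpg as a zip. Zip readers locate the
    # end-of-central-directory record at the tail, so the JPEG prefix is skipped over.
    with zipfile.ZipFile(io.BytesIO(image)) as zf:
        return zf.read(name).decode()


def bytes_after_eoi(image: bytes) -> int:
    # Defender's check: a JPEG ends at its EOI marker. Anything after the last EOI
    # is appended data that an image viewer ignores but a content scanner should not.
    idx = image.rfind(JPEG_EOI)
    return -1 if idx < 0 else len(image) - (idx + len(JPEG_EOI))


def has_appended_zip(image: bytes) -> bool:
    # A zip's end-of-central-directory signature sits among the trailing bytes.
    tail = image[image.rfind(JPEG_EOI) + len(JPEG_EOI):]
    return bytes_after_eoi(image) > 0 and b"PK\x05\x06" in tail


if __name__ == "__main__":
    img = embed(make_cover_image(), make_archive("secret.txt", "meet at the bear exhibit"))
    print(extract(img, "secret.txt"), bytes_after_eoi(img), has_appended_zip(img))
```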

To illustrate, here is a very small picture of a very large grizzly bear. If opened as a rar file, the message in the embedded archive “secret.txt” can be read.

In a way, steganography is a close cousin to cryptography; they both deal with protecting and hiding information. Whereas cryptography involves scrambling information and obscuring its meaning, steganography deals primarily with hiding the fact that a message is even present.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

Criminal Effort vs. Security Effort

February 5th, 2009

The other day, Peter wrote about an unreasonable investment in cryptography and information security. Walt and I both chimed in with our thoughts, but take for a moment the investment criminals make. Ignoring this fact is often the reason government officials, the media, and overprotective parents take extreme security measures that are really just theater.

As we’ve mentioned many times before, a determined attacker can always get to your data. Then again, you could also get a free iPhone by beating up some kid who has one, but you won’t. The investment is unreasonable with huge risks (not to mention a small reward). An organized crime syndicate could probably get their hands on a few though by paying people to do the robbing for them – big reward, little direct risk. See how that works?

Security needs to be evaluated in terms of effort – both ours (security folks) and theirs (crooks). Ask yourself, how much effort is someone willing to expend to get this (data, laptop, identity) and what will they lose if they fail?

That’s why someone probably isn’t going to drug you and hit you with a wrench for your ‘encrypted’ laptop. Nobody really wants to go through the effort or go to jail forever if they get caught. It’s more plausible for a teenager in Russia to attempt a Pentagon hack than it is for someone to mug you for data.

The effort put into security only becomes unreasonable if it greatly exceeds criminal effort.

Sniffing Networks – Part 1 – 802.3 and MAC addresses

February 3rd, 2009

First, what is network sniffing? It’s listening to the bits on the wire (or in the air) that are sent between computer systems. Really, it’s all 1s and 0s that are sent in a particular format. That particular format is usually “Ethernet” or 802.3, but can also be 802.11 (wireless) or single/multi-mode fiber. There are ways of sniffing by “vampiring” the physical wires, but we’re going to start a step above that and assume you have a computer that can already connect to the network somehow.

A basic introduction to how 802.3 works would be useful, so here we go. Because of the way Ethernet works, the machines on the network have to take turns transmitting or their transmissions will interfere with each other. There’s one signal that is sent out first to see if the wire is clear. If it is, then that machine starts sending its data. If not, an exponential backoff timer starts, and the machine tries again once that timer goes off. As long as the wire is shared, every single machine on that wire can hear what every other machine is sending. You now see how easy it is to listen in on other conversations :)

Hubs and repeaters are considered part of the same physical wire. All they do is boost the signal and rebroadcast to all their other ports. Switches are one step above that and place a physical barrier between network segments. They don’t indiscriminately rebroadcast to all of their ports; they just re-broadcast to the one port that has the destination machine. How do they do that, as in how do they know what port to broadcast on? That’s where MAC addresses come in – Media Access Control. These addresses are (supposed to be) unique for every single network-connected system manufactured. In practice – not so much, although it’s generally “good enough” – except when you ship an entire box full of Ethernet cards to a university, and they all have the exact same MAC address…

The MAC address is sent with every single packet that is sent on the wire. The switch remembers which ports have what MAC address (and so do a lot of machines). This is stored in a table on the switch – with a limited amount of memory. If the switch gets overloaded, it will tend to revert to hub operation – rebroadcasting to all ports. One packet at least will be broadcast to all ports until the switch knows what port a specific MAC address is on. In normal operation (i.e., not *trying* to break the switch) and with a properly planned network, the switch has enough memory to maintain the table for the number of ports it has (and the bandwidth it’s expected to provide). However, what if there is a hub connected to the switch? That means X more MAC addresses the switch has to remember above and beyond the number of ports that it has. There used to be a rule of thumb – never have more than 3 hubs/switches connected together. This was part of the reason. You’d see degraded network performance because the MAC table couldn’t keep up (it also had to do with the physical limitation on Ethernet cable lengths).

So, you now have a switch, and if you don’t happen to be on the port that the packets are being sent to, you can’t “hear” their communication. But, if you “break” the switch and make it revert to broadcasting to everyone, you can “hear” the traffic. Another way to “break” the switch is to keep telling the switch that you are the destination’s MAC address, and the switch will start rerouting everything to you instead. If you want to sniff something useful, you’d better be prepared to keep routing the traffic to the “real” machine (and not through the switch you just “broke”), or you won’t get very far.
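The MAC table behaviour described in the last three paragraphs, as an added example (not code from the original post): a toy learning switch with a bounded table that unicasts known destinations, floods unknown ones like a hub, and stops learning once the table is full, followed by the port-security style check a network admin would run over the same frames to spot a port carrying far more source MACs than it should. The switch model, MAC addresses and traffic are all constructed for the demo.

```python
from collections import defaultdict


class LearningSwitch:
    """Toy model (constructed for this example) of a switch with a bounded MAC table."""

    def __init__(self, ports: int, table_capacity: int):
        self.ports = ports
        self.capacity = table_capacity
        self.mac_table: dict[str, int] = {}  # source MAC -> port it was last seen on

    def learn(self, src_mac: str, in_port: int) -> None:
        # Remember which port a source MAC arrived on. Once the table is full,
        # addresses not already present cannot be learned any more.
        if src_mac in self.mac_table or len(self.mac_table) < self.capacity:
            self.mac_table[src_mac] = in_port

    def forward(self, frame: dict) -> list[int]:
        # Returns the ports the frame leaves on: one port when the destination is in
        # the table, otherwise every port but the ingress one (hub-like flooding).
        self.learn(frame["src"], frame["port"])
        out = self.mac_table.get(frame["dst"])
        if out is None:
            return [p for p in range(self.ports) if p != frame["port"]]
        return [] if out == frame["port"] else [out]


def ports_over_mac_limit(frames: list[dict], max_macs: int) -> dict[int, int]:
    # Port-security style check: count distinct source MACs per port and report the
    # ports above the limit (a hub behind the port, or a host filling the table).
    seen = defaultdict(set)
    for f in frames:
        seen[f["port"]].add(f["src"])
    return {p: len(m) for p, m in seen.items() if len(m) > max_macs}


A, B, C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"


def scenario() -> dict:
    # Constructed traffic: A (port 0) and B (port 1) talk normally, then port 2 emits
    # frames from six made-up source MACs that fill the table, then C (port 3) appears.
    sw = LearningSwitch(ports=4, table_capacity=8)
    frames = [{"src": A, "dst": B, "port": 0}, {"src": B, "dst": A, "port": 1}]
    frames += [{"src": f"de:ad:be:ef:00:{i:02x}", "dst": B, "port": 2} for i in range(6)]
    frames += [{"src": C, "dst": A, "port": 3}, {"src": A, "dst": C, "port": 0}]
    outputs = [sw.forward(f) for f in frames]
    return {"a_to_b_first": outputs[0], "b_to_a": outputs[1],
            "a_to_c_after_fill": outputs[-1], "table_size": len(sw.mac_table),
            "flagged": ports_over_mac_limit(frames, max_macs=2)}
```

Once the table is full, C is never learned, so A’s reply to C is flooded to every port, including the one that filled the table; the check reports that port with its six source MACs.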

Most of this applies to wireless networks as well, although they use a slightly different method of telling other systems that they want to transmit.

For anyone who wants to delve more in-depth on how Ethernet works, the Ethernet Wikipedia page has a good discussion, and any good college textbook on networking will discuss Ethernet and several other technologies as well.


XKCD Humor

February 2nd, 2009

XKCD #538, Security

It’s worth a discussion. Is Randall Munroe, writer of xkcd.com, correct? Is there an unreasonable investment in cryptography and information security?

My take: Since the ‘drug him and hit him with a wrench’ probably violates several very enforceable laws, the attacker is taking a pretty big risk going down that path. Whereas if the attacker was just trying to expose flaws or use massively parallel processing to crack a key, that may violate some laws on paper (ahem) which are harder to enforce, and an attacker would be pretty dumb to let slip that they were up to something like that. What are your thoughts?