<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-11213985</id><updated>2008-02-12T18:16:27.574-06:00</updated><title type='text'>Secure Tomorrow: Kevin Blanchard's Information Security Blog</title><link rel='alternate' type='text/html' href='http://securetomorrow.org/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default?start-index=26&amp;max-results=25'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securetomorrow.org/atom.xml'/><author><name>Kevin Blanchard</name></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>32</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-11213985.post-7848620905877188966</id><published>2008-02-12T17:55:00.000-06:00</published><updated>2008-02-12T18:16:27.605-06:00</updated><title type='text'>This Valentine's Day make sure to use protection</title><content type='html'>Protection from computer viruses that is ;-)&lt;br /&gt;&lt;br /&gt;With Valentine's Day just a couple of days away it is important to be aware that malicious viruses and worms do not take holidays off. The Storm Worm is the most likely candidate to ruin this &lt;strike&gt;Hallmark&lt;/strike&gt; romantic holiday. Not even two months ago the Storm Worm &lt;a href="http://securetomorrow.org/2007/12/storm-worm-takes-advantage-of-christmas.html"&gt;took advantage of the Christmas holiday&lt;/a&gt; using various means to  infect users.  
With Valentine's Day approaching, we could see similar tactics used to try to infect users again.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.fbi.gov/"&gt;FBI&lt;/a&gt; posted a warning yesterday to their &lt;a href="http://www.fbi.gov/cyberinvest/escams.htm"&gt;Cyber Investigation E-scam site&lt;/a&gt; warning of possible Storm Worm attacks as we approach Valentine's Day.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"02/11/08—With the Valentine's Day holiday approaching, be on the lookout for spam e-mails spreading the Storm Worm malicious software (malware). The e-mail directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm Worm botnet. A botnet is a network of compromised machines under the control of a single user. Botnets are typically set up to facilitate criminal activity such as spam e-mail, identity theft, denial of service attacks, and spreading malware to other machines on the Internet.&lt;br /&gt;&lt;br /&gt;The Storm Worm virus has capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail. Valentine's Day has been identified as the next target.&lt;br /&gt;&lt;br /&gt;Be wary of any e-mail received from an unknown sender. 
Do not open any unsolicited e-mail and do not click on any links provided.&lt;br /&gt;&lt;br /&gt;If you have received this, or a similar e-mail, please file a complaint at www.ic3.gov."&lt;/i&gt;</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2008/02/this-valentines-day-make-sure-to-use.html' title='This Valentine&apos;s Day make sure to use protection'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=7848620905877188966' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7848620905877188966'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7848620905877188966'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-1938968234258611269</id><published>2008-02-07T16:11:00.001-06:00</published><updated>2008-02-07T16:12:13.190-06:00</updated><title type='text'>A new dwarf crime ring in Sweden?</title><content type='html'>&lt;a href="http://www.theregister.co.uk/"&gt;The Register&lt;/a&gt; has a story about Swedish police investigating a new outbreak of crimes involving the robbing of cargo holds of coaches. The kicker? Swedish police are investigating "people of limited stature" with criminal records because the police believe the crimes are possibly being committed by dwarves being smuggled onboard in baggage. 
Sounds like something &lt;a href="http://us.imdb.com/title/tt0081633/"&gt;out of a movie&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Full Story: &lt;a href="http://www.theregister.co.uk/2008/01/23/dwarf_coach_robberies/"&gt;Dwarves hidden in sports bags target Swedish coaches&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2008/02/new-dwarf-crime-ring-in-sweden.html' title='A new dwarf crime ring in Sweden?'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=1938968234258611269' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1938968234258611269'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1938968234258611269'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-410949544696151297</id><published>2008-01-25T10:50:00.000-06:00</published><updated>2008-01-25T11:19:41.726-06:00</updated><title type='text'>The Top 5 VoIP Security Threats of 2008</title><content type='html'>&lt;a href="http://www.voip-news.com/"&gt;VoIP News&lt;/a&gt; is running a story right now about what they list as the top 5 VoIP Security Threats of 2008.&lt;br /&gt;&lt;br /&gt;If you want the 30-second quick version of the article, they list the top 5 VoIP threats as:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;DoS (denial of service) Attacks on VoIP Networks&lt;/li&gt;&lt;li&gt;VoIP Eavesdropping&lt;/li&gt;&lt;li&gt;Microsoft Office Communications Server&lt;/li&gt;&lt;li&gt;Vishing by VoIP&lt;/li&gt;&lt;li&gt;VoIP Attacks Against Service Providers&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;The full article goes into a fair amount of detail about these attacks and ways to combat them. 
The article can be found &lt;a href="http://www.voip-news.com/feature/top-security-threats-2008-012408/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The article also links to a white paper titled "A Proactive Approach to VoIP Security". This white paper may be of interest to some of my readers. You can download the white paper from &lt;a href="http://www.voip-news.com/whitepaper/proactive-approach-voip-security/"&gt;here&lt;/a&gt; (registration required).</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2008/01/top-5-voip-security-threats-of-2008.html' title='The Top 5 VoIP Security Threats of 2008'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=410949544696151297' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/410949544696151297'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/410949544696151297'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-8224627920983522199</id><published>2008-01-23T20:20:00.000-06:00</published><updated>2008-01-23T22:56:10.387-06:00</updated><title type='text'>I saw your mom naked on the internet!</title><content type='html'>Not just words yelled by boys to one another on a school playground anymore but it may be true if your mom has a Myspace account.&lt;br /&gt;&lt;br /&gt;A bug discovered over the past few months and finally fixed last week exploited a backdoor in the design of MySpace that allowed anyone to see your photos, even in private profiles. Third party websites started popping up when the bug was first discovered making it even easier to exploit the bug and view photos. 
Unsurprisingly, many of the sites sold themselves as "voyeur" and pedophile-type sites, focusing on viewing photos in the private profiles of MySpace members under 18. By default, a profile owned by a user under 16 is set to private. According to MySpace, this should allow only the MySpace friends you have approved to view your profile information and photos.&lt;br /&gt;&lt;br /&gt;The exploit was mainly targeted at MySpace users who have their profiles set to "private". Clicking on the photo link of a private profile should normally give non-friends this message: "This profile is set to private. This user must add you as a friend to see his/her profile." But using this exploit, anyone, with or without a MySpace account, can access the photos by replacing the friend ID in the URL with the friend ID of the user whose profile they are trying to view.&lt;br /&gt;&lt;br /&gt;The only users safe from this exploit are those who specifically set their MySpace photo galleries to private in addition to their profile security settings. This comes at a bad time for MySpace. Though this exploit didn't just target underage users, MySpace had already been under a microscope for other pedophile-related investigations. MySpace had reached agreements with 49 state attorneys general this week that were hopefully going to lead to changes making its site safer for underage users.&lt;br /&gt;&lt;br /&gt;This exploit has been around for over 3 months now. MySpace shouldn't have been in the dark on this issue. I can understand a company not being aware of a zero-day exploit, or maybe even a first-week exploit, but 3+ months? Not only has it been circulating around message boards this entire time, but (ad-driven) 3rd-party websites have been profiting off this exploit and making it easier to view private photos and profiles. You would think that with all of this going on SOMEONE at MySpace would have jumped on this and fixed it. 
This shows MySpace still has a long way to go before users, parents and government agencies can trust MySpace to do a proper job of ensuring the safety and privacy of its users.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2008/01/i-saw-your-mom-naked-on-internet.html' title='I saw your mom naked on the internet!'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=8224627920983522199' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/8224627920983522199'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/8224627920983522199'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-2023949827082034099</id><published>2007-12-27T12:03:00.000-06:00</published><updated>2007-12-27T13:03:59.556-06:00</updated><title type='text'>Storm Worm takes advantage of Christmas bliss</title><content type='html'>It's been a while since I have updated. This time of year is always crazy. But at least I return with a good one. This time of year is stressful enough for many, without having to worry about things like this while trying to spread holiday cheer.&lt;br /&gt;&lt;br /&gt;'Tis the season and there's a storm a brew'n. The Storm Worm that is... and it's back. &lt; / awful puns &gt;&lt;br /&gt;&lt;br /&gt;We saw the Storm Worm back at the beginning of the year (2007). It was a huge headache for home users and system admins alike. 
According to Wikipedia, &lt;span style="font-style: italic;"&gt;"The Storm Worm began infecting thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe".[6] During the weekend there were six subsequent waves of the attack. As of Monday, January 22, 2007 the Storm Worm accounted for 8% of all infections globally."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you thought parents elbowing and kicking each other for the last Tickle Me Elmo doll this time of year was bad, the creators of the Storm Worm had a surprise for you, just in time for Christmas. A new version of the Storm Worm has surfaced, taking advantage of users during this holiday season.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://arstechnica.com/"&gt;Arstechnica&lt;/a&gt; is reporting that &lt;span style="font-style: italic;"&gt;"Storm-infected systems are kicking out spam mail directing recipients to the Merry Christmasdude.com website (space inserted for security purposes). Once there, visitors are bounced to a few shell sites, shown various "holiday-themed" images and offered a (fake) video codec download. Download and install it, and the worm promptly connects to various P2P sites and begins spamming. Russ McRee at HolisticInfoSec.org has a &lt;a href="http://holisticinfosec.blogspot.com/2007/12/storm-bot-stripshow-analysis.html"&gt;writeup&lt;/a&gt; on the worm's specific activities and system modifications for those curious about how Storm does what it does. 
This new iteration of Storm appears to duplicate most, if not all, of its predecessor's approach to infecting and configuring the target PC."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you are concerned about infection, you should check the website of the company that makes your anti-virus program; a little google-fu should also let you know if you are currently protected.&lt;br /&gt;&lt;br /&gt;Some of the observed email subjects from Storm Worm include (but are not limited to):&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The Twelve Girls Of Christmas&lt;/li&gt;&lt;li&gt;Time for a little Christmas Cheer&lt;/li&gt;&lt;li&gt;Merry Christmas To All&lt;/li&gt;&lt;li&gt;Christmas Email&lt;/li&gt;&lt;li&gt;Warm Up this Christmas&lt;/li&gt;&lt;li&gt;The Perfect Christmas&lt;/li&gt;&lt;li&gt;Santa Said, HO HO HO&lt;/li&gt;&lt;li&gt;I love this Carol!&lt;/li&gt;&lt;li&gt;Find Some Christmas Tail&lt;/li&gt;&lt;li&gt;Mrs. Clause Is Out Tonight!&lt;/li&gt;&lt;li&gt;Cold Winter Nights&lt;/li&gt;&lt;li&gt;Jingle Bells, Jingle Bells&lt;/li&gt;&lt;/ul&gt;Sadly, I was on vacation and unable to post about this sooner. Most of the damage will have been done on Christmas, two days ago. 
Hopefully this post will at least minimize any aftershocks, or allow users who may have been infected without realizing it to become aware of this worm and do something about it.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/12/storm-worm-takes-advantage-of-christmas.html' title='Storm Worm takes advantage of Christmas bliss'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=2023949827082034099' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/2023949827082034099'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/2023949827082034099'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-4694238351125418774</id><published>2007-10-11T15:03:00.000-05:00</published><updated>2007-10-11T15:33:56.274-05:00</updated><title type='text'>More on P2P. Know the value of a blocklist.</title><content type='html'>Let me start by saying I am not endorsing the use of P2P for illegal purposes. The goal of my blog is to raise security awareness as a whole. Now, that said...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.arstechnica.com/"&gt;Arstechnica&lt;/a&gt; is running a &lt;a href="http://arstechnica.com/news.ars/post/20071010-p2p-researchers-use-a-blocklist-or-you-will-be-tracked-100-of-the-time.html"&gt;story&lt;/a&gt; right now about a team of California researchers looking at the impact of using a blocklist when connecting to P2P networks, and how that correlated with how likely you were to be tracked. 
Their findings?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"The old cliché "You're not paranoid if they really are out to get you" turns out to apply quite nicely to the world of P2P file-sharing. A trio of intrepid researchers from the University of California-Riverside decided to  see just how often a P2P user might be tracked by content owners. Their startling conclusion: "naive" users will exchange data with such "fake users" 100 percent of the time."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I will highlight the conclusions for those who do not wish to read the whole article.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;strong&gt;If you don't use a blocklist, you will be tracked.&lt;/strong&gt; Every one of the researchers' test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Trackers aren't that hard to avoid.&lt;/strong&gt; While "naive" clients may all connect to blocklisted users, it wasn't that hard to stay away from the vast majority of such "fake users." Researchers found that "avoiding just the top 5 blocklisted IPs reduces the chance of being tracked to about 1 percent." &lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Content owners hide their tracks.&lt;/strong&gt; Much of this tracking work is farmed out from content owners to companies like SafeNet and BayTSP, and these companies in turn take care to hide their tracks. When the researchers ran reverse DNS lookups on the blocklisted ranges, they found that only 0.5 percent of those addresses resolved back to media companies in an obvious way.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Meet the BOGONS. &lt;/strong&gt;One of the strategies for remaining anonymous is to operate from BOGON IP ranges. 
These ranges are unallocated blocks of addresses that should ordinarily not be used on the public Internet. Of the top fifteen blocklist entities that were discovered during testing, 12 were in BOGON ranges. The researchers note that "these sources deliberately wish to conceal their identities while serving files on P2P networks," and reverse DNS queries on these addresses produce little useful information. &lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;If you are using a P2P network, know the value of a blocklist. Using a blocklist isn't a silver bullet by any means, but whether it be someone gathering information for a future lawsuit or a malicious user or group doing reconnaissance, it will at least give you an additional layer of security.&lt;br /&gt;&lt;br /&gt;The original article isn't very long (one page). If you wish to read the full article you can find it here: &lt;a href="http://arstechnica.com/news.ars/post/20071010-p2p-researchers-use-a-blocklist-or-you-will-be-tracked-100-of-the-time.html"&gt;P2P researchers: use a blocklist or you will be tracked... 100% of the time&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you wish to read the results of the study, they are outlined in a recent paper here: &lt;a href="http://www1.cs.ucr.edu/store/techreports/UCR-CS-2006-06201.pdf"&gt;"P2P: Is Big Brother Watching You?"&lt;/a&gt; (PDF)</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/10/more-on-p2p-know-value-of-blocklist.html' title='More on P2P. 
Know the value of a blocklist.'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=4694238351125418774' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/4694238351125418774'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/4694238351125418774'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-2299567157723299812</id><published>2007-09-25T16:08:00.000-05:00</published><updated>2007-09-25T17:15:43.635-05:00</updated><title type='text'>The beginning of the end for DRM?</title><content type='html'>&lt;a href="http://en.wikipedia.org/wiki/Digital_rights_management"&gt;DRM&lt;/a&gt; has never been a popular way to distribute music. It has been common, but not popular. Traditional DRM has been criticized for good reason. It's a technology that supports a business model where it treats every customer like a criminal. In the case of music, the assumption is, "well some people may share their purchased music with friends or online so we are going to cripple what you can do with it from the get go".  Again, DRM in the case of music, assumes everyone is a criminal. I am not saying that there aren't people bending the law, or flat out breaking it when it comes to the distribution of music files but that doesn't mean that every user should have to be forced to purchase crippled music files. 
If piracy really is a problem, then a suitable technology should be developed that will thwart piracy (if such a solution could even exist) without restricting or removing fair usage for Joe User.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.apple.com"&gt;Apple's&lt;/a&gt; online media store, the &lt;a href="http://www.apple.com/itunes/"&gt;iTunes Store&lt;/a&gt;, has been one of the top retailers of online music over the past couple of years. On February 6, 2007, Steve Jobs &lt;a href="http://www.apple.com/hotnews/thoughtsonmusic/"&gt;wrote an open letter&lt;/a&gt; to the music industry voicing his dislike of DRM. &lt;a href="http://en.wikipedia.org/wiki/Steve_Jobs"&gt;Steve Jobs&lt;/a&gt; was not the first to publicly criticize DRM, but he was one of the first to openly criticize it while being the head of a company in the business of selling online music. Not to be hypocritical, Apple followed up two months later by &lt;a href="http://www.apple.com/pr/library/2007/04/02itunes.html"&gt;offering non-DRM music&lt;/a&gt; on the iTunes Store for a slightly higher price. Now, in a move that will surely shake up the online music market, &lt;a href="http://www.amazon.com/"&gt;Amazon&lt;/a&gt; has &lt;a href="http://www.amazon.com/exec/obidos/tg/browse/-/163856011"&gt;just launched&lt;/a&gt; their music catalog DRM FREE. &lt;br /&gt;&lt;br /&gt;Is this the beginning of the end for DRM? Users of (legally) downloaded music have always complained about the restrictive nature of DRM'ed music. They have felt betrayed, being treated like a criminal over music they legally paid for yet have had little to no control over: what player they use, what format it is in, or sometimes even how long they have "permission" to play the song before it becomes unplayable. 
With major players like Apple and now Amazon jumping on board, this may signal a new shift away from DRM in the online music industry, not only offering consumers what they want but also sending a loud message to the music industry: "DRM is NOT the way to do it".</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/09/beginning-of-end-for-drm.html' title='The beginning of the end for DRM?'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=2299567157723299812' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/2299567157723299812'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/2299567157723299812'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-5254026418670732184</id><published>2007-09-20T12:22:00.000-05:00</published><updated>2007-09-20T14:10:27.169-05:00</updated><title type='text'>MediaDefender: Victim of hackers or just a victim of karma?</title><content type='html'>Unless you have been living under an internet rock this past week, you have heard all the &lt;a href="http://news.google.com/news?hl=en&amp;amp;client=firefox-a&amp;amp;rls=org.mozilla%3Aen-US%3Aofficial&amp;amp;hs=blP&amp;amp;um=1&amp;amp;ie=ISO-8859-1&amp;amp;tab=wn&amp;amp;q=MediaDefender&amp;amp;btnG=Search+News"&gt;news surrounding the company MediaDefender&lt;/a&gt;. From MediaDefender's website, "MediaDefender, Inc. is the leading provider of anti-piracy solutions in the emerging Internet-Piracy-Prevention (IPP) industry. 
We provide services that stop the spread of illegally traded copyrighted material over the Internet and Peer-to-Peer networks."&lt;br /&gt;&lt;br /&gt;In February 2007, MediaDefender launched a video sharing site called Miivi.com. Back on July 4th it was discovered that the &lt;a href="http://tech.blorge.com/Structure:%20/2007/07/04/mpaas-media-defender-sets-up-fake-site-to-catch-pirates/"&gt;video download site MiiVi was really a "honey pot" (fake site)&lt;/a&gt; put up to track individuals downloading videos illegally. In an interview with Ars Technica, chief executive Randy Saaf stated that "MediaDefender was working on an internal project that involved video and didn't realize that people would be trying to go to it and so we didn't password-protect the site". MiiVi was shut down that same day, July 4th, 2007.&lt;br /&gt;&lt;br /&gt;This past week, &lt;a href="http://torrentfreak.com/mediadefender-emails-leaked-070915/"&gt;6 months' (700 MB) worth of emails were leaked&lt;/a&gt; and spread all over the internet. The emails contain information about the various tactics and technical solutions for tracking p2p users and disrupting p2p services. Following the email leak, TorrentFreak alleged that MediaDefender's statement about MiiVi being an "internal project" (see quote above) was a deliberate falsehood. The emails revealed that the site was closed when this fact became public knowledge, and was scheduled to be re-launched as www.viide.com. Viide.com has not yet been opened up to the public.&lt;br /&gt;&lt;br /&gt;Quoted from an &lt;a href="http://arstechnica.com/news.ars/post/20070916-leaked-media-defender-e-mails-reveal-secret-government-project.html"&gt;article on Arstechnica&lt;/a&gt;:&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"MediaDefender's damage control program went into full swing shortly after that. 
When Douglas pointed out that information about MiiVi had been added to the MediaDefender Wikipedia page, Saaf decided that he wanted it taken down. "Can you please do what you can to eliminate the entry? Let me know if you have any success," Saaf wrote. "I will attempt to get all references to miivi removed from wiki," developer Ben Ebert replied. "We'll see if I can get rid of it."&lt;br /&gt;&lt;br /&gt;After a statement Saaf sent to Digital Daily was included in a blog entry, Saaf sent an e-mail to a handful of MediaDefender employees asking if it would be a good idea to post it to the Digg.com news site. He also suggested possibly having MediaDefender employees post comments. Referring to the Digg community, MediaDefender co-founder Octavio Herrera replied, 'They aren't going to believe you.'"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In an additional blow (and I am sure not the last), the group known as the "MediaDefender-Defenders", who were responsible for initially distributing the leaked emails, have today &lt;a href="http://torrentfreak.com/mediadefender-anti-piracy-tools-leaked-070920/"&gt;leaked the source code&lt;/a&gt; MediaDefender used "for the 'trapping' and decoy software that MediaDefender uses to spread fake files on P2P networks."&lt;br /&gt;&lt;br /&gt;As security professionals we all understand that hacking, in and of itself, is not evil or wrong. Hackers are no more "terrorists" than locksmiths are cat burglars. In fact, hacking is merely the discovery of information, whether it be in software or hardware. It's the choices you make and how you use said knowledge that really start to define the "white" versus "black" hats in this realm. That said, I'd like to state I don't endorse or condone pirating movies or music, nor hacking with malicious intent. Now that I have gotten all the disclaimers out of the way, I would also like to state that I also don't endorse or condone MediaDefender's tactics in "preventing piracy". 
These unethical, and in some cases illegal, business techniques are really the root cause of why they are in such hot water now. &lt;strong&gt;Two Wrongs Do Not Make a Right.&lt;/strong&gt; Some might say what the hackers did falls under this mantra too, but in this case, they didn't hack with malicious intent per se. It was an exposé. They revealed the unethical techniques used by this corporation, no differently than any undercover journalist would. Just because the technology has changed doesn't make it any different than a 20/20 hidden camera or "To Catch a Predator" style journalism. These hackers are the modern-day "Deep Throat" (the informer, not the movie). I don't want to glorify their actions too much, but at the same time it had to be said to squash any "double standard" remarks. Infecting P2P networks is not the way to handle this issue. MediaDefender is no different than the bored 13-year-old kid in China who writes the next big worm or virus. I could go on and on about the techniques they used, but with a little help from Google you can read the leaked emails and see for yourself. 
Regardless of how you feel about illegal downloading or swapping of music and movies, I think you should read over them and ask yourself if you feel the actions of this corporation were ethical as a business, and if their techniques are any better than those of the "criminals" they were out to prevent.&lt;br /&gt;&lt;br /&gt;I really do think in this case MediaDefender is only a victim of one thing: karma.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/09/mediadefender-victim-of-hackers-or-just.html' title='MediaDefender: Victim of hackers or just a victim of karma?'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=5254026418670732184' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/5254026418670732184'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/5254026418670732184'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-2062713405308524909</id><published>2007-09-08T16:57:00.000-05:00</published><updated>2007-09-08T17:02:44.750-05:00</updated><title type='text'>New RSS feed location</title><content type='html'>For those of you who read this blog through Live Journal syndication, this change should be transparent. For others, I am working with my host to make the change in feed transparent for you as well. But if you would like to switch manually in the meantime, it might not be a bad idea. The current atom feed has moved to &lt;a href="http://www.feedburner.com"&gt;FeedBurner&lt;/a&gt;. 
If you read this blog through a reader, please point your reader to &lt;a href="http://feeds.feedburner.com/SecureTomorrow"&gt;http://feeds.feedburner.com/SecureTomorrow&lt;/a&gt; instead of the atom.xml file that had been used previously.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/09/new-rss-feed-location.html' title='New RSS feed location'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=2062713405308524909' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/2062713405308524909'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/2062713405308524909'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-4446871107587101889</id><published>2007-08-24T16:04:00.000-05:00</published><updated>2007-08-24T16:24:48.453-05:00</updated><title type='text'>America's Hackable Backbone</title><content type='html'>&lt;a href="http://www.forbes.com"&gt;Forbes&lt;/a&gt; is running an &lt;a href="http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html"&gt;interesting article&lt;/a&gt; right now about the weaknesses in many of the critical points in our country's infrastructure. &lt;br /&gt;&lt;br /&gt;&lt;em&gt;"The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise."&lt;br /&gt;&lt;br /&gt;"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. 
Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;It's a dangerous combination: unpatched and outdated control software, plus a poor understanding of needed security and a splash of good old fashioned US ego(tm). The Achilles heel in many of these cases is the Supervisory Control and Data Acquisition software, or SCADA. With more and more of our infrastructure connected to the internet, along with vendors making it difficult or impossible to patch SCADA software, key locations within our infrastructure are at serious risk. &lt;br /&gt;&lt;br /&gt;This article covers the problem but doesn't go into solutions. Security is, or at least should be, a multi-layered approach. For the incident in the article it seems the nuclear power plant was incredibly vulnerable. I imagine the security put in place was far below what most of us would consider adequate for a mid to large sized company, much less a nuclear power plant. Hopefully articles like this will open more eyes to how vulnerable we really are. 
Whether it be a terrorist attack, Russian mafia, or just another nasty worm like Slammer, we need to start looking at ways to seal these &lt;strike&gt;small holes&lt;/strike&gt; huge gaps in security, in a consistent and secure manner, especially when it comes to critical pieces of our country's infrastructure.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/08/americas-hackable-backbone.html' title='America&apos;s Hackable Backbone'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=4446871107587101889' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/4446871107587101889'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/4446871107587101889'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-7982792935755677048</id><published>2007-08-23T21:30:00.000-05:00</published><updated>2007-08-23T21:36:50.691-05:00</updated><title type='text'>Syndication issues</title><content type='html'>Just a heads up to my readers. Old posts are randomly showing up on Live Journal today (via the RSS syndication feature). I don't know if it's on Live Journal's side or a problem with Blogger. I am looking into it. My apologies if it causes any of you any confusion. In the next couple of days, if you see any posts that seem like they are outdated, they probably are. 
But if you are a new reader, then take this chance to catch up on some of my old posts from my archive making a mysterious reappearance.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/08/syndication-issues.html' title='Syndication issues'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=7982792935755677048' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7982792935755677048'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7982792935755677048'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-5531057004703866125</id><published>2007-08-23T10:49:00.000-05:00</published><updated>2007-08-23T11:06:11.951-05:00</updated><title type='text'>CyberSpeak Podcast</title><content type='html'>For many of you reading this, the Cyberspeak Podcast is a regular addition to your ipod podcast play list. For those of you just getting into infosec, you may not have heard of these guys. From their official description, "Hosted by two former federal agents who investigated computer crime, this is a technology Podcast covering Computer Security, Computer Crime and Computer Forensics Topics." A friend and peer of mine back home in DC turned me onto this podcast back in 2005. I have been hooked ever since. These two guys really know their stuff quite well, and present it in an easily digestible format for a wide range of listeners. Whether you are working in the infosec trenches day to day or just picked up your first CISSP book hoping to move from another area of IT, I think you will find the podcast both enjoyable and educational. 
&lt;br /&gt;&lt;br /&gt;To subscribe to the CyberSpeak podcast via iTunes you can use this link, &lt;a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=108218375"&gt;CyberSpeak Podcast&lt;/a&gt;.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/08/cyberspeak-podcast.html' title='CyberSpeak Podcast'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=5531057004703866125' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/5531057004703866125'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/5531057004703866125'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-1696540340546338005</id><published>2007-08-22T13:03:00.000-05:00</published><updated>2007-08-23T17:59:39.358-05:00</updated><title type='text'>Monster gets hacked</title><content type='html'>Pretty much anyone who has been unemployed in the past 10 years has probably set up an account on Monster.com at one time or another. Symantec is reporting they found a new Trojan called Infostealer.Monstres. Its sole purpose seems to be using compromised employer accounts to harvest the personal information of anyone who has a visible job profile on Monster. At the time of discovery by Symantec, the remote server collecting the stolen information had already collected 1.6 million entries with personal information belonging to several hundred thousand people. &lt;br /&gt;&lt;br /&gt;I have included a link to the full article if you are interested in reading all the details. I will leave you with a great bit of knowledge from the article, the importance of which I cannot emphasize enough. 
&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc to prospective employers until you have established they are legitimate."&lt;/i&gt; &lt;br /&gt;&lt;a href="http://www.symantec.com/enterprise/security_response/weblog/2007/08/a_monster_trojan.html"&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Full Article Link &lt;/span&gt;&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/08/monster-gets-hacked.html' title='Monster gets hacked'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=1696540340546338005' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1696540340546338005'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1696540340546338005'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-8059378428111966968</id><published>2007-08-22T12:56:00.000-05:00</published><updated>2007-08-22T13:02:39.464-05:00</updated><title type='text'>I blew the dust off and found a blog here</title><content type='html'>I know the blog has been neglected a &lt;i&gt;tad&lt;/i&gt;. I am still in the trenches working on security issues but in an Operations environment now. A much different environment to the Engineering and R&amp;D environments I had been doing my security work in during the past several years. 
I hope to be able to at least do weekly posts here sharing or discussing current security related issues with my readers.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/08/i-blew-dust-off-and-found-blog-here.html' title='I blew the dust off and found a blog here'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=8059378428111966968' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/8059378428111966968'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/8059378428111966968'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-1827185944017378451</id><published>2007-03-10T20:30:00.000-06:00</published><updated>2007-08-23T18:36:15.382-05:00</updated><title type='text'>DST reminder</title><content type='html'>For those of you living under a rock, this is a reminder that the new adjusted (earlier) DST goes into effect this year. In fact, tomorrow to be exact. In the IT industry this has felt like Y2K all over again, except far less preparation seems to have gone into patching systems for the new DST than the months (years in some cases) put into patching and testing for Y2K. Hopefully, anyone who reads my blog will not feel any headaches from the adjusted DST kicking in tomorrow. I have a bad feeling the lack of forethought by many vendors will bite them in the booty come tomorrow. 
Though I am not mentioning any names.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/03/dst-reminder.html' title='DST reminder'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=1827185944017378451' title='2 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1827185944017378451'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1827185944017378451'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-1791376849029034928</id><published>2007-02-04T22:14:00.000-06:00</published><updated>2007-08-23T18:27:16.809-05:00</updated><title type='text'>PHP forum systems inherit phpBB vulnerability</title><content type='html'>For any of you running a phpBB based setup, if there is one idea I could get across to you, underlined, bolded and with 17 exclamation marks, it is this: &lt;span style="font-weight:bold;"&gt;make sure you set register_globals to off&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Now that I have gotten that out of the way, &lt;a href="http://www.heise-security.co.uk"&gt;heise Security&lt;/a&gt; has a short article up discussing the matter in a bit more detail.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2007/02/php-forum-systems-inherit-phpbb.html' title='PHP forum systems inherit phpBB vulnerability'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=1791376849029034928' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/11213985/posts/default/1791376849029034928'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/1791376849029034928'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-7719821068618395487</id><published>2006-12-06T16:33:00.000-06:00</published><updated>2007-08-23T18:13:06.940-05:00</updated><title type='text'>Words the word</title><content type='html'>Microsoft recently released an announcement about a zero-day vulnerability affecting several versions of Microsoft Word.   &lt;br /&gt;&lt;br /&gt;&lt;em&gt;"Microsoft is investigating new public reports of limited 'zero-day' attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.  In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;The kicker is the nugget of wisdom Microsoft passes along to us while they sort it all out, &lt;em&gt;"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. 
This vulnerability could be exploited when a user opens a specially crafted Word file."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"...or that you receive unexpectedly from trusted sources"&lt;/em&gt;&lt;br /&gt;So basically that limits me to documents I already have in my possession and Bob from down the hall giving me a solid heads up that he'll be emailing me a document later in the day *smirk*</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/12/words-word.html' title='Words the word'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=7719821068618395487' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7719821068618395487'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7719821068618395487'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-115757441665127018</id><published>2006-09-06T15:07:00.000-05:00</published><updated>2006-09-06T15:44:06.216-05:00</updated><title type='text'>Guerrilla Marketing</title><content type='html'>This is not entirely a security related matter in the traditional sense. Guerrilla Marketing is a less than honest form of online marketing. Guerrilla Marketing involves people creating many accounts and posting to online blogs, forums, websites, etc. from each of these accounts, acting as if they are in fact different people. Many tech and non-tech people are unaware that this even exists. Sometimes it is a person or small group of people orchestrating the Guerrilla Marketing. Other times, massive efforts are fueled by PR firms. This is much like when phishing[1] first hit the internet and caught many people off guard. 
To this day, some tech savvy people still get fooled as phishers become cleverer in their wording and targeting. In the same way that phishing relies on using a false identity to obtain information about the target, Guerrilla Marketing relies on many false identities to present information to targets, creating the illusion that it has mass appeal or is being shared with the community by a small group of "average users" who are just really excited about the new site/product/service. &lt;br /&gt;&lt;br /&gt;I must note that not all Guerrilla Marketing is bad. From Wikipedia, Guerrilla Marketing is described as "an unconventional way of performing promotional activities on a very low budget. Such promotions are sometimes designed so that the target audience is left unaware they have been marketed to and may therefore be a form of undercover marketing (also called stealth marketing)." The basic premise of it is the same, though many internet users still dislike the fact that they are being tricked into thinking one thing and then realize they have been "marketed to". Guerrilla Marketing in itself is not bad; how it is used and implemented determines whether it crosses any ethical lines.&lt;br /&gt;&lt;br /&gt;This post on Penny Arcade was from earlier this year. It by no means is a new concept. I was reminded of it while having a discussion about digg.com[2] and looking over some scary posting trends on digg. Anyway, if the concept is new to you, it's an interesting (short) read.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.penny-arcade.com/news/show/21589"&gt;http://www.penny-arcade.com/news/show/21589&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Foot Notes:&lt;br /&gt;&lt;br /&gt;1. Phishing - In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. 
Phishing is typically carried out using email or an instant message, although phone contact has been used as well&lt;br /&gt;&lt;br /&gt;2. Digg.com - (From Digg's site) Digg is a user driven social content website. Ok, so what the heck does that mean? Well, everything on digg is submitted by the digg user community (that would be you). After you submit content, other digg users read your submission and digg what they like best. If your story rocks and receives enough diggs, it is promoted to the front page for the millions of digg visitors to see.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/09/guerrilla-marketing.html' title='Guerrilla Marketing'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=115757441665127018' title='1 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/115757441665127018'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/115757441665127018'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-7847169156231428664</id><published>2006-08-20T16:01:00.000-05:00</published><updated>2007-08-23T17:56:50.458-05:00</updated><title type='text'>But MOM! I wanna' connect to the internet NOOOW</title><content type='html'>Pedro Bueno over at SANS ISC had some great advice to share. 
Something I have been preaching myself for quite a while.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"During one of those past weekends I was installing and configuring some honeypots.&lt;br /&gt;&lt;br /&gt;I decided to try different Operating Systems to see which one would fit better for my needs.&lt;br /&gt;&lt;br /&gt;As I already had a perfect NAT for one IP, nothing more natural than to put the IP address on the OS during installation, right?&lt;br /&gt;Yep, WRONG! The reason is that if you install an internet facing OS (like my NAT was providing me), maybe there will not be enough time to apply the patches (even offline patches, from CDs or pen drives).&lt;br /&gt;&lt;br /&gt;So, my Tip of the Day is, for whatever OS you are installing, if you can't physically unplug the network, choose not to configure the NICs during installation. In this way, you will have enough time to check which services will be running on your machine, and turn them off before someone explores your unpatched OS, because if you are installing a fresh OS, chances are that some applications/services are already outdated and you may be a victim of some bot of the day..."&lt;/em&gt;</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/08/but-mom-i-wanna-connect-to-internet.html' title='But MOM! 
I wanna&apos; connect to the internet NOOOW'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=7847169156231428664' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7847169156231428664'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/7847169156231428664'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-115001870244004202</id><published>2006-06-11T04:31:00.000-05:00</published><updated>2006-06-11T05:04:13.426-05:00</updated><title type='text'>Moving to a new domain</title><content type='html'>I will be starting the transfer of this blog over to its new home at &lt;a href="http://www.securetomorrow.org"&gt;Secure Tomorrow&lt;/a&gt;. I will be moving it over to the new domain tonight and it will [hopefully] get a face lift in the coming weeks. For those of you who read this blog via RSS, please update your news readers to point to &lt;a href="http://www.securetomorrow.org/atom.xml"&gt;http://www.securetomorrow.org/atom.xml&lt;/a&gt;. For those who read this blog through Live Journal syndication, you do not have to do anything. Hopefully the transition will be as painless as possible. 
If you have any problems feel free to leave a comment in the blog and I will address it.&lt;br /&gt;&lt;br /&gt;kb</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/06/moving-to-new-domain.html' title='Moving to a new domain'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=115001870244004202' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/115001870244004202'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/115001870244004202'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-115001705278633345</id><published>2006-06-11T03:28:00.000-05:00</published><updated>2006-06-11T04:16:42.440-05:00</updated><title type='text'>Big brother is at it again, and again</title><content type='html'>It seems your friendly neighborhood eye in the sky [the NSA] has made it into the news not once but twice in the past month or so.&lt;br /&gt;&lt;br /&gt;Recently &lt;a href="http://www.newscientisttech.com"&gt;New Scientist Tech&lt;/a&gt; had an article about how the &lt;a href="http://www.newscientisttech.com/channel/tech/mg19025556.200.html"&gt;Pentagon's National Security Agency is setting its sights on social networking websites&lt;/a&gt;. Now to others already in the security field, this is a "well duuuh" moment. The best piece of advice I ever heard someone give to a friend who had recently discovered the "internet" was "don't put anything on the internet you don't want everyone in the world to know." Truer words were never spoken. Now I am not saying secure data is impossible over the internet. I mean if that was the case, guys like me would be out of a job, lol. But... 
for your average user of social networking sites, it's a fair assumption that it's out in the open and, more than likely, people are putting information about themselves, their wild weekends, etc. up without realizing the full scope of their actions. As I said, if you are already in the security or privacy mindset, it's a "well duuuhh" statement. Most users just don't think that way. I am hoping that with blogs like mine and others like it, we can help educate average users and put them more in a mindset where they think before they post. Whether it be the government, a hacker, or maybe that creepy guy from the bar you refused to give your number to, do you really want them having access to everything you post on your myspace page? Most people put that information up assuming that the only ones who would be interested in that info would be other friends or [insert average 16 year old girl myspace user] *giggle* that cute boy from home room with the dreamy eyes. You get the idea. I think it's up to all of us to help educate these people and remind them to think twice before posting personal information on these sites. Read over the article; it's a good read. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.newscientisttech.com"&gt;New Scientist Tech&lt;/a&gt; also had another article. Last month, people were amazed (well some people *snicker*) when it was &lt;a href="http://www.newscientisttech.com/channel/tech/dn9162.html"&gt; revealed that the NSA has been collecting records of domestic and business phone calls since shortly after the terrorist attacks of 11 September 2001&lt;/a&gt;. I will not go into too much detail on this one. The article sums it up nicely, plus it starts walking that line between keeping this blog technical and not discussing topics relating to any particular political view. This is more of a "discuss with friends" topic, or one to let marinate in your head a bit and draw your own conclusions. 
I will mention that the NSA has been collecting this info WITHOUT (WIRETAP) WARRANTS, a step deemed necessary after 9/11 by some. In fact, some in the current administration seem to think that this should become more of a standard, as they feel current wiretap laws are insufficient in this post 9/11 America. Where do we draw the line? Decide for yourself.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/06/big-brother-is-at-it-again-and-again.html' title='Big brother is at it again, and again'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=115001705278633345' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/115001705278633345'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/115001705278633345'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-114988789193869570</id><published>2006-06-09T16:06:00.000-05:00</published><updated>2006-06-09T16:26:34.730-05:00</updated><title type='text'>Article Repost: "SSL VPNs and security"</title><content type='html'>* Thanks go out to Michal Zalewski for a well written article and giving me permission to repost it here.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;SSL VPNs and security&lt;/b&gt;&lt;br /&gt;&lt;i&gt;Michal Zalewski (lcamtuf dione ids pl)&lt;/i&gt;&lt;br /&gt;Original Article URL: &lt;a href="http://www.securityfocus.com/archive/1/436479/30/0/threaded"&gt;http://www.securityfocus.com/archive/1/436479/30/0/threaded&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Web VPN" or "SSL VPN" is a term used to denote methods for accessing a company's internal applications with a bare WWW browser, with the use of browser-based SSO authentication and SSL 
tunneling. As opposed to IPSec, no additional software or configuration is required, and hence, corporate users can use pretty much any computer they can put their hands on.&lt;br /&gt;&lt;br /&gt;[ Yes, this is a very bad idea, but often also a perceived business necessity. To counter the risk, some SSL VPN solutions may perform client-side security checks with the aid of an applet or control "not marked as safe". This is, of course, a silly and bypassable design, and has a side effect of teaching the user to click "yes" on scripting safety prompts. But I digress... ]&lt;br /&gt;&lt;br /&gt;[ These solutions are sold, among others, by Juniper, Nortel, Nokia, Cisco. The following observations are based on Cisco Web VPN (and your mileage with this and other vendors may vary).&lt;br /&gt;&lt;br /&gt;In their most basic operating mode, SSL VPN systems simply act as an HTTPS authentication and authorization proxy that relies on session cookies, and a URI-based request rewriting and forwarding engine. Such a configuration enables the user to access any HTTP or HTTPS based Intranet applications; web-based clients for some other protocols are also sometimes included.&lt;br /&gt;&lt;br /&gt;[ With the help of various controls and applets again "not marked as safe", SSL VPNs can also forward local TCP ports through that tunnel, if unsupported network protocols need to be used. ]&lt;br /&gt;&lt;br /&gt;A good example: let's say there's a user who wishes to access his corporate Outlook Web Access interface from a remote location. 
The usual URL for the intranet service is: http://owa/exchange/lcamtuf/inbox&lt;br /&gt;&lt;br /&gt;To access it over the Internet, that fellow needs to navigate to https://webvpn.foocorp.com/, enter his credentials, collect a session cookie, and then go to (or be redirected to) something along the lines of:&lt;br /&gt;&lt;br /&gt;https://webvpn.foocorp.com/http/0/owa/exchange/lcamtuf/inbox&lt;br /&gt;&lt;br /&gt;...which, if the cookie validates, would be translated to the original URL and allowed to go through, with SSL VPN acting as a proxy.&lt;br /&gt;&lt;br /&gt;Commercial SSL VPNs are a fairly recent technology that has a considerable appeal to various corporations. Because of its novelty, however, in a typical setup it may be subject to several serious security flaws, unless very carefully designed.&lt;br /&gt;&lt;br /&gt;Possibly the most important problem is that web VPNs break the customary browser security model that relies on domain name separation for the purpose of restricting access to cookies and other objects. Browsers generally allow "foo.com" to interact with its own cookies or windows, but prevent the site from accessing resources related to "bar.com". Yet through SSL VPN, they all may look the same:&lt;br /&gt;&lt;br /&gt;https://webvpn.foocorp.com/http/0/foo.com/serious_work&lt;br /&gt;https://webvpn.foocorp.com/http/0/bar.com/fun_and_games&lt;br /&gt;&lt;br /&gt;Because of this design, all pages displayed through a Web VPN interface are lumped together. Whenever a page (or just an HTML fragment) that can be controlled by the attacker is displayed by *any* of the applications behind Web VPN, JavaScript can access:&lt;br /&gt;&lt;br /&gt;- Web VPN session cookie, which can then be passed to the attacker. This is equivalent to the attacker obtaining access to all protected systems and compromising Web VPN altogether. 
The threat could be mitigated by associating the cookie with the client's IP, but such an approach is not always implemented, and is impractical with AOL and the like.&lt;br /&gt;&lt;br /&gt;- Application cookies set by other applications. If passed to the browser (as some SSL VPNs do), these cookies are separated by the use of the "path" parameter alone, which does not necessarily establish a browser security domain boundary. This is equivalent to the attacker obtaining user credentials to these applications.&lt;br /&gt;&lt;br /&gt;Some commonly used corporate applications may indeed serve attacker-supplied content, making these attacks virtually inherent to most SSL VPN deployments:&lt;br /&gt;&lt;br /&gt;- Various web mail systems, such as Outlook Web Access (OWA), may serve HTML attachments and other documents received from the Internet without providing an adequate browser warning. Although this is a security challenge by itself for all web mail interfaces (where there is a risk of stealing the web mail session cookie), access to all SSL VPN cookies makes the impact far more serious.&lt;br /&gt;&lt;br /&gt;- Trivial cross-site scripting flaws in *any* available intranet application may compromise the entire SSL VPN. Because these applications are usually complex, aplenty, and all under-audited, the existence of such bugs is pretty much a certainty.&lt;br /&gt;&lt;br /&gt;- A trivial cross-site scripting bug in the SSL VPN itself may endanger the entire system. Impossible? Cisco SSL VPN has this: https://&lt;vpnhost&gt;/webvpn/dnserror.html?domain=&lt;u&gt;foo&lt;/u&gt;&lt;br /&gt;(and yes, they seem to be aware of this, but have no specific timeline for fixing it - so I suppose it's OK to report it; hi Larry Seltzer).&lt;br /&gt;&lt;br /&gt;[ The possibility of allowing Internet access through the Web VPN is something I wouldn't even consider here.
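&lt;br /&gt;&lt;br /&gt;As an added illustration (not part of the reposted article, and not any vendor's code), here is a toy Python model of the URL rewriting and cookie scoping discussed above. The gateway name webvpn.foocorp.com is taken from the article's example; the intranet hosts owa and wiki, the cookie names and the in-memory session store are assumptions made up for this example.

```python
"""Toy model of a URL-rewriting SSL VPN gateway and of browser cookie scoping.
Added example: not code from the reposted article or from any vendor. The
gateway name is the article's; intranet hosts (owa, wiki), cookie names and
the session store are assumptions made up for illustration."""
from urllib.parse import urlsplit

GATEWAY = "webvpn.foocorp.com"   # assumed gateway hostname


def rewrite_to_gateway(intranet_url):
    """http://host/path?q  to  https://GATEWAY/http/0/host/path?q."""
    u = urlsplit(intranet_url)
    if u.scheme not in ("http", "https") or not u.netloc:
        raise ValueError("unsupported intranet URL: %r" % intranet_url)
    rest = u.path.lstrip("/")
    if u.query:
        rest = rest + "?" + u.query
    return "https://%s/%s/0/%s/%s" % (GATEWAY, u.scheme, u.netloc, rest)


def rewrite_from_gateway(gateway_url):
    """Inverse mapping: the request the gateway forwards to the intranet."""
    u = urlsplit(gateway_url)
    parts = u.path.split("/", 4)    # ['', scheme, '0', host, rest]
    if len(parts) == 4:
        parts.append("")
    if len(parts) != 5 or parts[1] not in ("http", "https"):
        raise ValueError("not a gateway URL: %r" % gateway_url)
    rest = parts[4] + ("?" + u.query if u.query else "")
    return "%s://%s/%s" % (parts[1], parts[3], rest)


class CookieJar:
    """Minimal model of browser cookie scoping: (name, value, domain, path)."""

    def __init__(self):
        self.cookies = []

    def set_cookie(self, name, value, domain, path="/"):
        self.cookies.append((name, value, domain, path))

    def cookies_for(self, url):
        """Cookies attached to a request for url: the host must match and the
        request path must lie under the cookie path."""
        u = urlsplit(url)
        path = u.path or "/"
        sent = {}
        for name, value, domain, cpath in self.cookies:
            if domain != u.hostname:
                continue
            if path == cpath or path.startswith(cpath.rstrip("/") + "/"):
                sent[name] = value
        return sent


def cookies_exposed_to_xss(jar, page_url):
    """Everything a script injected into page_url can eventually read. The
    same-origin policy is keyed on scheme, host and port, not on path: the
    script can frame any other path on the same host and read that frame's
    document.cookie, so 'path' isolates nothing. Result: every cookie scoped
    to this host, whatever its path."""
    host = urlsplit(page_url).hostname
    return {n: v for n, v, d, p in jar.cookies if d == host}


def office_scenario():
    """At the office each intranet app is its own origin: a stored XSS on the
    wiki reaches only the wiki's own cookie."""
    jar = CookieJar()
    jar.set_cookie("OwaSession", "owa-secret", "owa")
    jar.set_cookie("WikiSession", "wiki-secret", "wiki")
    return cookies_exposed_to_xss(jar, "http://wiki/page?id=1")


def webvpn_scenario():
    """The same XSS through the gateway: its own session cookie and the
    per-application cookies (passed through, separated by path only) now all
    share one origin, so the wiki bug yields every one of them."""
    jar = CookieJar()
    jar.set_cookie("webvpn", "vpn-session-token", GATEWAY)
    jar.set_cookie("OwaSession", "owa-secret", GATEWAY, "/http/0/owa")
    jar.set_cookie("WikiSession", "wiki-secret", GATEWAY, "/http/0/wiki")
    return cookies_exposed_to_xss(jar, rewrite_to_gateway("http://wiki/page?id=1"))


# The mitigation the article mentions: bind the gateway session to the client
# IP, so an exfiltrated token is useless from the attacker's address. This
# breaks for users behind rotating proxies (the AOL case the article notes).
SESSIONS = {}   # token to issuing client IP (toy in-memory store)


def issue_session(token, client_ip):
    SESSIONS[token] = client_ip


def session_valid(token, client_ip):
    return SESSIONS.get(token) == client_ip
```

The office_scenario and webvpn_scenario functions run the same stored XSS on the wiki twice: directly, where it yields only the wiki's cookie, and through the gateway, where it yields the gateway session token and the OWA cookie as well. The cookies_for method shows that path scoping still governs what the browser sends with each request; it just does not stop same-origin script from reading the rest.&lt;br /&gt;&lt;br /&gt;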
]&lt;br /&gt;&lt;br /&gt;Additional problems may arise when the SSL VPN gateway IP is added to the "trusted zone" for the purpose of making certain intranet applications work the way they worked locally at the office.&lt;br /&gt;&lt;br /&gt;Yes, these problems are hardly new, and can be mitigated with some very careful design, and some vendors may be doing it properly - but I think that the following needs to be said:&lt;br /&gt;&lt;br /&gt;- SSL VPNs may easily turn negligible and common security issues such as XSS into a considerable corporation-wide threat; and preventing this is hard.&lt;br /&gt;&lt;br /&gt;- Most SSL VPNs may be "secure by design" only in fairly unrealistic situations or limited uses.&lt;br /&gt;&lt;br /&gt;- Unless the vendor takes the effort to precisely and honestly explain how they mitigate these specific threats, it is safe to assume they might not be doing it properly (or not doing it at all).&lt;br /&gt;&lt;br /&gt;Since these issues are generally not seriously discussed by vendors in assessments of their products (say, http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html), I would assume that extreme caution needs to be exercised.&lt;br /&gt;&lt;br /&gt;Flame on.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;/mz</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/06/article-repost-ssl-vpns-and-security.html' title='Article Repost: &quot;SSL VPNs and security&quot;'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=114988789193869570' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/114988789193869570'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/11213985/posts/default/114988789193869570'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-114982523042113879</id><published>2006-06-08T22:44:00.000-05:00</published><updated>2006-06-08T22:53:50.440-05:00</updated><title type='text'>Encrypting your Instant Messages</title><content type='html'>As some of my readers know I am a big proponent of encryption. Well I mean who isn't ;-) But I feel too many times people overlook the use of it or don't take the minimal steps to use it when it takes little effort and keeps [possibly] sensitive information away from hackers or others snooping your network connection. I came across a &lt;a href="http://www.short-b.us/2006/06/08/encrypt-your-instant-messaging/"&gt;blog post&lt;/a&gt; by a peer of mine that offers a nice little write up about setting up encryption on your  instant message client. It's worth a read and encrypted instant messaging is something everyone should get into the habit of doing.</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/06/encrypting-your-instant-messages.html' title='Encrypting your Instant Messages'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=114982523042113879' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/114982523042113879'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/114982523042113879'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-6804375848635391915</id><published>2006-04-15T21:33:00.000-05:00</published><updated>2007-08-23T17:40:45.796-05:00</updated><title type='text'>China outlaws 
Outlook</title><content type='html'>&lt;a href="http://www.vnunet.com"&gt;vnunet.com&lt;/a&gt; has an article running right now about China's new law regarding email servers. An interesting and scary look into the tight hand China uses to control its people and "its internet". &lt;br /&gt;&lt;br /&gt;&lt;em&gt;"China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law."&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.vnunet.com/vnunet/news/2154063/china-outlaws-outlook"&gt;&lt;span style="font-weight:bold;"&gt;Full Article&lt;/span&gt;&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/04/china-outlaws-outlook.html' title='China outlaws Outlook'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=6804375848635391915' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/6804375848635391915'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/6804375848635391915'/><author><name>Kevin Blanchard</name></author></entry><entry><id>tag:blogger.com,1999:blog-11213985.post-6628457215302763166</id><published>2006-04-07T15:07:00.000-05:00</published><updated>2007-08-24T23:19:17.787-05:00</updated><title type='text'>For the VeriSign Site Seal users</title><content type='html'>According to Tim Callan at Verisign:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;"VeriSign reports that many public-facing Web sites continue to implement an older and less secure version of VeriSign's popular security mark. 
Because the old VeriSign site seals were created and distributed prior to the rise of phishing, they did not contain the full set of anti-spoofing measures available in the newest version of the VeriSign Secured Seal. For the protection of online consumers, VeriSign is in the process of phasing out its old-architecture seals and moving forward with support only for the newest version of the VeriSign Secured Seal. Old-version seals are in a round, "gold or silver medallion" shape and call their verification page from https://digitalid.verisign.com. Latest-version seals contain the black VeriSign check mark in a red circle and the words VeriSign Secured and call their verification page from https://seal.verisign.com. All Web sites employing one or more VeriSign SSL Certificates in their validity period are entitled to display the VeriSign Secured Seal to improve site visitor confidence and increase visitor propensity to complete transactions. These customers can download the latest version of the VeriSign Secured Seal free of charge at  &lt;a href="http://www.verisign.com/seal"&gt;http://www.verisign.com/seal&lt;/a&gt;."&lt;/em&gt;</content><link rel='alternate' type='text/html' href='http://securetomorrow.org/2006/04/for-verisign-site-seal-users.html' title='For the VeriSign Site Seal users'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=11213985&amp;postID=6628457215302763166' title='0 Comments'/><link rel='replies' type='application/atom+xml' href='http://securetomorrow.org/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/6628457215302763166'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11213985/posts/default/6628457215302763166'/><author><name>Kevin Blanchard</name></author></entry></feed>