vultures and disclosure

David Maynor and Johnny Cache presented at Black Hat last week about an exploit against wifi drivers in an undisclosed but likely large number of wireless cards and operating systems. This has caused a minor furor amonst, well, pretty much everywhere somewhere.
Some argue that the duo are sellouts because they did not fully disclose who was affected at a “full disclosure” conference. Some argue they were protecting companies. Some take cheap shots at the video-taped demonstration for various reasons (which was done to prevent users from capturing the attack over the air and using it).
Last year Michael Lynn challenged Cisco and even his former employer ISS when he gave his presentation on a big Cisco vulnerability, after Cisco refused to fix it or even acknowledge it for quite some time.
Lynn’s example brought up the age-old argument I see far too often in information security: disclosure. What is proper disclosure? Should it be full disclosure? This year it is back. Should Maynor and Cache have revealed the affected chipsets and vendors so that users could stop using them until a fix was in place?
I don’t think there are any right answers, but the vultures that love to peck and squabble and argue for no real reason are back at it.
Bottomline, if these two found this problem, there are likely other people who have found out and kept it secret or sold it in private. This exploit was probably found via fuzzing of some type, since that is turning up lots of fun stuff lately. And I can only imagine the fun you could have as a spook or criminal with this sort of exploit in your hands and no one knowing about it…

trying to hold sand

I’ve been pretty conscious lately of where my personal information goes. I’ve been interested in staying anonymous for a blog and mailing lists, so my mind is kinda turning that problem over. In addition, with this year’s heightened problems with indentity theft and disclosure of personal information from places like the VA, every time I fill out a web form, my mind flitters over the thought that here is yet another place my personal information resides, ready to be indexed, stored, stolen, and used.
Just yesterday I submitted a job application to a company in the Seattle area, and at the bottom was a credit report disclosure form complete with social security number field. I immediately glanced up and noticed that the site had no SSL functionality on this particular form. I was a bit annoyed, but at least I was completing this form from my home network. If it had been somewhere else, I would have fully aborted that half hour of effort.
I order books online and provide credit card numbers. I renew my World of Warcraft account online, and there is more information. I submit less information to many sites that require logins, including job sites and corporate sites that want me to log in just to store my resume (so they say). All of this is like trying to hold so much sand in one hand…just think, all it takes is the least secure online store to be broken into and the data siphoned away…such as that site I ordered incense from recently. I wonder if that non-chain, local store has a security guru making sure their site and data are secure?
In the end, I just become more sympathetic to removing the “convenience” of sites “remembering” my account information so I don’t have to put it in again for subsequent purchases I may or may not make. I think data retention of that nature should be disallowed, and transaction logs in databases expunged on a regular basis or just stored on offline, secured media. If I only had to worry about the actual transfer of the information from my system over my network, my ISP, the Internet, to the vendor, I would feel a lot better than to have account and login and payment information stored by said vendor… How often do I let a restuarant keep a copy of my credit card and signature so that I can realize the convenience of not having to reach into my pocket to get it out, wait for the return of the waitstaff, and sign the slip?

a checklist of windows tools

It is a statement about the security of Windows that I have a series of apps I install on any personal Windows XP build that I perform, just to secure it more. I won’t leave home naked, and a Windows box by default being naked exemplifies what is wrong. I was going to post them for my own edification, but have decided to expand this to a listing of some of my favorite tools that I pretty much have on any XP system I build.
First, the initial security, after patches. I use ClamWin Antivirus because it is free. I use a cracked version of Sygate Personal Firewall instead of the XP firewall. I have also recently started trying out an app called WinPooch for digital integrity, ala Tripwire only free (I expect this to be bought up). I also install Mozilla Firefox and Thunderbird (with Enigma for PGP), not so much for esoteric purposes as for security purposes anymore. While investigating a friend’s hijacked AIM account two years ago, I discovered a version of the HTA exploit in IE (still unpatched, I think), and thusly conversed with the hijacker directly about it before getting my friends AIM acocunt back. Since then, I’ve never trusted IE at all. That was the breaking point. The only way to notice of stop that web-based attack against IE was to be running a personal firewall, at the time Zone-Alarm. Otherwise IE was rootable with no user intervention or notification.
In other apps, I have moved from my purchased version of Trillian over to Gaim, due mostly to having used Jabber in my last job and Trillian was slow to adopt. I use a pirated copy of Microsoft Office 2003 (includes everything, Visio, Word, etc). I always move over a bunch of Sysinternals tools as well (pstools, process explorer, tcpview, regmon, and filemon). A cracked version of WinZip 9 gets slapped in pretty quick, as does a free copy of WinAmp (classic mode please). WinDump, WinPcap 3.1, and Wireshark also get installed.
If this is a wireless laptop, I always throw in Netstumbler and Cain. If I am at a wireless hotspot, you can bet I am running Cain in the background (and for this reason, I am very aware of what I myself do at hotspots because I’m not a special hacker or something, I’m a regular guy and if regular guys play with gleaned myspace and email accounts…).
After that, my toolbox gets a bit more murky depending on the uses for the particular box, but pretty much all of the above are part of the ‘settling in’ process of a new system. Of my few cracked products, someday once I am out of the ‘cash-strapped college boy’ phase and into a solid, fair-paying job that keeps me happy, all of those may be replaced with legit copies.

security catching up to hot technology

DefCon and Black Hat have become the premiere security events of the year. Not only are they amazingly fun and informative, but some of the biggest security and insecurity news of the year is now coming out of the minds of those in the culture.
In the last couple years, the dotcom bust gave way to the slow maturation of web-based application delivery, and it is now shooting off quite rapidly. Web-enabled apps have been the buzzword in development for the past two years. In addition, the browser wars with phishers, spammers, and scammers has heightened and browsers are more and more under the guns and fuzzers.
And now, it’s happened. Javascript has been demonstrated to be able to not just screw with a local system, but also penetrate the local network that system is on.
Wow.
Ha.ckers.org made an excellent post that beats anything I could say. But I will add that if someone has presented it to us now, there is little doubt that these techniques have already been in use by the underground.

security pet peeve #2

“Well, you know, it’s a toolbox, I don’t care. You put the tools in and do the job, that’s all.” – Sam, Ronin, when asked what kind of gun he favors.
This is not so much a security pet peeve as it is a general geek pet peeve. I really do not mind discussions about operating systems and the benefits and drawbacks of each, but the eventual bashing and impassioned arguments that can result from talking about Windows vs Mac vs Linux vs Debian vs OpenBSD are amazingly unnecessary and unwanted.
When it comes down to it, the biggest factor in the security of each OS lies in the operator. I think they each have their own place. And I dislike seeing a Windows user completely refuse to learn Linux just as much as I hate seeing a Unix/Linux user be completely useless in Windows.
And let’s face it. All of these are going to be part of a security or IT person’s life at some point and we’ll have to at least be exposed to Macs, Windows versions, Linux boxes, etc. So basically live with it, and move on. My current job is 99% Windows, but my last job had a couple Macs, many Windows boxes, and some of our critical infrastructure systems were Linux (firewalls, DNS servers, monitoring servers, syslog…).
On a more personal note, I have used Windows versions since 95 (all but ME) and still run Windows XP today for the most part, pretty much just for easy wireless and World of Warcraft. However, I love tinkering and learning Linux versions (especially security live cds) and my next computer purchase will be a Macbook Pro. Someday after I get my Mac, I will convert a third oft-used laptop or desktop to be a permanent and oft-used Linux box so that I can really learn that as I also learn Mac. Eventually, I want to use Linux or Mac full-time, and only move to Windows for my work machine (most likely anyplace I work will provide only Windows XP, I bet), for gaming, and just to keep current on Windows (such as when Vista releases). Of course, my lab will always have a number of Windows boxes performing various roles.
I applaud how far Apple and especially Linux have come over the years to bridge the gap so that the only things I will not be able to carry over to Linux from my Windows world will be games. Even wireless is getting to be easy enough…

prove it

I just received email from a vendor I have dealt with in the past, ScriptLogic, whose simple tagline got me thinking: “Can you prove your IT environment is safe?”
I think I need to post that in my workspace at home and use that question as a basis for what I do in security as I move forward.

secutiry pet peeve #1

May as well get this one off my chest early, and try to keep it short and simple. I really dislike when people spit out that “security through obscurity is worthless.” I’ve read this a lot and heard it in person a lot too, but it is often misused. What is really meant is “security through obscurity alone is worthless.” Defense in depth benefits from security through obscurity. In a way, one could argue that passwords and theoretically reversible encryption is just harder-to-guess security through obscurity. The biggest benefits of security through obscurity would be twofold:
1) Eliminate a lot of the casual kiddies and scripted attacks. Running a vulnerable web server on port 1800 does not make the web server less vulnerable, but does limit all the scripts and kiddies who only look for web servers on port 80. You can at least limit your threat exposure.
2) Force determined threats into expending at least a little bit more energy and time to find the obscurities and work through or around them.
Alone, though, security through obscurity is more of a false sense of security than anything, even though the above two benefits are still there, no one should ever sit back and breatht easy by having security only through obscurity.
(Points for me to think about: Does this mean brute-forceable passwords and encryption is, in the end, worthless? Where easy passwords and DES were years ago “unbreakable” they are now accepted as flawed…as processors continue to speed up, will today’s standards eventually be scoffed at the same way? What can stand the test of time, biometrics? Or are passwords or at least encryption the standards we will always have to live with? As long as we have networks that have to communicate and trust, will there always be hashes or an exchange of keys that at some point is vulnerable?)

10 immutable laws of security

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

Law #10: Technology is not a panacea

guerilla interviewing

This was a nice read about job interviews. I believe Google also did this sort of interview tactic, especially the “impossible question” part. The biggest takeaway from this for me is the Smart and Gets Things Done. I think this is something I, and many people I know in IT, lose sight of sometimes. Get things done.

unwanted remote control sites and apps

It really sucks when users think they’re being cute by utilizing remote control services to connect from home to work or work to home PCs. These just are not cool, especially when used without permission. I always forget the sites, though, so this will start my list of sites to blacklist on firewalls/web filters whenever I set any up. These are not wanted in the corporate sphere.

GoToMyPC
LogMeIn (and secure.logmein.com)
Hamachi – p2p?

Hamachi is a particularly scary thing, but like Skype, it should require a common mediation server to get the two endpoints together, and therein lies a single point of denial on firewalls. Either way, novel idea, and something I’d like to check out on my own. If even the mediation is peer-to-peer, we should be marking the app as a highly bad app, kinda like an irc client…

Foxy Proxy has some excellent tutorials as well as the proxy stuff.

breaking wep

This paper purports not only to help cracking wep, but to be the final nail in actually outright breaking wep. I’ve not read this yet, but plan to as this sounds like a very swift, albeit technical, way to break wep.