.: February 2008 Archives
DailyDave has scared out an interesting mini-conversation about Security Religion. I call this Security Religion because the argument centers on some very fundamental beliefs that security people have when combating the evils of the cyber world. It is extremely important in passionate discussions to realize which religion speakers are siding with, to avoid circular arguments that get nowhere. Some discussions have no correct answer, but there can be no chance of agreement due to differences in fundamental assumptions (kinda like someone claiming their religion as ultimate because it says so in the Bible, but their audience hasn't bought the assumption that the Bible is divine...). The argument is in the assumptions, not the resulting assertions.
I have purposely struck out most of the content below, since it is just me being wordy and unnecessary.
Absolute security vs incremental security.
Absolute Security followers accept and pursue security solutions that are inherently secure or absolutely secure. Something that is inherently secure may not be absolutely secure right now, but is as secure as it theoretically can be at this moment.
Absolutists may often define security as something much closer to a state, where things are highly secure. When something is adding security, they mean that it is in a state that is not breakable. They may say that security is not a state to achieve, but only insofar as zero days can be found and patched against; i.e. new attack vectors and threats that aren't known today. They don't spend excessive amounts of time, money, energy, or political clout on solutions that have weaknesses or holes in them. With this approach, they tailor their security approaches towards even highly skilled threats, internal and external.
Perfect security seems like an impossibility, meaning these people will have very few solutions and very few good feelings about their security. They shouldn't use Windows, as this violates the fundamental belief (since Windows can be inherently insecure). Absolutists may be unable to provide satisfactory solutions without an overflowing budget, support, and staff. Absolutists do not manage risk, and would rather try to remove all risk. They put heavy emphasis on technological controls, since people are fallible and make mistakes. Absolutists will overlook small security measures that stop unskilled attackers or automata, but would fail against a skilled attacker.
Example A) Absolutists will argue against the benefit of changing the listen port of an SSH server, and instead prefer to harden the SSH server itself.
Example B) Absolutists will likely argue against the value of IDS or other detection solutions. Attacks should not succeed in absolute security networks, therefore this is wasted time. Caveat: detection may be suggested as a tripwire for zero day attacks or unknown things.
Example C) Absolutists scoff at the notion of MAC address and SSID hiding controls in WAPs.
Incremental security means acknowledging that security measures are not perfect, especially in an imperfect world with imperfect humans as the base of any security regimen. Therefore, they believe that layers are the best approach. Sometimes this means, "any security is an improvement."
Incrementals acknowledge that there are no perfect security measures, and can plan around those deficiencies. Incrementals tend to define "security" as a measure on a scale between ultimately secure and ultimately insecure. They have a more realistic outlook, which means being able to work with tighter budgets, lack of staff, and less efficient tools. Incremental belief lends itself to a risk management approach. They almost always accept that security is an ever-changing process and not a state.
An Incrementalist may waste time applying various imperfect layers of security to compensate for the imperfections. They may get mired in always fighting an uphill battle; causing burn-out, frustration, and never-ending politicking to get projects approved and accomplished.
Example A`) Incrementals believe there is some benefit to changing the listen port of an SSH server.
Example B`) Incrementals will be considerate of IDS and detection measures as a way to alert on possible or successful attacks.
Example C`) Incrementals will argue that there is some value in protecting wireless networks by disabling SSID broadcasting and using MAC controls.
There is a time and place for both security religions. This can change based on the organization's resources, threats, or assets. A government defense facility may side much deeper into the Absolute Security, but a web development start-up may be best served with an Incremental approach.
I'm not saying either religious side is better or worse. I think it depends on the personality and environment. Hell, I would also be keen to say it can depend on the solution or situation. You might be forced to be Incremental in your desktop OS and shared servers (think web or SQL), but you'd be damned to budge from being an Absolutist on the network or servers that only you use (think DNS or mail).
by michael 02.01.08 at 10:18 AM in /general - comments(2)
Research has claimed that businesses are now more concerned with "availability" than they are security. I'm not surprised by this since the availability of technology is a shared role between IT in general and the security team (as part of the CIA triad). I'd like to point over to some ongoing discussion at Farnum's Place. Feel free to chime in!
So, when did security eclipse availability? I think availability, by its nature, always has to be first. Or maybe an integral part of the security posture (again the CIA triad) and not broken out separately. Regardless which of the above two is correct, this breakdown makes me wonder at the validity of this research, or at least the article presenting it.
by michael 02.04.08 at 9:33 AM in /general -
Had an outage on my home cable network which may have been related to weekend reports of Midwest AT&T issues (I use Qwest). The outage started Saturday evening and lasted until Sunday morning. The cable modem lost connection and reverted to its default internal IP (192.168.100.14).
A note to myself not to mess with the Internet On/Off button on the device. Since it didn't behave like a switch (when you push it, it doesn't sink in and stay in and then pop out with a second push), I didn't think it would save state over a power cycle. Alas, 2 hours after physical connectivity returned, I finally hit the button and everything came back up.
On the bright side, my IP was not renewed. Pretty odd for that long of an outage.
by michael 02.04.08 at 10:13 AM in /terminal23 -
A new issue of Insecure Magazine has been released.
And Veracode has an amazingly brilliant code review comic posted (source: osnews).
by michael 02.07.08 at 10:36 AM in /general -
I still maintain that AntiVirus software is a necessity for computers these days. But after reading some thoughts from Michael about AV, I'm wondering if my long-standing Top 5 Security Step is less and less founded in rationality. As a quick summary, I'll say that AV is dying in the enterprise, but as a consumer protection, it is still an easy and easily understood suggestion. In the enterprise, AV is simply evolving, either migrating into other layers or into things like HIPS. As a bottom line, be open and think about the role of AV in your situation. I expect (and welcome!) strong reaction from Wismer on any holes in this post! :)
(I run AV on my home Windows boxes. I also use it on my mail gateway. My Linux boxes do not run AV. At work, we use AV and soon HIPS on all systems, and we're a fully Windows shop.)
So what is AV supposed to be doing? Well, it is supposed to block, detect, and clean various bits of malware from my system. It does this in realtime and with regular scans.
Signature-based- Everyone digs on AV's signatures being a limiting factor. This is true and is illustrated by the TSA no-fly lists. Jason Bourne's name appears on this list. When Jason Bourne attempts to board an airplane, someone compares his name to that on some ubiquitous list of baddies. What if Jason changes his name to James Bourne? He'll get through. What if there is another, completely innocent person named Jason Bourne? He might get denied access. Signatures work no better, really. And what if his name gets printed as Bourne, Jason? This is a bit like a file getting scrambled or encrypted a bit. It still works, but might not exactly match the signature list.
Protects against email-borne malware- AV protects against bad things sent via email. The problem here is threefold. First, many users are slowly getting used to not clicking random files in emails that they didn't request (slow but sure!). Second, mail servers and gateways are getting better at stripping bad attachments and files. Third, any brand new threats that attack otherwise trusted files like pdf or doc, are no better stopped by AV at the host than the AV at the gateway. I've found our third-party spam filter provider is far better at detecting and scrubbing and reacting to spam and new attacks than we ever could hope to be (part of the outsourcing trend of security commodity services).
Protects against network-borne malware- AV protects against bad things banging against and entering the system from the network, via network shares on the host or the host connecting to network shares. This can also include old exploits that pop vulnerable services/stacks in Windows or Windows-borne apps. We've not seen a huge number of these like we did 4+ years ago. The network is getting more protected as the OS incarnations become more solid (arguably) and network security matures. Firewalls, IDS/IPS, gateway AV, and even simple router ACLs/NAT keep a lot of things safer than they used to be. We're also getting better at detecting when something bad is circulating on the network. I believe all of this progress is not due to technology, but to the slow accumulation of technical experience and expertise in the enterprise and in commercial tools. All of this means AV's use to protect against network-borne malware is a bit more redundant.
Protects against web-borne malware- This is my more dubious claim, but I don't have a feeling that AV protects me all that much from the various web-borne attacks. Sure it can detect and maybe stop the big ones, but there are innumerable ways to write such malware. I'm just as worried about the targeted attack from a niche hacking site I visit as the Super Bowl page with some generic dropped script. Things like web filters and HIPS and limited rights help the enterprise user. Things like non-standard browsers and NoScript types of add-ons help home users. I think the impact of AV on this vector is diminished.
Keeps the system running smoothly- Malware still bears the telltale trait of slowing our systems to a crawl, in many cases. We don't like this. It soaks up productivity, increases user frustration with technology, and can harm the system itself up to overheating or simply an unrecoverable OS. Other security factors have been pushing data to be more secured and available, especially in backups or on the trusted networks. This means the physical end point is becoming more expendable as the least costly of our worries. Likewise, a pwned system with lots of malware can simply be rebuilt in such an environment, with little real loss. Home users are typically not as lucky in this regard.
Protection against known attacks- My problem with this sort of an assertion is twofold. First, protection is against only known attacks, not bleeding-edge unknown ones. AV is not the only victim here, since the attacks *are* unknown! Likewise, the inverse is true, AV protects against known attacks no better than protections in other layers, like the mail gateway or web filter. Second, keeping systems and applications patched (always easier said than done!) should also protect against known attacks. I would never happily justify slack patching due to AV protection.
Provides security in untrusted networks- I'll argue that this is still true, but also reduced and probably eclipsed by a good bi-directional firewall and HIPS. It's a fact of life that computers can now move at will from the trusted network to untrusted ones. Even if your laptop usage is small, it helps to just treat everything like it is mobile. While AV's role is diminished by edge and perimeter security measures, those are gone in an untrusted network.
Keeps the computer safer from human stupidity- There's a reason this bullet is last: it's especially important. Users can still make mistakes, and it really does help to catch those mistakes. Even if they happen and detectors raise alarms, I'd rather know something is borked than not know it. I really see AV's main purpose these days to be protecting against human error. Yes, other tools and approaches like limited rights and HIPS can do the same thing, but at least AV is easily accessible to home consumers, and more understood. If malware from 3 years ago gets sent to my users, I can expect one, someday, to accidentally click on it (come on, we've all accidentally run something we didn't mean to at some point!), and that's the safety net AV maintains. I'd rather my parents run AV than a FW or HIPS and not know whether to allow an action or not.
While I feel, personally, that the role and importance of AV in the enterprise is dying or greatly diminished, I would not recommend any shops abandon AV without doing a couple things.
Replace the AV with something- Chances are this will be a HIPS product, but replace it with something. I don't think I'm fully ready to strip the host of third-party protection or leave it with just firewalls in place.
Examine your laws and regulations- Does some regulation specifically require AV to be present (PCI)? Then you have to keep it, really. You might also have to make an extra good case to your lawyers or mgmt teams; AV necessity is pretty deeply ingrained now.
Examine your defense in depth- A lot of the usefulness of AV is being eroded by layers of defenses and replacement products. Sure you can replace AV with HIPS, but don't argue against AV if you don't have network perimeter and edge device protections to stop malware from entering the safety of your trusted networks. Make sure you still have confidence in your other mitigating security measures.
Prove the value of the alternatives or the lack of value of AV- Set up some tests with your techs to evaluate the real benefits of AV. Granted, I doubt your results will be publish-worthy, but try to understand what gets by the AV and what gets by HIPS if that is your alternative. Scrape your spam filter for bad files, put them onto a box with both products, and attempt to run them. Try to run them on an unsecured box, and see if you can push or install the products after the infection. And so on. Understand what you're replacing, so that you can be more confident with the added or decreased value of your decision. Or have your vendors/partners do this for you. Maybe HIPS will provide additional benefits like perhaps an inbound firewall or other alerting mechanisms that go beyond just AV actions. These tests may go a long way to garnering you support in the enterprise.
by michael 02.08.08 at 1:01 PM in /general - comments(2)
The Asus Eee PC (the official page is way too flowery to link to) is becoming a bit popular amongst colleagues for the low price and small footprint. It comes loaded with Xandros by default. Via the Full-Disclosure mailing list, it appears the device comes shipped with a rootable version of the Samba daemon. Doh! Props to RISE Security for finding and posting about this.
If you're like me and have not jumped on the wagon of the Asus Eee, it might be worth waiting for the second generation in April (from the Wikipedia article).
If you run a network that you want to be hostile to outsiders and you don't use Asus Eee's, you should be able to add passive/active rogue system detections to automatically trigger this rooting should a system be plugged in. Detect, root, wipe, see who screams later.
by michael 02.08.08 at 4:09 PM in /general -
Not sure who pointed me over to Lindstrom's post on vulnerability counts going down. Vulnerability counts may have gone down last year, which seems to have Lindstrom all excited and nipply.
I really don't know why I should even care. Such a metric is not actionable. The sad reality might be that budget-makers might react to it, but that should be it.
by michael 02.11.08 at 1:17 PM in /general -
I had posted about the article from Tim Wilson (DarkReading) giving a blitz of opinion from Peter Tippett, but deleted the post. I got the link from Rothman, and now I see (as I catch up with the news) Hoff posted as well. Shit, I guess I will repost, especially as I can fully empathize with Hoff's feelings "flip-flopping between violent agreement and incredulous eye-rolling from one paragraph to the next." I also deleted my post because I really had no idea who Peter Tippett is.
Tippett compared vulnerability research with automobile safety research. "If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver," he said. "It isn't very likely, but it's possible.
"If I disclose that vulnerability, shouldn't the automaker put in some sort of arrow deflection device to patch the problem? And then other researchers may find similar vulnerabilities in other makes and models," Tippett continued. "And because it's potentially fatal to the driver, I rate it as 'critical.' There's a lot of attention and effort there, but it isn't really helping auto safety very much."
I sometimes use such analogies myself, but I think it is important to not lean too heavily on such analogies. The analogy above ignores the ease and efficiency of digital attacks. This analogy would be more accurate if I could shoot many arrows randomly, build arrow-firing machines in any place I want, and recruit others who can easily build and deploy such devices. If this occurred with the efficiency, impersonality, and ease of a digital attack, you bet it might be a concern for Ford. Likewise, such arrow attacks may impact just the drivers and a few nearby cars; a data disclosure or cyber attack could affect hundreds or thousands, for years.
I also took exception to the following, which might be a problem with condensing Tippett to a few hundred words, or might mean Tippett needs to do a little soul-searching on how he wants to approach security.
But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."
versus
Tippett also suggested that many security pros waste time trying to buy or invent defenses that are 100 percent secure. "If a product can be cracked, it's sometimes thrown out and considered useless," he observed. "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."
What the hell is he trying to conclude here? I could be reading more than he is intending, but hopefully he just wants to say we need to think more about the value of these measures. It just struck me as odd that he takes two rather opposing positions there. Neither approach secures 100%, but in one case he questions the value and in the other condones it.
by michael 02.11.08 at 1:32 PM in /general - comments(1)
One of the biggest failures of SMTP (email) is the ability to spoof the sender, i.e. repudiation. I'm a firm believer in the ongoing death of email.
But I see there is still room for improvement. DKIM, DomainKeys Identified Mail (just covered by NetworkWorld), appears to use DNS-stored keys and signed mail using those public keys to verify the sender of email. This will only be as strong as private keys are kept private, the IT techs don't fudge their mail server configs, and a fake signature can't be embedded into the mail and pass any checks (email clients [or MTAs] will have to flag fake ones, since we humans certainly can't tell).
I had no idea about DKIM until today, but it definitely sounds like a move in the right direction. Will it save SMTP? That I don't know, but it should certainly reinvigorate it in the business world. I do plan to work DKIM into what I do, but it will only be after/during my email server overhaul/migration from a Windows app to Postfix (most likely).
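As an added example (not the post's own code), here is a compact DKIM signer and verifier in Go following the mechanism described above: the public key is published as a TXT record at selector._domainkey.domain (an in-memory map stands in for DNS), the signer adds a DKIM-Signature header carrying the body hash bh= and an rsa-sha256 signature b=, and the verifier fetches the published key and rejects an altered body, an altered signed header, and a signature made with any key other than the published one. The domain example.com, the selector sel and the message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

type Header struct{ Name, Value string }
type Message struct {
	Headers []Header // kept in order: DKIM hashes fields in the order the h= tag names them
	Body    string
}
// dnsTXT is a constructed in-memory stand-in for the TXT record at <selector>._domainkey.<domain>.
var dnsTXT = map[string]string{}
// parseTags splits a DKIM tag=value list such as "v=1; a=rsa-sha256; ...".
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		tags[k] = strings.TrimSpace(v)
	}
	return tags
}
// lastHeader returns the last instance of a named header, which is the instance DKIM signs.
func lastHeader(m Message, name string) (h Header) {
	for _, c := range m.Headers {
		if strings.EqualFold(c.Name, name) {
			h = c
		}
	}
	return
}
// bodyHash returns bh=: base64(SHA-256(body)) after "simple" canonicalization (trailing empty lines dropped, one CRLF kept).
func bodyHash(body string) string {
	body = strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n") + "\n"
	sum := sha256.Sum256([]byte(strings.ReplaceAll(body, "\n", "\r\n")))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// signedData rebuilds the bytes the signature covers: each h= header, then DKIM-Signature with b= emptied (b= is written last and base64 never contains ';').
func signedData(m Message, hList, dkimValue string) []byte {
	var sb strings.Builder
	for _, name := range strings.Split(hList, ":") {
		if h := lastHeader(m, name); h.Name != "" {
			sb.WriteString(h.Name + ": " + h.Value + "\r\n")
		}
	}
	sb.WriteString("DKIM-Signature: " + dkimValue[:strings.Index(dkimValue, "; b=")+4])
	return []byte(sb.String())
}
// Publish stores the public key as the selector's DKIM TXT record (v=DKIM1; k=rsa; p=base64 SPKI).
func Publish(domain, selector string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}
// Sign appends a DKIM-Signature over From, To, Subject and the body hash (rsa-sha256 with PKCS#1 v1.5, as DKIM specifies).
func Sign(m *Message, domain, selector string, key *rsa.PrivateKey) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, bodyHash(m.Body))
	sum := sha256.Sum256(signedData(*m, "from:to:subject", value))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:]) // only fails for a key too small for SHA-256
	m.Headers = append(m.Headers, Header{"DKIM-Signature", value + base64.StdEncoding.EncodeToString(sig)})
}
// Verify checks the DKIM-Signature against the key published for d=/s=; a different key, an altered body or an altered signed header all fail.
func Verify(m Message) error {
	dkim := lastHeader(m, "DKIM-Signature").Value
	tags := parseTags(dkim)
	if tags["a"] != "rsa-sha256" || !strings.Contains(dkim, "; b=") {
		return fmt.Errorf("missing or unsupported DKIM-Signature")
	}
	if tags["bh"] != bodyHash(m.Body) {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(dnsTXT[tags["s"]+"._domainkey."+tags["d"]])["p"])
	parsed, err := x509.ParsePKIXPublicKey(der)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("no usable RSA key published for %s._domainkey.%s", tags["s"], tags["d"])
	}
	sig, _ := base64.StdEncoding.DecodeString(tags["b"]) // an undecodable b= simply fails the check below
	sum := sha256.Sum256(signedData(m, tags["h"], dkim))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	Publish("example.com", "sel", &key.PublicKey)
	msg := Message{Headers: []Header{{"From", "michael@example.com"}, {"To", "reader@example.net"}, {"Subject", "DKIM check"}}, Body: "Hello,\r\nthis body is covered by bh=.\r\n\r\n"}
	forged := msg // same mail, signed below with a key that was never published under sel
	Sign(&msg, "example.com", "sel", key)
	fmt.Println("genuine:", Verify(msg))
	msg.Body += "added in transit\r\n"
	fmt.Println("altered body:", Verify(msg))
	forger, _ := rsa.GenerateKey(rand.Reader, 2048)
	Sign(&forged, "example.com", "sel", forger)
	fmt.Println("unpublished key:", Verify(forged))
}
```

A real verifier also needs the relaxed canonicalization, the x=/t= timestamp tags and the v=/l= checks from RFC 6376, which are left out here to keep the flow visible.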
by michael 02.12.08 at 10:10 AM in /general -
Microsoft is in a not-so-enviable position when it comes to patch releases. Microsoft yesterday released MS08-006 as one of their slew of patches. They rated this issue "Important." But if you look closely, it scores the highest severity in every category except one: number of systems affected. But if you have servers affected, this is about as critical as an issue can get, other than having it already worming around.
This sucks because techs like me want the real skinny, but we all know media will latch onto "Microsoft released a critical patch..." and drop off the, "...that only affects..." part. And then people like my managers or stakeholders on the systems in question will say, "But Microsoft themselves only rated this Important, surely you can slow down..."
There's really no answer here, and I think Microsoft errs on the correct side, since I can figure out for myself that the issue is critical (assuming Microsoft continues to be detailed in their descriptions), but the common public is less likely to figure out the issue doesn't matter to them. Still, it is a lame situation. Maybe Microsoft should only apply an overall severity to an issue only after identifying the affected products?
Or do what SANS does and split them up between client and server ratings. These are general enough and make damn good sense.
by michael 02.13.08 at 1:20 PM in /general -
Yesterday I mentioned the severity of MS08-006. Last night, HD Moore posted an analysis of this patch.
This is a server issue, and is only enabled by the use of certain coding practices that are not bad in and of themselves. Considering most admins have no idea what code is going on their systems, either from internal developers or third-party web products, this patch should still be critical for servers. I assume a purposely vulnerable and dangerous asp file will be released in the next few weeks that I can copy, put on a server, and auto-pwn it in some way (shovel a shell over asp?).
by michael 02.14.08 at 9:45 AM in /general -
For some reason, just about every hour, the IP address 66.249.67.139 (crawl-66-249-67-139.googlebot.com) hits my site and does a one word search on my site. They're rarely meaningful terms, although now and then it searches for some relevant to my site. Weird.
by michael 02.14.08 at 3:31 PM in /general -
The 2008 Winter Scripting Games have begun! I'll do my best to post my own answers as the deadlines for the events pass. I don't have much time tonight to do things, but I have a clear weekend. I hope to spend only 10% of my time on the PowerShell stuff, and the rest of my efforts on Perl.
by michael 02.15.08 at 8:15 AM in /general -
I am again posting my entries to the scripting games over on my wiki. Due to time constraints, I've not been able to devote myself at all to the Perl side of the events, but I have completed all the PowerShell ones (I've not turned them in yet and will do so as the deadlines approach). I also decided to try the Sudden Death stuff. Not sure why my first one scored 0, but I emailed them about it. I think me sending it in 1.5 hours before the deadline may have counted against me.
Overall, very fun exercises this year, and I get to learn more about PowerShell. I think the events are just a bit more complicated than last year, which is truly welcome!
Event 1 involved creating a word out of the letter conversion of a 7 digit phone number. Rather than stop at finding an answer, my script finds all the possible ones and just returns the first one.
Event 2 wanted to average scores from a text file and echo the top 3. This was pretty routine, and maybe one of the easier Advanced events.
by michael 02.20.08 at 2:53 PM in /general -
My RSS reader is getting swamped because I'm behind. In trying to catch up, I see more QQing about user education (either lack of support or lack of value in it). Here are some of my personal guidelines about user education in regards to enterprise security. These are not hard and fast rules, but simply general guidelines for me.
1) User education helps inform users of and explain corporate policies and technical controls. A workforce that doesn't know policy, can't follow it. A workforce that doesn't understand why a control is in place, will fight against or around that control.
2) User education helps those who truly want to do the right, secure, safe thing. Some people are quite open and actually thirst for this knowledge, both for work and at home. This is not all people especially when push comes to shove and the "right" thing means not doing the "easy" thing in your job. E.g. It is easy to just email that client the necessary SSN-filled spreadsheet than figure out or set up a secure transfer method via "encrypted" mail, encrypt mail, or SFTP. (Yes, I meant to list three things there...)
3) User education fills in the gaps that technical controls cannot adequately fill. There are security problems that simply cannot be solved very well with technical or procedural controls. A salesman talking in the airport on his cell phone about confidential business plans can be overheard, and there's not much you can do about that. Or it may not be technically possible to add more physical security to your building if you don't own it. But user education can demonstrate that the business is not negligent about such issues, and the user may change his behavior after such education (see #2).
4) Technical controls are more valuable than user education. To mitigate a particular risk, if the value of the technical control roughly equals that of the user education control, and they cannot add to each other, then the technical control should win out. While user education has value, it does not ensure anything. Even I, as an informed and careful sec geek, would rather not have to make judgement calls or risk mistakes dealing with a strange attachment. I'd rather it be stripped early, not delivered to me, or my system not vulnerable (patched, least rights, hIPS...).
5) User education is worthless without technical controls. This follows from some earlier points, but imagine a company that has little to no technical controls and relies on its workforce intelligence to be secure. At least with technical controls, there is some assurance of a certain level of unattended security, assuming good configurations and settings. With technical controls, you can trust and verify. With user education, you have to trust, measure, and generalize.
6) User education is especially valuable, nonetheless, to the people who decide technical controls. IT and security staff need continued training. IT and security staff need continued training. IT and security staff need... We can't make things right unless we know how to make things right. From developers to IT professionals to managers, the technical people need technical training. Part of "baking in" security is about kneading in the knowledge.
Parting thoughts: This is not to mean I think user education is worthless. I think a proper security approach blends both user education (along the guidelines above) with strong technical controls. I simply think the drink is more like 1 part user education to 9 parts technical control.
by michael 02.20.08 at 4:32 PM in /general -
Over on the Windows IR blog, Harlan has posted a most excellent list of tools and resources for someone getting started in forensics without busting the piggy bank open.
by michael 02.22.08 at 4:33 PM in /general -
CanSecWest will give round 2 of their PWN 2 OWN contest. If you can hack a box, you keep the box. This year they will offer up patched versions of Windows Vista, Mac OS X, and Ubuntu. They will also allow browser, email, and IM application attacks. I understand an out-of-the-box, fully-patched attack, but I guess one can argue "typical configuration" of those apps. So, thinking inside the box, I would expect the challenges to be centered on privilege escalation, finding something running as root level, hijacking something root-executable due to poor file access security.
Anyone ready to start a pool on which order and how these boxes will be pwned?
Order of pwnage
1. Ubuntu Linux - Ubuntu, the bloated desktop OS for Linux, is really not what you want representing Linux, but it matches the desktop use of the other two entries. Unfortunately, I think Ubuntu is the least vetted when it comes to security, and will be the first to fall. I wouldn't be surprised to hear about poor file system permissions that let userland replace something normally invoked by root. Or maybe an outdated package of something or other.
2. Mac OS X - I think everyone will still love to pwn the Mac and keep it in its place, making it a prime target. I suspect inherent flaws in the apps used will cause this breakdown, much like QuickTime last year.
3. Windows Vista - This might depend on the timing of patches, but I think Vista combined with IE7 will prove somewhat formidable, especially if the user is not an admin.
Most common attack vector
Web browsing - Browse to my site and get pwned! I think this will be, far and away, the most common attack vector and likely the approach used by the successful attacks. This might not result in attacking a flaw in the browser itself, but will involve the browser in some way.
by michael 02.25.08 at 10:22 AM in /general - comments(2)
Some business mag articles are insightful; others are as wasteful a time as listening to a broken record. Today for lunch I was at my second-closest Barnes & Noble Starbucks waiting to try out the new honey latte when I spied an IT article in the Harvard Business Review: Radically Simple IT (requires $$). "Oh neat."
(Of note, I can pick up a copy and read the articles for free at the store, but I can't get them online...meh.)
I skimmed the article and while I would love to read specifics on what Shinsei Bank did to be radically simple in their path-based approach to IT projects, I instead was bored to tears reading business cliché after business cliché after vague generalization (yes even generalizations can be vague) after fluff after fluff... It uses a lot of words and pages to essentially say: "Be smarter about IT projects. Do better, more intensity, more cowbell!"
The mashed synopsis can be found online; I suggest reading it and wondering if that says anything new. I'll answer that and say, "Nope, nothing new."
Shinsei Bank, from the sound of the article, was in an enviable position from the eyes of us IT guys. They got to spend $55 million in a year to replace an antiquated IT infrastructure with a new enterprise system (whatever the hell that means). Well, I think many people would love to have the opportunity to flush it all away and start their operations anew. How often does that happen? Not often enough!
Fine, the article does have some good points later on when it talks about how to build IT. Things like minimal standards, simple architecture, and listening to users. But that's pretty common sense, if you ask me. Anyone who has planned a system of any type, and had to live with the results knows these things (sorry consultants, sometimes your ideas suck when you live with them for years!).
The nonsense about "forging with business" instead of "aligning with business" basically makes me want to drown a kitten with my honey latte...stop reinventing terms for vague crap. Just say, "align with business with more intensity!" Or better yet, just stick to "align with business."
Trying to move a project ahead with fewer requirements is simply asking for future finger-pointing from just about everyone. The reason we have so many damned requirements is the blame game that ensues after an IT project finishes and it's not perfect for everyone everywhere for the unforeseeable future. But that's really a corporate culture or management personality thing.
That's my rant for this week; surprising since it's been a relatively low-key week in which I'm beginning to build my next gaming machine...
by michael 02.27.08 at 12:48 PM in /general -
It's been about 5 years since I built my gaming machine. Yup, it's about time to build a new one and I thought I would share some specs. This system is not built yet, but I am already starting to get pieces in. The total cost minus the toys and monitor will be slightly over $1,000. I will buy almost every piece from NewEgg.
The system I want should stand up to about 3+ years of upgrading. For now, I skimp on some parts that are easily upgradable and splurge on things that are not. I stick to a nice motherboard that no doubt has at least 2-3 good years of high/middle-end gaming in it. It will support most any Intel dual or quad core CPU that will be on the market this year. I can go up to 8GB DDR2-1200 RAM and plop in 2 ATI Radeons in Crossfire mode (basically use dual graphics cards instead of 1). I doubt I will ever do dual graphics or that much RAM, but the options exist! I like a decent case that I can show off, so I don't go cheap there either.
I normally would not have gotten a high-end PSU like I have listed below, but I picked up the Antec 850Watt PSU from a closing CompUSA for under $100. I couldn't pass that up.
This will all be cooled with a water cooling system I'll build. I'll most likely get all of the water cooling parts from PetrasTechShop or maybe a few from FrozenCPU.com. I used FrozenCPU for my last system, but I've not tried Petras yet. The parts are individually listed below. I chose water cooling because it keeps the system far quieter than if I relied entirely on air cooling. That and it looks cool!
Logitech G15 keyboard
Antec TPQ-850 850watt PSU
LG L226WTY-BF Black 22" 2ms DVI Widescreen LCD Monitor x2
Lian-Li PC-60BPLUSII W Black Aluminum ATX Mid Tower
Asus P5E LGA 775 Intel X38 ATX Intel Motherboard - up to DDR2-1200 1333/1600 FSB
Intel Core 2 Duo E6550 Conroe 2.33GHz 1333 FSB
Corsair XMS2 2GB (2 x 1GB) 240-Pin DDR2 SDRAM DDR2 800 - 4s cas latency
Diamond Viper 3870PE4512SB Radeon HD 3870 512MB PCI-E 2.0
Western Digital Caviar SE16 WD5000AAKS 500GB 7200 RPM 16MB Cache SATA-300 Hard Drive
Lite-On Black SATA DVD Burner with LightScribe
Creative Sound Blaster SB0570 Audigy SE 7.1
AeroCool FP-01 55-in-1 Card Reader w/Flip-up LCD Screen
Okgear 18" SATA II data and power combo cable-UV blue model OK105
some cable coils just to make the cables pretty?
dual 12" cold-cathode tube UV lights from petrastechshop
water cooling parts
D-TEK Fuzion universal waterblock
Swiftech MCR-320 reservoir
Swiftech MCP635 pump (aka Laing 55 Inline 12V pump)
Swiftech MCRES-micro reservoir
Arctic Cooling MX-2 thermal compound
some 7/16 tubing, clear
some 120mm fans (x4?)
some coolant/dye additive
by michael 02.28.08 at 9:28 AM in /general - comments(2)
I was browsing around somewhat randomly and came across this little list of challenges for people looking to get into security. Kind of a cheesy thought, but then I started reading the tasks and really liked them. Some get old school, but damned if security pros shouldn't be exposed to some old school things like IRC or email via telnet.
If you know someone who is looking to get into security a bit more, these are very basic and useful tasks to give them. Even a tech geek that hasn't had an interest in security should find some of these tasks horizon-expanding.
Snagged from beginningtoseethelight.org.
by michael 02.28.08 at 4:57 PM in /general -
The recent "cold boot" or "memory remanence" attack against keys stored in RAM (particularly against FDE vendors) has gotten good publicity, including mainstream media. I passed along information to my team, and it then went all the way up to the top of my organization, partly because we're just about to roll out an FDE product. What did I recommend or say?
I quickly (2 paragraphs) and in mostly non-technical terms described the attack. Then, in a small FAQ-style section, I explained that we are not at much risk of this attack. Memory dumping is not new, nor is memory dumping from recently powered-off memory. Can Joe down the street do it? No. Would Jess, after lifting your laptop from the airport queue, crouch in a corner and start freezing your memory? No. Even if tools became available to boot a laptop to USB and quickly dump memory for offline scraping/cracking, this is still not a huge problem.
Bottom line: Is this something that an average computer (laptop) user or average corporate user cares about? Seriously, no.
This sort of attack would be of interest to government units, defense contractors, and others who might be subjected to targeted, highly motivated, and decently funded attackers. National or major corporation espionage comes to mind. This attack is also of interest to us security geeks. Not only is it cool, but it keeps us thinking outside the box. It also keeps vendors honest and working towards better security.
What mitigations are there?
Reduce laptop theft risk.
Power off the laptop when it is not in use.
Don't keep valuable data on mobile devices.
Use advanced multi-factor authentication.
Enforce proper password complexity and age requirements.
Limit booting from removable devices or use a BIOS password.
None of these steps should be very new to organizations, and certainly not to any organization that should care about the cold boot attack. All of the above steps should take much higher priority for all of us.
I don't follow Bruce Schneier as much as I used to, but I do believe he has a good point when he talks about how badly humans evaluate and react to risk. We see risk and get all dramatic when it comes to low probability but exotic issues, yet ignore common issues that wouldn't make a Hollywood movie script. This attack is exotic and not common.
by michael 02.29.08 at 12:57 PM in /general - comments(2)
As mentioned by Nate Lawson and illustrated by fellow Security Catalyst Didier Stevens, the cold boot attack against FDE applications is not limited to just FDE, but any program that stores keys in memory.
This is a much bigger problem than just an FDE problem, but it is still far outside the vision and concern of regular users, at least today and likely this year. Didier's approach to grabbing information out of memory while logged in should be of more concern than a cold boot attack.
So before your auditors require you to put the question, "How do you manage keys in memory?" to your FDE vendor questionnaires, make them apply it against every application your organization makes use of or creates.
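To make the "how do you manage keys in memory?" question concrete for your own developers, here is an added example (my illustration, not code from Didier, Nate, or any FDE vendor) of the one thing an application can do about it: keep key material resident only for as long as it is actually needed, then wipe it in a way the compiler cannot optimize away. The cipher is a toy XOR standing in for real crypto, and the key is constructed filler rather than a real derivation; everything else is the real technique. It does not help while the key has to be in RAM to do work, which is why the power-off advice in the previous post still stands.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Zero a buffer through a volatile pointer so the optimizer cannot drop the
 * stores as "dead" (a plain memset() right before free/return is often elided).
 * Where the platform offers explicit_bzero() or memset_s(), prefer those. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Count the bytes still non-zero; lets a caller (or a unit test) verify a wipe. */
size_t nonzero_bytes(const unsigned char *buf, size_t len)
{
    size_t count = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0) {
            count++;
        }
    }
    return count;
}

/* Constructed demo key: deterministic filler, NOT a real key derivation. */
static void load_demo_key(unsigned char *key)
{
    for (size_t i = 0; i < KEY_LEN; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }
}

/* The whole key lifetime in one function: load the key, use it, wipe it before
 * returning. The toy XOR stream stands in for a real cipher; the point is that
 * the key material lives in RAM only for the duration of the call. `key` is
 * supplied by the caller so the wipe can be inspected afterwards. Returns a
 * checksum of the transformed message. XOR is symmetric, so calling this twice
 * on the same buffer restores the original plaintext. */
unsigned int use_key_then_wipe(unsigned char *key, unsigned char *msg, size_t msg_len)
{
    unsigned int checksum = 0;

    load_demo_key(key);
    for (size_t i = 0; i < msg_len; i++) {
        msg[i] ^= key[i % KEY_LEN];
        checksum = checksum * 31u + msg[i];
    }
    secure_wipe(key, KEY_LEN); /* key is gone before we return */
    return checksum;
}

int main(void)
{
    unsigned char key[KEY_LEN];
    unsigned char msg[] = "constructed sample plaintext"; /* constructed input */
    size_t len = sizeof(msg) - 1;

    use_key_then_wipe(key, msg, len);
    printf("non-zero key bytes after wipe: %zu\n", nonzero_bytes(key, KEY_LEN));
    use_key_then_wipe(key, msg, len);
    printf("round trip restored plaintext: %s\n",
           memcmp(msg, "constructed sample plaintext", len) == 0 ? "yes" : "no");
    return 0;
}
```

The check to put in a code review is simple: every buffer that ever held a key, password, or derived secret must pass through secure_wipe (or the platform equivalent) on every exit path, and a test like the one in main should fail if it does not.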
by michael 02.29.08 at 1:44 PM in /general -
Well, it has started. Nice to see!
by michael 02.29.08 at 2:50 PM in /general -
Think someone is using Wireshark to listen to your network? Why not throw out traffic meant to crash Wireshark? Looks like a few have been reported recently.
by michael 02.29.08 at 2:52 PM in /general -