JaBbA's Hut - Security

Schneier on Security vs. Privacy

nospam@example.com (JaBbA) — Tue, 29 Jan 2008 10:39:19 -0500

Bruce Schneier posted an article today on the false dichotomy between Security vs. Privacy:

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

The American people have been bombarded with so much fear and anxiety that they have stopped thinking. And, unfortunately, for many people that's the way they like it. But I take some heart from the freefall of Rudy "9-11" Guiliani in the Polls - given enough time, people finally started looking at something other than his constant fear speech, and didn't like what they saw. He miscalculated, thinking that the security message could last almost 2 years. It's not that people are beginning to wake up - I think it's more that they have become habituated to the constant drumbeat that they are able to look past it.

But Schneier's right - security comes before social issues like privacy on Maslow's Hierarchy of Needs. We have to get over the fear before we can worry about civil liberties - and that's what the government is counting on. But there is a way - and that is to get people to fear the loss of privacy. Unfortunately, balancing fear of government intrusion against complete paranoia is difficult - and it's much easier to make people fear a violent attack.

This may be why I'm attracted do Obama's message of hope. If we can look forward to a future where we don't see enemies all around us, we can be more cognizant of the importance of personal liberty. I am beginning to believe that Obama sees that future and wants to lead the country there.

JaBbA says check it out.

Finally, a reality show for geeks

nospam@example.com (JaBbA) — Wed, 19 Dec 2007 16:33:01 -0500

The newly-rebranded TruTV (nee CourtTV) is starting a new reality series, but instead of following Police Detectives, or Ghost Hunters, this time it's following a team of penentration testers!

This verite action series follows Tiger Team "a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world's most sophisticated security systems, defeating criminals at their own game. Tiger Team is comprised of Security Audit Specialists Chris Nickerson, Luke McOmie and Ryan Jones who employ a variety of covert techniques - electronic, psychological and tactical - as they take on a new assignment in each episode."

The first show is December 25th at 11:30pm.

UPDATE TruTV now says it was a special, and will not be made into a series. I heard from someone who was working with the team that there was a lot they just couldn't show, so it was probably too difficult to make it a series. Nevertheless, the Car Dealership break-in is online at TruTV's website (important point - it's amazing what a skilled researcher can find out from someone's trash), and if you can find the Jewelry dealer show, it's a fantastic example of how social engineering and lack of user security awareness can lead to trouble.

Real risk - the Phishing Trojan

nospam@example.com (JaBbA) — Fri, 15 Jun 2007 13:26:17 -0400

Of course, there are real risks out there that we need to avoid.

The targeted emails warning of IRS Audits or overdue invoices are a perfect example. Executives receiving these quite alarming emails click on the attachments to find out what the problem is, and the bad guys now own their computers.

I've seen multiple examples of the IRS audit scam, all of which came to executives here at work. Someone's been doing their homework.

I'd suggest warning all executives of your companies about these emails.

Example, from SANS:

Proforma Invoice for "Company Name" (Attn: "Executive Name")

The Body of the email included this text

"Hello,

The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks."

Risk and Perception

nospam@example.com (JaBbA) — Fri, 15 Jun 2007 13:19:44 -0400

Bruce Schneier has written another excellent article on the perception of risk:

...when faced with a very available and highly vivid event like 9/11 or the Virginia Tech shootings, we overreact. And when faced with all the salient related events, we assume causality. We pass the Patriot Act. We think if we give guns out to students, or maybe make it harder for students to get guns, we'll have solved the problem. We don't let our children go to playgrounds unsupervised. We stay out of the ocean because we read about a shark attack somewhere.

It's our brains again. We need to "do something," even if that something doesn't make sense; even if it is ineffective. And we need to do something directly related to the details of the actual event. So instead of implementing effective, but more general, security measures to reduce the risk of terrorism, we ban box cutters on airplanes. And we look back on the Virginia Tech massacre with 20-20 hindsight and recriminate ourselves about the things we *should have done.

He's written about risk, perception and "security theater" many times.

JaBbA says check it out.

Windows ANI Patch

nospam@example.com (JaBbA) — Tue, 03 Apr 2007 15:47:36 -0400

Microsoft just released an emergency patch for the ANI Vulnerability. The Internet Storm center has been condition yellow for 76 hours, longer than ever before, because of this vulnerability.

Don't wait for the regular update. go to http://update.microsoft.com/ and get it now. Really. I'll wait......

And be sure not to type 'microfost' by accident. That's one of the websites that was hacking people when they visited.

Dolphin Stadium site hacked

nospam@example.com (JaBbA) — Fri, 02 Feb 2007 12:49:38 -0500

Someone has compromised the official Dolphin Stadium website and inserted malicious javascript into the header. DO NOT visit dolphinstadium.com and if you have any kind of filters block it immediately.

Screenshots can be found at Websense Security Labs

Nervous Yet?

nospam@example.com (JaBbA) — Mon, 16 Oct 2006 15:25:07 -0400

Control of the congress is going down to the wire, and there is no reason to think that the election is going to go any more smoothly this time than in May, especially here in Cuyahoga County.

See my Voter Registration experience.

And a new article today from the IBM Center for Business and Government about possible large scale disenfranchisement

Columbus Day SPAM Attack

nospam@example.com (JaBbA) — Mon, 09 Oct 2006 11:15:04 -0400

The last few months, the mailware writers have been taking advantage of the fact that even security people like to take their weekends off to blast the Internet with their latest and greatest creations.

Apparently, the pump-and-dump SPAMmers have decided to use the same tactic, and thought maybe the Columbus day weekend might be a good time to do it.

At work, my usual volume of SPAM on a Sunday is about 90,000 emails. Here's my current graph. That huge spike at the end - 204,000 email on Sunday.

Where are they coming from? Delivery failures. We've become the spoofed From: line for some spammer out there. And we're not the only ones.

It's getting nasty out there.

FIrefox Flaw? Maybe...maybe not

nospam@example.com (JaBbA) — Tue, 03 Oct 2006 10:54:23 -0400

There's been a lot of uproar over a presentation at Toorcon where a pair of "Security Researchers" (which is what they would be called if they used responsible disclosure) / "Hackers" (which is the term almost universally used in press accounts) claimed to have found a bug in Firefox which they used to build a botnet.

This understandably concerned the Mozilla team, and a member of the Mozilla security team joined the presentation. Turns out they were "joking". I'm not sure how the announcement of the creation of a botnet based on a non-existent security flaw constitutes a "joke" - and I'm a geek. I "get" some pretty esoteric jokes. They wanted to tweak the "Firefox fanboys". Mischa later apologized:

he main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly havenât used it to take over anyone elseâs computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Nevertheless, there apparently is a little bit of fire in all that smoke - a flaw in Firefox that can apparently be used for a Denial of service. Of course, I didn't say too much about the IE setslice vulnerability on Thursday because it, too, was a DoS bug - until Friday night, when suddenly a remote code execution exploit was released and caused enough havoc to prompt the ISC to go to yellow alert. So be aware, if I hear of this escalating to an exploit I'll post asap.

The most important thing - Mozilla immediately reacted, is concerned with finding the truth, not maintaining a corporate image, and is taking this very seriously.

JaBbA says: Open Source means more than just source code.

Why did I make a big deal out of the latest MS exploit?

nospam@example.com (JaBbA) — Fri, 29 Sep 2006 12:41:41 -0400

This is why:

[From SANS]

Kevin Shea wrote in to report:

Yesterday morning (9/27) when dropping off my son at school, I told his first grade teacher about the VML exploits and patch availability. She said she had computers at home and would call her husband to make sure they were patched.

When my signifigant-other picked him up around 5:30, the teachers were all talking about how her husband checked and found out they were infected with one of the trojans. Their bank accounts had been drained, by electronic withdrawals and money transfers. Since it had occurred the day before, the bank (unknown) was able to reverse the transfers and replace the money in their accounts. They won't even bounce a check.

After receiving the report, I had a few questions and I received a prompt follow-up. What the thieves did with the money was interesting. Most of the funds were transferred out using one of those services where you can wire cash to people. I'm not sure if these were wired to other accounts using the intermediary, of it people actually walked up to a counter to retrieve the funds. They also used funds in this account to purchase background checks at certain people-search/information-broker companies. Most likely this is an attempt to gather further identities in a way that won't tip-off the broker.

Because Kevin told people about this, that teacher was able to quickly recover all the lost money.

JaBbA says tell your friends: Friends don't let friends get ripped off by using unpatched software.

Electronic Voting and the upcoming election

nospam@example.com (JaBbA) — Fri, 29 Sep 2006 00:32:37 -0400

I'm about half way through Brave New Ballot, the new book about electronic voting by Avi Rubin. Since I've been following the Diebold case since Bev Harris first reported problems with the machines, none of the facts presented are any surprise to me. However, the book is well written, and fair to a fault, as appropriate for a serious academic. I'd recommend it to anyone interested in why the Voter Verified Paper Trails are so important to saving American Democracy. I'll have more as I finish the book.

Also, I finally got the info about helping with the election itself. I was planning on volunteering but, as it turns out, since I'm a computer expert the Cuyahoga County BOE will pay me $250 to be a technical person helping with the vote. So, like Avi Rubin, I'll be working at the polls on election day. I'll be on the lookout for issues that could allow wholesale vote fraud, not that I can fix them, mind you. But the first step is to be sure that someone is watching.

Microsoft Patch

nospam@example.com (JaBbA) — Tue, 26 Sep 2006 17:32:06 -0400

Microsoft released a patch for the VML Issue. Make sure your automatic update is on, or go to windowsupdate.com to get the update directly.

JaBbA says patch. Now!

Status: Yellow. Exploit Code is making the rounds!

nospam@example.com (JaBbA) — Fri, 22 Sep 2006 15:05:45 -0400

ISC has gone Status Yellow because of new exploit code.

It's a drive by - you'll NEVER know you got hacked on a fully-patched Win XP system until someone empties your PayPal account.

Video of it happening is at The Websense Security Blog.

More info in Tuesday's ISC Diary, and Thursday.

JaBbA's Recommendations:

#1 - Use Firefox with NoScript.
#2 - Update your Antivirus. If you don't have Antivirus, try AVG Anti-Virus Free Edition.
#3 - Use Thunderbird instead of outlook.
#4 - Slow down on that itchy trigger finger. Do you really need to click that link that was just sent to you?
#5 - Unregister the DLLs. This isn't for the faint of heart, but it will stop the hack

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Remove the -u to reregister them after October 10th, the date this is supposed to be fixed.

Calling all Computer Geeks

nospam@example.com (JaBbA) — Fri, 22 Sep 2006 13:32:07 -0400

Especially Computer Security people....

Your skills are needed on November 7th to work the election. The more computer-literate election judges and technicians we have, the more likely it is that people will be able to exercise their right to vote.

NIPA MEETING

Network for Interfaith Political Action
Educate-Organize-Advocate

SATURDAY, OCTOBER 7, 2006
1:00 â 3:00

Make a difference on November 7th (and beyond)

Get the Facts â¦. Get Involved â¦. Make a difference!!!!!

Place: Forest Hills Presbyterian Church
3031 Monticello Blvd, Cleveland Heights
(Corner of Lee Rd and Monticello)

Purpose: Make a difference on November 7th (and beyond).
This election is too important to be left to chance.
â¢ Learn about the new voter I.D. requirements
â¢ Publicize absentee ballot use in your congregation
â¢ How to avoid voting a âprovisionalâ? ballot
â¢ Board of Election poll worker recruitment (paid) and other poll worker volunteer opportunities
â¢ NIPAâs enforcement of the 1993 Voter Registration Act with Cuyahoga County Assistance Agencies
â¢ Hear success stories of people (like you) making a difference in their congregation and beyond

Questions and Registration: Susan Alcorn, 440-247-6604

Schneier: What the Terrorists Want

nospam@example.com (JaBbA) — Fri, 15 Sep 2006 10:37:34 -0400

Bruce Schneier is one of the world's leading experts on security, the founder of Counterpane Security, the author of some of my favorite security books: Practical Cryptography, Secrets and Lies and, most recently, Beyond Fear. And someone I have had multiple opportunities to sit down with and talk about the state of security, both digital and real-world.

He has long made the point that our government and media are giving the terrorists exactly what they want by engaging in "security theatre", which has no real effect on safety. He spells it out again in his newest essay, What the Terrorists Want.

It's time we calm down and fight terror with anti-terror. This does not mean that we simply roll over and accept terrorism. There are things our government can and should do to fight terrorism, most of them involving intelligence and investigation -- and not focusing on specific plots.

But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership.

The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.

Ever since Reagan declared a "War on Drugs" we have gotten used to thinking about this as a war - and, of course, Bush just loves to think about his legacy as a "War President". But The Clinton administration had it right - these people aren't an army, they're a criminal conspiracy and it is criminal investigation and intelligence work that will finally stop them.

JaBbA says check it out.