Stuffis
Still "Brent's pile o' stuff" but at least now there are sections.
Security
“Those who would give up essential Liberty, to purchase a
little temporary Safety, deserve the hottest brands at rock bottom
prices!”
Open Source
DRM
Voting
Jon Stokes at Ars Technica has written an article entitled "How To Steal an Election". The PDF file is available here. (It's copyrighted, but permission is granted to distribute it if you link to the original article and PDF, as I've done here.) The rush to implement touchscreen voting with no paper trail as a backup is extremely worrisome; how long before we have a successful fraud that tips the balance of an election?
Best Practices
- Password schemes: Schneier's thoughts; Diceware, XKCD's correct horse battery staple, and Gibson's Haystack
- Great analysis of PIN frequency — take-aways: (1) don't start your PIN with "19" or "20" (4-digit year), (2) don't start your PIN with "0" or "1" (most common), and (3) use big gaps between digits (prefer "38" to "45") — of course, best is to use a PIN bigger than 4 digits, if you can
- Cautionary tale: Analysis of the HBGary hack — lots of best practices not being followed by a supposed security company
Fraud
- $45,000 stolen in phone porting scam: The thieves tricked this man's daughter into revealing his mobile phone number, had the phone "ported" to a new provider so they could control it, and were then able to satisfy two-factor protections and drain money from the man's account
Internet/Web
- WiFi Protected Setup (WPS): a lot of routers now come with this feature to make WiFi setup easier, but unfortunately WPS is vulnerable to brute-force attacks and can't always be turned off
- Java 8 schedule pushed back to focus on security
- Stealth survey of open ports/devices finds many devices never intended to be unprotected and directly reachable on the Internet
- Amazing piece of research: an attacker can obtain the crypto key of another process on the same virtual/multi-core server using side-channel VM attacks
- Every vulnerability these days has to also break out of whatever sandbox it's in to be useful. I keep seeing "and then we bypass protected mode" in vulnerability write-ups, and it leaves me with the impression that protected mode isn't that hard to evade. Apparently protected mode isn't very tight:
Bekrar said his team has found “many vulnerabilities in Protected Mode” that are all unpatched. ”We used a memory corruption vulnerability in the way Protected Mode is implemented but we have found many more vulnerabilities there.”
- Google experimenting with authentication via QR codes — clever two-factor solution
- SSL Renegotiation is becoming a problem — a new tool called THC-SSL-DOS can DoS a server with very minimal resources
- Spammers are hacking the DNS of reputable companies to add subdomains like drugs.goodcompany.com or loans.goodcompany.com that point to their own servers
- BEAST exploit can decrypt TLS 1.0 to steal credentials etc.
- Google gives Georgia Tech $1 million to research transparency tools to detect censorship, throttling, etc.
- Yikes: Slowloris, a recent implementation of an attack method described in 2005 and 2007 — a relatively low-bandwidth way to hamstring an HTTP server using partial HTTP requests — apparently, though, iptables can be used to defend against this by closing connections that are being held open too long
- Evilgrade highlights the vulnerabilities that result when software vendors don't securely sign their software updates — you can trick an app that listens for updates into downloading and installing something malicious
- The Firesheep Firefox extension demonstrates the flaw in a pervasive security model: Even if the initial login+password to a web site is encrypted with SSL, if the rest of the site is not encrypted, sniffers (e.g. on a public WiFi hotspot) can grab your session cookie and then do anything as you. Encryption of the whole site via SSL is the only solution to this problem. Or see Idiocy for another way to highlight the issue. :-)
- How to Hack Millions of Routers: a security consultant has brought together several long-standing vulnerabilities, including DNS rebinding, to produce a technique that gives access to the local networks behind Internet routers (DSL modems, including DD-WRT, etc.)
- best 802.11n router that supports DD-WRT or Tomato
- Another reason why Secret Questions are poor security design
- Dec 2009: Operation "Aurora" (SecureWorks analysis by Joe Stewart) out of China, targeting large companies apparently to steal IP ("espionage-by-malware") — an IE zero-day was one of the vulnerabilities used — McAfee analysis describes "advanced persistent threats" (APTs) (malware designed to hide, conceal, modify data w/o detection) — Wired article
- Nov 2009: Researchers have discovered a TLS renegotiation man-in-the-middle attack — this is a design flaw in the TLS protocol, so many (all) implementations are vulnerable — description of the flaw
- Feb 2009: SSLstrip: A devious little man-in-the-middle tool that changes all https: links to http:, adds a padlock symbol as the favicon, and uses a lookalike character for "/" to make the front part of the URL look like the right server — combined with arpspoof, allows interception of all sensitive traffic on the local network — Forbes article
- Dan Kaminsky talks about browser UI, user expecations, and EV certificates — insightful analysis as always
- Pilosov and Kapela publicize a BGP rerouting method (more) (it isn't really even an "attack" since this is the way BGP is designed to work) which allows someone to intercept (and eavesdrop on) traffic bound for a certain IP range. Mudge from L0pht had already pointed this out a decade ago.
- A nifty hack: If we have to have CAPTCHA, why not put the recognition to use in digitizing books (reCAPTCHA).
- You might be able to use WolframAlpha to crack certain kinds of CAPTCHA
- Great article on current state-of-the-art in CAPTCHA technology — Google's fared best but even theirs has been broken and broken again — Schneier points to a "group [that] is the best out there at defeating CAPTCHAs" (check out their own pretty 3D CAPTCHA)
- Steven J. Vaughan-Nichols says in his article How CAPTCHA Got Trashed that CAPTCHA isn't a viable solution any more. One of his contributors said "harder CAPTCHA solutions mean harder problems for people as well" which I think is the key point — we've reached the "crossover point" where CAPTCHAs that are sufficiently hard to break are harder to use than users will tolerate. (And that doesn't even cover solutions that use humans to break the CAPTCHA for you...)
- Current research on breaking CAPTCHA: Preventing segmentation (breaking the CAPTCHA word up into individual characters) is very important to making it resist attacks (apparently OCR'ing individual letters, however distorted, is not too hard). Microsoft's CAPTCHA algorithm apparently allows segmentation too easily.
- Article on The problem(s) with OpenID
- Insidious automated ARP cache poisoning/HTML injection attack: a machine sits on the network, and poisons the ARP cache for clients on that network to make them think its NIC is the default gateway; acting as a man-in-the-middle, it rewrites HTTP sessions to insert a hostile 0-size <iframe>; client web surfing to any site can now include code for anything the browser is vulnerable to
- Dan Kaminsky continues to astound; his work in 2007 includes circumventing the browser's trust model using a combination of DNS entries, a custom TCP/IP stack written in Flash, etc. — now you have a "beachhead" behind the firewall/within the intranet to send whatever exploits you want
- "Inter-protocol Exploitation" technique: (1) Establish a control channel between a browser's JavaScript engine and an outside controller, so that JS commands can be passed to it, and then (2) have the JavaScript engine assemble protocol frames to attempt exploits from within the network; optionally (3) combine with XSS for an even more dangerous combination
- "Drive-By Pharming" (or Cross-Site Request Forgery, CSRF): JavaScript on a web page that attempts to log into routers and other local network devices using default passwords, and then alters DNS settings to point to a poisoned DNS server
- Applying "fuzzing" techniques to browsers: Michal Zalewsky (2004), HD Moore (Metasploit, 2006) — Month of Browser Bugs — Pwn2Own 2010 Miller against Safari on OS X and Vreugdenhil against IE8 on Win7 and "Nils" against Firefox on Win7 (the latter two defeated ALSR and DEP)
- Why Phishing Works ("To summarize the summary of the summary: people are a problem." — Douglas Adams)
Mac OS X
- Fuzzing is still a useful technique, all these years later — and it's clear vendors aren't doing it themselves. Charlie Miller (past winner of Pwn2Own) has found 20 hackable flaws in Mac OS X Preview.app through a simple fuzzing technique. “"It's shocking that Apple didn't do this first," Miller told us in an interview. [...] "Microsoft, Apple, and Adobe all have huge security teams, and I'm one guy working out of my house," he says. "I shouldn't be able to find bugs like these, ever."”
- Here's an article explaining how MMIO and 32-bit chipsets steal from the 4GB address space, and how the new MacBook Pro with Intel "Santa Rosa" platform (Core 2 Duo) solves this.
- Exploring the Mac OS X Firewall (O'Reilly MacDevCenter.com) — short and sweet info on ipfw
VoIP
It turns out that even though most VoIP streams are encrypted, the ones
that use variable bit-rate (VBR) compression are
vulnerable to analysis.
Mobile
Yikes! An 11-byte code, embedded in a web page or sent by SMS, QR code,
or NFC, can factory-reset your Samsung Galaxy S2 or S3 with no confirmation.
The only significant concern I have, personally, in the Carrier IQ scandal
is the issue of keystroke capturing — because I use KeePass to store
all my passwords on my phone. Carrier IQ vehemently denied that they track
keystrokes, whereas the original and subsequent research says they do.
What's the deal?
This article
sheds some light on the disconnect; Carrier IQ says in "some Carrier
IQ implementations" (remember that each cell provider can customize
their bloatware implementation), "keystroke data is being recorded in
the log file, but that the data isn't sent back to Carrier IQ and the
operators' database". Well, not intentionally transmitted anyway;
but other apps presumably can sneak access to the data, and who knows
whether an oversight might result in that data getting slung upstream
unintentionally?
Android prior to 2.3.4
sends authentication data over unencrypted HTTP
for Google Calendar, Contacts, etc.; beware using open wireless
networks at coffee shops, libraries, etc. (Ars Technica analysis) Sprint is apparently
working on a server-side fix.
Joanna Rutkowska's "Evil Maid Attack" — use a USB boot device to install a rogue boot loader, then capture your passwords etc. the next time you power it up. The moral, as always, is that when they get physical access, all bets are off.
Small is beautiful:
UK mobile application developer Masabi
has launched EncryptME,
a Java ME security component with officially validated implementations
of 4096-bit RSA and 256-bit AES... in only 3K! "Using a single
SMS message, or a few bytes of GPRS data, EncryptME can set up a
secure session and sign up a new user, a new credit card, and make
a transaction." Nicely done.
Hardware
- Malicious people could potentially set your HP printer on fire by feeding it a destructive firmware update — Stuxnet proves that keeping your printer in a secure VLAN isn't sufficient protection against this kind of attack — what other devices will be vulnerable to attacks like this in the future?
- Scary: custom Broadcom firmware with rootkit
- Paper on relay attacks on Passive Keyless Entry and Start (PKES) systems used in modern cars (these are like the Prius, where you don't insert a key or even take it out of your pocket; the proximity of the (wireless) key is sufficient)
- Description of one thief's use of gift card cloning; clever way to get around "must be activated at register", and completely defeats long-random-token — via Schneier: article comments have some effective countermeasures (e.g. verifying the last 4 of the printed (visible) card number matches the magstripe), and a list of insider (staff) vulnerabilities
- You can do a lot of scary stuff via OBD II: disable the brakes, accelerate, lock the ignition so the engine can't be turned off, etc. — also, apparently there is no separation between the car stereo and control networks, so you can use a trojan MP3 file as a beachhead
- Donald Knuth's MMIX 2009 architecture — Knuth is a CS luminary, the author of The Art of Computer Programming (which had MMIX's predecessor, MIX)
- Homebrew CPUs: Ever since my college microcomputer architecture course, I've always wanted to do a project like this; hats off to those that have done it. Here are some cool ones:
- The GPUs in modern graphics cards have their own architecture and APIs, so they can be used for other compute-intensive tasks than just graphics
- Theo DeRaadt (OpenBSD) on serious security vulnerabilities in the Intel Core Duo, some of which can't be worked around by the OS (Intel apparently disputes this)
- References from Dan Kaminsky on the issue that biometric hashes are reversable: researchers have found ways to turn fingerprint or faceprint hashes back into an image that will match the hash
- Device drivers are starting to become a focus — Attackers pass on operating systems: "Now that the OS layer is harder to crack, you are seeing a lot more people going higher up the stack, to applications, or lower, to device drivers" — Hijacking a Macbook in 60 Seconds or Less (was actually an external USB WiFi modem's drivers)
- Interesting interview with the discoverer of a way to obtain "ring 0" access via System Management Mode (SMM) on some x86 hardware
- FreeBSD's Poul-Henning Kamp describes the NTP flood coming from D-Link devices to his NTP server, similar to the earlier NTP DoS from Netgear devices to the U. of Wisconsin.
Social-networking site malware (Jul. 2006)
Windows
- TDL (a.k.a. Alureon) rootkit can now infect Windows 7 64-bit... bypassing kernel driver signatures by altering the MBR to disable signature verification
- Multicore CPUs Move Attack from Theoretical to Practical: using a timing attack (race condition) to trick the Windows kernel into executing an SSDT (kernel) call with malicious parameters — this attack was known way back in 1996 (vs. Unix), but was almost impossible to exploit on single-core systems; modern multi-core systems make it much easier
- Wow; a privilege escalation vulnerability that affects all versions of Windows clear back to Windows NT 3.1 — this leverages a bug in the legacy code that supports 16-bit applications — this is one serious drawback to the "backward compatibility forever" approach, your code base only grows, and you retain vulnerabilities from the dawn of time
Windows: The WMF vulnerability (Dec. 2005)
XSS: The "Samy is my hero" MySpace Ajax worm (Oct. 2005)
Security at Microsoft
- eEye has a list of Upcoming Advisories where it tracks as-of-yet unfixed vulnerabilities in Microsoft products
- Secunia also keeps a log of unpatched IE 6 flaws
- Nice interview with Dan Kaminsky (Doxpara) about Microsoft and security
- Brian Krebs at the Washington Post did an analysis of
how long it takes Microsoft to release patches for "critical" vulnerabilities
and the results are interesting. In cases where there's no full disclosure, despite their "Trustworthy Computing" initiative, their time to release "critical" patches has actually risen to an average of 134.5 days (over 4 months). Microsoft steadfastly maintains that the reason for this long time is testing — quality control of the patch to ensure the public trusts Microsoft patches and is willing to install them (which I think is telling in itself). But when there's full disclosure and publication of a working exploit, he says:
one area where Microsoft appears to be fixing problems more quickly is when the company learns of security holes in its products at the same time as everyone else. Advocates of this controversial "full disclosure" approach believe companies tend to fix security flaws more quickly when their dirty laundry is aired for all the world to see [...] In cases where Microsoft learned of a flaw in its products through full disclosure, the company has indeed gotten speedier. In 2003, it took an average of 71 days to release a fix for one of these flaws. In 2004 that time frame decreased to 55 days, and in 2005 shrank further to 46 days.
- "[Dan] Geer's graph shows that Microsoft increased its time-to-patch gap by a little more than one day per month from the start of 2003 to the end of 2005."
Sanitizing MS Word documents (removing hidden data)
Research reveals that even "sanitized" anonymous data is easy to correlate to real people. "Using public anonymous data from the 1990 census [...] 87 percent of the population in the United States [...] could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth." "It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people."
As copiers and fax machines get "smarter" we have to start treating them like servers that must be secured and like storage units that must be purged.
An insightful SecurityFocus article from Robert Lemos on
the challenge of defending against zero-day attacks
if your organization uses the traditional patch-cycle approach.
Interesting editorial on
embedded device security.
Good description of, and summary of research into,
practical MD5 collisions.
Schneier
writes
about "identity theft" which he points out is a misnomer (identity is not
"stolen"; the issue is fraudulent use of identification info.). There
are two parts to these crimes: obtaining private data that can be used
to impersonate, and using that data to conduct fraudulent transactions.
Solutions that only focus on the first are insufficient.
IBM's
rebuttal (PDF)
to criticisms about TCPA. In short: TCPA might be used with Palladium
and/or DRM, but those are separate elements requiring separate critique.
TCPA is basically a "smart card built into the computer" and with ties
to the BIOS. Cf. also the classic
Ross Anderson FAQ on TCPA.
HD Moore (Metasploit) points out that in the current climate,
"There is no way to report a vulnerability safely"
(Robert Lemos article). This is a bad trend. Security researchers
(including students) who act responsibly in good faith should be
rewarded for reporting vulnerabilities, not prosecuted for it! Pascal
Meunier at Purdue (CERIAS) describes
his recent experience
with this problem.
Pinch My Ride (Wired):
Insurance companies often believe modern auto "passive antitheft
systems" are infalliable, and deny theft claims since the car is
"impossible" to steal. Worse: Some Honda models apparently have a back
door (pulling the emergency brake, of all things) coded to your VIN.
Lockpicking used to be a relatively rare skill, but the Internet has
spread this knowledge out to a lot more people. Not long ago, someone
developed a technique for producing a master key, given a few normal
keys (think college dorm). Now we have
Sneakey:
a new technique that can use a digital picture of a set of keys to
reverse-engineer them.
Spam, Viruses, Malware
If confirmed, badBIOS would be very scary (further explanations), but skepticism is growing as researchers so far haven't been able to replicate it
Aug 2013: As predicted, botnets now starting to use Tor for C&C
Malware has evolved to the point where we can talk about it in terms
of an "industry" that has "products and services" and a "business
model":
Malware as a Service (MaaS)
Interesting point about mobile malware and sandboxing: restricting all applications in sandboxes or in user-only mode, means that security software is also so restricted — and therefore, malware which takes advantage of vulnerabilities to root the mobile device can do more than the security software can
Report showing PDF is becoming the attack vector of choice
The Stuxnet worm, which appears to be written specifically to target SCADA systems, uses multiple Windows vulnerabilities (some 0-day). "These guys are absolutely top of the line in terms of sophistication." NYT article and Fox News article with more specifics; this is an amazingly targeted attack. It has now been revealed that Stuxnet was created by the U.S. and Israel; it wasn't supposed to leave the Iranian facility but it escaped.
Subsequent Stuxnet-class attacks include Duqu and Flame. Turns out the antivirus industry didn't detect these or the exploits they were based on until they were in the wild for years.
Here's an article summarizing most of the worst viruses released when I was a systems administrator; the names bring back lots of memories of late night damage control and subsequent infrastructure hardening.
Here's something new: Some malware in Europe that rewrites your online bank statement on the fly so you can't see the withdrawals they've making. And it resists white-hat research/response by providing fake compromised accounts to keep the real compromised accounts secret.
Botnet worm that targets routers
ARP spoofing + JavaScript insertion — one compromised host on your net can insert itself between all hosts and the router, and then inject JavaScript malware into every web page received by every browser — use arpwatch to detect
Conficker (a.k.a. Downadup) is the most significant malware seen since 2003 Blaster/Sasser.
Oct 2008, a new malware technique "return-oriented programming" which evades defenses like W^X and signed (trusted) code. Very clever stuff.
Oct 2008, a new TCP threat "Sockstress" is starting to be discussed; apparently it's a flaw in the TCP state table implementation of a whole lot of vendors, which can lead to DoS; could be quite a widespread issue.
SRI's new Malware Threat Center has stats.
New virus Kraken which uses dynamic DNS; not only can that redirect to new IPs when the old ones are shut down, but Kraken has an algorithm for switching to a new dynamic DNS hostname when the old one is shut down.
Washington Post article showing how the amount of malware is skyrocketing (look at that graph!) and AV vendors are struggling just to keep up; what a way to run a railroad.
Latest trends: Viruses that creates a free webmail account to send spam through it (apparently circumventing their CAPTCHA?), and conversely, viruses that use CAPTCHA-like distortion in attachments to prevent their email from being detected as spam. (Speaking of CAPTCHA, see elsewhere on this page for a cool article.)
Since new vulnerabilities are always coming along, 0wned computers
may get swiped by a new 0wner at any time. "The bot network industry
has become so profitable, and hijacked computers so valuable, that
rival gangs are now fighting over them."
Some of the worms in the last few years, notably
Witty
(CAIDA analysis)
and
SQL Slammer (Sapphire)
(CAIDA analysis),
have been amazingly elegant: small (fit in one packet) and quick to
saturate their targets
("flash worms").
Scary stuff. See
The 10 Most Destructive PC Viruses Of All Time.
The latest malware is stealthier and more resilient:
- Dec 2007: Article on Storm and Nugache (via the Schneier on Security blog): Storm uses P2P to hide its command-and-control (C&C) server, and fast-flux (DNS) to change the C&C server; Nugache doesn't use DNS at all, and encrypts the C&C channel — the trend is away from IRC and toward custom C&C channels (SecurityFocus article, IronPort "malware trends" article)
- Jul 2007: Honeynet analysis of the fast-flux (DNS) method that recent malware like Storm is using
- Mar 2007: Gozi trojan horse, which went undetected for over a month; harvested user names and passwords, so the authors could put those up for sale
- Feb 2007: The authors of Storm Worm
(actually a trojan horse) chose peer-to-peer protocols to avoid control chokepoints,
and are adapting the "hook" over time: storms in Europe, greeting cards, Microsoft updates, racy pictures and
club memberships and
YouTube videos and
Blogger posts and
Christmas/New Year's/Valentine's Day greetings and ... (stay tuned). Security Fix puts the number of Storm-infected machines in the hundreds of thousands; Microsoft's MSRT scrubbed Storm from 250,000+ machines in Sept 2007 (SRI CSL in-depth paper)
(SecureWorks analysis by Joe Stewart)
(summary of functionality by Bruce Schneier)
- Raising the Bar: Rustock.A and Advances in Rootkits
- Hiding the Unseen (Mailbox.AZ a.k.a. Rustock.A)
Excellent set of articles describing the history of the spam arms race, and
in particular how viruses (beginning with Sobig) have added a new dimension.
Another article with a history of recent worms and viruses (author's
perspective is that legal punishment is too rare and light):
The sender-pays method of preventing UCE, back in 1933:
10 cents to ring my doorbell
(via Bruce Schneier's blog)
[I don't believe sender-pays is a workable solution for spam, by the way]
ID and Privacy
Yet another way to track users with a code that's hard to remove. KISSmetrics beat a hasty retreat when they were outed, but of course the technology stil exists for others to use.
Marketers are using every trick they can to tag your browser with a unique ID that will track you across all their sites. The latest is using HTML5's client-side database storage to add an ID — mysteriously, even if this storage element is removed, it is re-added by the server with the same ID. This is on the heels of some marketers who use Flash cookies, which are separate from regular browser cookies and are not removed by the browser's "clear cookies" function — the Flash cookie is used to re-created the traditional cookie after it's been removed. And now we have an even more advanced form of this: evercookie, a JavaScript API which uses no less than eight forms of cookie storage (HTML cookies, Flash cookies, cached PNGs, web history, and HTML 5 local storage). Here is a summary and ways to kill the evercookie.
GAO investigates flaws in passport issuance: "No credential can be more secure than its breeder documents and issuance procedures" (Schneier): If you can get a passport using forged documents, then all the high-tech anti-passport-forgery technology isn't going to help.
Real ID still lumbers on (including follow-on PASS ID), with 36 states not in compliance by the December 31, 2009 deadline.
My contact information,
brief autobiography (such as it is), and
family tree.
