Research

An article just posted by the New York Times reveals that the latest National Intelligence Estimate on terrorism concludes that our involvement in Iraq has increased the global terror threat. Most of the time I make fun of security pundits that think because they stopped a few hackers they’re qualified to discuss issues of national security, but this time I just can’t help myself. I’ve become what I loathe. Edited- I take that back, and the rest of the post. There are people losing their lives over this; I deleted my initial comments. Just go read the article and make your own decision. Apologies for letting my ego temporarily get the better of me. Share:

There’s a lot going on in the world of Digital Rights Management (DRM) these days and I realized not everyone understands exactly what DRM is, how it works, and what the implications are. This has popped up a few times recently among friends and family as (being the alpha geek) I’ve been asked to explain why certain music or movie files don’t work on various players. Before digging into some of the security issues around DRM I thought it would be good to post a (relatively) brief overview. I’ll be honest – as objective as I try to be, the title of this post alone should indicate that I have some serious concerns with the current direction of consumer DRM. While one of the better parts of having a personal blog is being able to throw objectivity off a very tall bridge to a very messy landing, tossing all objectivity to the wind often seriously undermines core arguments. Thus I’ll try and keep this a relatively (but not perfectly) impartial overview of the technology. In future posts I’ll dig into the security issues of DRM and make specific recommendations on security requirements for any consumer DRM system. If you’ve ever wondered why you can’t just copy a DVD, why a song you downloaded from iTunes only plays on an iPod, why a song downloaded from Napster won’t play on an iPod, or why you can print some .pdf files but not others… keep reading. If you wonder why it’s so hard to get HDTV on a TiVo or computer… keep reading. If you want to know what that new expensive HDMI cable for your XBox 360 or flat panel really is… keep reading. (and if you know all this stuff you might want to skip this post and wait for the big DRM security analysis in the coming weeks) DRM Defined Digital Rights Management (DRM) is a collection of technologies used to control the use of digital media like music, movies, television, and text. DRM decides and controls who is allowed to read or play a file, copy it, print it, email it, download it to a portable player, burn it to CD, and so on. We broadly divide the market into two halves- the consumer world, and the enterprise world (businesses). While some of the technologies overlap, this is pretty much a hard split and the use and implications of enterprise DRM are very different than consumer DRM. I’m going to simplify a bit here, but DRM essentially works by encrypting a file and tagging it with rules on how that file is allowed to be used (the rules are also protected). Whatever reads that file must be able to both decrypt it and understand (and be able to enforce) those rules. A DRM system has two technical goals: Control/protect content by restricting what software and devices can read it. Control/protect content by restricting what that software/device (and thus the user) can do with it. On the user side, this leads to two major implications: Users are restricted in how they can use content (copying, saving, etc.). Content (and thus users) are locked into using specific players/readers. Thus content publishers and technology companies use DRM as a tool to protect their content (mostly from copying, but there are other implications), and to force you to use their devices. There’s also no single standard technology for DRM, creating a bit of confusion among us consumers. Consumer DRM is actually really hard, since we’re talking about an environment where the user can hack away at both the protected content and the players (devices and software) privately, which tends to give them an advantage over time. Rather than boring you with all sorts of technical jargon I’ll explain a little bit of how this works by comparing two kinds of shiny plastic disks- CDs and DVDs. Compact Discs- Living a Life of Freedom CDs were one of the first (maybe the first, we skipped that in my college history classes) formats for digital distribution. Before music CDs all music distributed to consumers was analog, and one of the characteristics of analog is it tends to degrade over time, and as we make copies, noise sneaks into the signal. CDs changed all that by distributing music in digital form. Not that anyone was playing these things on computers in the 80s, but CDs barged into our lives with the promise of crystal-pure digital music- no scratchy records or stretchy tape. Back then all most of us knew was “it’s digital”, and beyond that we really didn’t think about it. Until CD drives started turning up in computers, that is. Most anyone who has ripped a CD into iTunes now knows that a CD is really just a collection of bits. CDs are totally unprotected unless the music label adds some sort of DRM (which rarely works, since it’s not part of the Compact Disk Digital Audio standard, and our players don’t understand it). As soon as we started putting CD drives in computers we were able to pull perfect copies off CDs onto our computers. Once CD writers and discs became cheap enough we could make perfect copies of these commercial CDs. Then we learned about file compression (to squeeze those big music files into something easier to store and trade) and combined that with the Internet and broadband and all of a sudden anyone, anywhere, could trade nearly-perfect digital music with anyone else in the world without a cent going to the music labels (or artists). They really didn’t like this. It really pissed them off. Their response? Sue the hell out of everyone and write some laws. You see, there’s a huge disparity in perception between content companies and consumers when we buy those CDs. Historically we think of it as “buying music”. We paid money, we own the CD, thus don’t we own the music? Not really- the copyright holder always owns the music, we’re just allowed to use it.

So Apple issued an update for the Mac wireless drivers to prevent a buffer overflow, but denies SecureWorks provided them anything useful. Right. We believe you. Got it. You “just happened” to discover exactly the kind of vulnerability that Maynor and Ellch demoed, but they were evil, uncooperative bad guys for hinting they might be there. Considering SecureWorks works responsibly with all sorts of other vendors in the market I suspect the anger may be a tad misplaced. Come on Apple; all software has vulnerabilities. It’s time to stop putting PR in charge of vulnerability management. To quote the Macworld article linked above: The internal audit came as a result of claims by a senior researcher at SecureWorks that said he had revealed a vulnerability in Apple”s MacBook wireless software driver that would allow him to take control of the machine. SecureWorks later clarified its position and said it had used a third-party driver and not Apple”s driver. Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way. “They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit,” Apple spokesman, Anuj Nayar, told Macworld. “Today”s update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.” According to the update issued by Apple, two separate stack buffer overflows exist in the AirPort wireless driver”s handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges. It seems Apple also found some flaws in PowerPC systems, not just Intel Macs. At least the research spurred by Maynor and Ellch’s Black Hat/Defcon disclosures is improving security across the entire Mac product line. But seriously- stop the security PR game or you’ll end up like Microsoft a few years ago… edited 11pm : just want to state that based on additional information I believe it’s quite probable specific vulnerability details, especially on PPC, were discovered independently via Apple’s internal audit. My criticism is of the vitriolic handling of the situation when I believe this could have been resolved more quickly and responsibly had Apple played less with PR, and more with the researchers who obviously found something. Share:

New IE Flaw Exploited on Porn Sites Now we did warn you, and I quote: Especially if you go to “those” sites. Yes, you. Stop pretending you don’t know what I’m talking about. For the record “those sites” are porn and gambling. So you poker addicts are next. And you file sharers- don’t start thinking you’re all safe or something. Those torrent trackers are web pages you know. Of course Disney World fingerprints everyone these days, so maybe they’ll pick this up. Share:

To whom it may concern, While, as a security professional, I take great care to protect all of my systems and data, I cannot guarantee that I am fully compliant with both the HIPAA security and privacy requirements. I have never undergone a HIPAA audit, nor any official HIPAA training or evaluations of any kind beyond those provided to first responders. For your information I do take extensive security precautions including: Hardware and software firewalls on all systems and networks Home directory encryption on my primary Mac Antivirus/antispyware on all Windows systems OS hardening and service minimization Rapid deployment of all security updates Despite these precautions I believe you should discontinue faxing medical records to my online fax system as I cannot guarantee I am handling said records within HIPAA guidelines. While I appreciate the amnio results and insurance records disputes (for multiple patients) they do not directly affect the patient care I administer as a former ski patroller and disaster medic. It is, however, good to know that should I manage to perform an amniocentesis on my pregnant patients in the middle of a ski slope you will be able to provide me with accurate and timely results. By faxing my online system (which forwards to my work email) your medical records are subject to a number of possible security risks, including, but not limited to: Interception on my corporate email server Review by unauthorized persons Loss due to lost backup tapes of said email system Other standard security vulnerabilities I do appreciate you value my medical opinion (since I’m only an EMT/washed-up paramedic) and my input on billing issues (for which I have no training). That said, you should probably remove me from your consultation list. Sincerely, Rich ((Doesn’t it make you feel just peachy that the entire healthcare industry still runs on fax for medical orders, results, and billing? And may have sent me your colonoscopy results?)) Share:

Symantec has just reported a new 0day security vulnerability in Internet Explorer that could allow someone to take over your computer. For you non-geeks a 0day (or zero-day, or 0-day) is a vulnerability without a patch. In other words, you can’t fix the flaw on your computer so you either have to block the attacks before they hit you or disable the vulnerable software. While details are sketchy it looks like this particular vulnerability could allow an attacker to take over your computer when you visit a website with the attack code on it. This isn’t the first time we’ve seen this in Internet Explorer (and a few other browsers) but if you’ve ever found some nasty spyware or a bot on your computer it’s quite possible this is how you got it. Especially if you go to “those” sites. Yes, you. Stop pretending you don’t know what I’m talking about. While you can turn off ActiveX in your browser at this point I recommend using an alternate browser until this flaw is patched. If you’re reading this site odds are you already use Firefox, but if not go and install it right now by clicking here. You can also download the beta of Internet Explorer 7, which seems to be safe. You Mac users are safe. Personally I use Safari and Firefox on my Mac, but I still use Internet Explorer for some sites on my PCs. Rumor is IE7 is pretty good, and much more secure than current versions, for those of you that want to keep using IE. Don’t forget to tell grandma… Share:

I travel a lot, and on occasion I’ll run Nmap or some other scanner from my hotel room to get an idea of what’s out there, and how dangerous these hotel networks really are. To be honest it’s not something I do all that much anymore since even scanning an open network is running the risk of being considered over the line. But I just discovered a new security tool. It’s free. And it even plays music! Yes, the ever venerable and recently updated iTunes turns out to be an honest to goodness, if limited, security scanner. How? Well, I arrived in my hotel room last night, connected to the network, and launched iTunes for some background working music. Very quickly I saw four shared iTunes libraries on the network (without even looking actively, if you have iTunes set to find shared libraries they pop up all on their own after that). Some of my fellow traveler’s musical tastes are fairly interesting. In three of the four libraries the users conveniently included their personal name in their shared library name. One user even had the word “Limewire” in his (judging by his real name) library name. Huh. I wonder if he acquired all the music legally? Thus iTunes is now my new network security tool- I can instantly tell if I’m connected to a switched or segregated network, and even pick up the names and listening habits of other hotel guests. Anyone know if the RIAA offers a bounty? I mean they sue grandmothers and children, I don’t see why they wouldn’t start a confidential informant project. (Update 9/16 : DM and Chris Pepper remind me this feature isn’t anything new. Actually, I’ve used it for years on my home network, but this is the first time I’ve noticed random users on a hotel network and I found it amusing.) Share:

Electronic voting seems to be popping up again thanks to our favorite digital ostrich, Diebold. Martin Mckeay’s also writing on this a bit, and it’s well worth reading. This isn’t the first time I’ve mentioned this, and I didn’t come up with the idea, but with the most recent Diebold gossip I think it bears repeating. Gambling systems, electronic or physical, undergo extensive testing, validation, and auditing. We’re not just talking hacking, they shock the darn things with cattle prods and attack them using such phenomenally creative techniques that I’m awestruck the few times they show it on Discovery channel specials. And it’s the complete system that’s tested and audited constantly- even the odds distributions among video poker clusters in casinos (which are audited externally by various gambling commissions in the sin city of your choice). What does this have to do with voting? Gambling systems are somewhat unique in that pretty much everyone involved has an incentive to cheat everyone else. Were talking about a system where no one can really trust anyone. Sure, casinos (at least in Vegas) are on the up and up, but do any of you really trust them? They sure can’t afford to trust us, and pretty much no one trusts the government. The result? Some fracking good security. So here we have a highly secure system of numerous specialized electronic devices operating in a networked (or non-networked) environment with near-perfect auditability. Hmm, where else might we want a similar system? Heck- they even already have testing labs and audit standards. Funny how closely related gambling and politics are. I wonder if cattle prods are illegal in voting booths? I wonder how long Diebold would survive in Vegas? (I’ll be the first to admit us security types have a habit of blabbing on any topic we can possibly stuff into the security bucket, but electronic voting happens to be one of the areas where our experience is directly applicable. I don’t know too many (any) security types that try to justify Diebold’s positions. They’re either criminal or mentally incompetent.) ((And speaking of casinos- one of my favorite memories of Defcon was how none of the stores in the casino would take credit cards during the event.)) Share:

I’m out on the road this week, right now spending two days at a strategic planning session with a large energy company. This is the kind of trip I actually enjoy- working with an end-user on strategic issues at the executive level where they really want to solve the problem. The theme of the day is major disruptions- how to stay in business in the face of massive disasters that go well beyond disaster recovery. I’m just one of about a dozen outsiders brought in to try and get people thinking in new directions. Someone saw one of my presentations on responding to Katrina (I’m a reservist on a federal team) and thought a little on the ground experience might liven the discussions. I’m more than happy to stay at a nice hotel and tell rescue war stories while drinking fine wine (as opposed to pissing off my friends telling the same damn story for the 50th time after too many drinks). One of the presentations on crisis communications was particularly interesting. No, not ham radios, but how do governments and organizations communicate with the public during a disaster? The academic they brought in had some very compelling examples ranging from nuclear power accidents, to the air quality in lower Manhattan after 9/11, to chemical spills, to product recalls. One message emerged load and clear- liars always get caught… eventually. But they’ll probably get away with it in the short term. I asked him directly if he knows of any successful cases where a corporation or government attempted to spin a situation through obfuscation or outright deception and actually got away with it. His answer? In the long term- no. In the short term- yes, but the long term impact is usually magnified when the truth emerges. The most successful crisis communications? Honesty, transparency, and openness (even if spun a little). Seems like a pretty valuable lesson to us in security. Any security professional will eventually deal with a breach, or on the vendor side with a bad vulnerability. The more we try and cover something up the worse it is for us in the long run. A few quick examples? Look at Cisco and the Mike Lynn situation. I hear there are some job openings at Ohio State. Choicepoint swapped CISOs after their breach, even though it wasn’t an IT security failure. We can go on and on- can anyone think of a single security breach or vulnerability disclosure where the organization involved didn’t get caught in a lie or cover up? Same goes for vendors exaggerating product capabilities. I know one that recently changed their entire management team because the old CEO thought he could fool the market just long enough to get bought. Too bad the board didn’t buy it. He’s out of a job (but I’m sure he got a nice package). The bad news is you can get away with it in the short term, but I’m not sure how that really helps you as an individual, or your company, if eventually you’ll get fired. You see lying is like crack- a short term high, but in the end you’ll end up naked in front of a dumpster with a crack pipe in an uncomfortable orifice. I suppose that’s okay if it’s what you’re into. Personally, I’ll stick to the truth and head downstairs for some free wine. (P.S.- the exception to all of this, of course, is politicians. I think it’s either because we’re lazy as voters, or because they all eventually smell the same. Probably a little of both) Share:

From http://www.september11victims.com/september11victims/victims_list.htm WORLD TRADE CENTER Gordon McCannel Aamoth, 32, New York, N.Y. Maria Rose Abad, 49, Syosset, N.Y. Edelmiro (Ed) Abad, 54, New York, N.Y. Andrew Anthony Abate, 37, Melville, N.Y. Vincent Abate, 40, New York, N.Y. Laurence Christopher Abel, 37 William F. Abrahamson, 58, Cortland Manor, N.Y. Richard Anthony Aceto, 42, Wantagh, N.Y. Erica Van Acker, 62, New York, N.Y. Heinrich B. Ackermann, 38, New York, N.Y. Paul Andrew Acquaviva, 29, Glen Rock, N.J. Donald L. Adams, 28, Chatham, N.J. Shannon Lewis Adams, 25, New York, N.Y. Stephen Adams, 51, New York, N.Y. Patrick Adams, 60, New York, N.Y. Ignatius Adanga, 62, New York, N.Y. Christy A. Addamo, 28, New Hyde Park, N.Y. Terence E. Adderley, 22, Bloomfield Hills, Mich. Sophia B. Addo, 36, New York, N.Y. Lee Adler, 48, Springfield, N.J. Daniel Thomas Afflitto, 32, Manalapan, N.J. Emmanuel Afuakwah, 37, New York, N.Y. Alok Agarwal, 36, Jersey City, N.J. Mukul Agarwala, 37, New York, N.Y. Joseph Agnello, 35, New York, N.Y. David Scott Agnes, 46, New York, N.Y. Joao A. Aguiar Jr., 30, Red Bank, N.J. Lt. Brian G. Ahean, 43, Huntington, N.Y. Jeremiah J. Ahen, 74, Cliffside Park, N.J. Joanne Ahladiotis, 27, New York, N.Y. Shabbir Ahmed, 47, New York, N.Y. Terrance Andre Aiken, 30, New York, N.Y. Godwin Ajala, 33, New York, N.Y. Gertrude M. Alagero, 37, New York, N.Y. Andrew Alameno, 37, Westfield, N.J. Margaret Ann (Peggy) Jezycki Alario, 41, New York, N.Y. Gary Albero, 39, Emerson, N.J. Jon L. Albert, 46, Upper Nyack, N.Y. Peter Craig Alderman, 25, New York, N.Y. Jacquelyn Delaine Aldridge, 46, New York, N.Y. Grace Alegre-Cua, 40, Glen Rock, N.J. David D. Alger, 57, New York, N.Y. Ernest Alikakos, 43, New York, N.Y. Edward L. Allegretto, 51, Colonia, N.J. Eric Allen, 44, New York, N.Y. Joseph Ryan Allen, 39, New York, N.Y. Richard Lanard Allen, 30, New York, N.Y. Richard Dennis Allen, 31, New York, N.Y. Christopher Edward Allingham, 36, River Edge, N.J. Janet M. Alonso, 41, Stony Point, N.Y. Anthony Alvarado, 31, New York, N.Y. Antonio Javier Alvarez, 23, New York, N.Y. Telmo Alvear, 25, New York, N.Y. Cesar A. Alviar, 60, Bloomfield, N.J. Tariq Amanullah, 40, Metuchen, N.J. Angelo Amaranto, 60, New York, N.Y. James Amato, 43, Ronkonkoma, N.Y. Joseph Amatuccio, 41, New York, N.Y. Christopher Charles Amoroso, 29, New York, N.Y. Kazuhiro Anai, 42, Scarsdale, N.Y. Calixto Anaya, 35, Suffern, N.Y. Jorge Octavio Santos Anaya, 25, Aguascalientes, Aguascalientes, Mexico Joseph Peter Anchundia, 26, New York, N.Y. Kermit Charles Anderson, 57, Green Brook, N.J. Yvette Anderson, 53, New York, N.Y. John Andreacchio, 52, New York, N.Y. Michael Rourke Andrews, 34, Belle Harbor, N.Y. Jean A. Andrucki, 42, Hoboken, N.J. Siew-Nya Ang, 37, East Brunswick, N.J. Joseph Angelini, 38, Lindenhurst, N.Y. Joseph Angelini, 63, Lindenhurst, N.Y. Laura Angilletta, 23, New York, N.Y. Doreen J. Angrisani, 44, New York, N.Y. Lorraine D. Antigua, 32, Middletown, N.J. Peter Paul Apollo, 26, Hoboken, N.J. Faustino Apostol, 55, New York, N.Y. Frank Thomas Aquilino, 26, New York, N.Y. Patrick Michael Aranyos, 26, New York, N.Y. David Gregory Arce, 36, New York, N.Y. Michael G. Arczynski, 45, Little Silver, N.J. Louis Arena, 32, New York, N.Y. Adam Arias, 37, Staten Island, N.Y. Michael J. Armstrong, 34, New York, N.Y. Jack Charles Aron, 52, Bergenfield, N.J. Joshua Aron, 29, New York, N.Y. Richard Avery Aronow, 48, Mahwah, N.J. Japhet J. Aryee, 49, Spring Valley, N.Y. Carl Asaro, 39, Middletown, N.Y. Michael A. Asciak, 47, Ridgefield, N.J. Michael Edward Asher, 53, Monroe, N.Y. Janice Ashley, 25, Rockville Centre, N.Y. Thomas J. Ashton, 21, New York, N.Y. Manuel O. Asitimbay, 36, New York, N.Y. Lt. Gregg Arthur Atlas, 45, Howells, N.Y. Gerald Atwood, 38, New York, N.Y. James Audiffred, 38, New York, N.Y. Kenneth W. Van Auken, 47, East Brunswick, N.J. Louis F. Aversano, Jr, 58, Manalapan, N.J. Ezra Aviles, 41, Commack, N.Y. Ayodeji Awe, 42, New York, N.Y Samuel (Sandy) Ayala, 36, New York, N.Y. Arlene T. Babakitis, 47, Secaucus, N.J. Eustace (Rudy) Bacchus, 48, Metuchen, N.J. John James Badagliacca, 35, New York, N.Y. Jane Ellen Baeszler, 43, New York, N.Y. Robert J. Baierwalter, 44, Albertson, N.Y. Andrew J. Bailey, 29, New York, N.Y. Brett T. Bailey, 28, Bricktown, N.J. Tatyana Bakalinskaya, 43, New York, N.Y. Michael S. Baksh, 36, Englewood, N.J. Sharon Balkcom, 43, White Plains, N.Y. Michael Andrew Bane, 33, Yardley, Pa. Kathy Bantis, 44, Chicago, Ill. Gerard Jean Baptiste, 35, New York, N.Y. Walter Baran, 42, New York, N.Y. Gerard A. Barbara, 53, New York, N.Y. Paul V. Barbaro, 35, Holmdel, N.J. James W. Barbella, 53, Oceanside, N.Y. Ivan Kyrillos Fairbanks Barbosa, 30, Jersey City, N.J. Victor Daniel Barbosa, 23, New York, N.Y. Colleen Ann Barkow, 26, East Windsor, N.J. David Michael Barkway, 34, Toronto, Ontario, Canada Matthew Barnes, 37, Monroe, N.Y. Sheila Patricia Barnes, 55, Bay Shore, N.Y. Evan J. Baron, 38, Bridgewater, N.J. Renee Barrett-Arjune, 41, Irvington, N.J. Arthur T. Barry, 35, New York, N.Y. Diane G. Barry, 60, New York, N.Y. Maurice Vincent Barry, 49, Rutherford, N.J. Scott D. Bart, 28, Malverne, N.Y. Carlton W. Bartels, 44, New York, N.Y. Guy Barzvi, 29, New York, N.Y. Irna Basina, 43, New York, N.Y. Alysia Basmajian, 23, Bayonne, N.J. Kenneth William Basnicki, 48, Etobicoke, Ontario, Canada Lt. Steven J. Bates, 42, New York, N.Y. Paul James Battaglia, 22, New York, N.Y. W. David Bauer, 45, Rumson, N.J. Ivhan Luis Carpio Bautista, 24, New York, N.Y. Marlyn C. Bautista, 46, Iselin, N.J. Jasper Baxter, 45, Philadelphia, Pa. Michele (Du Berry) Beale, 37, Essex, Britain Paul F. Beatini, 40, Park Ridge, N.J. Jane S. Beatty, 53, Belford, N.J. Larry I. Beck, 38, Baldwin, N.Y. Manette Marie Beckles, 43, Rahway, N.J. Carl John Bedigian, 35, New York, N.Y. Michael Beekman, 39, New York, N.Y. Maria Behr, 41, Milford, N.J. Yelena Belilovsky, 38, Mamaroneck, N.Y. Nina Patrice Bell, 39, New York, N.Y. Andrea Della Bella, 59, Jersey City, N.J. Debbie S. Bellows, 30, East Windsor, N.J. Stephen Elliot Belson, 51, New York, N.Y. Paul Michael Benedetti, 32, New York, N.Y. Denise Lenore Benedetto, 40, New York,