Research

As a security professional I admit that I normally assume someone I’m dealing with isn’t necessarily honest; especially if they’ve done something to draw my attention. I learned early on that most humans have an unbelievable capacity for deceit, and they use it on a daily basis. In many cases the individual is so believable because they’ve convinced themselves that what they’re doing/saying is either the truth (when it’s clearly not), or they’re justified for some bullshit reason (like “the man” has been keeping them down). No- you really don’t deserve to steal my bike out of the garage because I make more money than you (despite coming from a bankrupt family as a kid) or because I was dumb enough to leave the door open. (Yep, even us pros screw up sometimes and pay the price). I’ve also discussed, usually in the context of security screening, how, in certain cases, it’s better to assume everyone is a threat and apply strict controls across the board. It’s not the right approach in every case, but there are times when it’s definitely appropriate. Now Microsoft and Universal are taking the same approach and assuming we’re all a bunch of pirating criminals. In a simply astounding move, MS will pay Universal for every Zune sold. Anyone stupid enough to buy a Zune will pay a $1 tax because, and I quote: Universal said it was only fair to receive payment on devices that may be repositories for stolen music. … “It’s a major change for the industry,” said David Geffen, the entertainment mogul who more than a decade ago sold the record label that bears his name to Universal. “Each of these devices is used to store unpaid-for material. This way, on top of the material people do pay for, the record companies are getting paid on the devices storing the copied music.” But wait, are we, the lowly consumers, the real criminals? This next statement sounds like the old Mafia bosses roaming the streets of Jersey City where I was a medic: When the companies initially licensed Apple”s fledgling iTunes service, “they didn”t figure he”d make tens of billions of dollars from the iPod,” said Mr. Gordon, author of the book “The Future of the Music Business.” “This time they”re saying, “Well, we want a piece.” “ Ah. Now I understand. It’s a protection racket. That’s like the auto manufacturers paying the gas companies a few extra bucks for every car sold on the off chance you’ll steal some gas from the pump someday. Or computer manufacturers paying every single software company in the world a tax on the off chance we’ll copy their software. How does it feel to be a criminal? Never mind- we all know who the real crooks are. (Truth is this might just be MS screwing with Apple since the music companies now want a piece of the iPod- which hurts Apple a lot more than a $1 on something no one will buy anyway). Share:

From BoingBoing: If you experience any irregularities in voting today, call 1-866-OUR-VOTE, the hotline for the National Campaign for Fair Elections. EFF lawyers and many others are standing by across the country to take legal action to remove malfunctioning voting machines, keep polls open, etc. I voted this morning using an optical reader and didn’t experience any problems, but did notice a few. A couple people were turned away due to Arizona’s ridiculous photo ID law and precinct changes. Some voters had problems reading the tight print on the optical ballot, but I won’t really blame the machine for that. There was a single DRE at the polling station that seemed unused- I think it was for specific disabilities. Share:

As the silly season comes to a close with today’s election (at least for, like, a week or so) there’s a change to the political process I’ve been thinking about a lot. And it’s not e-voting, election fraud, or other issues we’ve occasionally discussed. On this site (and others) we’ve discussed the ongoing erosion of personal privacy. More of our personal information is publicly available, or stored in private databases unlocked with a $ shaped key, than society has ever experienced before. This combines with a phenomena I call “The Long Archive”- where every piece of data, of value or not, is essentially stored for eternity (unless, of course, you’re in a disaster recovery situation). Archived web pages, blog posts, emails, newsgroup posts, MySpace profiles, FaceBook pages, school papers, phone calls, calendar entries, credit card purchases, Amazon orders, Google searches, and … Think about it. If only 2% of our online lives actually survives indefinitely, the mass of data is astounding. What does this have to do with politics? The current election climate could be described as mass media shit-slinging. Our current crop of elected officials, of either party, survives mostly on their ability to find crap on their opponent while hiding their own stinkers. Historically, positive electioneering is a relative rarity in the American political system. We, as a voting public, seem to desire pristine Ken dolls we can relate to over issues-focused candidates. No, not all the time, but often enough that negative campaigning shows real returns. But the next generation of politicians are growing up online, with their entire lives stored on hard drives. From school papers, to medical records, to personal communications, to web activity, chat logs (kept by a “trusted” friend) and personal blogs filled with previously private musings. It’s all there. And no one knows for how long; not really. No one knows what will survive, what will fade, but all of it has the potential to be available for future opponent research. I’m a bit older, but there’s still an incredible archive of information out there on me, including some old newsgroup posts I’m not all that proud of (nothing crazy, but I am a bit of a geek). Maybe even remnants of ugly breakups with ex-girlfriends or rants never meant for public daylight. Never mind my financial records (missed taxes one year, but did make up for it) and such. In short, there’s no way I could run for any significant office without an incredibly thick skin. Anyone who started high school after, say, 1997 is probably in an even more compromising position. Anyone in the MySpace/FaceBook groups are even worse off. With so much information, on so many people, there’s no way it won’t change politics. I see three main options: We continue to look for “clean” candidates- thus those with limited to no online records. Only those who have disengaged from modern society, and are thus probably not fit for public leadership, will run for public office. The “Barbie and Ken” option. We, as society, accept that everyone has skeletons, everyone makes mistakes, and begin to judge candidates on their progression through those mistakes or ability to spin them in the media of the day. We still judge on personality over issues. The “Oprah/Dr. Phil” option. We focus on candidate’s articulations of the issues, and place less of an emphasis on a perfect past or personality. The “Issues-oriented” option. We weigh all the crap on two big scales. Whoever comes out slightly lighter, perhaps with a sprinkling of issues, wins. The “Scales of Shit” option. Realistically we’ll see a combination of all the above, but my biggest concern is how will this affect the quality of candidates? We, as a society, already complain over a lack of good options. We’re limited to those with either a drive for power, or a desire for public good, so strong that they’re willing to peel open their lives in a public vivisection every election cycle. When every purchase you’re ever made, email, IM or SMS, blog post, blog comment, social bookmark, WhateverSpace page, public record, and medical record becomes open season, who will be willing to undergo such embarrassing scrutiny? Will anyone run for office for anything other than raw greed? Or will we, as a society, change the standards by which we judge our elected officials. I don’t know. But I do know society, and politics, will experience a painful transition as we truly enter the information society. Share:

An unpatched vulnerability being exploited in the wild. When I’m on a Windows system (I run it virtualized on my Mac for work) I tend to use multiple browsers since even Firefox has issues at times. I even do this on my Mac- running Firefox and Safari, switching between the two depending on where I’m going. But at this rate I’m going back to Lynx. (And if you go to “those” sites do yourself a favor and only browse from a virtual machine you reset after every use). Share:

After reviewing the materials I could find online I directly contacted Thierry Zoller and he was kind enough to respond with more details. In his words (with permission). Short version is the flaw is well patched, but the exploit is a new technique of getting a remote shell. No kernel bugs this time: Dear Rich Mogull, RM> Saw the ISC entry on your BT attacks. I’ve been writing a bit on this RM> issue and am wondering if you have any time for a couple quick RM> questions? RM> 1. Are currently patched Macs safe (OS X 10.4.8, 10.3.9)? Yes! The underflying flaw is patched since more than 1 year! I also mentioned and stressed this during my talk, that was the reason to to release the source code. HOWEVER and I also stressed this is the reason WHY this is marked as 0-day is that having a REMOTE SHELL over Bluetooth is something nobody knew and noticed, and yet it was feasable for over a year. RM> 2. Where’s the flaw- is this a device driver exploit that drops you RM> into kernel space? No, it’s a plain dumb directory traversal bug in the OBEX FTP server, Kevin used it to upload binaries/local root exploit to special directories. He then planted an Autostart using the INPUTMANAGER (a feature of MACos). Then after getting root through the local exploit (automated) he bound a RFCOMM shell to /etc/tty replacing the existing RFCOMM port 3 with an shell. And that’s it. No Kernel Space bugs demonstrated. – http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 Share:

In the comments of my last post, bkwatch reminds me that paper ballots are from from perfect. I totally agree. I’m also not against e-voting just on principle. Or against all e-voting. I’m just against insecure electronic voting. Which, based on what I’ve seen, is true of many, if not most, current implementations. Here’s what I said: Here”s why I don’t think the risk is overblown. First of all there are only a few manufacturers of voting machines. The problems we see are systemic to those manufacturers and systems. Thus the potential exits for a single attack to potentially work on a massive scale- maybe a number of states. Second, the attacks can be much harder to detect and not require as much collusion as attacks on paper systems. A single technician, programmer, or hacker (for networked systems) can succeed. The normal physical controls we have to reduce election fraud are less effective, or even worthless. There are also availability issues- paper is much more resilient to power outages and system crashes. It’s a lot easier to lose a single memore chip with thousands (or more) votes than a big ballot box with equivalent numbers (which, on occasion, also happens). Thus the scope and scale of the problems is dramatically different. I actually think smart e-voting can improve the electoral process and reduce voter fraud. I”m not against e-voting itself, just many of the current implementations. Electronic voting can be improved by: Requiring independent security lab certification. Not a weak certification like Common Criteria, but something more akin to the testing done on gambling machines. A voter verified paper trail- not something a voter takes home, but something they can visually certify and drop in a ballot box before walking out the door. Eliminating network connectivity. Except for maybe local networking over physical cabling, but even that might be too risky. These won’t eliminate fraud, but they’ll reduce it. The potential is even there to build a system more secure than paper. Share:

I’ll be updating the look and feel of the site slightly, and performing some other system updates. There shouldn’t be any outages, but if you do notice anything strange or some HTML/CSS issues please let me know Share:

I have no details, but am investigating. http://isc.sans.org/diary.php?storyid=1817 I know there are some Bluetooth 0days floating around for various platforms, but this one wasn’t on my list. This was presented at a conference in Europe. A copy of the presentation is here. In the presentation it looks like the flaw is patched, but I’m checking with the author to find out for sure. Right now nothing to panic about, but I do stand by my advice to start limiting wireless use in public areas. I still use my wireless, but I leave it off when I don’t need an active connection. Which you probably already do for battery life, right? Share:

I’m linking to Jim at DCS Security- he has the best SCADA background in the blog community and hopefully he’ll dig into this particular hack a little more: http://dcssec.blogspot.com/2006/11/more-on-water-system-hack.html The more we transition process control networks to the same tech we run the Internet on, and the same Windows and *nix systems we run our homes and businesses on, the more incidents like this we’ll see… (my original post on SCADA) Share:

I don’t know a single security expert that supports any current implementation of electronic voting. It’s too late for this election, but if we don’t take action before 2008, we might as well kiss what’s left of democracy in the United States goodbye. http://feeds.feedburner.com/~r/boingboing/iBag/~3/44064916/fl_evoting_machines_.html We’re not just disenfranchising a small segment of the population; we’re disenfranchising our entire society. Yes, I really think it’s that bad. At least it will be, if we don’t do something… …and yes- I plan on doing something, but after this election cycle when we can leverage a new Congress, not lame ducks. Share: