Research

An unpatched vulnerability being exploited in the wild. When I’m on a Windows system (I run it virtualized on my Mac for work) I tend to use multiple browsers since even Firefox has issues at times. I even do this on my Mac- running Firefox and Safari, switching between the two depending on where I’m going. But at this rate I’m going back to Lynx. (And if you go to “those” sites do yourself a favor and only browse from a virtual machine you reset after every use). Share:

After reviewing the materials I could find online I directly contacted Thierry Zoller and he was kind enough to respond with more details. In his words (with permission). Short version is the flaw is well patched, but the exploit is a new technique of getting a remote shell. No kernel bugs this time: Dear Rich Mogull, RM> Saw the ISC entry on your BT attacks. I’ve been writing a bit on this RM> issue and am wondering if you have any time for a couple quick RM> questions? RM> 1. Are currently patched Macs safe (OS X 10.4.8, 10.3.9)? Yes! The underflying flaw is patched since more than 1 year! I also mentioned and stressed this during my talk, that was the reason to to release the source code. HOWEVER and I also stressed this is the reason WHY this is marked as 0-day is that having a REMOTE SHELL over Bluetooth is something nobody knew and noticed, and yet it was feasable for over a year. RM> 2. Where’s the flaw- is this a device driver exploit that drops you RM> into kernel space? No, it’s a plain dumb directory traversal bug in the OBEX FTP server, Kevin used it to upload binaries/local root exploit to special directories. He then planted an Autostart using the INPUTMANAGER (a feature of MACos). Then after getting root through the local exploit (automated) he bound a RFCOMM shell to /etc/tty replacing the existing RFCOMM port 3 with an shell. And that’s it. No Kernel Space bugs demonstrated. – http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 Share:

In the comments of my last post, bkwatch reminds me that paper ballots are from from perfect. I totally agree. I’m also not against e-voting just on principle. Or against all e-voting. I’m just against insecure electronic voting. Which, based on what I’ve seen, is true of many, if not most, current implementations. Here’s what I said: Here”s why I don’t think the risk is overblown. First of all there are only a few manufacturers of voting machines. The problems we see are systemic to those manufacturers and systems. Thus the potential exits for a single attack to potentially work on a massive scale- maybe a number of states. Second, the attacks can be much harder to detect and not require as much collusion as attacks on paper systems. A single technician, programmer, or hacker (for networked systems) can succeed. The normal physical controls we have to reduce election fraud are less effective, or even worthless. There are also availability issues- paper is much more resilient to power outages and system crashes. It’s a lot easier to lose a single memore chip with thousands (or more) votes than a big ballot box with equivalent numbers (which, on occasion, also happens). Thus the scope and scale of the problems is dramatically different. I actually think smart e-voting can improve the electoral process and reduce voter fraud. I”m not against e-voting itself, just many of the current implementations. Electronic voting can be improved by: Requiring independent security lab certification. Not a weak certification like Common Criteria, but something more akin to the testing done on gambling machines. A voter verified paper trail- not something a voter takes home, but something they can visually certify and drop in a ballot box before walking out the door. Eliminating network connectivity. Except for maybe local networking over physical cabling, but even that might be too risky. These won’t eliminate fraud, but they’ll reduce it. The potential is even there to build a system more secure than paper. Share:

I’ll be updating the look and feel of the site slightly, and performing some other system updates. There shouldn’t be any outages, but if you do notice anything strange or some HTML/CSS issues please let me know Share:

I have no details, but am investigating. http://isc.sans.org/diary.php?storyid=1817 I know there are some Bluetooth 0days floating around for various platforms, but this one wasn’t on my list. This was presented at a conference in Europe. A copy of the presentation is here. In the presentation it looks like the flaw is patched, but I’m checking with the author to find out for sure. Right now nothing to panic about, but I do stand by my advice to start limiting wireless use in public areas. I still use my wireless, but I leave it off when I don’t need an active connection. Which you probably already do for battery life, right? Share:

I’m linking to Jim at DCS Security- he has the best SCADA background in the blog community and hopefully he’ll dig into this particular hack a little more: http://dcssec.blogspot.com/2006/11/more-on-water-system-hack.html The more we transition process control networks to the same tech we run the Internet on, and the same Windows and *nix systems we run our homes and businesses on, the more incidents like this we’ll see… (my original post on SCADA) Share:

I don’t know a single security expert that supports any current implementation of electronic voting. It’s too late for this election, but if we don’t take action before 2008, we might as well kiss what’s left of democracy in the United States goodbye. http://feeds.feedburner.com/~r/boingboing/iBag/~3/44064916/fl_evoting_machines_.html We’re not just disenfranchising a small segment of the population; we’re disenfranchising our entire society. Yes, I really think it’s that bad. At least it will be, if we don’t do something… …and yes- I plan on doing something, but after this election cycle when we can leverage a new Congress, not lame ducks. Share:

I don’t cover industry issues here, but this is just too good to pass up. Sanjay Kumar, former CEO of CA, is sentenced to 12 years and $8M in fines. U.S. District Judge Leo Glasser said though Kumar was not a violent criminal, he “did violence to the legitimate expectations of shareholders.” Prosecutor Eric Komitee said Kumar deserved severe punishment as the architect of an elaborate coverup that was “the most brazen in the modern era of corporate crime.” … After the FBI began investigating the company in 2002, Kumar orchestrated a cover-up that involved lying under oath about the “35-day month” and other frauds and trying to buy the silence of a potential witness, authorities said. Oops. Share:

Now there’s something I need to admit here. Hopefully it won’t scare you courageous readers away. You see, as much as I (and fortunately, my employer) consider myself a security expert it wasn’t exactly my major. Nope, wasn’t computer science either. History, you ask? With a bit of molecular biology? Yep, you got it. So when Pete Lindstrom reminds me that it’s not like voter fraud is new to US elections I have to admit he’s right, and I knew it. Heck, to this day rumors still float around that Joe Kennedy may have been a bit of a proactive campaigner for his son. Ballot stuffing and voter intimidation are fine American traditions with a long and- well respectable isn’t the right word, but a long and something- history. I doubt there’s been a single election in the United States, on any level, from kindergarden class president to the President, that’s escaped some degree of shenanigans. So I will admit that despite my FUD and hand waving, the country won’t come to an end nest Tuesday leaving us all in some whacked out version of Mad Max where we mount staple guns to our Saturns. (Actually, I drive a Ford Escape… hybrid. I did used to live in Boulder and all). The thing is, as cynical, pessimistic, and paranoid as I am after a lifetime of working security and rescue and seeing the worst in human behavior, I still cling to some shred of patriotic optimism that this country is something more. More than what? Just more. I grew up on 4th of July parades, Boy Scouts, and little American flags on our car antennas. I’ve been in some sort of continuous volunteer (or paid) service to this country since I was 16. I’m proud that, on occasion, I still get to wear a uniform (not military- rescue stuff). Thus the hyperbole of my previous post is only the result of a deep desire to see this country live up to its potential. If we all keep rolling over and accepting things like voter fraud, there really won’t be anything left but voter fraud. Fortunately there are plenty of indications that, in this case, we not only have a chance to mitigate the problem, but enough people are becoming aware that we have a problem to incite action. Us security experts do have an important role to play in exposing inherent flaws in current electronic voting systems. This is full disclosure at its very best. E-voting itself isn’t dangerous; just the way we’re doing it now. And all you non-security experts have the responsibility to ask questions and implement change. Kind of the whole democracy thing and all, since it really isn’t dead yet. Just resting. But I hope Pete was kidding and is also worried, because e-voting is different. As with all information technology, it supports a scope and scale of fraud far beyond ballot stuffing or registering dead Civil War veterans. One programming change or glitch can swing elections on entire systems in a nearly undetectable way. A few pre-programmed memory cards can disenfranchise entire districts. If someone is stupid enough to connect these things to the Internet, one good worm or hacker could hand the Presidency to a 19 year old Diebold technician. All those scenarios are very possible. It doesn’t take a conspiracy theory. Election fraud has always existed; now we’re enabling it on the scale of the Internet. But the Boy Scout in me truly believes it won’t happen. Well, more than once. At least not on a national scale. Hopefully. As long as we get off our asses. And yes, keep watching this space. On a separate but related note it looks like Diebold is turning into the Court Jester of voter fraud. According to Slashdot, Diebold is insisting HBO not air a documentary questioning the integrity of voting machines. I’m not the biggest fan of using ROI to justify security expenses, but Diebold probably has a great case that the cost of threatening, suing, and defending themselves from allegations of security flaws is greater than the cost of actually fixing their damn product. Seriously guys, a couple of good security engineers are probably cheaper than all your lawyers and PR flacks. I can refer a few if you want. I just saw the article and it looks like “Hacking Democracy” airs tonight. Knowing HBO it will run like, every hour, for a few months, so I’m off to set the TiVo… Share:

One of the great things about the Internet is that it allows isolated assholes to connect and communicate like never before. Thus Rothman and I, mere professional acquaintances and friendly faces at a few industry events, can engage in deeper dialog, dragging any of our loyal readers down with us. (Mike and I are the assholes, not you guys. Except maybe for Will). I like it when smart guys like Mike push me, it makes for better analysis. I published a little on data security a few weeks ago, and Mike calls for a simpler approach. I thought about it a lot, and it gave me a great idea for a new way to position data security within the data life cycle. The bad news is I’ll be publishing it through Gartner, since that’s sort of what pays the bills. It’s also why I can’t completely expand on what little I wrote here on Securosis, that would be a conflict of interest. The good news is that occasionally Gartner releases some of our research free to the public. Below I’ve pasted the complete text of a press release issued by Gartner a few months ago. It’s based directly on a research note I authored, one of the more popular security notes, that any of you with Gartner seats can go take a look at. It’s not often I can release research, but since this is now public material I should be safe. I’m reprinting the entire press release just to be safe. Here ya go Mike. Not quite as simple as you asked for, but much more direct than the hierarchy- Top five steps to limit data loss and information leaks: Gartner Public exposure of private data is becoming a regular occurrence, but the majority of these incidents can be prevented if companies implement the proper security best practices, according to Gartner. Gartner analysts have identified the top five steps to prevent data loss and information leaks: 1. Deploy Content Monitoring and Filtering (CMF) A CMF solution monitors all outbound network traffic and generates alerts regarding (or sometimes blocks) activity based on inspecting the data in network sessions. CMF tools monitor common channels, including e-mail, IM, FTP, HTTP and Web mail (interpreting the HTTP for specific Web mail services) and look for policy violations based on a variety of techniques. “CMF tools are best at detecting and reducing information loss from accidents, such as e-mailing the wrong file to the wrong person, or bad business process, such as exchanging HR data over an unencrypted FTP connection,” says Rich Mogull, research vice president for Gartner. “CMF won’t stop all malicious activity and can be circumvented by a knowledgeable attacker. Still, most information leaks are the result of these accidents or bad processes, and CMF is evolving rapidly to address more malicious attacks.” 2. Encrypt Backup Tapes and (Possibly) Mass Storage Gartner analysts highly doubt that many of the reported lost backup tapes containing consumer records eventually result in fraud. However, because there is no way to know for sure, companies have to assume exposure anyway. Encryption can ensure that the data will still be safe. “During the past few years, tools have emerged that significantly improve the performance, manageability and simplicity of encryption,” says Mr. Mogull. “For large tape installations, we recommend in-line encryption appliances. For tape drives connected to local systems or servers, companies may want to consider software encryption. Older mainframes may need an in-line appliance with an adapter for mainframe protocols, while new software solutions can take advantage of extra processors or cryptographic coprocessors in more current models.” 3. Secure Workstations, Restrict Home Computers and Lock Portable Storage Workstations and laptops can be a major source of loss, especially when a poorly configured or out-of-date enterprise or home computer is compromised by a virus or worm, and by losing portable storage media, such as a Universal Serial Bus (USB) drive or CD-ROM. “There’s really no excuse for not keeping an enterprise system up-to-date with the latest patches, a personal firewall, antivirus and anti-spyware software,” states Mr. Mogull. “These precautions alone will prevent the vast majority of commonly encountered Internet attacks.” 4. Encrypt Laptops If organizations give employees portable computers, employees will store sensitive data on it. Policies don’t matter: Users will always use the tools they acquire, and sensitive data will always end up in unexpected places. “There is only one tool to protect sensitive information on a lost laptop: encryption, preferably whole-drive encryption from a third-party vendor,” Mr. Mogull says. “Whole-driven encryption, as opposed to file and folder encryption, involves very little user action, protects all data on the computer, and is not vulnerable to the same kinds of recovery techniques that skirt the protections of passwords or other controls.” 5. Deploy Database Activity Monitoring. Most organizations struggle to secure existing databases that are rarely designed with effective security controls. While companies eventually need to encrypt some of the data in their databases, database activity monitoring is a powerful security control that”s easier to implement and more viable than encryption for many types of data. “Database activity monitoring tools observe all activity within a database, record this activity in a secure repository and generate instant alerts for unusual activity,” explains Mr. Mogull. “Through detection of unusual behaviour, database activity monitoring can limit insider misuse of database systems, enforce separation of duties for database administrators and limit certain external attacks, all without affecting database performance.” Additional issues related to the state of the security industry will be presented at the Gartner IT Security Summit, September 18-19, at the Royal Lancaster Hotel in London. www.europe.gartner.com/security Share: