Tag Archives: security

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:

 

Andrew Lee
AVIEN CEO

Snakeoil Security

This is a really good article about how poor  security products can appear to work, but actually increase the problem:

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists) http://ha.ckers.org/acutrust/ – which contains the following quote

“like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.

One of the best examples of this sort of failure I’ve seen recently is this http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

HP Webscan opens a hole in your enterprise

In an interesting piece of research, Michael Sutton details the vulnerability opened up by leaving HP’s Webscan service enabled on your network attached scanner/printer devices.

http://research.zscaler.com/2010/08/corporate-espionage-for-dummies-hp.html

This really does highlight the fact that, when thinking about security, it is never good to assume anything. Any device attached to your network should be thoroughly examined, and the benefits considered.

Of course, it also is a big failure on the part of HP not to ensure such services are secured by default (or at least must be specifically enabled). Hopefully they’ll fix this, but for now, if you own an HP scanner/printer/fax device, then it’s worth checking you’re not exposing sensitive documents to the wrong people.

Andrew Lee
AVIEN CEO / CTO K7 Computing

AVAST takes $113 Million in capital

In what seems to be something of a trend for big investments or buyouts of AV companies, AVAST, the Czech based makers of the popular free AVAST Anti-virus, have sold a minority stake in their company to investment firm “Summit Partners”.

http://www.itnews.com.au/News/229866,avast-takes-113m-equity-injection.aspx

AVAST (formerly ALWIL software) has long been in the ‘free’ anti-virus game, as one of the pioneers of that model, and clearly it seems to be working for them. It should be interesting to see what they do with the cash and how their product line develops over the next few years as they compete with their big neighbour AVG, also Czech based and big in the free AV game.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Also blogging at http://blog.k7computing.com

Breaking news: Intel Buys McAfee

Intel announced today that it has bought out McAfee, http://mcafee.com/us/about/intel_mcafee.html

It’s definitely a time of consolidation in the industry, and this is an interesting move on the part of a player that hasn’t so far gotten it’s feet wet in the software security arena (although Intel Capital has invested in other AV companies such as AVG).

What this means for consumers could be interesting, as the AV could be much more closely tied to the processor architecture.
Anyway, congratulations to all my friends at McAfee, next time we meet, the drinks are on you.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Update 20/08/2010: Of course, I neglected to mention that Intel did of course have an AV product called LANDesk some years ago, that was bought by Symantec, so Intel isn’t totally new to this game.

Sins of Omission

It’s not really related to malware, but this is an interesting article that brings up a few issues that should be highligthed.

http://www.bankinfosecurity.com/articles.php?art_id=2846

Firstly, the cheque images in question are used as a security feature, you can view them online to see when and where they were cashed, and they are attached to a specific transaction. Those who don’t have a US bank account might not be familiar with such a system – however, the fact that the cheque now exists online should be a red-flag for security, and you would expect it to be protected as part of the bank account (your cheques, after all, have your signature on them, along with your bank details and a sample of your handwriting). The key to the success of this breach was that the images were all stored in a single online database. This in itself is a huge vulnerability.

Secondly, just because something is not a regulatory requirement, doesn’t mean that it shouldn’t be done as a matter of course. Holding such a database, and knowing that it contains data that would be very useful in fraud, then it makes sense to use encryption to protect it - so in this case fact that they were not encrypted simply makes it worse. It’s like saying that we were only required to put locks on the doors, but the regulations didn’t state we needed to close the windows.

Many European banks are moving away from paper driven cheques, and that would of course reduce or eliminate this specific attack, but what doesn’t seem to be happening is any assumption by the banks of attack. For instance, my bank has implemented some rudimentary anti-phishing protections, but it still uses a very weak password based account entry, which any key-logger could get around (unless of course I’m using a secure browser like K7SecureWeb or SafeCentral), and that combined with  a screen-scraper could easily compromise the anti-phishing measures.

Probably, as things get more serious (in terms of fraud) for the banks, there will be much more concentration on securing things. For now, the sad fact is that the consumers are not driving this, because they don’t care – the losses are to the banks, because of consumer protection (at least in the EU and USA). The reason my bank (along with most other British and US banks) have such poor security is that at the moment, the customers aren’t demanding higher security. That, coupled with silly things like only implementing the letter, rather than the spirit of regulation, is not going to bode well for the online banking in the near future.

Meanwhile, the Anti-malware industry gets a harder and harder rap for not being able to clean up all the mess, while what really needs to happen is for everyone to take a bit more responsibility for their actions, and understand that there are real threats out there, that cannot just be addressed by anti-malware alone, nor indeed any purely technology based solution.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

NTEOTWAWKI

Given all the hype generated by the ridiculously titled Gawker Article about the so called ‘iPad’ hack, I’m somewhat reluctant to add to any more of the noise over what is really a pretty run of the mill story, but because I’m procrastinating on other jobs, I’ll write something. Warning: this story does involve the shocking exposure of people’s email addresses, said addresses getting revealed when they shouldn’t have been, and yes….er…well, no, that’s about it actually.

Indeed, Paul Ducklin of Sophos wrote a very nice article stating the rather important fact that, every time you send an email, that passes your email out on to the open internet. Of course, that’s not an excuse to have a poorly written web app that will spit out the email addresses of your partner company’s clientele at will. Partner company, I hear you cry, wasn’t this an Apple problem? Yes, indeed, this is absolutely nothing to do with Apple, it’s not an Apple problem, and it’s not a breach of Apple’s security, nor is it a breach of the iPad. In fact, it was solely down to a web application on AT&T’s website. It doesn’t even involve touching an iPad. But, but, you may splutter, isn’t this is an iPad disaster? No. Not even slightly; not once did the ‘attackers’ go near any one’s iPad. The ‘attack’ was purely a script  that sent ICCID numbers (this links a SIM card to an email address) to the AT&T application, in sequence, to see if their database had that number with an email attached – and if so, that came back. That’s right, it’s a SIM card identifier. The only ‘iPad’ part is that the ‘attackers’ spoofed the browser in the requests, to make the app think the request was coming from an iPad.

The upshot is that, as this page rightly points out (thanks to @securityninja for the link)

“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

So, the correct title of that original Gawker article might have been “Badly designed AT&T web application leaks email addresses when given SIM card ID”, but that wouldn’t be “The End Of The World As We Know It”.

In a week where one ‘journalist’ writing here (thanks to @paperghost for the link) claimed that some security people confessing to being ‘hackers’ (whatever that means) “confirms our suspicions that the whole IT insecurity industry is a self-perpetuating cesspool populated by charlatans”, it might be time for the world of the media to turn that oh so critical eye on itself and ask who is really generating the hype in the information security world?

If you’re interested in keeping up with genuine Mac/Apple related security issues, a good resource is maintained here by my good friend David Harley

UPDATE: The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying

“There was no breach, intrusion, or penetration, by any means of the word.”

Andrew Lee
CEO AVIEN/CTO K7 Computing

Attack of the Mutant Zombie Flesh Eating Chickens From Mars

Yesterday there was widespread reportage of one of those periodic stories that make media types drool; and make security experts cringe in despair.

However, this ‘summer slow day news story’ was so widely (mis)reported, that it does bear commenting on. The story in question was titled (by the BBC) as “First Human Infected with Computer Virus“. This of course conjures up the idea of a person getting sick, by means of malicious computer code (a claim that is, and will remain for a significant amount of time, well within the realm of science fiction).

What actually happened is much more mundane. It appears that the ‘researcher’ placed a piece of replicating code onto an RFID chip, and used that to infect the reader control system which then (at least in theory) could then pass the code back to other similar RFID devices. So far, so boring. We know that it is possible to have storage devices contain code (malicious or not) and pass that code between themselves via other systems. The difference in this case is that the researcher then injected the ‘infected’ (rather bizzarely he refers to this as ‘corrupted’ making me doubt that it was even a virus) chip into his hand, and claimed that this made him infected.

The news stories all got caught up with the fact that this gave him special Jedi powers enabling him to open doors with a simple wave of his hands (ok, maybe they didn’t exactly say that, but hand waving was involved), or…horror of all horrors….activate his mobile phone. Surely a deadly device if one had ever been made. So; we already know that RFID chips can open doors (after all, that’s a valid use for many of them) and they can carry code. The ONLY difference is that this ‘researcher’ inserted the chip into his flesh. To claim that this makes him ‘infected by a computer virus’ is a bit like saying that if I dropped the same chip into a cup of coffee, a steaming fresh cow pat, or even a mutant zombie flesh eating chicken from Mars, those would also be ‘infected’.

As Graham Cluley pointed out, the only interest that this story might have generated otherwise would be in a security research into vulnerabilities of RFID readers. You need a vulnerable reader to get affected by the code, and then you need to be able to read the other RFID tags/chips with that reader to ‘infect’ them. There’s a valid point in that RFID exploits could be used to compromise security and or privacy – but that’s not new knowledge, we’ve known that for many years.

As Chris Boyd (@paperghost on Twitter) nicely summed up “In conclusion then, “man infected with computer virus” is basically “device for opening doors works as intended”.”

Andrew Lee
AVIEN CEO / CTO K7 Computing

The great wall of Google

So, we hear the news that Google ‘really has’ ceased censorship in China. At least, that is the meme currently working its way around the internet. Actually, this is rather disingenuous, and shows a particularly unsavoury side of how the Google PR machine really works.

If you’ve been living on Mars or want some background, here are a couple of links on the story.

http://news.bbc.co.uk/1/hi/world/asia-pacific/8582233.stm

http://www.guardian.co.uk/technology/2010/mar/22/google-china-shut-down-censorships

Of course, a careful read of these articles shows that Google have done nothing more than redirect their front page to their existing Hong Kong search page, and that the censorship (which operates automatically between the mainland of China and…well…everywhere else) is still very much in place.

Users inside China have no greater freedom now, and this is a very different situation than if Google had really put its money where its (big) mouth is and uncensored its .cn site search results. Clearly they wouldn’t do that though, as not only would it be illegal in China, it very likely would have caused them to have to pull out of the lucrative market they so badly want a piece of – instead of getting a bit of bluster from the Chinese government and maybe a slap on the wrist.

Do a search for, say, ‘Tiananmen Square’ from inside China, and as the Guardian article points out, the internet connection will reset. Lest we forget, this is part of what Google is complicit in covering up. The Chinese government have been almost entirely successful in expunging this monstrous event from the consciousness of those living in their country, and Google (and others) have not only not done anything to stop this, they have actively aided them in their attempts at revisionist history.

This is a security blog, so I’ll get to the point that everyone seems to be missing. This whole story erupted because, allegedly, Google suffered attacks on its Gmail network from inside of China. Let’s leave aside for the moment, the whole “buzz” fiasco which probably did Google far more harm, but this is the rather grubby truth that Google is managing to cover up so well with its big talk about not “being evil” and opening up the freedom of the internet (which they so eagerly avoided doing for so long in order to get their hands on those lovely Chinese RMB).

The point is, that rather than look at what they were doing that was wrong and securing their network; or finding out what led to the compromises against their network, Google instead simply threw their toys out of the crib and made up a new story about solidarity and freedom and so on. Do you trust Gmail more now that they’ve engaged the NSA to help them secure it? I didn’t think so.

It’s a shame that so many tech bloggers have focused on the smokescreen political issues and ignored slamming Google for the real issues, that its approach to the privacy and security of its users is time and time again a huge disaster. The real problem is that they’ve got the money and the PR machine to cover it up with a different story, and swamp all those dissenting voices to avoid having to have that brief moment of introspection that might acutally change things for the better…rather like a certain government, don’t you think?

Andrew Lee
AVIEN CEO