Monthly Archives: February 2010

Demotivational Speaking (the AVIEN take)

This is a blog I nearly put up here, but then thought it was about time I did an (ISC)2 blog, so it’s here instead: http://blog.isc2.org/isc2_blog/2010/02/demotivational-speaking.html

However, I suspect the issue will strike chords with many people in AVIEN, too. The article that sparked off my commentary is at http://hbswk.hbs.edu/archive/5289.html.

https://avien.net/blog/?p=389 (Educating the CIO) and https://avien.net/blog/?p=368 (Who will educate the educators?) also have a bearing, if you haven’t read them.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
https://avien.net/blog
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com

PleaseRobMe: too much information…

Sometimes I think I should just stop killing myself multi-blogging and retweet Graham Cluley’s blog URLs.

This is a good item, anyway.

The web site (Please Rob Me, not the Sophos blog) “…mashes together content from Foursquare and Twitter, providing an easy way for potential burglars and stalkers to find out where you are supping your cappuccino, and when you may have left your home empty…”

In fact, what the site has been doing is auto-grabbing publicly available data from such sites and putting it all in one place, with the intention of highlighting the risk of giving away information that burglars and stalkers would find useful about your movements.

Graham comments that it will be interesting to see if FourSquare and Twitter try to stop PleaseRobMe snarfing the data from them. We already have part of the answer to that: Mikko Hypponen reported about three hours ago that Twitter had suspended the @pleaserobme account.

There’s been a series of infomercials on UK TV recently in which “members of the public” try to interest thieves and burglars in robbing them, and a while ago there was a “reality” show in which an ex-burglar broke into people’s homes (with permission) and then lectured them on what they should have done to prevent it.

There would be a certain felonious irony if PleaseRobMe were to get accused of having stolen part of their idea from these sources. 😉 In fact, though, the site is Dutch, according to the BBC, so maybe not.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Airport security and Defense in Depth

I know this Blog is devoted primarily to computer security, specifically emphasizing Malware issues. I’d like you to indulge me for a small side trip to another area of security that impacts most of us, and hopefully this will fire some stray neurons and perhaps give ideas and insight to how we do business.

This all started during one of my latest business trips. We’re told flying is a privilege, not a right, or necessity. I, like so many business travelers, get annoyed being treated as a criminal because I have the audacity to travel by air for business needs. So, let me get things right: I pay for the privilege of being treated as a potential terrorist because in the course of conducting commerce, my employer sees a business need for me to fly to my destination? I also have the honor of paying $25 to check a bag so I can have the luxury of clean clothes when I arrive at my destination? Now I have the honor of sitting next to someone whose weight is such that the seat back tray cannot come completely down, while he’s overlapping my already too tight seat, forcing me into the aisle/wall? Now, my noise-canceling ear buds are worth every penny I paid, but where can I get odor-blocking nose buds to block the garlic and other odors emanating from my seatmate? Add in maintenance or weather flight delays, running to gates, layovers longer than three hours, and suddenly I’m not feeling so privileged, and am understanding why fewer people are flying.

It was about this point in my flight when I started playing the old game of “what if”. In this case, what if I owned a domestic airline? How would I address security while making the customer feel more comfortable? I think rather naturally, my first thought went to my seat-mate, and I thought, if you need a seatbelt extender, you need to buy a second seat. Sorry if this offends anyone, and I know they’re shrinking seat size to fit more people on already increasingly full flights, and people of average sizes are cramped, but I’m thinking he had to be as uncomfortable as I was, and a second seat (while increased expense to him) would have alleviated that issue rather handily. Next, and probably the most revealing thing, came when I tried opening my baggie of “Mini Pretzels”. That baggie of airline-supplied snacks did not want to open, and I was reduced to using my teeth to get a tear started. Now normally I’d reach into my pocket and pull out my Leatherman Brand multi-tool, and use the knife blade to cut open the bag, but due to security, it was in my checked baggage. Here we go, I can hear the cries now: “what kind of uncivilized fool carries a knife in this day and age?”, “Typical Yank, needs his knife and gun”, etc. Well, according to my education, it’s uncivilized and unsanitary to use your mouth to open packages. If memory serves right, Miss Manners said something about the practice lacking proper etiquette. I was taught early it was simple tools like the knife that elevated us above animals, and made our behaviors less animalistic.

Proceeding on that line of thought, I thought about why these rules were in place. The answer came down to preventing skyjacking and making the flying public feel more secure in their flight. Well now, here I am in my element, SECURITY. So let’s take a look at the security and vulnerabilities of modern aircraft. As many have written previously, the flight deck is the weakest point of any aircraft. Like others before me I thought of the isolation of the bridge and flight crew, separate entry points, toilet facilities, rest facilities, etc.

Then a light bulb went off. The weak point isn’t the flight deck, but like in most security issues the personnel. The flight crew itself is the weak point. They are the ones who are directly attacked to gain control of the aircraft. So if we remove them (and flight controls) the aircraft is secure against any kind of take-over attack, right? So who flies the planes? Simple, the same people.

The fact is, most modern aircraft already fly from near take-off to landing by computer; add to this the advances in remotely manned aircraft (such as the ‘unmanned’ drones in the warzones), and the U.S. Air Force openly talking about unmanned fighters in the not so distant future, so why not in commercial aircraft? I realize some people are not going to be comfortable without a face they can put “in control”, so it may be necessary for the short term to have a flight-trained deck officer with a manual override capability on each flight. However, as people become more accustomed to the technology, this need will go away. The manual override will need to be designed so that the on-board crew cannot activate it themselves, unless some critical event occurs and the aircraft loses communications with the ground, or a ground controller agrees, making a two-key type system.

Now, with no flight deck, box cutters, guns, or even bomb threats have no value. There’s no one to take control from. That being the case, there is no need for everyone to be treated as a criminal and go through metal detectors, have our bags scanned and searched, or even go through the full body scanners. The only legitimate threat is explosives, and the destruction of the aircraft.

Looking from a skyjacker/terrorist point of view, they already know that after 9/11, passengers will not allow an aircraft to be taken over and used as a weapon again. That’s why we’re already seeing attacks like the shoe and underwear bombers. This threat can be addressed in a more cost-effective, low-tech manner, namely well-trained K-9s. Think of it: no more security lines, one (or more) dog team behind the baggage check to sniff checked baggage, and several roaming the facility and at congestion points and boarding gates.

So a quick recap: fewer security officers would be needed, fewer flight crews, pilots could work from central facilities (like the military drone operators do), enabling them to work 8-hour shifts with less pilot fatigue, and fewer errors like overshooting airports due to pilot inattention. Pilots may even be able to monitor multiple simultaneous flights; if not, at least moving from one flight to the next is under 5 minutes, giving increased turn-around time. Some will question the wisdom of not checking for knives and firearms. I ask you to use logic and not emotions. Most murderers want to get away; they’re not going on a killing binge on an aircraft where they are already a prisoner with no escape route. As for mass murder/suicide, other passengers will not be defenseless, and will be able to stop an evil-doer before it gets out of hand.

What about explosive decompression? The well educated know this is simply Hollywood hype and not a threat to a modern aircraft from a firearm.

I do believe this to be technically feasible. However, I don’t think this will ever happen, simply because it’s a real security solution, not security theater. Governments will lose some power over the traveling public. People will lose jobs, unions will lose members (and the resulting income and power), and this does not play to people’s fears and emotions, nor provide a visual “security blanket”. Finally, like any security solution, it’s not perfect, but for once it is a real security solution, one that would produce solid results at reduced costs and with increased liberties.

Now I know this is already long, but to tie it to the computer security world, how many of our efforts are security theater, rather than actually addressing the root security issue? How many times do we have to put in a layer to provide a feeling of security without being beneficial and inadvertently impacting our customers? Just something to think about next time we’re asked to “do something”, and if anyone from the airlines wants to implement my ideas, I’d welcome it.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

You can’t always read Facebook on a train

When I saw an MSN article headed Facebook friendships ‘not real’, I was expecting something about lack of validation of Facebookers’ identities. Which is indeed an issue, though not a new one. “On the Internet, nobody knows you’re a dog.” Or, indeed, a wolf in sheep’s clothing.

But no… All this time we’ve been making a fuss about the lack of security and privacy on social network sites, it seems that we’ve been getting it wrong. The problem isn’t security at all.

According to a recent survey, most of us see our friends much more on Facebook than we do in person. Apparently, this becomes truer as you move up the age range. Well, I guess you have to meet your friends in order to get smashed with them.

Anna Richardson, described by MSN as a “Channel 4 presenter and relationship expert” apparently commented:

A Facebook friendship is a poor substitute for actually meeting up with a friend as you miss out on the personal engagement and real connection that you need to build a strong friendship.

It is difficult to make time for friends when juggling busy lives, but without making the effort, there’s a danger that precious friendships are becoming lost in the digital era.

Her advice is to log onto http://www.railcards.co.uk/, buy a railcard and… oh, wait a minute. You can apparently get taxis, finance, holidays, accommodation, broadband, car insurance and many other things at railcards.co.uk, but not railcards. I guess she (or more probably MSN – nice proofing, guys…) meant http://www.railcard.co.uk/, which offers a range of discounted passes for rail travel in the UK. OK, so I should log in and buy a railcard (yes, Ken, I am eligible for a Senior Railcard: don’t rub it in…) at www.railcard.co.uk… oh, wait another minute. Isn’t that who commissioned the survey? Well, there’s a coincidence….

So I get my railcard and wander down to the station, and get on a train at a reduced rate, and go and see my Facebook friends.

“I’d like a ticket please, to Western Australia, Pennsylvania, Bratislava, Florida, San Diego, the Philippines, Helsinki, Reykjavik, Chennai…”

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

PINballzup: chip & PIN issue links

I’ve already blogged this at ESET (3rd link down), so these are just links, but quite a few of them. The first is the actual Cambridge paper (or rather a draft thereof).

Chip and PIN is Broken (Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond), University of Cambridge Computer Laboratory

Chip and PIN is broken: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Has Chip & PIN Had Its Chips?: http://www.eset.com/threat-center/blog/2010/02/12/has-chip-pin-had-its-chips

PIN check in EMV protocol for EC and credit cards bypassed: http://www.h-online.com/security/news/item/PIN-check-in-EMV-protocol-for-EC-and-credit-cards-bypassed-929784.html

Chip and PIN system on banking cards seriously flawed: http://www.net-security.org/secworld.php?id=8862&utm_source=twitterfeed&utm_medium=ping.fm&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

New flaws in chip and pin system revealed:

Chip and PIN Security Completely Broken by New Attack
http://threatpost.com/en_us/blogs/chip-and-pin-security-completely-broken-new-attack-021210?utm_source=twitterfeed&utm_medium=ping.fm

My Not-So-Funny Valentine

I’d like to start off with something really soppy and sentimental but my heart’s not in it. 😉

Clearly, we can expect more Valentine exploitation as the weekend draws nearer, but some malicious sites have already been flagged. (Apologies to those of you who’ll have seen some of this before at ESET or Mac Virus.)

ESET blogged (well, I did, actually) on “Valentine Scams: Romancing the Stony-Hearted”, listing some malware-populated domains Pierre-Marc Bureau had noted and citing an earlier blog by Dancho Danchev (http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html) that includes quite a few dating scam sites and the like.

A number of us, including my colleague Urban Schrott at ESET Ireland, are seeing Russian bride spam, but when don’t we get that stuff? I guess it goes with being such hunks.

So it’s not surprising that David Marcus, at McAfee Labs, is reporting lots of SEO poisoning: these are some of the terms they report as being used to attract Googlers to malicious web sites:

  • Valentine’s Day Screensavers
  • Valentine’s Day Downloads
  • Valentine’s Day Wallpaper
  • Valentine’s Day Rolex
  • Valentine’s Day eCards
  • Animated Valentine’s Day
  • Valentine’s Day Greetings
  • Valentine’s Day Cupids
  • Valentine’s Day Gift Ideas

The McAfee blog is here:

http://www.avertlabs.com/research/blog/index.php/2010/02/10/valentines-day-searches-lead-to-malware/

And I’ve just received a link from my colleagues at ESET Latin America: it’s in Spanish, but includes some images cloaking malicious links, so that you can enjoy some pictures without risking the badware. 😉 (Thanks, Cristian!)

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

With all the Buzz, some education is in order

So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).

The new network, called “Buzz”, integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.

All the fuss around social networking has really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc. as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents nor the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy, and therefore our rights to a private life for ourselves and our progeny, are daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world, targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.

While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools, where security is taught as a discipline alongside all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.

Andrew Lee
CEO, AVIEN & CTO K7 Computing

Haiti Relief Scams

It’s been a while since I talked about Haiti.

First of all, I’m delighted to report that Jeff’s father turned up very much alive.

Less happily, Tom Kelchner of Sunbelt has flagged a story in USA Today that claims that more than 170 complaints have been received by federal law enforcement agencies relating to earthquake relief scams. Scams specifically mentioned include:

  • SEO poisoning directing search-engine users towards sites laced with rogue anti-malware
  • Door-to-door collectors for fake charities
  • 419-type emails from alleged victims or officials
  • SMS scams where text messages invite potential victims to ring a number to get more misinformation
  • Similar scams using social networking sites such as Twitter and Facebook.
  • Fraudulent charity web sites.

One fake charity I found particularly galling, as a Brit, was the one that claimed to be a British affiliate of the American Red Cross. Come on, guys, we’ve had our very own Red Cross since 1870 (some years before the foundation of the American Red Cross), though it wasn’t called the British Red Cross Society until 1905. Of course, there’s no particular reason why most Americans should know about the British Red Cross as a matter of general knowledge, but this does illustrate the importance of checking the validity of a charitable organization before you contribute to it. Of course, you also need to be sure that where the charity is real, the collection mechanism is also genuine!

USA Today recommends Charity Navigator (http://www.charitynavigator.org/) and the American Institute of Philanthropy (http://www.charitywatch.org) as a means of checking the charitable status of an organization.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence