Friday, July 30, 2004

NIST Withdraws DES

It's about time! NIST has published its intention to withdraw its approval for using the DES encryption algorithm to protect federal government information. The short announcement encourages DES users to switch to AES, but also notes that DES used as part of triple DES implementations is still OK.

Web threat taxonomy published

The Web Application Security Consortium has published a new taxonomy of web security threats. It's 87 pages long and contains detailed descriptions, examples and references for over 20 types of attacks. Is it rocket science? No. Is it useful? Maybe, but only if enough people actually read it and start referencing it.

A taxonomy is a good thing, in my opinion. I need to read in more detail before I can say whether I'll be using it on a daily basis, though.

joatBlog mentions that there might be a trust issue with using a copyrighted taxonomy, but I've read the OpenContent license this document uses, and it seems quite reasonable and very Open Source-like.

The best hacking tools you've never heard of (Part 1)

Reading this article about a Blackhat presentation on Metasploit gave me the idea for this entry.

If you haven't tried Metasploit, you should. Right now. Their motto, "Hacking like it is in the movies", is pretty accurate. They've got a good database of reliable cross-platform exploits and payloads all wrapped up in a convenient point-n-click GUI. It's extremely useful as a tool for security testers and admins who want to verify the security of their systems, but unfortunately, it can also easily be used for Evil.

You really do owe it to yourself to check this out. Trust me.

OpenSSL programming is easier than you thought

IBM's developerWorks has published Kenneth Ballard's fine article on basic OpenSSL programming. This is the clearest, most straightforward explanation of how to program the OpenSSL library in C. Although the documentation does a good job of hiding it, it's really trivial to work OpenSSL into your own applications.

Wednesday, July 28, 2004

Ethical worms: What crack is Slate smoking?

Slate has an article entitled Fight Virus With Virus - That's the only way to stop MyDoom. The author's idea is that if we can't stem the tide of malware with our current technology, then we should fight fire with fire, or "virus with virus", by creating worms that exploit widespread security holes in order to spread around and automatically fix security holes.

This idea is not just bad, it is disastrous. It's hard enough sometimes for legitimate administrators to patch their systems and have them still run reliably (pre-production testing, anyone?) and the idea of trusting my systems to an anonymous piece of code that has no local knowledge about my configuration, requirements or schedule is simply ludicrous.

Let me be clear: No way in hell.

Sunday, July 25, 2004

Kids may be more security-savvy than we think

The SANS Internet Storm Center's diary entry for today talks about something I find, frankly, amazing. Scott Weil, the head of SANS' Local Mentor training programs, spoke with a group of school children about Internet safety issues. He asked some of the students to design an attack against their school's network, and the rest to design defensive measures to protect their network against attackers. I'm amazed by the sophistication their responses displayed.

Saturday, July 24, 2004

Detecting altered digital photos

Slashdot has a pointer to a couple of articles showcasing Dartmouth Assistant Professor Hany Farid's work on detecting altered digital images. Apparently, he and his graduate student, Alin Popescu, have developed a mathematical model that can determine whether or not various common image editing techniques (cloning, averaging, resizing, etc.) have been applied.

How is this related to Information Security, you may ask? For one thing, it may have potential ramifications for the admissibility of digital photos as evidence in a court of law. Also, and neither article mentions this, it sounds like it may also have the potential to help identify images which contain steganographic content.

Thursday, July 22, 2004

DNC convention network vulnerable?

The Boston Globe has an article showcasing possible vulnerabilities in the network setup planned for the Democratic National Convention. Apparently, some of the hackers over at Newbury Networks have keyed in on the fact that although the DNC is deploying an exclusively wired network, the influx of thousands of laptops pretty much guarantees some of them will be misconfigured to act as bridges to their built-in wireless networks. The article describes an attack whereby a Bad Guy could set up a high-power access point near the convention site, trick unwary laptop users into associating with his malicious network, and then use the attendees' laptops as jumping-off points into the wired network.

This attack has a reasonable chance of succeeding, but it's nothing new. You see this type of thing any place lots of people bring laptops (conventions, conferences, heck, even hotel networks). The real question in my mind is about the potential risk. I'm not familiar enough with what goes on at these conventions to know what's on the network or evaluate what the potential loss could be. Anyone care to comment?
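One defensive check that follows from the scenario above, as an added example (not from the Globe article or Newbury Networks): a laptop whose wired and wireless interfaces are bridged forwards frames from the wireless side onto the wired LAN, so the access-switch port it is plugged into learns several source MAC addresses instead of one, often from a different vendor prefix (OUI) than the laptop's own. Walking the switch's MAC address table and flagging user ports with more than one learned MAC surfaces those machines. The table format below is a constructed sample in the style of a typical "show mac address-table" dump; the column layout and port names are assumptions, and real output varies by vendor.

```python
"""Flag access-switch ports that look like they are bridging a second network.

Added example: given a switch MAC address table, report end-user ports that
carry more MAC addresses than a single attached host should, along with how
many distinct OUIs (vendor prefixes) those addresses span.
"""
from collections import defaultdict

# Constructed sample in the style of a "show mac address-table" dump.
# Gi1/0/3 has four addresses from two OUIs: the signature of a laptop
# bridging wireless clients onto the wired LAN.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    0011.2233.4403    DYNAMIC     Gi1/0/3
  10    0011.2233.4404    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/3
  10    0011.2233.4405    DYNAMIC     Gi1/0/4
  10    0000.0c9f.f001    STATIC      Gi1/0/48
"""


def parse_mac_table(text):
    """Return {port: set(mac)} from a whitespace-separated MAC table.

    Header and separator lines are skipped because their first field
    is not a numeric VLAN id.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        _vlan, mac, _kind, port = fields[:4]
        ports[port].add(mac.lower())
    return dict(ports)


def oui(mac):
    """First 24 bits of a MAC in dotted, colon or dash notation, as 6 hex chars."""
    return mac.replace(".", "").replace(":", "").replace("-", "")[:6]


def port_report(port_macs, max_macs_per_port=1, uplinks=()):
    """Ports exceeding the per-port MAC limit, with MAC and OUI counts.

    uplinks: ports that legitimately carry many addresses (trunks, servers,
    phones with a PC behind them) and are therefore excluded.
    """
    report = {}
    for port, macs in port_macs.items():
        if port in uplinks or len(macs) <= max_macs_per_port:
            continue
        report[port] = {"macs": len(macs), "ouis": len({oui(m) for m in macs})}
    return report


def suspected_bridges(text, max_macs_per_port=1, uplinks=()):
    """Sorted list of suspect ports for a raw MAC table dump."""
    return sorted(port_report(parse_mac_table(text), max_macs_per_port, uplinks))


if __name__ == "__main__":
    findings = port_report(parse_mac_table(SAMPLE_MAC_TABLE), uplinks=("Gi1/0/48",))
    for port, stats in sorted(findings.items()):
        print(f"{port}: {stats['macs']} MACs across {stats['ouis']} OUIs")
```

The threshold of one MAC per port is a starting point, not a rule: docking stations, IP phones with a PC daisy-chained behind them, and virtual machines all put several addresses on one port legitimately, so in practice you whitelist those ports (the `uplinks` argument here) or raise the limit, and treat a jump in the OUI count as the stronger signal. The same idea is what switch "port security" features enforce automatically by capping learned addresses per port.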

Wednesday, July 21, 2004

Should we train hackers?

There's a good paper exploring the issues (pro and con) of teaching "ethical hacking." As you probably know, any yahoo with $$ can sign up for a number of "Super Ultimate Megaleet Hacking" courses and learn most of the same techniques the Bad Guys use against us. The concern is, of course, are we the ones teaching the Bad Guys? My take is that truly dangerous blackhats don't need our help to learn anything, so the benefit to the security community far outweighs the possible downside. But check out this paper and see if you agree.

Creating a vulnerability-scanning capability in an academic environment

Check out Eliot Lim's excellent paper, Design and Deployment of a Rapid Response Security Vulnerability Scanning Infrastructure. It's a fascinating case study of implementing a vulnerability scanning program in an environment which is usually downright hostile towards security, the university and academic research facility.

Tuesday, July 20, 2004

CAUTION: This network protected by Casey Jones

El Reg has an amusing article surveying the musical tastes of various types of IT pros. Apparently, security pros are supposed to be fond of '60s rock classics like The Dead, Jimi Hendrix and The Doors. While I do have Hendrix and The Doors on my iPod, I'm more of a blues man myself. Guess I'll have to get another job...

Towards a worm creation language

Immunity's Dave Aitel has posted slides from his recent talk, entitled Advanced Ordnance. The presentation explores the idea of creating a description language and compiler for implementing the next generation of platform-independent worms. Lest you think this is just pie-in-the-sky, I should mention that it's based on his freeware MOSDEF tool, so parts of what he describes already exist, or are within cat-hurling distance of existing. It's interesting stuff, though the implications are a little on the scary side.

(Note: The presentation is in an OpenOffice format)

Monday, July 19, 2004

419ers get nasty

The Register has this story about Nigerian scammers skipping the wasteful "please we really need your help" schtick and getting down to business: "Pay up or we'll kill you."

Saturday, July 17, 2004

Athens Olympics Steps Up Cybersecurity

The Associated Press has an interesting story about cybersecurity measures for the upcoming Olympic games. It's a little light on technical details, but there are some interesting nuggets nonetheless. I'd like to know how large a staff they have working on this part, but unfortunately the article doesn't say.

Friday, July 16, 2004

A dramatic example of the business need for Information Security

I've just read that Los Alamos National Lab has temporarily suspended all classified research due to a continuing pattern of Information Security problems. Specifically, in this last incident they lost two ZIP disks containing classified weapons-related information.

Classified research counts for a lot of their business, so I hate to think how much this is affecting a) their scientific mission, and b) their bottom line. It's nice to hear that they are finally taking decisive actions to clear up the problem, though.

On that note, here's my favorite quote from the article:

Nanos said people at the lab sometimes have an attitude of impunity, expressed in the phrase, "They can't fire us all."

Speaking to those who had behaved with a cavalier attitude, Nanos said, "We're going high and right on this one. And the fact of the matter is, if we have to, we will fire you all."

joatBlog is another of my favorite security blogs. He's got a good head on his shoulders, and he also reads extensively. It's always interesting seeing what he comes up with.

Oxford University Students Break Network, Law

In a brash display of... well, I'm not sure what, but it certainly wasn't brains, two Oxford students apparently hax0r3d the school's network and then published the results in the school's newspaper.

The law is the law, folks, and the difference between an administrator and a hacker is permission. If you don't have it (in writing!), you're just asking for trouble pulling this kind of stunt.

Here's a writeup from El Reg, and here's the students' original article.

Stupid Security

One of my favorite blogs is Stupid Security. Their tag line, "Exposing Fake Security Since 2003," pretty much says it all. I just wish it could be updated more frequently, but I guess the less stupid security, the better.

Phrack #62 Released

Phrack issue #62 was released this week. This is a pretty Windows-oriented issue. As usual, it's well worth reading if you can get past the juvenile "I'm 133T33R than you" attitude.