The new website shows the Aconiac of 2010, as opposed to the old transitional Aconiac portrayed by our old site.

In the future, Aconiac will offer these three overall services:

1. Simulated hacker attacks
2. Software development
3. Consulting.

On top of this, we will be focusing on writting security and development guides that your company can use, free of charge, to enhance your business.

The Aconiac of 2010 is more streamlined, more focused and more determined than ever! We look forward to working with you in the new year to come.

On another note: The site was deployed minutes prior to writting this blog post. As such, there might be some small clitches here and there. If you see any odd behaviour on the site, please do feel welcome to contact us here on the blog or at info@aconiac.com. Any comments are also very welcome.

Streamlined, simpler and up to date on what the company does and how it does it. So keep a look out for that and we’ll of course also post about the release here on the blog.

But anyway, we went there last week and there was one talk in particular we simply felt was so important, that every developer who didn’t already know about it, should know about it! Luckily the guy doing the talk that day was James Roper, a developer at Atlassian. He apparently feels the same way, so he made a bunch of blog posts about it back in September, so that everyone can get this important knowledge and learn how to avoid the issues he talks about.

The issue he’s stating is the wrong use of pseudo-random number generators, or PRNGs. It’s not exactly new knowledge, but it’s knowledge that’s still unknown to many developers around the globe. Pseudo random number generators are used in a whole array of different corporate settings, from session id’s in user systems, to e-mail verification tokens, to CAPTCHA fields (those things in forms to check you’re not a spam computer) and beyond that. Many security features rely on the presence of some random number generation that is unpredictable by a hacker attacking your system. The problem is however, that unless you do it right, that number generator you thought was unpredictable is actually very predictable. In many cases, the attacker just needs to know a little about the generator used and perhaps a little math.

James Roper takes you through a number of examples of how you can crack a system using these pseudo-random number generators badly. We must however admit his examples and the tricks used are quite technical unless you’re a seasoned developer, computer scientist or mathematician.  So if you’re not one of these things but you have developers in your staff, consider asking them to read the material and tell you if this is an issue in your systems.

The first blog-post from James details how developers often use linear congruential PRNGs that are actually not cryptographically secure and how you can crack a system using these. Here exemplified by Java’s java.util.Random:

http://jazzy.id.au/default/2010/09/20/cracking_random_number_generators_part_1.html

The second blog-post from James details some of the math involved in calculating previous seeds in linear congruential PRNGs:

http://jazzy.id.au/default/2010/09/21/cracking_random_number_generators_part_2.html

The third and fourth blog-posts from James looks at a much more complex pseudo random number generator called the Mersenne Twister, which is used by the rand() function in Ruby, the random module in Python and the mt_rand() function in PHP. It turns out even systems using this is fairly easy to crack, however it’s a bit more involved:

http://jazzy.id.au/default/2010/09/22/cracking_random_number_generators_part_3.html

http://jazzy.id.au/default/2010/09/25/cracking_random_number_generators_part_4.html

This ends James Ropers series on pseudo random number generators, at least for now. According to his fourth blog-post, he will be putting up a fifth part detailing how developers can ensure their applications are secure against attacks on pseudo random number generators. He hasn’t done that yet, but perhaps he will. We encourage you to keep an eye on his blog and we’ll also try to inform you if it turns out he publishes such a post.

Until then however, we can tell you the two basic things needed to ensure secure use of a pseudo random number generator:

1. Use a cryptographically secure pseudo random number generator
   (like java.security.SecureRandom in Java).
   You can usually check whether a PRNG is cryptographically secure through the generator’s documentation.
2. Always use an entropy based seed source!
   This is really critical, because even cryptographically secure PRNGs are easily breakable if you can approximately guess the seed used. The generator’s documentation will most likely state the default seed source used, so make sure that’s something entropy based, like electronic static or something to that effect. An example of an entropy source is /dev/urandom on Linux.
   And for the love of god don’t ever use something like the current time for a seed – it’s easy to crack if the attacker can just approximately guess what that time was.

That’s about it, I hope you got something out of James Ropers work on this.

Just for the record, James Roper is in no way related to Aconiac Security Group and vice-versa. We’re simply telling you about his work because it’s very relevant for most companies out there using IT in any public way. So he gets all the credit for this fine walk-through.

OWASP is the Open Web Application Security Project, which is an open and free set of projects all designed to enhance security of web applications of all shapes and sizes.

In former blog posts we’ve referred you to guides on doing secure Facebook App development and secure Ruby on Rails development, but this time it’s a more general guide we want to bring to your attention.

OWASP has created the OWASP Development Guide which is a giant 293 page long guide on developing web applications with security in mind. With this guide you can accomplish getting a product out there with a reasonable level of security from the get go.

Obviously just using the guide alone won’t be enough, since you still have to do regular code inspections during development, post-development security testing through pentesting and every other “normal” security procedure – however getting the most obvious things right to begin with, will still save you a lot of time and money in the end. So it’s definitely worth taking a good look at. We recommend getting your company’s developers familiar with the principles in the development guide, so that you can avoid some of the most basic security issues all together.

The guide covers all different sorts of normal security issues from the old-school SQL injections to the modern AJAX exploitations, session hijacking and cryptographic issues. The guide is written specifically for software architects, programmers and designers – so some level of technical expertise is needed to read and understand the guide.  Understanding is however helped by quite a few examples, plus occasional code examples in Java, ASP.Net and PHP.

Even though the guide doesn’t directly handle cases with e.g. Ruby on Rails and Django, the principles are the same and transferable (however some of these frameworks may handle certain security issues by default, e.g. cross-site scripting with Django) .

The guide can be found here: http://www.owasp.org/index.php/Category:OWASP_Guide_Project

It’s not that we’ve just been enormously lazy during this summer, sitting on beaches and drinking Mai-Tais – we’ve actually been very busy getting a new website made for Aconiac and working on quite a few client projects.

So despite the fact we haven’t just been lazy, we are still very sorry we’ve neglected the blog here for so long. Hopefully we will be able to post at least once a week all of the remaining year.

If there are any specific subjects you’d like to see us cover, please do say so by placing a comment to this blog post or by contacting us directly. This blog is meant to give you the information you need to work with your business securely and effectively, so obviously we’re interested to know exactly what you need! So please do comment!

The first “real” blog post for this new period will hopefully be posted this weekend, so keep an eye out for that.

First off: I am very much against any form of privacy infringement and believe quite strongly that most forms of proactive surveillance against non-criminals are futile at best and damaging for national security at worst. However this whole case is just somewhat ridiculous.

Yes, Google made a mistake in not disabling that specific piece of software, but calling the data they gathered private is a bit of a joke. What they gathered was data sent unencrypted over a public network. If you’re sending confidential information over a public network unencrypted, Google stealing your deep-dark secrets is the least of your worries. They did it by mistake – many others do it intentionally!

In fact where I’m sitting right now, I can see no less than 7 open wifi-networks. Most are private homes and most of them have, according to Kismet, traffic flowing over them right now. This means that if I wanted to, I could activate software like Kismet or Wireshark and use this to steal every single bit of unencrypted data sent over this network. In fact, I would be able to do this with almost no chance of ever being detected in doing so. Even if the network owners tried to catch me, they most likely would not be able to. That’s simply how easy and risk-free it is.

The reason why I can do this, is because wifi-networks work by transmitting data outward on a given frequency and then let all clients in that network receive all data. It’s then the client’s computer that needs to filter out what was meant for it and what was meant for everyone else. If a computer behaves “nicely” it’ll discard anything not meant for it, but if it’s been put up to intentionally receive everything, you’ve created a so called “sniffer” and all unencrypted data is up for graps.

While software like Wireshark allows you to only “sniff” data sent over the network you’re connected to, Kismet let’s you “sniff” from any network without ever connecting to that network. This effectively makes you completely invisible to the network owners, so they have no way of knowing, that you’re stealing everything they send.

Sadly, most users are completely oblivious to these facts and use open networks as if they we’re their home networks. And sadly in some cases they even are (as was the case with most of the 7 networks here). So effectively, when Google was driving around gathering private data from open wifi-networks, they weren’t really “sniffing” because they had no intention of gathering that data. The users on those networks were however shouting every single bit of so called “private” information in all directions, forcing Google wifi-analysis software to capture and save it.

Now, to be fair: Google weren’t really being smart here and should not have captured data sent over unencrypted networks. It was a bad move and while they didn’t intend to do so, it probably still didn’t give them a boost in their reputation!

That being said, I must however still say, that the real problem here is the user and the open networks. If you don’t want your data to be scooped up by Google, don’t send it unencrypted over an open network. Chances are someone far worse than Google is listening in – especially if it’s a public network near train stations or the like. Sending data over a open wifi-network is, for all intents and purposes, the equivalent of shouting the same information out your office window.

Back in April 2010 we published a blog post describing the secure way of working from open wifi-networks – We recommend you read up on that and use the techniques mentioned there in order to keep private data private in the future.

Now this “hack” is made especially interesting by the fact that the victim was the, at the time, 2008 Republican vice presidential candidate Sarah Palin. Now you may have noticed I write “hack” instead of hack or security break-in, and the reason for this is actually quite simple: It really wasn’t a hacker attack!

What this kid (David C. Kernell) did, was that he simply used the “Forgot your password?” feature on Yahoo Mail to guess his way in to change Sarah Palins password and gain access to her mails. In the end, he actually gained access by using publicly available information and subsequently reacted by bragging on a discussion board while posting pictures of Sarah Palins e-mails. That’s not hacking! What he did was, at best, correctly estimating Sarah Palin’s knowledge of proper password policy.

Now what would an appropriate reaction be to such an incident? He’s clearly a reckless idiot, so some action should probably be made. Yet, at the same time, he showed Sarah Palin knows very little about basic security, thereby making a quite powerful (and perhaps needed) political point. If she can’t even secure her e-mail against amateurs, how is she going to secure the nation against ruthless psychopaths?

But basically, no matter what the appropriate reaction was, the prosecutors and Sarah Palin went with, for all intents and purposes, ending this person’s life! They went to court and tried to get him convicted for crimes with a combined punishment of up to 21 years and 250000$ in fines. All for guessing a password!

Until now he’s been convicted of felony destruction of records to hamper a federal investigation and of a misdemeanor charge that he unlawfully accessed a protected computer. He was however acquitted of a federal wire fraud charge. What level of punishment he’ll end up getting is hard to guess at, at the moment. But almost no matter what kind of punishment he gets, there’s a high likelihood it’ll be grave overkill.

Let’s face it: This 22 year old man is a moron – he did something enormously stupid. Not so much because he showed a grave lack of security understanding from the possible future vice president, but because he didn’t inform her, or her people, and didn’t give them sufficient time to correct the issue before sending it to the proper media channels. All in all he should have been a lot smarter! But that being said: What harm did this person really do?

Now, I’m all for punishing criminals and putting dangerous people behind bars. However a person like this isn’t really dangerous, he’s just not well-mannered. Had there been a proper, legal and well-documented process for reporting security issues in systems or procedures, then he would most likely have used these to get what he wanted: To show Sarah Palin knew little about security! Bare in mind, almost all IT-security professionals have learned primarily by doing – as in, they’ve tested their methods in more or less moral ways. Personally, I’ve always tried to keep to the moral part, however many others have been somewhat morally challenged – yet are now enormously talented and hard working. In fact, some of the best security professionals I’ve met are former “criminal” hackers to some degree.

So what’s my point with all this? Well basically: A young man/woman who “hacks” into a system and flaunts about it, is a person who lacks a place to be. We have full-fledged university degrees for biochemists, computer scientists, lawyers, politicians, engineers etc., yet we don’t have one for a hacker? We even educate police and military in the tactics of their enemies and how the enemy operates – even to the degree that certain soldiers have to act like the enemy in training in order to simulate combat. Yet we still don’t have any equivalent program to educate military hackers or security experts, even though we know for a fact that hacking has been used to attack a country’s infrastructure.

My five cents here is that David C. Kernell shouldn’t be prosecuted to the fullest extent of the law. He should get a slap on the wrist for handling it stupidly and for publishing/reading the content of Sarah Palin’s e-mails, and should then be thanked for showing the problem and put into a training program for IT and Security somewhere in the US. Even though this “hack” was enormously simple, he might still have some talent that could be used for so much good, instead of just throwing a 22 year old kid in jail and wasting his life.

We’re in a very problematic place in our society if showing the government aren’t doing some task well enough, results in oneself being imprisoned for the majority of one’s adult life.

Such a society is quite surely insecure!

This week they came out with a new finished OWASP Project: The Top 10 Security Threats of 2010.

The project website is located here and the full 22 page report can be found here: OWASP Top 10 for 2010 (pdf)

Basically what this is, is a break down of the most severe security issues in web applications for the year 2010. What’s especially scary about it is however, that these 10 security issues have stayed largely unchanged since the Top 10 of 2007. In fact only two issues have been replaced on the list, making the OWASP top 10 security threats of 2010 (the new ones are bold):

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

What this shows us is that despite the efforts of OWASP, Aconiac and similar organizations, the security field has stayed largely unchanged and developers are still making the same mistakes in their designs and code. It might very well not be entirely possible to change this fact in general, even given 10 years from now.

But while companies in general may be making these mistakes, you don’t have to! The OWASP report includes several pages describing the security issues in detail, including an analysis of the risk it imposes on your business and what impact a breach might result in. We encourage you to download and read the entire 22 page PDF and make it mandatory reading for every developer and designer in your organization.

And have you even been a bit too tempted and logged onto this open network? Again, most probably have.

Now, have you then started working while on this network and directly sent corporate information or handled information on your corporate systems? Sadly, many have and if you’re one of them: Read on! Using open networks directly for sensitive data (like corporate data) is a big security no-no!

So why would this be a problem? Isn’t it just free internet for the masses? Well, yes and no. Yes it’s probably a network you are completely free to use. It might even be a network owned by the office building, hotel, airport or which ever company you’re at. But due to the way wifi-networks are designed, everything you send over this network is completely public. Every person, on the network or simply in the vicinity, can easily set up a simple network scanner like Wireshark or Kismet and directly save all the information you send over this network, including all e-mails, websites you visit, data you send to websites, data you receive – plain and simply everything! And you have no way of detecting this! None what so ever! There is absolutely no way to check for eavesdroppers on an open unencrypted network.

To add insult to injury, eavesdropping on a network is extremely easy to do and there are several easy to use tools out there that hordes of 15 year old script kiddies love to use to steal as much information as they possibly can – for no other reason than: They can!

So are we advocating not using public open wifi-networks? No, not at all – you just need to use them correctly!

You can look at it like this: A public open wifi-network gives you a gateway on which you can build a connection to your workplace and work from there. How do you do this? Well basically there are several solutions here:

• Make the network encrypted.
  Well normally you won’t have the option of doing this, but in most cases it is simply better to keep smaller networks encrypted and then only use encrypted networks. Preferably using WPA2-PSK or WPA-Enterprise as encryption schemes. This is however most likely not a possible solution!
• Use a VPN connection
  A VPN (Virtual Private Network) is a technology with which you can remotely connect to your organization’s network in a completely encrypted manner. It is by far the most transparently secure solution available and is generally the one we would suggest to companies wanting their employees to be mobile always.
  There are several VPN solutions available out there, including big corporate solutions from companies like Cisco and open source solutions like OpenVPN.
• Access resources with SSL/TLS
  While VPN applies to all network traffic sent from your computer, there is also the other option of encrypting critical parts of your work like e-mail, FTP access, critical websites etc. There are protocols to support this for almost all the different kinds of traffic including: POP3S and IMAPS for email, SFTP for FTP and HTTPS for websites.
  Using this solution may in many ways be simpler, but it assumes you know beforehand every place from which you will be needing critical information. It also puts a considerable extra security concern onto the individual employee, since this person now has to deduce whether or not the given communication he/she is doing at the moment is secure or not. Using VPN, these concerns go away in most cases.
• Remote desktop solutions
  Another option, that’s somewhat similar to the VPN option, is to have the employee make a secure connection to a server at the workplace and from there open up a terminal service running another computer remotely. Solutions like this are available in many forms like VNC, RDP and proprietary solutions from companies like Citrix. This gives the employee a remote view of his/her workstation desktop even though he/she is no way near the actual office and, most importantly, it makes it possible for him/her to work securely from any network.

So you can look at it like this: If you’re not doing any of the above, you have a problem and should take it up with your company in order to get a security policy on the matter and making it safe for the company to work from anywhere! Mobility is one of the top priorities in business these days, and you really want to use the opportunities laid before you well, without screwing yourself because of bad security.

So remember: Public open networks aren’t bad, but you need to keep your assets safe while using them!

For several years now,  smart phones have increased in popularity and will continue to do so for years to come. We are truly only in the beginning of this development and can expect to see even faster and better systems in the future.

One thing that is however still lacking is effective handling of mobile security for a company with more than a few employees. Most available solutions are monolithic solutions where a company buys a software suite with some number of features (anti-virus, anti-spam, locking mechanism etc.) and then has to manually install this suite onto every single employee’s phone one by one, and subsequently if any additions are made to the software later on, in most cases you’d have to do the same manual reinstall all over again. In the end this can lead to enormous financial costs for a company, simply in shear terms of man-hours used!

Hoodgate is adopting another solution to the problem! Hoodgate will be offering a service where you, as a customer, can handle all your employee’s phones through a central control panel. Through this control panel you can then create a “Mobile Security Policy” for your company.

A “Mobile Security Policy” is basically the features you want to have, e.g. the ability to find a given phone through GPS, encrypted e-mails, remote lock of the phone (in case of theft), voice logging, and much more. Once you have a customer profile you can easily buy new features, remove old or order specially developed ones, and all these changes to your “Mobile Security Policy” are automatically sent to all your employee’s phones, ultimately making management of security for your mobile workforce much easier and cheaper. It is then the Hoodgate software on these phones that take in updates and synchronizes with the company “Mobile Security Policy” stored with Hoodgate online, rather than your system administrators having to do it manually.

Hoodgate is just starting up now, and does not at the moment have a finished product. We will however be making regular updates on how the development is going, and try to continually involve future customers in the development, in order to make as good a product as humanly possible.

The platforms we intend to support are the following:

With development prioritizes more or less in that order, so that the primary platform is Android.

All the plans above are of course still preliminary and open for change, and you can easily have a say in those changes and speak your mind to us. All you have to do is comment on this blog post, contact us directly or on one of the social networks we’re on (links are farther down). We’re very curious to hear what you think, even if you’re the type of guy/girl who loves to point out flaws in plans or designs – a real hacker type person! Feel free to contact us and point out what we’ve done wrong or haven’t thought about. In the end your opinions might very well result in an even better final product.

The company website can be found at http://www.hoodgate.com/ although it’s still very preliminary. As we state several times on the page: We’d rather use our time developing the software you need rather than worry about website details at the moment. The short comings on the site will however be handled within the near future.

You can also find us at other places on the web. We invite you to get involved and get your voice heard. We’re listening!: