<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0"><id>tag:blogger.com,1999:blog-29857200</id><updated>2009-09-21T21:37:36.876+10:00</updated><title type="text">Away by Fucs</title><subtitle type="html">Current issues, reading suggestion and a little bit of cheap philosophy regarding information security.
&lt;br&gt;
&lt;br&gt;
By Andre Fucs</subtitle><link rel="alternate" type="text/html" href="http://www.fucs.org/english/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.fucs.org/english/atom.xml" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/Away" type="application/atom+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry><id>tag:blogger.com,1999:blog-29857200.post-7789217426559644316</id><published>2009-09-21T21:33:00.003+10:00</published><updated>2009-09-21T21:37:37.089+10:00</updated><title type="text">Something to reflect about</title><content type="html">If the US Constitution and Bill of Rights can be printed on just &lt;a href="http://constitutioncenter.org/633876696043236250.pdf"&gt;17 pages&lt;/a&gt;, why would an information security policy need anything near that?</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/7789217426559644316/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=7789217426559644316" title="0 Comments" /><link rel="edit" type="application/atom+xml" 
href="http://www.blogger.com/feeds/29857200/posts/default/7789217426559644316" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/7789217426559644316" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/tV1YumRDdOQ/something-to-reflect-about.html" title="Something to reflect about" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/09/something-to-reflect-about.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-8199811669724757262</id><published>2009-04-28T15:52:00.001+10:00</published><updated>2009-04-28T16:15:00.059+10:00</updated><title type="text">Reasons why I like to take care of my garden 1</title><content type="html">&lt;span xmlns=''&gt;&lt;p&gt;Short note:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Recently Chris Soghoian – who reached stardom after faking boarding tickets – signaled he has plenty more to offer! In fact I wonder whether he should consider moving into the comedy business!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;"A slightly more laborious method would be to hack the software running on the BlackBerrys and flash the devices with a new serial number. While this is quite possibly a violation of the Digital Millennium Copyright Act (which prohibits most forms of phone hacking), it is unlikely that Research In Motion (which makes the BlackBerry) would sue the White House for engaging in such reverse engineering."&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Why would the US Government hack the BlackBerry firmware when they can simply ask RIM to insert such a simple feature on a few of the devices? 
More important is the fact that RIM is a Canadian organization rather than an American business. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;You don't like the DMCA? Fair! But… you know… well… never mind…&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/8199811669724757262/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=8199811669724757262" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/8199811669724757262" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/8199811669724757262" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/E5hhosgZcv0/reasons-why-i-like-to-take-care-of-my.html" title="Reasons why I like to take care of my garden 1" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/04/reasons-why-i-like-to-take-care-of-my.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-5309203771815302268</id><published>2009-04-09T17:21:00.001+10:00</published><updated>2009-04-09T17:21:10.232+10:00</updated><title type="text">Save the trees, publish your materials as PDF, HTML, DOCX… 
whatever</title><content type="html">&lt;span xmlns=''&gt;&lt;p&gt;Is there anything more embarrassing than coming back from an enterprise content management training with two student booklets for which you have no PDF source? Dear friends, nowadays Microsoft Office comes equipped with semi-decent OCR software, and ADF-equipped multifunction devices are bloody cheap. Copying your materials isn't hard, so please save your patrons the trouble of scanning and running character recognition, and provide them with PDFs!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Instead of trying to "protect" your intellectual property, be smart and promote your brand… Call your marketing dept and tell them that your company is trying to reduce its carbon footprint by providing paper-free training; find a good excuse, but PLEASE, save us from those horrible-looking printed booklets…&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;The author spent a few hours time-shifting some training he attended, in other words, feeding his scanner's ADF with double-sided presentation printouts.&lt;/em&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/5309203771815302268/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=5309203771815302268" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/5309203771815302268" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/5309203771815302268" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/Away/~3/eafRFTM8qjw/save-trees-publish-your-materials-as.html" title="Save the trees, publish your materials as PDF, HTML, DOCX… whatever" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/04/save-trees-publish-your-materials-as.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-5326493680472378181</id><published>2009-03-27T10:22:00.002+11:00</published><updated>2009-03-27T11:36:27.976+11:00</updated><title type="text">Hoff on Cloudastrophes</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;Chris Hoff has a very &lt;a href="http://www.rationalsurvivability.com/blog/?p=590"&gt;interesting post&lt;/a&gt; on the hype revolving around recent Cloud failures, but reading the post I couldn't find answers to a few important issues:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The Cloud business model depends on highly available infrastructure running software and hardware covered by limited-liability warranties. Carbonite may try to sue Promise, but anyone who reads the Limited Warranty offered by the vendor knows that Carbonite will have trouble getting any compensation for its losses other than hardware costs. 
It is in fact a funny situation: its SLA with the customer governs service availability, while its contract with the technology providers does not offer any sort of warranty.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;small&gt;BTW: The Carbonite lawsuit against Promise is a perfect example of why bugs are negative externalities (and why the "No more free bugs" initiative is indeed a positive shift).&lt;/small&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Another interesting point is the reference to the IBM Cloud Certification Program; certainly one of the weirdest ideas I've ever heard, but probably a great marketing opportunity... Let's start with the basic question: who would hire IBM, the Cloud customer or the Cloud provider? And, hey, it is an IT service provider auditing others…&lt;br /&gt;&lt;/p&gt;&lt;p&gt;If the customer is responsible for the hire, it would be incurring expenses that would later be used as marketing by the cloud provider. Not to mention the issue of having an ITO provider auditing its competitors. I can tell you from my own experience that it is possible to audit your competitor on behalf of a common customer, but this is a hell of a weird situation where results are below optimal, not to mention the clear conflict of interest…&lt;br /&gt;&lt;/p&gt;&lt;p&gt;So, the most probable outcome will be the Cloud provider hiring the certification agent, as currently happens with ISO standards such as 27001, 9000, etc. Oh gosh, so after the PCI conundrum we are set for the &lt;em&gt;"ISO/IEC XTC for Cloud Computing Quality Management System"&lt;/em&gt;? Freaky! &lt;strong&gt;VERY&lt;/strong&gt; freaky! Think PCI! Now think Heartland! And now think RBS! 
Now try to go to sleep…&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/5326493680472378181/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=5326493680472378181" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/5326493680472378181" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/5326493680472378181" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/wK7xEz-JgqQ/hoff-on-cloudastrophes.html" title="Hoff on Cloudastrophes" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/hoff-on-cloudastrophes.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-611106824605564765</id><published>2009-03-25T05:53:00.002+11:00</published><updated>2009-03-27T11:41:11.417+11:00</updated><title type="text">To be or not to be… an information security “professional”</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;What makes a professional? Is it the income one earns? The knowledge one holds? The code of ethics one subscribes to? 
Maybe a title one holds?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Most of us "security professionals" are members of, and subscribers to the &lt;em&gt;"Code of Ethics"&lt;/em&gt; of, at least one information-security-related body, such as the ISC&lt;sup&gt;2&lt;/sup&gt;, ISACA or the ISSA; as such, we commit to being "professionals", but curiously enough one question is seldom raised: what does it mean to be a professional?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Looking at the CISSP Prep Guide Golden Edition or similar material, you notice the cookie-cutter approach so common in certification preparation material, but surprisingly enough discussions about the subject are still rare, and few certified practitioners seem to understand the implications of being a "professional".&lt;br /&gt;&lt;/p&gt;&lt;p&gt;But if the definitions of profession and professional are already concerning, even more concerning is the lack of debate on what professionalization means to the information security market. In fact, most certified practitioners believe professionalization will lead to higher quality standards for the work conducted by their peers. Still, the current market situation seems to prove the opposite.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The market we are part of is almost a circus where one can easily find heralds of fear, compliance preachers, soldiers of fortune, marketers, &lt;em&gt;über&lt;/em&gt;-hackers obsessed with the latest vulnerability research and risk gurus that know absolutely nothing about threats.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;But what if the circus is healthy after all? Perhaps it is, especially because I can't help developing the impression that information security isn't a science but an art where creativity is vital.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Sadly, during the process of professionalization and &lt;strong&gt;occupational closure&lt;/strong&gt;, the definition of a core body of knowledge and a learning path is built at the expense of a greater range of experiences and opinions. 
The suppression of diversity creates a more cohesive labor force, but also creates professionals with less experience from areas other than IT, or, as &lt;span xmlns=""&gt;William Barrett&lt;/span&gt; points out, the more specialized a professional, the sharper the focus and the shorter the sight.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;So instead of pushing towards professionalization, we should seek exactly the opposite, looking into other fields and promoting new ideas.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;We depend more on the ingenuity of the criminal than on the resourcefulness of the security specialist, but we can still try to forecast the troubles.&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;PS: It is important to point out that this is not a critique of the certification industry itself, but of the aspiration of certain professionals in the industry to frame it within certain parameters. As an unconventional friend of mine once &lt;a href="http://www.fucs.org/portugues/2006/12/andre-fucs-entrevista-paulo-t.html"&gt;said&lt;/a&gt; (in Portuguese), certifications are a useful way of setting learning targets (as much as a degree is).&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/611106824605564765/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=611106824605564765" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/611106824605564765" /><link rel="self" type="application/atom+xml" 
href="http://www.blogger.com/feeds/29857200/posts/default/611106824605564765" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/qSU_peMRzWM/to-be-or-not-to-be-information-security.html" title="To be or not to be… an information security “professional”" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/to-be-or-not-to-be-information-security.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-4861893831810707979</id><published>2009-03-24T23:29:00.001+11:00</published><updated>2009-03-24T23:42:26.918+11:00</updated><title type="text">Charge, charge all you can, save some bucks and be happy.</title><content type="html">&lt;span xmlns=''&gt;&lt;p&gt;Let's make it clear: I am a supporter of full disclosure; after all, criminals have every motivation to find bugs and keep them to themselves. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;But I must also say that I fully support the point defended by Dino Dai Zovi and some of our peers when they say that &lt;a href='http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/'&gt;researching security bugs should be a paid job&lt;/a&gt;. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;As &lt;a href='http://papers.ssrn.com/sol3/papers.cfm?abstract_id=894966'&gt;Camp and Wolfram noted&lt;/a&gt;, bugs can be considered negative externalities, in this case a situation where the producer's weak quality control has negative "economic consequences for others for which there is no compensation". 
At the same time, economists agree that the originator of the negative externality will not take it into consideration unless prevented or discouraged, and therefore produces more faulty software than it would if it had to pay the cost of testing it.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The problem isn't Dino Dai Zovi's belief that he should be paid; he should. If he doesn't charge, companies will keep doing wrong and shipping improperly coded software under the cloak of "innovation". Nor is it about greed; after all, competition tends to reduce Dino's profit, so no wonder the brilliant researcher is chasing &lt;a href='http://www.theta44.org/software/HVM_Rootkits_ddz_bh-usa-06.pdf'&gt;other subjects&lt;/a&gt;…&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The problem is the lack of transparency in the vulnerability markets. &lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Who buys the vulnerabilities? For what purpose?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Well… I'm not sure we want the answers. 
&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/4861893831810707979/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=4861893831810707979" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/4861893831810707979" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/4861893831810707979" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/k3HFEcsa4no/charge-charge-all-you-can-save-some.html" title="Charge, charge all you can, save some bucks and be happy." 
/><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/charge-charge-all-you-can-save-some.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-7870056305216714750</id><published>2009-03-22T13:31:00.003+11:00</published><updated>2009-03-22T13:57:09.138+11:00</updated><title type="text">I want to be a security futurologist; does anyone have a job to offer me?</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;In the future there will be two types of illiteracy: those who are unable to read and those who are unable to use computers.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Do you agree? Well, nowadays the sentence is a cliché, but imagine spending your childhood hearing this exact sentence. No, I wasn't raised by Arthur Luehrmann; I guess the issue is that my mom quickly realized that despite the modest adoption of computers in South America before the 90s, computing was the future and LOGO was the first step... (oh gosh, better change the subject).&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Back in 2000, at CFSEC Security Architects, I noticed the rise of Windows-based Automated Teller Machines and speculated that ATM-specific worms would follow. My assumption was that although ATMs are usually deployed on segregated networks, criminals would be able to bypass segregation by collusion or by attacking fragile elements of the network, such as the communication facilities used by &lt;a href="http://www.diebold.com/solutions/atms/opteva/html/model_522.htm"&gt;standalone Lobby Cash Dispensers&lt;/a&gt;. 
The idealized concept was a worm able to instruct &lt;a href="http://www.talaris.com/nmd-100.html"&gt;&lt;span style="text-decoration: line-through;"&gt;De La Rue &lt;/span&gt;Talaris cash dispensers&lt;/a&gt; to "spit money" out of the ATM cash cassettes or to dynamically reassign the cassette denominations in the ATM system.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The first feature was clearly influenced by the movies, while the second originated from a Brazilian student tale about an incident where an ATM started dispensing bills incorrectly and customers formed a long queue to withdraw $20 and receive two $50 bills instead. The ATM was said to be located at &lt;a href="http://www.nce.ufrj.br/"&gt;UFRJ's Computer Sciences building&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The concept led to a series of interesting off-the-record discussions with people from the banking industry but failed to go mainstream until... last week, when &lt;a href="http://www.theregister.co.uk/2009/03/17/trojan_targets_diebold_atms/"&gt;The Register reported on the discovery by Sophos of malware targeting ATMs&lt;/a&gt;, and another of my bizarre ideas became reality.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Sadly, the malware failed to achieve cinematographic status, relying instead on an effective but boring strategy:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The malware just recorded the details of cards used on the ATM.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Blah... 
:-)&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/7870056305216714750/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=7870056305216714750" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/7870056305216714750" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/7870056305216714750" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/AU4CpiAFaRk/i-want-to-be-security-futurologist-does.html" title="I want to be a security futurologist; does anyone have a job to offer me?" 
/><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/i-want-to-be-security-futurologist-does.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-5627003040225491048</id><published>2009-03-15T15:57:00.002+11:00</published><updated>2009-03-15T16:27:15.504+11:00</updated><title type="text">The PCI DSS saga</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;The polemical Ayn Rand once wrote:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;"If there is any one way to confess one's own mediocrity, it is the willingness to place one's work in the absolute power of a group, particularly a group of one's professional colleagues. Of any form of tyranny, this is the worst: it is directed against a single human attribute: the mind – and against a single enemy: the innovator. The innovator, by definition, is the man who challenges the established practices of his profession. 
To grant a professional monopoly to any group is to sacrifice human ability and abolish progress; to advocate such a monopoly is to confess that one has nothing to sacrifice."&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Those who want PCI DSS to be more prescriptive should reflect on what they want.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The same applies to those who think PCI DSS is fine as it is.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;More about Rand's words soon.&lt;/p&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/5627003040225491048/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=5627003040225491048" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/5627003040225491048" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/5627003040225491048" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/gR0gOi_uiow/pci-dss-saga.html" title="The PCI DSS saga" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/pci-dss-saga.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-4306440386700718978</id><published>2009-03-11T15:45:00.005+11:00</published><updated>2009-03-27T11:40:04.033+11:00</updated><title type="text">The Cloud and the security buzzwords</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;Since the beginning of the industrial revolution, the industrial society passed thru a huge number of changes, from the limitation of child work in the western societies to the introduction of the lines of production by Ford, passing by the popularization and ongoing decline of the mass newspaper industries. I wonder to know if the buzzword malady was also reality for the early workers and capitalists. Probably yes.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;At the moment few buzzwords are more shocking to me than the idea of SaaS &amp;amp; Cloud security are anything rather than pure old security. I confess I try, but every time I stop to read the general discussion about the three subjects I notice a gigantic amount of… well… nothing.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I really try, but I can't read Chris Hoff idea of &lt;a href="http://rationalsecurity.typepad.com/blog/2009/01/a-couple-of-followups-on-my-edos-economic-denial-of-sustainability-concept.html"&gt;Economic Denial of Sustainability&lt;/a&gt; and see it as something new.  
In fact, the model Hoff uses to present his concept is a clear and very smart case of DoS made the right way, but calling it by other names, may sound brilliant to some and &lt;a href="http://www.sensepost.com/blog/2905.html"&gt;silly to others&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Those who old enough in the industry will remember that Cray supercomputers where an idealized &lt;a href="http://cu-digest.org/phracks/phrack-43"&gt;target for hackers seeking to crack passwords&lt;/a&gt;, but once the hacker succeeded into getting an account, he would face the challenge of dealing with a large number of users totally obsessed with their &lt;a href="http://lc.cray.com/%7Ekjt/env/index.html"&gt;CPU&lt;/a&gt; &lt;a href="https://www-users.cscs.ch/resources/xt3/docs/Budgets.html"&gt;quota&lt;/a&gt; &lt;a href="http://www.pcc.qub.ac.uk/tec/courses/cray/stu-notes/CRAY-completeMIF_9.html"&gt;consumption&lt;/a&gt;. And if this is not convincing enough, I remind you that even &lt;span style="font-style: italic;"&gt;&lt;a href="http://en.wikipedia.org/wiki/Gus_Gorman"&gt;Gus Gorman&lt;/a&gt;&lt;span style="font-style: italic;"&gt; &lt;/span&gt;&lt;/span&gt;discovered how to achieve "death by 1000 cuts" long before Chris would craft the EDoS term!&lt;br /&gt;&lt;/p&gt;&lt;p&gt;And since Chris talks about economy, better we start with the &lt;a href="http://www.econ.iastate.edu/classes/econ101/Bhattacharjee/documents/Lecture1.ppt"&gt;Microeconomics 101&lt;/a&gt; and remember that scarcity is one of the bases of the current economic thinking; so in fact every DDoS attack is an attack on scarce resources. The point is that people on our industry focus on the link, CPU, but businesswise, the question is one and only: Is the hassle (of being online) cost less than the benefit achieved?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Would you call of EDoS a company attempt to take over human capital from a competitor? 
I guess most of us would call it business as usual, in the same way that keeping control of the CPU quota was business as usual for the supercomputer users.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Still, Hoff's EDoS concept is also a very good attempt to think out of the box. My problem with his idea emerges not from the concept itself but from the attempt to create a new class of attacks within the scope of "cloud security", a classical &lt;em&gt;buzzwording&lt;/em&gt; attempt.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;My impression is that things like cloud security come from the industry habit of seeing security problems with too much focus on technology, and of projecting our own cultural perspectives onto the interpretation of the circumstances. These are people inventing magical solutions to solve models that are confused from inception and &lt;strong&gt;may&lt;/strong&gt; not survive the next decades.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It is sad to say, but I have a feeling that the "professionalization" of the security practice is starting to show the disadvantage of specialization, or, as William Barrett put it, &lt;em&gt;"the more specialized… the more nearly total the blind spot toward all things that lie on the periphery of this focus".
&lt;/em&gt;No wonder a large part of the industry fails to identify the cloud and SaaS as new names for a business model that has come and gone in the IT industry several times over the years.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The buzzwords are becoming more and more deeply rooted in the information security leadership, and this is concerning; after all, even students in Microeconomics 101 learn that when advertising leads to increased monopoly power or is self-canceling, the consequence is the good old economic inefficiency.&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-4306440386700718978?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/azaKjywZbC0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/4306440386700718978/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=4306440386700718978" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/4306440386700718978" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/4306440386700718978" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/azaKjywZbC0/cloud-and-security-buzz-words.html" title="The Cloud and the security buzzwords" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/cloud-and-security-buzz-words.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-2539989080380234201</id><published>2009-03-10T12:26:00.006+11:00</published><updated>2009-03-10T21:17:21.623+11:00</updated><title type="text">We told you so… AGAIN?! (x 2!)</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;We realized it, we submitted it and we presented it; still, the antivirus vendor market proved once again why it is frequently seen as lagging behind the creativity of the malware creators. Conficker seems to be the first botnet engineered with the &lt;a href="https://forums2.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717#A230"&gt;PRNG&lt;/a&gt; idea we (&lt;a href="http://www.securitybalance.com/"&gt;Barros&lt;/a&gt;, Fucs &amp;amp; &lt;a href="http://visigodos.org/blog/"&gt;Pereira&lt;/a&gt;) presented at &lt;a href="http://www.blackhat.com/presentations/bh-europe-07/Fucs-Paes-de-Barros-Pereira/Presentation/bh-eu-07-barros.pdf"&gt;Blackhat Europe 2007&lt;/a&gt;. This isn't all: at the bottom of the Symantec Security Response Blog, they explain:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;"As we have said previously, the authors of Downadup are not beginners and they may have the feeling that someone—sooner or later—would break their domain prediction algorithm.
So, to avoid losing their botnet, they put a secondary (strong) protection into the threat, which makes it impossible for anyone (other than the original authors) to upload new malicious components onto compromised machines."&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Symantec has still not released details, but I guess that Conficker also introduced the use of digital signatures to ensure integrity and, why not, authenticate the content downloaded by the bot.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The idea did not come out of the blue and I hate to sound smug, but it was also presented by us… :-)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Botnets – and P2P if that matters – lacked security features to ensure their longevity. We presented 4 main concepts that would emerge as solutions to existing issues in botnet design:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Modularity, including the use of XML-based commands;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Peer 2 Peer communications;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Public key encryption, including support for digitally signed command messages;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;One-time tokens used to identify command pages scattered over the network.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Still, despite our alert, the antivirus emergency teams were quite surprised by the emergence of the new generation of the Conficker malware.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It may sound obvious, but I have reasons to believe that the use of pseudo-random C&amp;amp;C tends to replace the now highly ineffective IRC channel control; however, unlike the Conficker approach of using domain names, the C&amp;amp;C centre will rely on some other form of reasonably unrestricted traffic channel.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It is hard to guess with precision, but I would not be surprised by an attempt to use Google Apps, SSL or another DNS attempt using alternative DNS root servers in the near future.
Each of the approaches has its own limitations and I'm sure the botnet designers will soon get to the point that only a hybrid multigenerational P2P botnet[*] will be able to circumvent these limitations.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;One possibility that flashes in my mind is that the Conficker designers preferred DNS domains for three main reasons: the first is that DNS traffic is largely unrestricted; the second was an expectation that ICANN would not be able to react quickly to the issue; and the third is the simple flexibility of the DNS protocol.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The fact is that we all know where botnet design is moving, but a question remains: Are the antivirus development teams already working on it?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Only God knows…&lt;br /&gt;&lt;/p&gt;&lt;p&gt;[*] What a hell of a long name for a P2P botnet that still lightly relies on a seeding SPoF to wake up, but is able to continue talking with previous generations of the botnet on a P2P basis... exactly like... Conficker!
:)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Update I: &lt;a href="http://mtc.sri.com/Conficker/"&gt;A post from SRI&lt;/a&gt; confirms the use of Signed Binaries by the Conficker bot to check downloaded executables.&lt;/span&gt; &lt;span style="font-style: italic;"&gt;(10 Mar 2009 @ 9:36 GMT)&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-2539989080380234201?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/ses5Y1UxEZU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/2539989080380234201/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=2539989080380234201" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/2539989080380234201" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/2539989080380234201" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/ses5Y1UxEZU/we-told-you-so-again-x-2.html" title="We told you so… AGAIN?! 
(x 2!)" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/03/we-told-you-so-again-x-2.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-6575492638325236839</id><published>2009-02-21T21:58:00.005+11:00</published><updated>2009-02-21T22:05:52.359+11:00</updated><title type="text">HiTB 2008@KL videos released</title><content type="html">&lt;span xmlns=""&gt;&lt;p&gt;I mentioned before that the classic song &lt;em&gt;Viva Las Vegas&lt;/em&gt; will soon be replaced by Viva KL or Viva Dubai. The excellent Hack in the Box conference series continues to deliver high-quality content at very accessible prices, especially for those orbiting the APAC region, providing a great alternative to Blackhat for those not willing to take long flights to the US or Europe.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I was introduced to the HiTB conference by a good friend, emx, who strongly recommended it.
He was 100% right, and last year's conference in Kuala Lumpur proved to be a great source of novelty and polemics, including the already famous keynote by Marcus Ranum, where you can see the humble owner of this blog trying to annoy the talented speaker. (Ranum is indeed a great speaker.) :-)&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;object width="320" height="265"&gt;&lt;param name="movie" value="http://www.youtube.com/v/1B_Hmg6xQFM&amp;hl=en&amp;fs=1&amp;color1=0x3a3a3a&amp;color2=0x999999"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/1B_Hmg6xQFM&amp;hl=en&amp;fs=1&amp;color1=0x3a3a3a&amp;color2=0x999999" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="320" height="265"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;p&gt;For those with no download quotas, the HiTB organizers uploaded the conference videos to The Pirate Bay and, despite the large size of the torrents, you should check them out.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1"&gt;http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2"&gt;http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-6575492638325236839?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/uMHzwWzI-Rs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/6575492638325236839/comments/default" title="Post Comments" 
/><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=6575492638325236839" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/6575492638325236839" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/6575492638325236839" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/uMHzwWzI-Rs/hitb-2008kl-videos-released.html" title="HiTB 2008@KL videos released" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2009/02/hitb-2008kl-videos-released.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-1992354041067518047</id><published>2008-11-07T22:21:00.007+11:00</published><updated>2008-11-13T13:07:36.474+11:00</updated><title type="text">No, I'm not coming back yet... but I keep reading the blogsphere...</title><content type="html">Hey fellas, hope you still remember this blog exists. :-)&lt;br /&gt;&lt;br /&gt;Well... It still does, and although I do not write here frequently, from time to time I feel an urge to do so.&lt;br /&gt;&lt;br /&gt;Earlier this week I was reading &lt;a href="http://www.securitybalance.com/2008/10/virtualization-give-me-a-better-os-instead/trackback/"&gt;Security Balance&lt;/a&gt;, a friend's blog, and noticed that his last post raised a few concerns about so-called virtualization security.
Also in his blog, &lt;a href="http://www.mikedipetrillo.com/"&gt;Mike DiPetrillo&lt;/a&gt; &lt;a href="http://www.securitybalance.com/2008/10/virtualization-give-me-a-better-os-instead/#comment-144"&gt;criticizes Augusto for spreading fear and uncertainty&lt;/a&gt; by pointing out that this whole increase of complexity in the virtualization platforms has, at least theoretically, the chance of increasing the risk surface of the virtualization platforms.&lt;br /&gt;&lt;br /&gt;I'm in fact not surprised by Augusto's opinion; not long ago I had the "pleasure" of spending a few hours of a Sunday morning debating this point with a friend who is part of a virtualization development team at MSFT, and my arguments were similar to Augusto's, and indeed our opinion is similar to the one posted by the always ranting but frequently right &lt;a href="http://kerneltrap.org/mailarchive/openbsd-misc/2007/10/24/352059"&gt;Theo de Raadt on an OpenBSD mailing list around one year ago.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In one of his comments on Security Balance Mike diPetrillo asks &lt;span style="font-style: italic;"&gt;"Will we ever have a guest to host attack that’s real? Who knows"&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Let's give Mike a discount; after all, he is working for VMware. But Mike could be a little more cautious about his beliefs; I suggest that he reads at least the Red Hat advisory &lt;a href="http://rhn.redhat.com/errata/RHSA-2008-0892.html"&gt;RHSA-2008:0892-10&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Despite Mike's opinion that &lt;span style="font-style: italic;"&gt;"There’s nothing technical that will prevent it (mixing DMZ and non-DMZ hosts)"&lt;/span&gt;, crazy fellas willing to count too much on virtualization security must remember the basic rule of segregating networks by information classification: do not mix different security zones on the same equipment.
I know, people did that with VLANs and now people are suggesting you do the same with virtualized servers.&lt;br /&gt;&lt;br /&gt;A good reason not to do it? Well... The Dept of Defense seems to stay loyal to the concept of total segregation based on information classification, in fact having not one but at least three different networks (NIPRNet, SIPRNet and JWICS) operating in parallel and &lt;span style="font-style: italic;"&gt;air-gapped.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Virtualization is a great evolution of server computing and I'm sure we will see hundreds of amazing tools based on these technologies, but being a little more suspicious is not spreading fear but being responsible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-1992354041067518047?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/ybgfKP-EEck" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/1992354041067518047/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=1992354041067518047" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/1992354041067518047" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/1992354041067518047" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/ybgfKP-EEck/no-im-not-coming-back-yet-but-i-keep.html" title="No, I'm not coming back yet... but I keep reading the blogsphere..." 
/><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2008/11/no-im-not-coming-back-yet-but-i-keep.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-9174521041950923950</id><published>2008-07-25T14:53:00.006+10:00</published><updated>2008-07-25T15:09:30.891+10:00</updated><title type="text">DNS attack reminder</title><content type="html">Ladies and Gentlemen managing DNS servers.&lt;br /&gt;&lt;br /&gt;Please remember to review your DNS and firewall configurations in order to ensure random source ports!&lt;br /&gt;&lt;br /&gt;I've seen several "patched" DNS servers going to the internet with fixed source ports, something that more or less nullifies the patches released by the vendors.&lt;br /&gt;&lt;br /&gt;Why not test your DNS today?
(tip by Rubens Kuhl Jr.)&lt;br /&gt;&lt;a href="https://www.dns-oarc.net/oarc/services/dnsentropy"&gt;&lt;br /&gt;https://www.dns-oarc.net/oarc/services/dnsentropy&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-9174521041950923950?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/jkL6J_zP8EQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/9174521041950923950/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=9174521041950923950" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/9174521041950923950" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/9174521041950923950" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/jkL6J_zP8EQ/dns-attack-reminder.html" title="DNS attack reminder" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2008/07/dns-attack-reminder.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-116233900337640087</id><published>2006-11-01T10:54:00.000+11:00</published><updated>2006-11-01T10:57:33.790+11:00</updated><title type="text">Aladdin Day: Tel Aviv</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:arial;"&gt;I could never imagine that I would ever hear the expression "two 
factor authentication" so many times. :-)&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-116233900337640087?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/rbYy8ZpDiKY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/116233900337640087/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=116233900337640087" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116233900337640087" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116233900337640087" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/rbYy8ZpDiKY/aladdin-day-tel-aviv.html" title="Aladdin Day: Tel Aviv" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/11/aladdin-day-tel-aviv.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-116233884555594382</id><published>2006-11-01T10:46:00.000+11:00</published><updated>2006-11-01T10:54:05.556+11:00</updated><title type="text">IMS Security</title><content type="html">In my article, &lt;a href="http://www.fucs.org/english/whitepapers/VoIP_sec.pdf"&gt;Voice over IP: New Telephony and Security&lt;/a&gt;, I made a quick comment regarding the IP Multimedia Subsystem; however, no details or explanations were provided.
Recently Emmanuel Gadaix, a great person and amazing professional, gave an introductory presentation regarding IMS Security. The PPT file can be found &lt;a href="http://www.bellua.com/bcs/asia06.archive/BCS2006-Gadaix.ppt"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The picture gets clearer every day: &lt;span style="font-style: italic;"&gt;It's not only a convergence of technologies but also a convergence of problems&lt;/span&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-116233884555594382?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/QDLrw-02fSk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/116233884555594382/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=116233884555594382" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116233884555594382" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116233884555594382" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/QDLrw-02fSk/ims-security.html" title="IMS Security" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/11/ims-security.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-116199109874514238</id><published>2006-10-28T08:54:00.000+10:00</published><updated>2006-10-28T09:21:01.940+10:00</updated><title type="text">The quest for the Holy Grail</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;a href="http://www.lightbluetouchpaper.org/2006/10/27/yet-another-insecure-banking-system/"&gt;Ross Anderson posted a comment regarding an idea that the British banking system is studying as a solution to eliminate phishing attacks. Anderson's comments are very precise, but I got myself thinking:&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Is the search for an ideal &lt;span style="font-style: italic;"&gt;strong authentication&lt;/span&gt; a quest for a new holy grail?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-116199109874514238?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/zUs_RIwD8bY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/116199109874514238/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=116199109874514238" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116199109874514238" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116199109874514238" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/zUs_RIwD8bY/quest-for-holy-grail.html" title="The quest for the Holy Grail" /><author><name>Andre 
Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/10/quest-for-holy-grail.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-116195563481175227</id><published>2006-10-27T23:04:00.000+10:00</published><updated>2006-10-27T23:31:37.360+10:00</updated><title type="text">It’s a wild world</title><content type="html">&lt;div style="text-align: justify; font-family: arial;"&gt;Recently &lt;a href="http://pedrodoria.nominimo.com.br/?p=1322" target="_blank"&gt;Pedro Dória, a journalist friend of mine, posted some interesting results about this new toy, Google Trends.&lt;/a&gt; I was doing some tests when I got surprised by one of the query results.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Below we can see the search volume results for three different queries: &lt;/span&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-family:arial;"&gt;exploit, windows exploit and linux exploit.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;center style="font-weight: bold;"&gt;&lt;span style="font-size:78%;"&gt;exploit&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/trends?q=exploit&amp;ctab=1&amp;amp;geo=all&amp;date=all" target="_blank"&gt;&lt;img style="margin: 0px auto 1px; display: block; text-align: center; cursor: pointer;" src="http://www.fucs.org/english/uploaded_images/exploit-764190.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;center style="font-weight: bold;"&gt;&lt;span style="font-size:78%;"&gt;linux exploit&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;a 
onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/trends?q=linux+exploit&amp;ctab=1&amp;amp;geo=all&amp;date=all" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://www.fucs.org/english/uploaded_images/lin_exp-738327.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;center style="font-weight: bold;"&gt;&lt;span style="font-size:78%;"&gt;windows exploit&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.google.com/trends?q=windows+exploit&amp;ctab=1&amp;amp;geo=all&amp;date=all" target="_blank"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://www.fucs.org/english/uploaded_images/win_exp-716687.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: justify; font-family: arial;"&gt;Although I tend to agree that Google is not the best reference for exploit distribution, this drop in queries is at least an interesting phenomenon. Any guesses?
Would this be evidence of a change in the electronic crime profile, from the unmotivated teenage cracker to electronic criminal groups?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-116195563481175227?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/wo2k2BYEV2s" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/116195563481175227/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=116195563481175227" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116195563481175227" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116195563481175227" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/wo2k2BYEV2s/its-wild-world.html" title="It’s a wild world" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/10/its-wild-world.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-116177442790128313</id><published>2006-10-25T20:52:00.000+10:00</published><updated>2006-10-25T21:10:23.916+10:00</updated><title type="text">Laptop seizure, a reality not so distant from you</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:arial;"&gt;Not long ago, &lt;/span&gt;&lt;a style="font-family: arial;" 
href="http://www.schneier.com/blog/archives/2006/09/laptop_seizures.html"&gt;Bruce Schneier posted on his blog a note regarding laptop seizures by the Sudanese government&lt;/a&gt;&lt;span style="font-family:arial;"&gt; and mentioned rumors about this practice in Israel. After a few days he edited the post, observing that this is currently a legal practice within US borders. Let's say it was a quite funny repercussion.&lt;br /&gt;&lt;br /&gt;Now, circa one month later, the &lt;a href="http://www.iht.com/articles/2006/10/24/business/laptop.php"&gt;International Herald Tribune has published an article about this issue.&lt;/a&gt; The article mentions that "&lt;span style="font-style: italic;"&gt;an informal survey by the Association [of Corporate Travel Executives], which has about 2,500 members worldwide, indicated that almost 90 percent of its members were not aware that customs officials have the authority to scrutinize the contents of travelers' laptops and even confiscate laptops for a period of time, without giving a reason&lt;/span&gt;".&lt;br /&gt;&lt;br /&gt;Still, according to the article, &lt;span style="font-style: italic;"&gt;"the law is clear. They don't need probable cause to perform these searches under the current law.
They can do it without suspicion or without really revealing their motivations."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Sounds like a great reason to use and encrypted flash disk to carry private or sensitive information!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/29857200-116177442790128313?l=www.fucs.org%2Fenglish'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/Away/~4/oK9lEwo_-oY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/116177442790128313/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=116177442790128313" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116177442790128313" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/116177442790128313" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/oK9lEwo_-oY/laptop-seizure-reality-not-so-distant.html" title="Laptop seizure, a reality not so distant from you" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/10/laptop-seizure-reality-not-so-distant.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-115914062904383055</id><published>2006-09-25T08:16:00.000+10:00</published><updated>2006-09-25T23:17:05.660+10:00</updated><title type="text">Where is my shawarma (or, Identity Theft, 
Israeli style)</title><content type="html">&lt;div style="text-align: justify;"&gt;As some of you know, I was born in Brazil and I have been living in Israel since May 2006. This is my second time in the country. The first time was last year, when I came here to work. I liked the place so much that I decided to come back and enjoy the Mediterranean life.&lt;br /&gt;&lt;br /&gt;Life in this country is quite nice but a little bit peculiar. Firstly, because most people don't have a single clue about what living here is like, especially when it comes to secret Israeli food like &lt;a href="http://en.wikipedia.org/wiki/Shawarma"&gt;Shawarma&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Sabich"&gt;Sabich&lt;/a&gt;. Secondly, because this country is full of weird surprises like the one I'm trying to write about.&lt;br /&gt;&lt;br /&gt;One of the basic steps to becoming a local is to get new documents, especially because in Israel it is obligatory to carry an identification document with you. That may sound a little bit awkward to US and UK citizens; however, if you consider that in Brazil every identified citizen has his fingerprints collected, Israel is not so bad. :-)&lt;br /&gt;&lt;br /&gt;As far as my current knowledge allows me to say, the main Israeli identification document is called &lt;a href="http://en.wikipedia.org/wiki/Teudat_Zehut"&gt;Teudat Zehut&lt;/a&gt;, which is a very &lt;i&gt;cool&lt;/i&gt; and &lt;b&gt;big ID card...&lt;/b&gt; with a lot of information, like your parents' names, your Jewish birth date and, if you count the appendix, even your home address. In other words, it has a lot of stuff that you don't want to care about. So, to make things easier, a lot of citizens choose to carry only their driving license, which has enough information and is the size of a credit card. So did I. 
After passing the exams, there I was, anxious to have my local driving license.&lt;br /&gt;&lt;br /&gt;Well, after a few weeks of waiting I was happy to receive it by mail; however, I'm quite shocked by the lack of precautions with which some local government agencies handle the Teudat Zehut number. In what seems to be normal behavior, &lt;a href="http://www.fucs.org/english/uploaded_images/label-741270.gif"&gt;my ID number could be easily read on the envelope containing my new document&lt;/a&gt;, exactly as happened when my Israeli passport was delivered at home. The main difference is that while my passport required a signature, which means that it wouldn't be left in my mailbox, the driving license was sitting alone in my mailbox. In fact, considering that I received it during a holiday, it seems like my driving license was either delivered to someone else's mailbox or was taken by someone &lt;span style="font-style: italic;"&gt;"for a walk"&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Does that sound too paranoid? Maybe... I'm still discovering what can be done just with my Teudat Zehut number; still, this is not very safe behavior. 
Sounds like the obvious is true: identity theft is not the country's main concern.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/115914062904383055/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=115914062904383055" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115914062904383055" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115914062904383055" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/T1kN1NOh7RE/where-is-my-shawarma-or-identity-theft.html" title="Where is my shawarma (or, Identity Theft, Israeli style)" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/09/where-is-my-shawarma-or-identity-theft.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-115871705816070727</id><published>2006-09-20T11:38:00.000+10:00</published><updated>2006-09-20T11:55:40.100+10:00</updated><title type="text">Becker and Posner on Identity Theft</title><content type="html">The 1992 Nobel laureate in Economic Sciences, Gary Becker, and his fellow professor, Judge Richard Posner, posted 
on Deterring Identity Theft.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.becker-posner-blog.com/archives/2006/09/on_identity_the.html"&gt;Becker&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&amp;amp;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.becker-posner-blog.com/archives/2006/09/deterring_ident.html"&gt;Posner&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As an information security professional and a frequent reader of their posts, all I can say is that I will keep reading their blog despite those weird posts. :-)</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/115871705816070727/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=115871705816070727" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115871705816070727" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115871705816070727" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/QF_NISNl8o0/becker-and-posner-on-identity-theft.html" title="Becker and Posner on Identity Theft" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total 
xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/09/becker-and-posner-on-identity-theft.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-115594820214569351</id><published>2006-08-19T10:41:00.000+10:00</published><updated>2006-08-19T10:44:31.143+10:00</updated><title type="text">Att: Mr Al Kyder and Terry Wrist please board....</title><content type="html">Producers of the Australian Broadcasting Corporation's (ABC) satirical programme The Chaser's War on Everything booked two tickets on a Wednesday flight to Melbourne with low-cost carrier Virgin Blue. The tickets were in the names of "Al Kyder" and "Mr Terry Wrist", the New South Wales daily &lt;a href="http://www.smh.com.au/articles/2006/08/18/1155407997552.html"&gt;Sydney Morning Herald&lt;/a&gt; reports.&lt;br /&gt;&lt;br /&gt;Source: &lt;a href="http://www.flightglobal.com/Articles/2006/08/18/Navigation/177/208508/Video+Australian+passengers+left+stunned+as+prank+leads+to+boarding+calls+for+%27Al+Qaeda%27+and.html"&gt;FlightGlobal.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I must confess that they had an amazing idea. 
:-)</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/115594820214569351/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=115594820214569351" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115594820214569351" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115594820214569351" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/gmmOdhhFnAE/att-mr-al-kyder-and-terry-wrist-please.html" title="Att: Mr Al Kyder and Terry Wrist please board...." /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/08/att-mr-al-kyder-and-terry-wrist-please.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-115222587807336899</id><published>2006-07-07T08:37:00.000+10:00</published><updated>2006-07-07T08:44:38.080+10:00</updated><title type="text">Is "defense-in-depth" the real answer?</title><content type="html">&lt;div style="text-align: justify;"&gt;Recently I was involved in a mail thread regarding the widely accepted application of the "defense in depth" doctrine within information systems security. 
I may be mistaken, but it sounds like a mistake to defend such an approach when even modern armies are developing network/information-centred warfare tactics.&lt;br /&gt;&lt;br /&gt;As the &lt;a href="http://en.wikipedia.org/wiki/Network_Enabled_Capability"&gt;Wikipedia entry for the UK &lt;b&gt;Network Enabled Capability&lt;/b&gt; states&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;NEC is envisaged as the coherent integration of sensors, decision-makers, effectors and support capabilities to achieve a more flexible and responsive military. In this future vision commanders will be better aware of the evolving military situation and will be able to react to events through voice and data communications.&lt;br /&gt;&lt;/blockquote&gt;Sounds like we are using the wrong approach, or should I say, doctrine? :-)&lt;br /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/115222587807336899/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=115222587807336899" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115222587807336899" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115222587807336899" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/DkANXNqq_68/is-defense-in-depth-real-answer.html" title="Is &quot;defense-in-depth&quot; the real answer?" 
/><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/07/is-defense-in-depth-real-answer.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-115209198639709686</id><published>2006-07-05T18:02:00.000+10:00</published><updated>2006-07-05T19:33:06.420+10:00</updated><title type="text">VoIP users targeted by regular phishing</title><content type="html">&lt;div style="text-align: justify;"&gt;Vono, a leading Brazilian VoIP service, informed their customers about a phishing attempt involving their services. As usual, users were led by various means to a cloned website that recorded their passwords. So far there is no lesson to be learned: Vono is a prepaid VoIP service that can be paid either by invoice or by a credit card that is not displayed; this last payment method also offers a risky automatic recharge option. However, it's interesting to notice that Vono uses the same credentials for both HTTP and SIP authentication. Therefore those who were fooled by the phishing scam tend to suffer credit theft as a consequence of their naivety. 
Separate authentication methods would give the VoIP provider the ability to mine its data for anomalous Web provisioning activity, reducing the impact of the phishing.&lt;br /&gt;&lt;br /&gt;Still, the impact of this phishing scam tends to be quite small.&lt;br /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/115209198639709686/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=115209198639709686" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115209198639709686" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115209198639709686" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/L6vmRvP0CKs/voip-users-target-by-regular-phishing.html" title="VoIP users targeted by regular phishing" /><author><name>Andre Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/07/voip-users-target-by-regular-phishing.html</feedburner:origLink></entry><entry><id>tag:blogger.com,1999:blog-29857200.post-115056419261810481</id><published>2006-06-18T03:09:00.000+10:00</published><updated>2006-06-18T03:09:52.626+10:00</updated><title type="text">VoIP Security</title><content 
type="html">Brazilian songwriter Chico Science used to say that “one step forward and you’re not at the same place anymore”. Unfortunately, this new place is not always the ideal world we longed for. This is the reality that many companies delving into the Voice over IP land are facing. Security problems are many and, once again, are driven by the usual expectation of panaceas; companies are making decisions today that will bring far too many headaches in the future.&lt;br /&gt;&lt;br /&gt;As &lt;a href="http://www.schneier.com/blog/archives/2005/07/encrypted_voip.html"&gt;Bruce Schneier realized, VoIP security is not only about encryption&lt;/a&gt;. As happened with internet banking, we won't achieve our security targets if we care only about SIP and encryption.&lt;br /&gt;&lt;br /&gt;More can be found in a short article about &lt;a href="http://www.fucs.org/english/whitepapers/VoIP_sec.pdf"&gt;VoIP security&lt;/a&gt;.</content><link rel="replies" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/115056419261810481/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=29857200&amp;postID=115056419261810481" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115056419261810481" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/29857200/posts/default/115056419261810481" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/Away/~3/MnFzmH6zyko/voip-security.html" title="VoIP Security" /><author><name>Andre 
Fucs</name><uri>http://www.blogger.com/profile/13598166732495572569</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd="http://schemas.google.com/g/2005" name="OpenSocialUserId" value="05908198398219831446" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://www.fucs.org/english/2006/06/voip-security.html</feedburner:origLink></entry></feed>
