<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;DU8EQXs5eip7ImA9WxNUF0U.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166</id><updated>2009-11-09T12:30:00.522-05:00</updated><title>Devil's Advocate Security</title><subtitle type="html">&lt;center&gt;Devil's Advocate Security is a blog dedicated to even handed discussion of security topics, security news, and  observations from the front lines of the daily business of IT security.&lt;/center&gt;</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://devilsadvocatesecurity.blogspot.com/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>308</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/DevilsAdvocateSecurity" type="application/atom+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry 
gd:etag="W/&quot;DU8EQXs4eip7ImA9WxNUF0U.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3058840933817618622</id><published>2009-11-09T12:30:00.000-05:00</published><updated>2009-11-09T12:30:00.532-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-09T12:30:00.532-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="IPhone security" /><category scheme="http://www.blogger.com/atom/ns#" term="IPhone" /><category scheme="http://www.blogger.com/atom/ns#" term="iPhone worm" /><title>First iPhone Worm in the wild - for Jailbroken iPhones only</title><content type="html">PMP Today &lt;a href="http://www.pmptoday.com/2009/11/08/jailbroken-iphone-worm-found-dangers-of-jailbreak-rick-astley-photo/"&gt;reports&lt;/a&gt; that the first iPhone targeted worm is hitting jailbroken iPhones due to a standard SSH password. The worm is a mobile device &lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;ct=res&amp;amp;cd=2&amp;amp;ved=0CA8QFjAB&amp;amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRickrolling&amp;amp;rct=j&amp;amp;q=rick+roll&amp;amp;ei=lBz4StqaIYzV8Ablj9TzCQ&amp;amp;usg=AFQjCNGN_tC0JjE4zrfjQLyzpk6jmalOPQ"&gt;Rick Roll&lt;/a&gt;, resulting in a Rick Astley photo being set as the phone's background.&lt;br /&gt;&lt;br /&gt;The easy fix is, of course, to not use a default SSH password - "&lt;a href="http://www.the-iblog.com/2008/11/24/tip-change-your-iphones-ssh-password/"&gt;alpine&lt;/a&gt;" wasn't exactly a good password to start with.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3058840933817618622?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3058840933817618622/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3058840933817618622" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3058840933817618622?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3058840933817618622?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/b3lMae1dySU/first-iphone-worm-in-wild-for.html" title="First iPhone Worm in the wild - for Jailbroken iPhones only" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/first-iphone-worm-in-wild-for.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUNQ38zeyp7ImA9WxNUFEo.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5994079194783384890</id><published>2009-11-05T21:03:00.004-05:00</published><updated>2009-11-05T21:08:12.183-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-05T21:08:12.183-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security humor" /><category scheme="http://www.blogger.com/atom/ns#" term="risk assessment" /><title>Risky Behavior: Making Risk Assessment Fun</title><content 
type="html">&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://safetycenter.navy.mil/PHOTO/archive/archive_351-400/photo354.asp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 360px; height: 582px;" src="http://safetycenter.navy.mil/PHOTO/images/images-351-400/photo354-2.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The Naval Safety Center's &lt;a href="http://safetycenter.navy.mil/PHOTO/index.asp"&gt;Picture of the Week&lt;/a&gt; often provides a great visual aid when discussing risks - I find that audiences get a kick out of them, and they can help break the ice when starting a risk assessment. This one? I'm pretty sure that's an integrity risk (for his bones), and an availability risk (to his services). Impact? High! Probability? Well...that depends.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-5994079194783384890?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5994079194783384890/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5994079194783384890" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5994079194783384890?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5994079194783384890?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/PjPIqE2dFsU/risky-behavior-making-risk-assessment.html" title="Risky Behavior: Making Risk Assessment Fun" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/risky-behavior-making-risk-assessment.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEYHQHw5fSp7ImA9WxNUEU8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3976579689198556611</id><published>2009-11-01T20:34:00.006-05:00</published><updated>2009-11-01T20:42:11.225-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-01T20:42:11.225-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="risk word map" /><category scheme="http://www.blogger.com/atom/ns#" term="risk assessment" /><title>Visualizing a Risk Vocabulary</title><content type="html">&lt;a 
href="http://www.wordle.net/"&gt;Wordle.net&lt;/a&gt;'s word visualization tool can be a great way to map out words and concepts. The Wikipedia text for Risk Assessment became part of a presentation I am building, one I was asked to provide as a guest speaker in an MBA class. Here's what it looks like:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_wgqJ4KQQva8/Su43el1c9dI/AAAAAAAAALI/Q61YXbNcQfs/s1600-h/risk_wordmap.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 252px;" src="http://3.bp.blogspot.com/_wgqJ4KQQva8/Su43el1c9dI/AAAAAAAAALI/Q61YXbNcQfs/s400/risk_wordmap.jpg" alt="" id="BLOGGER_PHOTO_ID_5399314001955714514" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The map for &lt;a href="http://en.wikipedia.org/wiki/Computer_virus"&gt;computer virus&lt;/a&gt; is also interesting:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wgqJ4KQQva8/Su44rcfMx_I/AAAAAAAAALQ/JlbG9oTl_Ic/s1600-h/virus_wordmap.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 263px;" src="http://2.bp.blogspot.com/_wgqJ4KQQva8/Su44rcfMx_I/AAAAAAAAALQ/JlbG9oTl_Ic/s400/virus_wordmap.jpg" alt="" id="BLOGGER_PHOTO_ID_5399315322296387570" border="0" /&gt;&lt;/a&gt;I suspect that these will be useful visual aids in my presentations - a new way to present security concepts is often helpful, particularly when dealing with a non-IT staff audience.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3976579689198556611?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3976579689198556611/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3976579689198556611" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3976579689198556611?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3976579689198556611?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/QButxK1NRgc/visualizing-risk-vocabulary.html" title="Visualizing a Risk Vocabulary" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_wgqJ4KQQva8/Su43el1c9dI/AAAAAAAAALI/Q61YXbNcQfs/s72-c/risk_wordmap.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/11/visualizing-risk-vocabulary.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMEQno5cSp7ImA9WxNVGUw.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-656511323186605475</id><published>2009-10-30T12:00:00.000-04:00</published><updated>2009-10-30T12:00:03.429-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-30T12:00:03.429-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="information 
security jobs" /><category scheme="http://www.blogger.com/atom/ns#" term="security job skills" /><title>Future Proofing an Information Security Job</title><content type="html">One of the more interesting information security job questions that I've seen recently is "How do you future proof a security job?".&lt;br /&gt;&lt;br /&gt;That's an interesting question - security, like much of IT, has changed significantly over the past few years, and the skillsets required have changed or matured. A decade ago, there were far fewer dedicated information security positions, web security was just starting to become a visible issue, and intrusion detection was in its infancy. We've come from a world where local networks meant that copied floppies and boot sector viruses were our main threat to a world where even our phones are possible threat vectors.&lt;br /&gt;&lt;br /&gt;How then, can an information technology security professional stay relevant?&lt;br /&gt;&lt;br /&gt;If you want to remain a technologist, rather than enter management, there are two popular paths: specialize or become a generalist.&lt;br /&gt;&lt;br /&gt;If you choose to specialize, your route will take you down the path of becoming ever more highly trained in one discipline, or possibly a few closely related areas. Penetration testers may become more skilled programmers, and could delve deeply into web technologies, or system kernel exploits. Network security experts might become a CCIE, or tackle high end certifications from specific vendors.&lt;br /&gt;&lt;br /&gt;The problem is that when that technology dies, you may have to re-train. That's nothing new in the world of information technology. Banyan Vines and Netware administrators have moved on to handle Active Directory, and experts in Token Ring have trained to deal with gigabit switched Ethernet and Internet protocols. What it does mean is that you have to keep an eye open to avoid becoming outdated along with the technologies that you are expert in. 
Specialization is a great way to get a job - if that job is in demand, and the supply is small. Cobol programmers knew this in 1999 - but that was a relatively rare opportunity for a dying technology to make a brief comeback.&lt;br /&gt;&lt;br /&gt;The other route, of course, is that of the generalist. This tends to put you into a role that glues together security with other IT areas, and can be quite rewarding - but you may find that you're unable to operate at the same depth that your specialized peers can attain. Generalists may have a harder time justifying specialized training, and will not necessarily find that their resumes qualify them directly for the highly specialized jobs that require a single scarce skill.&lt;br /&gt;&lt;br /&gt;Which route should a security analyst take? That's a tough call. At the end of the day, your work environment and your own preferences will likely shape your futureproofing efforts. In either case, technology will change, new threats will appear, and the job will continue to provide the challenges that we all face.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-656511323186605475?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/656511323186605475/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=656511323186605475" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/656511323186605475?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/656511323186605475?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/XTTj6idTxf8/future-proofing-information-security.html" title="Future Proofing an Information Security Job" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/future-proofing-information-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEEQXkzfCp7ImA9WxNVGEs.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-1297908299320443762</id><published>2009-10-29T20:30:00.004-04:00</published><updated>2009-10-29T20:30:00.784-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-29T20:30:00.784-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="remove page from google" /><category scheme="http://www.blogger.com/atom/ns#" term="search engine removal" /><category scheme="http://www.blogger.com/atom/ns#" term="webpage 
removal" /><title>How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup</title><content type="html">If you run a website of any type, there is a good chance that you'll want to remove content from Google, Bing, and other search engines at some point, either due to outdated information or sensitive data exposure. Below are links to the documentation provided by each of the major search engines for their removal process.&lt;br /&gt;&lt;br /&gt;Most search engines will tell you that your first action should be to create an appropriate &lt;a href="http://www.robotstxt.org/"&gt;robots.txt&lt;/a&gt;, and many want you to return a 404 error. If you don't, they may keep your content cached for even longer than they might otherwise.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Google&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;First, you can &lt;a href="https://www.google.com/webmasters/tools/removals?hl=zh&amp;amp;pli=1"&gt;build and submit a removal request&lt;/a&gt; for information, images, outdated or inappropriate content.&lt;br /&gt;&lt;br /&gt;Then, you can remove your own content and cause Google to re-index it more quickly using their webpage &lt;a href="http://www.google.com/support/webmasters/bin/answer.py?answer=92865"&gt;removal request tool&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Finally, make sure you follow Google's &lt;a href="http://www.google.com/support/webmasters/bin/answer.py?hl=en&amp;amp;answer=156412"&gt;noindex meta tag and robots.txt instructions&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Yahoo!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With Yahoo's move to the Bing search engine, their removal process has changed. You can use their &lt;a href="http://services.google.com:8882/urlconsole/"&gt;SiteExplorer tool&lt;/a&gt; to remove your site from their results.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Ask (formerly Ask Jeeves)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Ask only provides robots.txt support, and has no formal published removal process.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Bing&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Microsoft's new search engine has recently published &lt;a href="http://www.bing.com/community/blogs/webmaster/archive/2009/06/08/how-to-remove-urls-from-our-index-expanded-edition.aspx"&gt;removal instructions&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AltaVista&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Per AltaVista's support information, &lt;blockquote&gt;"If an AltaVista user comes across web pages that contain private personal, professional or financial information that is not available to the public and/or may have been illegally obtained, he or she can write to legal-support-uk@av.com to request that the offending URL be removed from AltaVista's index. Please note that removing said URL from AltaVista's index does not remove the URL from the public internet or the indexes of other search engines."&lt;/blockquote&gt;&lt;span style="font-weight: bold;"&gt;Archive.org / the Wayback Machine&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Archive.org provides a long term snapshot of much of the Internet, dated by when the page was crawled. 
If your site has been available for any length of time, and if you have static content that it can crawl, there's a good chance you'll want to contact &lt;a href="http://www.archive.org/"&gt;Archive.org&lt;/a&gt; for &lt;a href="http://www.archive.org/about/exclude.php"&gt;exclusion&lt;/a&gt;.&lt;br /&gt;&lt;a href="http://www.archive.org/about/exclude.php"&gt;&lt;br /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-1297908299320443762?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/1297908299320443762/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=1297908299320443762" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/1297908299320443762?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/1297908299320443762?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/6hYdMd7YO6g/how-to-search-engine-webpage-removal.html" title="How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/how-to-search-engine-webpage-removal.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8HSXk8cSp7ImA9WxNVFE0.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7772236943367082124</id><published>2009-10-23T12:30:00.001-04:00</published><updated>2009-10-24T13:53:58.779-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-24T13:53:58.779-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="cybersecurity month" /><category scheme="http://www.blogger.com/atom/ns#" term="President Obama" /><title>President Obama on Cybersecurity 
Month</title><content type="html">President Obama's short &lt;a href="http://www.whitehouse.gov/video/National-Cybersecurity-Awareness-Month/"&gt;video on cybersecurity month&lt;/a&gt; is available. This is the first time I've heard the President outline our frequent security advice - verify identities before giving out information, update your software, beware of suspicious emails. You can watch for yourself below:&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/UIIY9AQSqbY&amp;amp;rel=0&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xcfcfcf&amp;amp;hl=en&amp;amp;feature=player_embedded&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/UIIY9AQSqbY&amp;amp;rel=0&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xcfcfcf&amp;amp;hl=en&amp;amp;feature=player_embedded&amp;amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" height="344" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-7772236943367082124?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7772236943367082124/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7772236943367082124" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7772236943367082124?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7772236943367082124?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/tRSE-bYl0F4/president-obama-on-cybersecurity-month.html" title="President Obama on Cybersecurity Month" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/president-obama-on-cybersecurity-month.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck4AQHY8fyp7ImA9WxNVEks.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-8602243832119979726</id><published>2009-10-22T20:56:00.004-04:00</published><updated>2009-10-22T21:22:21.877-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-22T21:22:21.877-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="evil maid" /><category scheme="http://www.blogger.com/atom/ns#" term="truecrypt" /><category scheme="http://www.blogger.com/atom/ns#" term="drive encryption" /><title>Worried 
About The Evil Maid?</title><content type="html">Joanna Rutkowska's "&lt;a href="http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html"&gt;Evil Maid&lt;/a&gt;" TrueCrypt attack has been getting a lot of buzz in security circles today. In essence, the attack involves compromising the trust that TrueCrypt (and the user) places in the boot process. An evil maid (or other ne'er-do-well) exploits their physical access to a machine and that machine's capability to boot from external media such as a USB device to add a keylogger or other trojan to the boot sector or firmware, allowing capture of the presumably unchanging decryption key that the user enters to access their filesystem.&lt;br /&gt;&lt;br /&gt;Am I particularly concerned about this as an attack against my organization's resources? Of course not!&lt;br /&gt;&lt;br /&gt;We do use encryption on our mobile systems - not TrueCrypt, but the caution is largely against the concept, not necessarily only Rutkowska's specific implementation. With that said, a simple risk assessment serves us in good stead. Is our data so valuable, or are maids so twisted that we have to worry about them attempting to access our laptops which (hopefully) we lock in safes in hotel rooms, or otherwise appropriately protect? No - none of the people that I work with are in Her Majesty's Secret Service, or otherwise likely to be high value targets.&lt;br /&gt;&lt;br /&gt;The good news is that Rutkowska's implementation of this attack serves as a good reminder that our trust in enterprise drive encryption is much like any other technological solution in our daily security war - simply a stage in the escalation of tools.&lt;br /&gt;&lt;br /&gt;Years ago, we recommended passwords on laptops. Then, legislation and more technically aware users pushed us to drive encryption. 
Next, as attacks like this become more widely approachable, we'll worry about how to use TPM, drive hashing, two factor authentication, or technologies that can guarantee the state of a system between uses. For now, I'm far more worried about malware installed on systems either via a vulnerability or a user's mistake. Why? Because our drive encryption efforts do nothing when the drive is unlocked for the user's daily work.&lt;br /&gt;&lt;br /&gt;For your daily security efforts, you can likely worry about much more immediate security concerns - and in the meantime, if your maid cackles evilly, and speaks in l33t - you may want to guard your USB ports.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-8602243832119979726?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/8602243832119979726/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=8602243832119979726" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/8602243832119979726?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/8602243832119979726?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/Yyoq6FnzXU0/worried-about-evil-maid.html" title="Worried About The Evil Maid?" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/worried-about-evil-maid.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkUEQXk7eip7ImA9WxNVEEo.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7791962589885012437</id><published>2009-10-20T17:30:00.000-04:00</published><updated>2009-10-20T17:30:00.702-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-20T17:30:00.702-04:00</app:edited><title>VirusScan 8.7 and Security Center reporting</title><content type="html">If you've been driven to distraction recently by users who noticed that the Windows Security Center wasn't reporting their McAfee VirusScan 8.7 status correctly, you're in luck. 
Messages like "McAfee VirusScan Enterprise is on but reporting its status to Windows Security Center in a format that is no longer supported" on Windows 7 and Vista, while only a reporting issue, were resulting in a lot of questions.&lt;br /&gt;&lt;br /&gt;McAfee has released &lt;a href="https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22137/en_US/Release%20Notes%20for%20McAfee%20VirusScan%20Enterprise%208_7i%20Patch%202.pdf"&gt;Patch 2&lt;/a&gt; (link goes to the readme) for VirusScan 8.7, which fixes the issue. Along the way, they also improved the performance of On Access scans, which many users were complaining about as well.&lt;br /&gt;&lt;br /&gt;What went wrong? Well, the Microsoft API for this reporting was updated, and this required updates from vendors. McAfee's patch lagged behind, resulting in worried customers. The good news is that their AV was working. The bad news is that we've spent years making our customers more aware, and now even a false positive can cause a lot of helpdesk calls.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7791962589885012437/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7791962589885012437" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7791962589885012437?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7791962589885012437?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/z8zkkWvk8dE/virusscan-87-and-security-center.html" title="VirusScan 8.7 and Security Center reporting" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/virusscan-87-and-security-center.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0cEQX88eyp7ImA9WxNWGEw.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5184072664494480063</id><published>2009-10-17T17:30:00.000-04:00</published><updated>2009-10-17T17:30:00.173-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-17T17:30:00.173-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="DHS" /><category scheme="http://www.blogger.com/atom/ns#" term="security experts" /><category scheme="http://www.blogger.com/atom/ns#" term="Cringely" /><title>1000 Security Experts? 
Not exactly what the doctor ordered.</title><content type="html">Bob Cringely &lt;a href="http://www.cringely.com/2009/10/the-cybersecurity-myth/"&gt;recently discussed&lt;/a&gt; the Department of Homeland Security's plan to hire 1,000 "cybersecurity experts" to defend U.S. computer networks. His take? That there aren't 1,000 cybersecurity experts to be found in the U.S. His unnamed cybersecurity expert friends tend to agree in various forms, ranging from a discussion of the semantics of the goal to a more in-depth discussion of the forms of expertise that can be found, and a note that there are 1,000 security experts - on the wrong side of the fence.&lt;br /&gt;&lt;br /&gt;Cringely also contends that no matter what the actual intent, this hiring is largely window dressing and that the end result won't be a sea change in how government information security is done. He points to low CCIE graduation rates as a good metric for how many security experts can be found, which may not be the best metric for security expertise across the board - to me, it indicates that holders of one brand of high level network security expertise do exist, but that the demand for CCIEs isn't sufficient to push further qualifiers into the certificate at a high rate. In addition, personal experience indicates to me that many qualified security experts don't carry all of the certifications that they could qualify for, for any of a broad variety of reasons - that doesn't mean that we have hundreds of certification-less CCIEs around, but it does mean that we may have experts we're not counting if we only count certificates.&lt;br /&gt;&lt;br /&gt;The problem here is that security expertise covers a broad variety of fields from risk assessment to network security to physical security design and back again. Seeking a thousand cybersecurity experts is, in many ways, more akin to seeking a thousand expert college professors in engineering. 
You may not find them all in nuclear engineering at the level that you desire, but you may very well find that many experts across all of the disciplines that you need - and then you'll realize that you really wanted some of them to be TA's, Ph.D. candidates, and others who may not yet be experts - but will be.&lt;br /&gt;&lt;br /&gt;Polymath experts with broad experience and deep expertise across the spectrum of information security are definitely necessary to tie those skillsets together, especially when you need to glue complex systems together, but you don't need - or necessarily want - hundreds of those big guns. Cringely notes that such experts aren't found in packs, and that is one point that I'll agree with. In any field the major experts hold a special place, and some take full advantage of it.&lt;br /&gt;&lt;br /&gt;One of Cringely's experts dismisses the DHS plan - "you will end up with 1,000 Security Managers in the government with Sec+, and CISSP certifications". This picture of outsourced expertise and a lack of true change doesn't reflect the fact that skilled security managers are just as necessary as the heavy-hitter deep-dive experts. If the Department of Homeland Security really wants to change the face of government information security, the program and these new hires must be run adeptly, and that can be a real challenge.&lt;br /&gt;&lt;br /&gt;DHS doesn't need to simply hire 1000 identical security superheroes. They need to embed employees with appropriate skillsets in those areas that face risk - after they assess the risk - and then they need to work out a coherent program to improve and manage both their security program and their security staffers. With the right guidance, 1000 security employees of many types could change how government information security is done.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5184072664494480063/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5184072664494480063" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5184072664494480063?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5184072664494480063?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/848smIuQcWQ/1000-security-experts-not-exactly-what.html" title="1000 Security Experts? Not exactly what the doctor ordered." 
/><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/1000-security-experts-not-exactly-what.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4CR3Y_cCp7ImA9WxNWFkg.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7585547439890272381</id><published>2009-10-15T21:00:00.001-04:00</published><updated>2009-10-15T21:02:46.848-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-15T21:02:46.848-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security models" /><category scheme="http://www.blogger.com/atom/ns#" term="security analysts" /><title>The Three Phases of the Security Analyst</title><content type="html">&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2438/3643283079_f172b26309.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 338px; height: 500px;" src="http://farm3.static.flickr.com/2438/3643283079_f172b26309.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;Creative Commons attribution licensed image courtesy Flickr user &lt;a href="http://www.flickr.com/photos/49024304@N00/"&gt;anyjazz65&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I spend a lot of time working with people outside of my own immediate group of security analysts, and I often find it useful to provide a model that will help them understand how security analysts work. 
Fortunately, I've found one that I like.&lt;br /&gt;&lt;br /&gt;Security staffers that I have known through the years tend to fall into one of three stages - typically depending on the phase of their career, with some variation depending on the person's personality, their workplace, and of course, their experience.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center; font-weight: bold;"&gt;The Phases:&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;1. The Black and White Security Analyst&lt;/span&gt;: &lt;span style="font-style: italic;"&gt;A Binary Analysis&lt;/span&gt; - typical amongst newer security professionals, a Black and White analyst sees the world as a series of security issues. A system is either secure or insecure. It complies with best practices, or it fails. Black and white analysts can drive outsiders nuts (and, at times, their non-black and white compatriots), but they also serve as a very useful check to the other phases - and they make very good auditors.&lt;br /&gt;&lt;br /&gt;Some black and white analysts find their role because of limited direct experience. Simple book knowledge rarely has a compromise solution, and forcing best practices can make an otherwise reasonable staffer look like a truly obstinate opponent. Every analyst needs to fall back on these behaviors at times, particularly for thorny problems that have a high-risk solution. Of course, in some environments this is the desired mode of operation, and should be fostered.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2. Shades of Gray&lt;/span&gt;: &lt;span style="font-style: italic;"&gt;The Risk Modeller&lt;/span&gt; - as security professionals spend more time in the field - and, often, as they become more jaded - they start to view the world as a series of risks. 
Training teaches you to do a risk assessment, to rate those risks, and to build controls based on that model.&lt;br /&gt;&lt;br /&gt;Their assessments start to balance these risks, and they become more flexible in their views. The danger? Making too many tradeoffs, whether for functionality or simply for the ease of implementation. This can have a benefit, of course, as the shades of gray often allow the analyst to be more flexible when analyzing risks and controls.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3. The Realist&lt;/span&gt;&lt;span&gt;:&lt;/span&gt; &lt;span style="font-style: italic;"&gt;Life Along the Continuum&lt;/span&gt; - some, but not all, security staffers make it to a third phase. This third phase tends to emphasize the continuum of possible security options, and those who have reached this level will typically rate security based on the improvement along that continuum. Analysts often set a minimum acceptable level - and strive to ensure that a balance is maintained between improvements beyond that and the organizational costs of moving along the line. Realists are fully aware that security cannot always win, and instead choose their battles. This can mean that at times they are more willing to accept compromise than they necessarily should be, and burnout can lead to a less effective analyst, but realists are often the best interfaces with outside organizations if you need to build bridges.&lt;br /&gt;&lt;br /&gt;In the end, all three stages are useful, and each has its place. What matters is reaching an organizationally acceptable balance of risk, usability, and security, and that ebb and flow is what makes the job both a challenge and an adventure.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7585547439890272381/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7585547439890272381" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7585547439890272381?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7585547439890272381?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/8xPqeIA6hjM/three-phases-of-security-analyst.html" title="The Three Phases of the Security Analyst" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/three-phases-of-security-analyst.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUQMQ384fyp7ImA9WxNWE0w.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-531240235147371317</id><published>2009-10-11T23:13:00.004-04:00</published><updated>2009-10-11T23:16:22.137-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-11T23:16:22.137-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="password security" /><category scheme="http://www.blogger.com/atom/ns#" term="password standards" /><title>Passwords...in Newsweek?</title><content type="html">You know that passwords 
and their problems have gone mainstream when Newsweek &lt;a href="http://www.newsweek.com/id/217014/page/1"&gt;carries an article about them&lt;/a&gt;. Nick Summers describes current password technology issues, as well as some of the potential future solutions. The article even covers brute forcing and the issues with simple passwords - meaning that your users might come and ask a few good questions.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/531240235147371317/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=531240235147371317" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/531240235147371317?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/531240235147371317?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/1s_VR5PHxIg/passwordsin-newsweek.html" title="Passwords...in Newsweek?" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/passwordsin-newsweek.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8NQHszfip7ImA9WxNXGUg.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-2743159583881687633</id><published>2009-10-07T19:18:00.003-04:00</published><updated>2009-10-07T19:24:51.586-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-07T19:24:51.586-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="password security" /><category scheme="http://www.blogger.com/atom/ns#" term="password standards" /><title>That's amazing. 
I've got the same combination on my luggage...</title><content type="html">Wired's Danger Room blog &lt;a href="http://www.wired.com/threatlevel/2009/10/10000-passwords/"&gt;quotes&lt;/a&gt; analysis of a recent Hotmail, MSN, and Microsoft Live account leak which showed that 123456 was the most common password.&lt;br /&gt;&lt;br /&gt;In my experience, universities tend to find that their most common passwords are catch phrases common to the school. Corporations that run password audits may find similar patterns in their own users' password selections.&lt;br /&gt;&lt;br /&gt;Does your organization have a common password?</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/2743159583881687633/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=2743159583881687633" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2743159583881687633?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2743159583881687633?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/SjZxscspstQ/thats-amazing-ive-got-same-combination.html" title="That's amazing. I've got the same combination on my luggage..." 
/><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/thats-amazing-ive-got-same-combination.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04GSHg-fCp7ImA9WxNXFEk.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5113278029373062366</id><published>2009-10-01T21:00:00.000-04:00</published><updated>2009-10-01T21:12:09.654-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-01T21:12:09.654-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="hostage ware" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="hostageware" /><title>Hostageware Hits the Mainstream</title><content type="html">&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2458/3800997267_a6d7244942.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 500px; height: 375px;" src="http://farm3.static.flickr.com/2458/3800997267_a6d7244942.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;Creative Commons Attribution licensed image courtesy &lt;a href="http://www.flickr.com/photos/alanrmiles/"&gt;Alan Miles NYC&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;The New York Times was &lt;a href="http://www.nytimes.com/2009/09/15/technology/internet/15adco.html?_r=1"&gt;recently hit&lt;/a&gt; with a hostageware ad that switched from a seemingly legitimate Vonage ad to virus warnings. 
The Times believed they were trusting a vendor that they had previously worked with, and allowed un-vetted servers to serve ads to their site. The Times isn't the only major site to have this occur, and my security threats crystal ball says that since we've all locked our computers down to prevent worms, the bad guys are going to target the places they know we go - and trust.&lt;br /&gt;&lt;br /&gt;As the New York Times article notes, "These so-called affiliates can mimic the advertisements of legitimate companies, learn their techniques for submitting ads to networks and sites, meddle with ad servers and then go so far as to provide customer support for people who install the software, keeping the scam running as long as possible."&lt;br /&gt;&lt;br /&gt;In my own recent experience, this type of ad is increasingly prevalent as a threat to users, and the malware itself is taking advantage of a number of browser bugs and plugin bugs to slide past users' defenses. With threats that take advantage of PDF vulnerabilities, Java vulnerabilities, and more, users who navigate to trusted sites may still be compromised. This also means that the standard habits that we have taught users for years are no longer a panacea - simply not going to untrusted sites, not opening unexpected emails, or avoiding clicking untrusted links isn't the shield it was.&lt;br /&gt;&lt;br /&gt;Home users who find themselves staring at a popup screen that offers to save them from the malware that their PC is infected with can find some solace in the fact that capable anti-malware products like &lt;a href="http://www.malwarebytes.org/"&gt;MalwareBytes&lt;/a&gt; are available for free. Sadly, mainstream AV seems to have real problems with many of these hostageware packages, so a second layer of defense is key.&lt;br /&gt;&lt;br /&gt;So, what can you do from a corporate perspective? That's a bit tougher. 
Here's what I'm looking at:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;First, full patching that includes browser plugins is really essential. I continue to see systems that have full OS patches but are behind on browser plugins. Comprehensive, system-wide software management is becoming even more of a corporate necessity.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Second, enterprise AV can still be helpful, even if only for detection. Remember to have your support staffers check out machines that show continued issues, as some components of the malware often get removed, but the remaining parts can restore them. I've had organizations using central AV notice large numbers of their machines disappearing, which resulted in an investigation that showed a widespread compromise. Not exactly how they expected to leverage their AV management console, but well worth the price of admission.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Third, investigate enterprise licenses for useful tools. MalwareBytes and other vendors do offer attractive pricing for enterprise licensing. I've found that a quick Google results survey can often indicate what secondary package is most recommended, and that can really help.&lt;/li&gt;&lt;li&gt;Fourth, monitoring outbound traffic for hits on known malware and scam sites gives you a chance to find infected hosts before they become problems.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Finally, user training and awareness is still key. Finding out when these hostageware programs are showing up, and what the user was doing when they got infected, can help prevent widespread infections.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;How is your enterprise handling hostageware?</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5113278029373062366/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5113278029373062366" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5113278029373062366?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5113278029373062366?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/u3cSdGkk4Ws/hostageware-hits-mainstream.html" title="Hostageware Hits the Mainstream" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/10/hostageware-hits-mainstream.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUAQ34-fyp7ImA9WxNQGE8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-4449811382929429710</id><published>2009-09-24T17:00:00.002-04:00</published><updated>2009-09-24T17:04:02.057-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-24T17:04:02.057-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Web of Trust" /><category scheme="http://www.blogger.com/atom/ns#" term="thawte" /><category scheme="http://www.blogger.com/atom/ns#" term="S/MIME certificates" /><title>Thawte Discontinues Free Email 
Certificates and the Web of Trust</title><content type="html">&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3071/3021224568_e6af37a264.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 500px; height: 375px;" src="http://farm4.static.flickr.com/3071/3021224568_e6af37a264.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-size:78%;"&gt;Creative Commons Attribution License image courtesy Flickr user &lt;a href="http://www.flickr.com/photos/fristle/"&gt;Fristle&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;Thawte's &lt;a href="http://www.thawte.com/secure-email/web-of-trust-wot/"&gt;Web of Trust&lt;/a&gt; and free email certificates have been a great way to get S/MIME certificates signed for personal use by a large CA. I've been a notary for a few years, and I've found that being able to offer an easy to obtain certificate with a reasonably strong validation process was a great way to introduce S/MIME certificates and secure email to many people.&lt;br /&gt;&lt;br /&gt;Today Thawte announced that both their free personal email certificates and the Web of Trust will cease to exist after November 16th, 2009. Details of the impact are covered in their &lt;a href="https://search.thawte.com/support/ssl-digital-certificates/index?page=content&amp;amp;id=SO12658"&gt;FAQ&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This will remove one of the largest in-person vetted identity certification groups that I know of - a reasonably unique institution. Those who paid money for notarization to receive points in the Web of Trust will find that that investment no longer pays returns. 
Thawte's consolation prize is a single year of VeriSign's commercial personal email certificate service, and a free one-year certificate of the member's choice.&lt;br /&gt;&lt;br /&gt;I'm not aware of any viable community replacement for this service for S/MIME certificate users, and I'm somewhat disappointed that Thawte hasn't pushed the idea of making this some form of community-supported or community-managed service.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/4449811382929429710/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=4449811382929429710" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4449811382929429710?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4449811382929429710?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/4M70_PNgEvs/thawte-discontinues-free-email.html" title="Thawte Discontinues Free Email Certificates and the Web of Trust" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/thawte-discontinues-free-email.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEQCQX4_fSp7ImA9WxNQFk8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5343839557591146253</id><published>2009-09-22T07:35:00.005-04:00</published><updated>2009-09-22T09:32:40.045-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-22T09:32:40.045-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensic imaging" /><category scheme="http://www.blogger.com/atom/ns#" term="forensic tools" /><category scheme="http://www.blogger.com/atom/ns#" term="computer 
forensics" /><title>Acquisition drive too small? Loop and offset to the rescue!</title><content type="html">On any given day, I might need to take an image of a physical drive to analyze offline.  In the past, our imaging target drives of 1TB were plenty to handle a raw dump of the drive as well as partition dumps or carves later on.  However, with the spate of large capacity drives being installed, even in laptops, I'm lucky to just get the raw dump of the drive with some working space for an evidence locker.  But what if I need to parse through the partitions individually or want to mount them remotely?  Loop device mounting and offset (both operands supported by the mount command) to the rescue.  After imaging the entire drive and of course verifying the hash, I have everything I need.  Now for the fun. &lt;br /&gt;&lt;br /&gt;Typically, you can mount a raw image with the loop device operand:&lt;br /&gt;&lt;br /&gt;#mount -o loop,ro -t auto /some/image.raw /your/mountpoint&lt;br /&gt;&lt;br /&gt;I use this often when I only have an image of a partition.  However, this option will not work when trying to mount an image of an entire physical device with one or more logical drives defined within it.  So now what? &lt;br /&gt;&lt;br /&gt;Given that an image is really just a block-level copy of data, we are only dealing with data.  Using the loop device with further options - offset specifically - lets you tell it where within that string of data to consider the starting point.  In essence, the offset operand tells mount and the loop device to skip n bytes from the actual beginning of the data.  But where do my partitions start and end?&lt;br /&gt;&lt;br /&gt;To get an idea of what is contained inside the image, as far as file system information, logical drives etc., you will need to use a utility like fdisk.  fdisk is a partition table manipulator for Linux.  
While it can be used to manipulate the partitions, we'll just use it to find out what's inside the image.  The following command will give you all the details we need about an image:&lt;br /&gt;&lt;br /&gt;# fdisk -ul image.001&lt;br /&gt;&lt;br /&gt;You must set cylinders.&lt;br /&gt;You can do this from the extra functions menu.&lt;br /&gt;&lt;br /&gt;Disk image.001: 0 MB, 0 bytes&lt;br /&gt;255 heads, 63 sectors/track, 0 cylinders, total 0 sectors&lt;br /&gt;Units = sectors of 1 * 512 = 512 bytes&lt;br /&gt;Disk identifier: 0xd42ad42a&lt;br /&gt;&lt;br /&gt;     Device Boot      Start         End      Blocks   Id  System&lt;br /&gt;image.001p1   *          63    42154559    21077248+   7  HPFS/NTFS&lt;br /&gt;Partition 1 has different physical/logical endings:&lt;br /&gt;     phys=(1023, 254, 63) logical=(2623, 254, 63)&lt;br /&gt;image.001p2        42154560   156296384    57070912+   5  Extended&lt;br /&gt;Partition 2 has different physical/logical beginnings (non-Linux?):&lt;br /&gt;     phys=(1023, 0, 1) logical=(2624, 0, 1)&lt;br /&gt;Partition 2 has different physical/logical endings:&lt;br /&gt;     phys=(1023, 254, 63) logical=(9728, 254, 63)&lt;br /&gt;image.001p5        42154623   156296384    57070881    7  HPFS/NTFS&lt;br /&gt;&lt;br /&gt;In the example above, I pointed "fdisk -ul" at an image of a Windows drive that had two partitions.  I used option "u" to list the sizes in sectors instead of cylinders and "l" to list the partitions within the device and then exit.  So, from here, how do we calculate where the starting point is for each partition and then tell mount where we want the beginning to be?  First, we determine the sector size.  This value is in bytes and is the multiplier we use to determine how many bytes into the image we want to offset.  
We can see in the output that the sector size is 512 bytes:&lt;br /&gt;&lt;br /&gt;Units = sectors of 1 * 512 = &lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;512 bytes&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Next we need to know at what sector each partition starts.  In the example above, we see several partitions listed: image.001p1, image.001p2 and image.001p5.  Each partition entry in the output has a start point denoted in sectors:&lt;br /&gt;&lt;br /&gt;Device Boot      Start         End      Blocks   Id  System&lt;br /&gt;image.001p1   *          &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;63&lt;/span&gt;    42154559    21077248+   7  HPFS/NTFS&lt;br /&gt;image.001p2        &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;42154560&lt;/span&gt;   156296384    57070912+   5  Extended&lt;br /&gt;image.001p5        &lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;42154623&lt;/span&gt;   156296384    57070881    7  HPFS/NTFS&lt;br /&gt;&lt;br /&gt;But wait - in this example I have a drive image that only contained two partitions - why are there three listed?  This is because the drive I imaged was partitioned with one primary boot partition and an extended partition which contains another partition.  There are many religious debates on how to partition drives, but suffice it to say, this layout is far more common than not.  Today, we are only concerned with mounting the two NTFS partitions listed.  In the fdisk output we can see that partition 1 starts at sector 63 and partition 5 starts at sector 42154623.  
We'll multiply these starting sectors by our sector size to determine what our offset (in bytes) is for each mount operation:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;sector size&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; * &lt;/span&gt;&lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;starting sector&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; = &lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;offset&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;512&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; * &lt;/span&gt;&lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;63&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; = &lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;32256&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;512&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; * &lt;/span&gt;&lt;span style="color: rgb(51, 204, 0); font-weight: bold;"&gt;42154623&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; = &lt;/span&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;21583166976&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now that we have the offset, in bytes, we can formulate our mount commands:&lt;br /&gt;&lt;br /&gt;#mount -o ro,loop,offset=&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;32256&lt;/span&gt; -t ntfs-3g image.001 /some/mountpoint&lt;br /&gt;and&lt;br /&gt;#mount -o ro,loop,offset=&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;21583166976&lt;/span&gt; -t ntfs-3g image.001 /another/mountpoint&lt;br /&gt;&lt;br /&gt;And there we have it - both partitions within a raw drive image mounted and ready to explore without having to take more images of just the logical drives - or carve them 
out of what we have.  Of course, file systems will vary along with disk geometry and associated mounting options.  However, these basic steps can be used to identify and mount every partition contained within a raw disk image.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5343839557591146253/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5343839557591146253" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5343839557591146253?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5343839557591146253?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/Meb_9wvMIVY/aquisition-drive-too-small-loop-and.html" title="Acquisition drive too small? Loop and offset to the rescue!" 
/><author><name>MTI</name><uri>http://www.blogger.com/profile/16411573334562325587</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="12082728093499524839" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/aquisition-drive-too-small-loop-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0MEQXs8cCp7ImA9WxNQEkQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-6444532750747736615</id><published>2009-09-18T12:30:00.000-04:00</published><updated>2009-09-18T12:30:00.578-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-18T12:30:00.578-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="LogMeIn" /><category scheme="http://www.blogger.com/atom/ns#" term="remote control software" /><category scheme="http://www.blogger.com/atom/ns#" term="laptop recovery" /><title>Stolen Laptop Recovery with LogMeIN - Round 2</title><content type="html">PC World has &lt;a href="http://www.pcworld.com/article/172093/An_Amazing_Laptop_Recovery_Story.html"&gt;David Krop's story&lt;/a&gt; of laptop recovery using LogMeIn. I've discussed a couple of similar stories involving a &lt;a href="http://devilsadvocatesecurity.blogspot.com/2009/06/case-for-remote-control-theft-recovery.html"&gt;laptop&lt;/a&gt; and an &lt;a href="http://devilsadvocatesecurity.blogspot.com/2009/06/phone-recovery-true-story.html"&gt;iPhone&lt;/a&gt; previously, as well as the case for remote control software, and this is another example of a laptop that was not properly secured being used by a new user while remote login software was on.&lt;br /&gt;&lt;br /&gt;The buyer of the stolen laptop is quoted, saying "I didn't care whether it was stolen, I buy stolen stuff all the time. I don't care... If I can save $600, I'll do it." 
While he may not have learned a lesson, the owner of the stolen laptops did, noting that he won't leave the laptops unattended, that he takes only one with him, and that he uses passwords and remote tracking software now.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/6444532750747736615/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=6444532750747736615" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6444532750747736615?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6444532750747736615?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/6MI2bNBVSUY/stolen-laptop-recovery-with-logmein.html" title="Stolen Laptop Recovery with LogMeIN - Round 2" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/stolen-laptop-recovery-with-logmein.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkIEQX8zeyp7ImA9WxNQEkQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-4407278716220158496</id><published>2009-09-18T12:15:00.001-04:00</published><updated>2009-09-18T12:15:00.183-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-18T12:15:00.183-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="dumb criminals" /><category scheme="http://www.blogger.com/atom/ns#" term="Facebook Security" /><title>What You Do on Facebook Can Cause You Harm is True For Criminals 
Too</title><content type="html">Jonathan G. Parker of Fort Loudon, Pennsylvania was arraigned on a burglary charge after he &lt;a href="http://www.journal-news.net/page/content.detail/id/525232.html"&gt;forgot to log out of Facebook&lt;/a&gt; on the computer at a house that he had robbed.&lt;br /&gt;&lt;br /&gt;We're all busy telling our users that what they do on Facebook can cause them problems in the future, but this is a slightly more direct example...</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/4407278716220158496/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=4407278716220158496" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4407278716220158496?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4407278716220158496?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/Pg0kUEJEDsE/what-you-do-on-facebook-can-cause-you.html" title="What You Do on Facebook Can Cause You Harm is True For Criminals Too" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/what-you-do-on-facebook-can-cause-you.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0AERX87eSp7ImA9WxNQEk4.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-6438654432616095489</id><published>2009-09-17T20:28:00.005-04:00</published><updated>2009-09-17T21:01:44.101-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-17T21:01:44.101-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web application vulnerability scanning" /><category scheme="http://www.blogger.com/atom/ns#" term="webinspect" /><category 
scheme="http://www.blogger.com/atom/ns#" term="web application security" /><title>Making Web Application Security Controls Repeatable</title><content type="html">Raul Siles recently posted a &lt;a href="http://isc.sans.org/diary.html?storyid=7135"&gt;useful reminder&lt;/a&gt; as his ISC diary post - "Review the security controls of your Web Applications... all them!" He used the &lt;a href="http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html"&gt;problems&lt;/a&gt; described by Ryan Barnett that were found in Yahoo's web API as an excellent example of this rule. Both posts point to a common problem in applications that I see - the loss of established controls in new code and new functionality.&lt;br /&gt;&lt;br /&gt;One way I've been working to help fix this in an organization that hasn't developed a comprehensive software development lifecycle or broad QA process is to build a multi-step process to handle security flaws found in an application. Typical steps are:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Determine whether the problem is unique to the application, or if it is a flaw that is likely found in other applications, either current or future.&lt;/li&gt;&lt;li&gt;If it is more than a one-time problem, design a common library or technique to handle the problem.&lt;/li&gt;&lt;li&gt;Assess the severity of the problem, and apply the fix to other applications if the risk is determined to be high enough to justify the effort. If not, add the fix to the queue for the next update to those applications.&lt;/li&gt;&lt;li&gt;Re-test the application to verify that the fix works.&lt;/li&gt;&lt;li&gt;Document the library and ensure that the rest of the team is aware of it.&lt;/li&gt;&lt;/ol&gt;One of the best things about this sort of process is that developers start to think about problems in a much broader context. 
Recently, I've seen two of the developers I work with frequently stop during a meeting and ask out loud "I wonder if that applies in application X too...". That thought process usually ends up in modifications to their standard application libraries, which means that problems I saw once tend not to come back across their entire group.&lt;br /&gt;&lt;br /&gt;How are these vulnerabilities discovered? A web application vulnerability scanner - &lt;a href="https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;amp;cp=1-11-201-200%5E9570_4000_100__"&gt;WebInspect&lt;/a&gt; in this case - provides most of the vulnerability testing. Manual testing, while often deeper and more likely to find corner cases for vulnerabilities, doesn't scale as well into an environment with limited resources and a large number of applications. Automated testing systems are also great to help cover some gaps in skillset. As Jeremiah Grossman &lt;a href="http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html"&gt;points out&lt;/a&gt;, they may simply cover low-hanging fruit, but that can be very valuable.&lt;br /&gt;&lt;br /&gt;Do you have a unique or creative internal process to make sure that your organization keeps web application vulnerabilities from recurring?</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/6438654432616095489/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=6438654432616095489" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6438654432616095489?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/6438654432616095489?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/5ijUCudyrWU/making-web-application-security.html" title="Making Web Application Security Controls Repeatable" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/making-web-application-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4EQXo5eyp7ImA9WxNRGUk.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3060775372971744796</id><published>2009-09-14T12:15:00.001-04:00</published><updated>2009-09-14T12:15:00.423-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-14T12:15:00.423-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="atm skimming" /><category scheme="http://www.blogger.com/atom/ns#" term="ATM skimmers" /><title>Brazilian ATM Skimmer Installation Video</title><content type="html">LiveLeak 
has great footage of an ATM skimmer being installed in Brazil, as well as the police arrest that followed. Note - LiveLeak itself may not be safe for some work environments due to adult ads.&lt;br /&gt;&lt;br /&gt;&lt;object height="370" width="450"&gt;&lt;param name="movie" value="http://www.liveleak.com/e/074_1252777692"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.liveleak.com/e/074_1252777692" type="application/x-shockwave-flash" wmode="transparent" height="370" width="450"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;The first few seconds are a quick lesson in how easily these skimmers can be attached.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3060775372971744796/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3060775372971744796" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3060775372971744796?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3060775372971744796?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/aM8DjFeidEI/brazilian-atm-skimmer-installation.html" title="Brazilian ATM Skimmer Installation Video" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/brazilian-atm-skimmer-installation.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkMER349eip7ImA9WxNRFko.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-7043549624066326982</id><published>2009-09-11T08:00:00.001-04:00</published><updated>2009-09-11T08:00:06.062-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-11T08:00:06.062-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security humor" /><category scheme="http://www.blogger.com/atom/ns#" term="Ponzi schemes" /><title>Security Humor: Indiana State Government Ponzi Scheme Education</title><content 
type="html">Google text ads can sometimes be a bit humorous, as seen in this example:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wgqJ4KQQva8/SluEp-_phlI/AAAAAAAAAKw/bGonQUp6_xQ/s1600-h/in_ponzi.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 245px; height: 70px;" src="http://2.bp.blogspot.com/_wgqJ4KQQva8/SluEp-_phlI/AAAAAAAAAKw/bGonQUp6_xQ/s320/in_ponzi.jpg" alt="" id="BLOGGER_PHOTO_ID_5358022038506800722" border="0" /&gt;&lt;/a&gt;I knew there was a reason that our budget wasn't as bad as those in other states. Of course, I wonder if the Secretary of State also teaches advanced Ponzi schemes...</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/7043549624066326982/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=7043549624066326982" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7043549624066326982?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/7043549624066326982?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/VFB9v9WDWqI/security-humor-indiana-state-government.html" title="Security Humor: Indiana State Government Ponzi Scheme Education" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_wgqJ4KQQva8/SluEp-_phlI/AAAAAAAAAKw/bGonQUp6_xQ/s72-c/in_ponzi.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/security-humor-indiana-state-government.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkAAQ3o6cCp7ImA9WxNRFk8.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-5206841037353749445</id><published>2009-09-10T20:25:00.000-04:00</published><updated>2009-09-10T20:25:42.418-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-10T20:25:42.418-04:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="security education" /><category scheme="http://www.blogger.com/atom/ns#" term="EDUCAUSE" /><category scheme="http://www.blogger.com/atom/ns#" term="security videos" /><title>EDUCAUSE's 2009 Video and Poster Contest Winners</title><content type="html">&lt;a href="http://educause.edu"&gt;EDUCAUSE&lt;/a&gt; has announced their 2009 security video and poster contest winners. They can be viewed at &lt;a href="http://www.researchchannel.org/securityvideo2009/"&gt;http://www.researchchannel.org/securityvideo2009/&lt;/a&gt;. Previous years can be accessed from the main EDUCAUSE &lt;a href="http://www.educause.edu/SecurityVideoContest"&gt;contest site&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The videos produced for this contest are typically aimed at students, but often address topics that are relevant to the general populace.&lt;br /&gt;&lt;br /&gt;This year, I particularly liked the &lt;a href="http://www.researchchannel.org/securityvideo2009/training_gold.html"&gt;Cyber Security Awareness&lt;/a&gt; video by Nathan Krochmal, and Lenae Boykin's &lt;a href="http://www.researchchannel.org/securityvideo2009/training_silver.html"&gt;10 Most Common Passwords&lt;/a&gt; is quite well done. In previous years, Adam Stackhouse's &lt;a href="http://www-cdn.educause.edu/elements/images/security/video/contest/SEC0601p.wmv"&gt;Laptop Theft&lt;/a&gt; video has been a big hit.&lt;br /&gt;&lt;br /&gt;As with the materials created for this contest in previous years, colleges and universities can use these videos as part of their education and awareness campaigns. They're a great way to add spice to typical student security awareness and education videos, and they've helped to inspire some of our staff and faculty awareness efforts as well.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/5206841037353749445/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=5206841037353749445" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5206841037353749445?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/5206841037353749445?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/sAJEtn6DKO8/educauses-2009-video-and-poster-contest.html" title="EDUCAUSE's 2009 Video and Poster Contest Winners" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/educauses-2009-video-and-poster-contest.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU8EQXY5fip7ImA9WxNRFUw.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-4151147987302120657</id><published>2009-09-09T12:30:00.002-04:00</published><updated>2009-09-09T12:30:00.826-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-09T12:30:00.826-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SMB2" /><category scheme="http://www.blogger.com/atom/ns#" term="Windows security" /><category scheme="http://www.blogger.com/atom/ns#" term="SMB" /><title>SMB2 - 
Breaking Windows From Afar</title><content type="html">&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3463/3348377521_41f282e95c.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 428px; height: 500px;" src="http://farm4.static.flickr.com/3463/3348377521_41f282e95c.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;Creative Commons Attribution License Photo courtesy Justus Hayes / Shoes on Wires / &lt;a href="http://shoesonwires.com/" rel="nofollow"&gt;shoesonwires.com&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Announcements have been making the rounds about vulnerabilities in SMB2, the implementation of SMB in Windows Vista and Windows 7. As posted on &lt;a href="http://seclists.org/fulldisclosure/2009/Sep/0039.html"&gt;Full Disclosure&lt;/a&gt;, in this version of SMB "SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality", which results in a remotely initiated crash of any Vista or Windows 7 machine with exposed SMB services.&lt;br /&gt;&lt;br /&gt;Older versions of Windows, including 2000 and XP, are not affected, as they do not use the new SRV2.SYS driver.&lt;br /&gt;&lt;br /&gt;Another good reminder that SMB shouldn't be exposed on workstations in general, and that if it must be available, it should be locked down to prevent access from beyond your local trusted networks or workgroup.</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/4151147987302120657/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=4151147987302120657" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4151147987302120657?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/4151147987302120657?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/A_et8LYlpLU/smb2-breaking-windows-from-afar.html" title="SMB2 - Breaking Windows From Afar" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/09/smb2-breaking-windows-from-afar.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0cEQX89fyp7ImA9WxNSFEQ.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-164319144320225488</id><published>2009-08-28T17:30:00.000-04:00</published><updated>2009-08-28T17:30:00.167-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-28T17:30:00.167-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="physical security" /><category scheme="http://www.blogger.com/atom/ns#" term="non-lethal weapons" /><category scheme="http://www.blogger.com/atom/ns#" term="LRAD" /><category 
scheme="http://www.blogger.com/atom/ns#" term="Bang Goes The Theory" /><title>Defeating Acoustic Weapons</title><content type="html">&lt;a href="http://www.wired.com/dangerroom/2009/08/british-tv-boffins-battle-sonic-blaster/"&gt;Wired covers&lt;/a&gt; the BBC show &lt;em&gt;&lt;a href="http://www.bbc.co.uk/bang/"&gt;Bang Goes The Theory&lt;/a&gt;&lt;a href="http://www.bbc.co.uk/bang/"&gt;'s&lt;/a&gt; &lt;/em&gt;designs to defeat acoustic weapons like the &lt;a href="http://www.google.com/url?sa=t&amp;amp;source=web&amp;amp;ct=res&amp;amp;cd=1&amp;amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FLong_Range_Acoustic_Device&amp;amp;ei=aieYSrPJAdTFlAflk4GzBQ&amp;amp;rct=j&amp;amp;q=sound+cruise+ship+defend&amp;amp;usg=AFQjCNHudk0utjFSlanzeDj1Si2atp7FLg"&gt;LRAD&lt;/a&gt;&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;and other systems used to help protect cruise ships and for crowd control. As the article points out, simply defending from non-lethal systems may make users more of a target. Does this mean we'll see pirates attacking cruise ships &lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;em&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/em&gt;while wearing giant fishbowl sound dampening helmets? Only time will tell...&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-164319144320225488?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/164319144320225488/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=164319144320225488" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/164319144320225488?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/164319144320225488?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/SOxIRV8B07M/defeating-acoustic-weapons.html" title="Defeating Acoustic Weapons" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/08/defeating-acoustic-weapons.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEQGQ3g4eyp7ImA9WxNSE04.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-3485219885554792283</id><published>2009-08-26T21:17:00.003-04:00</published><updated>2009-08-26T21:25:22.633-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-26T21:25:22.633-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="counterfeiting" /><title>Details: The Most Notorious Counterfeiter</title><content type="html">Details has Albert Talton's &lt;a href="http://men.style.com/details/features/landing?id=content_10837"&gt;story 
online&lt;/a&gt; - he produced over 7 million dollars in counterfeit bills using commodity hardware. An interesting story, and a great lesson about how even the Secret Service can have problems finding counterfeiters, and how easily some of our currency protections can be avoided. Talton's process was ingenious, if flawed - he used the same scan for every bill, making them easier to identify. In the end, a series of mistakes, including those made by the people he recruited to help him, resulted in his capture.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-3485219885554792283?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/3485219885554792283/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=3485219885554792283" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3485219885554792283?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/3485219885554792283?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/qc68kuK7HEM/details-most-notorious-counterfeiter.html" title="Details: The Most Notorious Counterfeiter" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/08/details-most-notorious-counterfeiter.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEAFRn0zeCp7ImA9WxNTEkw.&quot;"><id>tag:blogger.com,1999:blog-6936134049134982166.post-2288763522151038283</id><published>2009-08-13T21:05:00.003-04:00</published><updated>2009-08-13T21:18:37.380-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-13T21:18:37.380-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensic tools" /><category scheme="http://www.blogger.com/atom/ns#" term="computer forensics" /><title>Lessons Learned: Test Your Forensic Tools</title><content 
type="html">&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3159/2787557572_e80bafc4ca.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 500px; height: 333px;" src="http://farm4.static.flickr.com/3159/2787557572_e80bafc4ca.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:78%;"&gt;Creative Commons attribution licensed image courtesy &lt;a href="http://www.flickr.com/photos/scimanal/"&gt;AlexWitherspoon&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;A recent call for a forensic drive copy which had to be done in a limited timeframe prompted a co-worker to dig out his USB to IDE/SATA bridge. Since we were asked to provide some time estimates, and to brush up on our imaging process, he ran a couple of tests on drives we keep for just those purposes. A quick boot of Helix on one of our laptops and he was ready to image the drive.&lt;br /&gt;&lt;br /&gt;As you would expect, he dd'ed the drives, and then checked MD5 sums. For the first test on a small partition, the MD5 sums matched. For the second, larger partition, the MD5 sums didn't. That's not normal - and not something we frequently see. Testing showed that this appeared to be repeatable.&lt;br /&gt;&lt;br /&gt;A repeat, with another USB bridge device returned a correct MD5 sum. If we had used the first bridge device for our image, we might have found out that our image wasn't provably correct hours after we began.&lt;br /&gt;&lt;br /&gt;The moral of the story? Test any device you use for forensic imaging before you have to face a real event. It will help you provide realistic time estimates, allows you to test your process, and might just save your day.&lt;br /&gt;&lt;br /&gt;As for the device? 
The manufacturer is sending a newer model - apparently this isn't an unknown issue.&lt;div class="blogger-post-footer"&gt;&lt;script src="http://www.google-analytics.com/urchin.js" type="text/javascript"&gt;
&lt;/script&gt;
&lt;script type="text/javascript"&gt;
_uacct = "UA-1423386-1";
urchinTracker();
&lt;/script&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6936134049134982166-2288763522151038283?l=devilsadvocatesecurity.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://devilsadvocatesecurity.blogspot.com/feeds/2288763522151038283/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=6936134049134982166&amp;postID=2288763522151038283" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2288763522151038283?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/6936134049134982166/posts/default/2288763522151038283?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/21qx7Qu8iPY/lessons-learned-test-your-forensic.html" title="Lessons Learned: Test Your Forensic Tools" /><author><name>David</name><uri>http://www.blogger.com/profile/00465683521970634631</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="13971210731974409526" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://devilsadvocatesecurity.blogspot.com/2009/08/lessons-learned-test-your-forensic.html</feedburner:origLink></entry></feed>
