LABrat.com - Grant's rants on information security

Judge Orders Defendant to Decrypt Laptop | Threat Level | Wired.com

2012-01-27T13:10:00.000-08:00

Judge Orders Defendant to Decrypt Laptop | Threat Level | Wired.com

This decision has left me wondering, why would someone volunteer to decrypt their laptop? Isn't it the equivalent of telling the police where you hid the murder weapon? You can order someone to do it all you want, but the fact is I can't think of a reason the person would be motivated to give it up. In the end, I guess its the same as a murder weapon; you hope that the more cooperative you are with authorities the less of a sentence you receive as a result of the crime.

This portion of the case was really just a test to see if revealing a password *could* be protected under the 5th amendment, which it is not. I doubt this precedent is going to change much either in police work or in court cases.

Gov't and IP, takedown of MegaUpload.com

2012-01-25T07:50:00.000-08:00

It is an interesting coincidence that in the same week time frame that SOPA/PIPA are to be voted on here in the US, MegaUpload.com is taken offline and its owner being brought up on charges. The US Gov't has conveniently listed them on the home page of MegaUpload.com for us to reference. I think there a couple of interesting points to be made out of these recent events.

SOPA/PIPA are both the wrong tool for the right job. Certainly we expect the government to take steps to protect people's intellectual property (IP) and their copyrights. What we're challenged with, however, is the history of "personal use" when duplicating quality was a problem, and both the originators of the content and the people making personal copies were satisfied with the quality of the copy. Laws and content owners were satisfied (or at least told to be satisfied) with people making copies of media for their own use. Those who are old enough to remember... We copied each other's vinyl albums onto cassette tapes. We made mix tapes from songs recorded from albums or the radio. We bought VCRs specifically to record our favorite TV programs from network, broadcast TV. And all was good, and the law was on our side. Only when technology improved to create near, or even exact, copies of the content were the content providers not satisfied with the laws of "personal use" and sought to change the laws. I would argue that they instead should keep focusing on managing the technology of content delivery. Yes, its a hard problem and one that is going to take a long period of time to resolve. Where content providers are challenged with delivering a product that can be easily copied and distributed, they should not be creating an onerous legal environment which has significant ramifications to more than just their content distribution.
Did MegaUpload.com do something illegal? They should likely be prosecuted for their role in promoting privacy. I say likely, because I'm not privy to the evidence the government has. In matters of prosecution for information security related things, they've been pretty good. The fact that Kim Dotcom barricaded himself in his mansion on the distant island (at least from the US authorities) of New Zealand probably says something about how he feels about his own business dealings as well. Not that its evidence of wrongdoing but...
Shuttering a site that is not used exclusively by evildoers is not a good solution. There should be a better method for dealing with shutting down sites which hold legitimate consumer data. While I believe MegaUpload intentionally catered to the people who wanted to share illegally copied content, I have to imagine that some of that 50 million user base statistic are legitimate users of a functional service. I believe, that similar to how failing banks are transitioned to new banks, sites and data should be transitioned to similar services. How that exactly happens, I'm not sure, and I'm sure it would be challenging, but the point is that consumers are left without their data because the government shut down a site that was providing services to law abiding citizens, unknowingly supporting a (likely) criminal enterprise. People's ownership and stewardship of their data is going to become more and more of an issue as our lives are increasingly data driven.

Comments? I'd love to hear them.

Chris

LABrat.com

uCertify's Computer Hacking Forensic Investigator PrepKit initial impressions

2012-01-04T12:18:00.000-08:00

I received an offer from uCertify to review their "PrepKit" for the EC Council's Computer Hacking Forensic Investigator certification. Given I'm a security geek and hold several certifications, I thought I'd see what it's like. They call this the 312-49 PrepKit.

Initially, the UI looks good and the process of taking the first assessment test was good. Lets face it, the requirements of a test UI isn't rocket science, however it is hard to do well. I think uCertify has done a good job at this component. I was a little challenged in the initial assessment questions around specific tool names, so I'm eager to understand the rest of the test questions to see if this is a quality test prep for that exam.

As soon as I am done with the full review I will post it for you all.

Thanks!
Chris

Hitler and Cloud Computing Security - YouTube

2011-12-01T11:19:00.000-08:00

If you're involved in managing risk assessments for your organization, you will find this video hilarious. The subtitles are where the action is. This video is priceless...

Hitler and Cloud Computing Security - YouTube

Chris

Help stop SOPA/PIPA and corporate censorship of the Internet

2011-11-28T09:48:00.001-08:00

These pair of bills (Senate and House) need to be defeated. The PROTECT IP Act and the Stop Online Piracy Act both go to far. I don't object to the original intent, necessary, to give copyright holders more capabilities to block those people who are infringing on their legitimate rights, however, these bills are overreaching and put the power in the wrong hands (government driven by business). Please sign up at americancensorship.org and help stop these from being passed.

Chris

top testing tools for SQL injection

2011-06-14T12:15:00.000-07:00

While trying to look up options for testing SQL injection, I came a cross a few you may want to try. I have not tried all of these, but it seems that there isn't a good list of them around that Google can find, so I'm going to make one here. YMMV

Happy hunting!
Chris

99.7% of Android phones leak data, contacts can be downloaded

2011-05-21T22:53:00.000-07:00

Turns out that Google uses tokens for authentication that have an unreasonable lifetime. This isn't the real issue. The problem is that when your phone connects to an open wifi network, the phone attempts to reconnect to all the services, including your Google accounts. This is where your contacts are stored. So...sniff the AuthToken, use it later to authenticate/sync to an account, and wah-lah, p0wn3d.

http://mocana.com/blog/2011/05/17/almost-all-android-phones-leak-account-details/

Gee, nice...

Police: Wireless network [cracker] targeted Seattle-area businesses

2011-04-24T00:15:00.000-07:00

Who knew wardriving could still net credit card data. I was considering getting a laptop mount, but maybe that would just arouse suspicion of wardriving for cracking purposes.

Even more brazen is physically stealing the servers themselves. Having the servers, you'll also have the data.

Police: Wireless network hacker targeted Seattle-area businesses - seattlepi.com

Chris

Wells Fargo says no to personal smartphones and tablets, period | ITworld

2011-04-11T12:36:00.000-07:00

This is an unpopular move, but one that's certain to ensure Wells Fargo data is more safe/secure than the alternative. Wells Fargo has a policy which forces work only and personal only devices, segregating company vs personal data. Letting personal devices onto corporate networks invites potential for data breaches through accidental loss or theft. Even if an Exchange server or a Blackberry Enterprise Server (BES) sets policies on those devices, the fact of the matter is that the organization doesn't own those devices, and cannot bring them back, once a person leaves. I'd bet a significant amount of data stays on the device and can be recovered, even if wiped remotely by the organization.

This particular decision isn't a panacea for security any organization, and won't guarantee data loss prevention, however, it does raise the bar significantly and makes it easier for a company to create and change policies, as well as provides more options for the company to enforce that policy.

Wells Fargo says no to personal smartphones and tablets, period | ITworld

end note: The debate then is can a person be productive if they have to carry two smartphones instead of one? Does the loss of convenience have a direct correlation to loss of productivity? And is the risk worth it, for the sake of increased productivity, especially in these economic times?

Chrome Facebook error, just to help out others...

2011-04-05T10:34:00.000-07:00

When I clicked on an email notification from Facebook I got the error "Only the recipient of a message may view it." My default browser is Chrome, and when it opened up the link, this is what I got. I cut/pasted the link into IE9 and it opened right up. Seems like Facebook has a problem with Chrome at this point.

Chris

Ideal Skill Set For the Penetration Testing | InfoSec Resources

2011-03-24T11:28:00.000-07:00

This is a great article which flushes out a lot of the key things I look for in a good information security professional. If you have this knowledge and mindset, you will always have job security in the information security business.

Ideal Skill Set For the Penetration Testing | InfoSec Resources

Chris

How to Secure Linux Servers :: Basic Linux Server Security

2011-03-24T11:20:00.000-07:00

Looking for a quick start guide to a security standard for Linux server boxes, or looking to secure your own, here's a quick guide for newer users of Linux:

How to Secure Linux Servers :: Basic Linux Server Security

Chris

Facebook open JavaScript hole

2011-02-11T14:59:00.000-08:00

Facebook open JavaScript hole

This is going to be an issue going forward for a large number of users if Facebook doesn't do something different with how they handle applications. Using iframes creates an abstraction that users can't see. The linked Trend Micro blog has this right. Maybe there will be other protections, but at this point it doesn't look good.

Chris

The awesomeness that is Android on HTC Evo 4G

2011-01-24T13:16:00.000-08:00

As I type this, I am sitting in an car repair shop using my Sprint HTC Evo 4G to run PDANet (Android USB tethering application for Internet access) connected to my netbook, using my noise canceling head phones to listen to PaulDotCom (security podcast) using Car Cast Pro (Android podcast downloader/player) as well as updating my podcast feeds. Android and good Internet access is all good...

Chris

missing sound on virtualbox

2010-10-03T16:15:00.000-07:00

So I have a Ubuntu 10.04 host that has a Windows 7 Enterprise guest that has no sound because the Multimedia Audio Controller driver isn't auto-detected by Windows. The solution is to update the driver with the Realtek driver as told by the following blog.

Woo hoo, sound! Now to plug something into the speaker/headphone jack. :-)

http://heratech.net/blog/sham/virtualbox-windows-7-no-sound-multimedia-audio-controller-driver-missing

--Chris
LABrat.com

Virtual box error NS_ERROR_FAILURE (0x80004005)

2010-09-28T09:02:00.000-07:00

Yesterday morning I got the following error message on my Ubuntu 10.4 host, trying to start up my Windows 7 Enterprise (64-bit)Virtual Box guest.

Virtual box error NS_ERROR_FAILURE (0x80004005)

The short answer is to run

sudo '/etc/init.d/vboxdrv setup'

The results are the following, after which the VMs fire up just fine.

cgrant@desktop:~$ sudo /etc/init.d/vboxdrv setup

[sudo] password for cgrant: 

* Stopping VirtualBox kernel module * done.

* Removing old VirtualBox netadp kernel module * done.

* Removing old VirtualBox netflt kernel module * done.

* Removing old VirtualBox kernel module * done.

* Recompiling VirtualBox kernel module * done.

* Starting VirtualBox kernel module * done.

cgrant@desktop:~$

InfoSec monitoring in the hands of non-InfoSec people

2010-08-10T11:55:00.000-07:00

Here's what happens when you give a non-InfoSec person the tools without giving them the training and the duty that comes along with being a professional.

Girl quits her job using a whiteboard, pictures and email

Don't get me wrong, its funny, and we see this type of web usage in companies more often than not, but her conduct was still not professional. She may not be as trusted in her new job.

Chris

LABrat.com

Google Android apps ‘collecting personal data’

2010-08-07T09:18:00.000-07:00

Google Android apps ‘collecting personal data’

This article isn't that surprising. I'm actually surprised that its not more of an issue, meaning that we've not seen web browser history being sent back and even keyloggers being put into Android apps. With the proliferation of smartphones and people's shift to performing more and more financial transactions through their phones, this is the next ripe target for malware writers. It would seem that they've largely stuck to writing malware (viruses, keyloggers, etc) for the Windows population, but writing apps for Android apparently is quick and easy. AND there's little scrutiny to getting an application into the Google Marketplace.

Maybe Apple's model of tight control over their store is good, it just has to be tuned to look for security issues. It would be great to have a set of tools/apps that they could run an app through as a security assessment and evaluation to whether or not this application needs to gather phone numbers, voice mail numbers, etc. Control, document and push back if there's no logical reason why this information needs to be gathered. Doing this would protect the users and be doing a service to the #1 smartphone OS being sold at this time.

The new Facebook issue is the same old Facebook issue, yet again

2010-07-31T22:58:00.001-07:00

The Facebook Data Torrent Debacle

Security dude, Ron Bowes, did a couple of notable things. He programmatically gathered, or harvested, names and profile links of 171 million Facebook users. This was publicly available information so he did not have to break into anything to do this. He simply wrote a script to plow through all of the data he could find through Facebook's public profile directory. He then took it and provided a way for people to download the large amount of data that he gathered.

The media (I guess me too at this point) latched on to this and started talking about it. While this is interesting data, the fact of the matter is that it shouldn't be that surprising. If you've made your data public, then that means that people will be able to see it. The fact that only about a third of the total number of Facebook users are in the directory should tell you that many people have changed their settings to prevent this. If you don't want people to see your information, change your permissions so they don't. Or, as always, don't use social networking sites all together if you don't want to be discovered online.

My last thoughts on this are more from a core information security operations perspective. It would seem that Facebook doesn't have anything in place to detect large scale probing, scanning or harvesting data from their sites. There doesn't seem to be any sort of traffic analysis or monitoring of their internet property to detect when someone is working to gather all of the information they can from their site. Facebook seems to have faith in the code that their publishing to the Internet is solid and secure, and that only the information they are intentionally sharing is the only information they're actually sharing. Because of this, I guess they wouldn't necessarily need to have this level of visibility or awareness, but when is the last time any developer or company was 100% sure of their Internet-facing applications and what vulnerabilities they have? Could they have prevented this? Should they have prevented this?

Chris

LABrat.com

Combining Google "mere mortal" accounts with Google Apps accounts

2010-07-28T15:48:00.000-07:00

Looky, I'm posting under my own LABrat account on Blogger!

This has been possible as a result of new efforts from Google. It hasn't been set up globally, but you will soon be able to use more of Google's apps through your own Google Apps hosted domain. If you've never been exposed to how Google Apps work, they had offered a stripped down set of their services aimed at enterprises, or what they thought enterprises would want. For instance, Google Reader, Blogger.com and Google Voice wouldn't allow you to log in, even though you knew that your accounts were "Google accounts", their systems differentiated between a normal, public Google account and a Google Apps account. Google is now finally getting around to offering other services for their Google Apps customers.

From an Information Security perspective, there's some things to consider. You are now tying more and more services to one login/userid. This means you're putting all your authentication and authorization for all those services into one basket. Do you trust Google? Do you trust that the security of your userid/password is good? Reminder, they were recently the target of an attack by the Chinese government where source code was stolen for their authentication system, or so the news media outlets report. That being said, and maybe I'll regret saying this, but I'm not too concerned, given these types of events tend to create change within a company. Why does it take something really bad to make people pay attention? I'm not sure, but its human nature and happens, over and over again (*needs citations :-) but I'm sure you also recognize this).

The whole Google/Google Apps account authentication merger is still in beta, but transitioning data/accounts seems to work okay, although each service has its own way of doing things. Like Blogger, for instance, I just had to set up my account and then give it admin rights. Google Voice requires you to do a transfer from one account to another, which according to their instruction page, isn't actually supported for Google Apps accounts. So, they'll need to clean up some things.

Anyway, I'm glad to see that this is happening. Makes my Google life a lot easier.

Chris
LABrat.com

Making all your mailto: links work for Google Apps hosted email

2010-07-22T23:16:00.000-07:00

So, one of my users on my personal Google Apps domain (my Dad) asked the same question that I had written off as a normal inconvenience of using web-based email. Not having an actual, physical application my desktop to associate with the mailto: links on webpages means that every time I click on a link an unconfigured Outlook fires up. Annoying. And then my Dad asked me about it, so I had to get to the bottom of this.

After a little searching I found that there is Gmail Notifier and other like applications, but they seem to only work with Gmail accounts, not Google Apps hosted email accounts. Then I found this article, which I'm summarizing and reprinting, just in case the Google Support Forum goes away, and to make this easier to find in search engines.

http://www.google.com/support/forum/p/Google+Apps/thread?tid=78ea6533155ea1fe&hl=en

Edit the following text and make it into a reg file before applying it by replacing yourdomain.com with your Google Apps hosted email domain.



Windows Registry Editor Version 5.00



[HKEY_CLASSES_ROOT\Gmail.Url.Mailto]

@="URL:Mail Protocol"

"URL Protocol"=""



[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell]



[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell\open]



[HKEY_CLASSES_ROOT\Gmail.Url.Mailto\shell\open\command]

@="rundll32.exe url.dll,FileProtocolHandler http://mail.google.com/a/yourdomain.com/?extsrc=mailto&url=%1"



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail]

@="Gmail"



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Capabilities]

@=""

"ApplicationDescription"="Gmail"

"ApplicationName"="Gmail"



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Capabilities\URLAssociations]

"mailto"="Gmail.Url.mailto"



[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]

"Gmail"="Software\\Clients\\Mail\\Gmail\\Capabilities"



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols]



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto]

"URL Protocol"=""



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto\shell]



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto\shell\open]



[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Gmail\Protocols\mailto\shell\open\command]

@="rundll32.exe url.dll,FileProtocolHandler http://mail.google.com/a/yourdomain.com/?extsrc=mailto&url=%1"

Save the above text as a .reg file. Then double click on it to import it into your registry.

Lastly, go into your Internet Options in Internet Explorer and change your default MAILTO application to the new Gmail application.

All done!

Chris
LABrat.com

Fresh security feature in the new Android 2.2

2010-07-19T09:47:00.000-07:00

Fresh security feature in the new Android 2.2
I meant to blog about this a while back. It looks like Android phones are prepping to become enterprise-capable, given the addition of centralized controls over security features. Does anyone know if these have been incorporated into any commercial software? I would hope that Exchange would soon be able to control Android phones as well as iPhones and Windows Mobile, as they do now.

Chris
LABrat.com

New logo and CafePress store, now open! :-)

2010-07-19T09:43:00.000-07:00

I've put together a CafePress store of the new logo you've seen on the site put onto various gear, so if you're a fan, you can buy stuff through the store with my logo on it. I know there's tons of other things they make, but my logo, as is, only really looks good on things that are white.

Anyway, check it out. LABrat.com Gear at CafePress

LABrat.com
Chris

How to tell the difference between Geeks and Nerds

2010-07-13T15:34:00.000-07:00

I hear today is "embrace your geekness day". I'm not sure if that's true or not, but regardless this is a pretty good WikiHow article about the definition of Geeks and Nerds. I think the Internet as a whole is coming to some more solid definitions of what a geek is and also what a nerd is. Geeks rule!

My license plate on my vehicle has GEEK on it. :-)

Chris
LABrat.com

Somewhere 'security by obscurity' actually helps: power grids

2010-07-13T15:19:00.000-07:00

As it turns out, the old 'security by obscurity' approach does actually work in some place, like electric power grids. This Wired article talks about what it would really take to manipulate electricity in the United States. While its not insurmountable to achieve domination and control over the power distribution system, it takes a whole lot of knowledge that your'e not going to gain through casual reading at home. This was a good read.

Chris
LABrat.com