Musings of an Over-Grown Dwarf

Using Laser To Fingerprint Paper

noreply@blogger.com (Gadi Evron) — Thu, 18 Mar 2010 14:56:00 +0000

I like it when old technologies and known scientific facts are used in a new way that makes them pure genius.

A discovery of old, which will change the future.

Ingenia Technology Limited today launches an exciting breakthrough proprietary technology, developed by Imperial College London and Durham University - the Laser Surface Authentication system (LSA). The LSA system recognises the inherent 'fingerprint' within all materials such as paper, plastic, metal and ceramics.

The LSA system is a whole new approach to security and could prove valuable in the war against terrorism through its ability to make secure the authenticity of passports, ID cards and other documents such as birth certificates.

This technological breakthrough has been masterminded by Professor Russell Cowburn, Professor of Nanotechnology in the Department of Physics at Imperial College London.

Every paper, plastic, metal and ceramic surface is microscopically different and has its own 'fingerprint'. Professor Cowburn's LSA system uses a laser to read this naturally occurring 'fingerprint'. The accuracy of measurement is often greater than that of DNA with a reliability of at least one million trillion.

The inherent 'fingerprint' is impossible to replicate and can be easily read using a low-cost portable laser scanner. This applies to almost all paper and plastic documents, including passports, credit cards and product packaging.

An interesting day in information security

noreply@blogger.com (Gadi Evron) — Thu, 18 Mar 2010 14:10:00 +0000

A Mafia boss was caught because of his using Facebook, while unrelated to that the EFF released the result of their Freedom of Information request for material on how law enforcement uses social networking to investigate suspects. "under cover".

The SEC moved to freeze portfolios and accounts following attacks by a Russian hacker, who manipulated stocks.

InfoSecurity magazine has a story on espionage in sport, mentioning how where there's a motive, cyber-crime follows.

And of course, the leading story (which I discovered thanks to a post on Facebook by Dave Aitel) is how an hacker (if that is a descriptive word in this case) broke into 100 cars to cause inconvenience, such as honking, or immobilizing customer the cars.

He hijacked the remote control system ("web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments") by logging on with an account of an employee. He used to be an employee himself, until fired later on.

Also, check out this extremely interesting paper from Cormac Herley at Microsoft Research on why people reject security advice:
So Long, And No Thanks for the Externalities:
The Rational Rejection of Security Advice by Users

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Email Portability Approved by Knesset Committee

noreply@blogger.com (Gadi Evron) — Mon, 22 Feb 2010 15:06:00 +0000

The email portability bill has just been approved by the Knesset's committee for legislation, sending it on its way for the full legislation process of the Israeli parliament.

While many users own a free email account, many in Israel still make use of their ISP's email service.

According to this proposed bill, when a client transfers to a different ISP the email address will optionally be his to take along, "just like" mobile providers do today with phone numbers.

This new legislation makes little technological sense, and will certainly be a mess to handle operationally as well as beurocratically, but it certainly is interesting, and at least the notion is beautiful.

The proposed bill can be found here [Doc, Hebrew]:
http://my.ynet.co.il/pic/computers/22022010/mail.doc

Linked to from this ynet (leading Israeli news site) story, here:
http://www.ynet.co.il/articles/0,7340,L-3852744,00.html

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Chuck Norris Botnet and Broadband Routers

noreply@blogger.com (Gadi Evron) — Mon, 22 Feb 2010 14:09:00 +0000

Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by means such as default passwords, constructing a large DDoS botnet. Today this story hit international news.

When I raised this issue before in 2007 on the NANOG mailing list, some other vetted mailing lists and on CircleID here and here, the consensus was that the vendors will not change their position on default settings unless "something happens", I guess this is it, but I am not optimistic on seeing activity from vendors on this now, either.

The spread of insecure broadband modems (DSL and Cable) is extremely wide-spread, with numerous ISPs, large and small, whose entire (read significant portions of) broadband population is vulnerable. In tests Prof. Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not been promising.

Further, many of these devices world wide serve as infection mechanisms for the computers behind them, with hijacked DNS that points end-users to malicious web sites.

On the ISPs end, much like in the early days of botnets, many service providers did not see these devices as their responsibility -- even though in many cases they are the providers of the systems, and these posed a potential DDoS threat to their networks. As a mind-set, operationally taking responsibility for devices located at the homes of end users made no sense, and therefore the stance ISPs took on this issue was understandable, if irresponsible.

As we can't rely on the vendors, ISPs should step up, and at the very least ensure that devices they provide to their end users are properly set up (a significant number of iSPs already pre-configure them for support purposes).

The Czech researchers have done a good job and I'd like to thank them for sharing their research with us.

In this article by Robert McMillan, some details are shared in English:

Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link Systems devices, Vykopal said in an e-mail interview.

A D-Link spokesman said he was not aware of the botnet, and the company did not immediately have any comment on the issue.

Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can infect an MIPS-based device running the Linux operating system if its administration interface has a weak username and password, he said. This MIPS/Linux combination is widely used in routers and DSL modems, but the botnet also attacks satellite TV receivers.

Read more, here.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Mozilla Add-on Policies and Spyware Surprises

noreply@blogger.com (Gadi Evron) — Thu, 18 Feb 2010 04:16:00 +0000

Following up on my previous post, I wrote a full accounting of how I discovered FlashGot illegitimate behavior, as well as how Mozilla's policies work on such issues:
http://www.darkreading.com/blog/archives/2010/02/mozillas_addon.html

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Flashgot Firefox Plugin Now Spyware

noreply@blogger.com (Gadi Evron) — Tue, 16 Feb 2010 07:45:00 +0000

FlashGot Firefox plugin, a long-time download assistant, now acts like spyware.

It gives you recommendations IN Google search to another search site, according to your searches.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Personal Story, Tactical Communication and Conversation Manipulation

noreply@blogger.com (Gadi Evron) — Sun, 14 Feb 2010 16:52:00 +0000

[syndicated from my personal blog, here]

Going back home from meeting friends for a beer, I was excited. It's not often that I encounter something cool to do which also appeals to my youth's old tactical nature. When I do, I jump it! This is a story of how someone tried to manipulate me, and how I countered.

The two friends with me discussed a fascinating topic I didn't even know existed, and simply because I saw that I could do so, I decided to bring this topic to a larger audience, creating a mini-conference on the subject.

First on my list was to find a location, so I sent an email to a local academic who could be a good partner for this, and called a couple of other friends to get them on board, arranged for speakers, PR and other necessities.

The next day I received an answer with a phone number, and within a few hours had the academic in question on my cell phone. He asked me to call his land line, and I did. Our conversation was very easy-going and friendly in tone. Smiles splattered on our faces.

I told him I am excited to speak with him, as he obviously has more experience on this particular subject. I was differential as academic ego demands, showing him the respect he deserves, but in tone -- I remained an equal.

I made my case, and he cut in, asking "Can you explain what you have in mind? We ran a conference on this four years ago. Do you have something new to warrant an event?"

"No," I answered honestly in an interrupt of my own. He apparently didn't expect that, so I asked to continue my pitch, and then did.

A lot changed in the last four years, and even if not, in a university environment four years ia an eternity -- with many new students who would appreciate this event. I had better arguments than these, and as my purpose was cooperation rather than confrontation, I preferred to move on.

I explained how this topic is exciting, how it has direct impact on both higher education as well as real implications for daily life, governance, and the economy. I used two anecdotal examples to illustrate this, and my excitement probably dripped all over him, even over the phone.

"Well," he responded, "let me tell you about an idea I had."

DING DING DING DING DING
Warning bells sounded in my head. "Happily, what's your idea?

He told me about an event he thought of, which sounded interesting. As he spoke I got about three ideas running in my head on the subject, but I listened quietly. "I would like to work with you, and if you can take some time to think of ideas for what we can do at this event, I'd appreciate us talking about them."

Stay on message

"Of course," I said, "I'd be more than happy to." And I was. "However", I continued with the same breath, "this conversation is about the first idea, so while I'd definitely like to discuss this with you further later, let's stick to the first one for now."

"Alright." he said, and we discussed a bit further, at which point he said "well, last year we ran a small event on this topic, and there was real innovation there which we could showcase. What will be new here?"

I explained a bit more on why I am excited, and why the topic is relevant, and how such an event can be beneficial. Then I decided to change tactics to show my resolve.

Stay on message, clarify position

"As you know, I am a security professional."

"Yes, that is where I know you from. Security, Internet, Cyber Warfare... Why does this subject interest you?"

"Truth be told," I happily jumped in, "I am excited. I learned to be a strategic person, but at heart, I am a tactical person, energized by excitement. I am excited about this topic, and I am willing to put the time into making this event happen. I will make it happen, but as I know of your vast expertise, I decided I must approach you first."

After more deliberation he asked me "What do you think of my event idea? I'd appreciate your opinion on ideas for it, and we can get back together on this after you think about it."

DING DING DING DING DING
Alarm bells rang again.

"I already thought about it, and have three ideas so far."

"Oh, great! What are your ideas?"

I shared two, as my short-term memory had already erased the third. I told him as much, and I think he believed me, but it could be seen as a lure or a trick. We were extremely friendly. He asked me to email him the third one if I remember it. I promised to do so.

Stay on message

"I'd like however, to finish our discussion of my idea for now, as there is a time constraint."

When he heard I want to get it done within a month rather than a year, he was shocked. I told him how excited I am about the specific speakers I want to bring, and how one of them is leaving the country to join his new wife, and he is a major source of my energy for this. I mentioned how I understand if his events schedule is already closed for the coming year, but wanted to make sure and contact him first.

It wasn't my intention to go cold on him or play "girl negotiation" by appearing not interested, but rather to give him way out. But whether it was my excitement or the "girl tactic", or even the ego massage, it seemed to work.

He got excited about this speaker as well, and asked about getting him on video before he leaves. Then....

BANG BANG BANG BANG BANG

A trick I've never seen before, which unlike the ones used up to now, is purely manipulative from whatever perspective you may look at it.

"How about we both take a couple of days to think of our two ideas, then get back together and pick one?"

This is wrong on so many levels. To begin with, his idea is not on the agenda. Second, he assumes I am willing to give up on my idea. Third, he assumes it's one or the other, this is a false choice logical fallacy.

More importantly, with this trick he can potentially achieve four immediately obvious things. First, wipe the slate clean to run his arguments by me again. Second, put distance between the chats so that I have time to move from my strong position, and consider his, perhaps feeling uncomfortable turning him down again. Third, it puts the subject on the agenda. And fourth, potentially try to wear me down, as most people won't call again in two days, or in two months.

I didn't miss a beat.

"I would be happy to discuss your idea separately, it sounds very interesting and I'd be happy to work with you on it. However, my resources are limited and at this time I am only interested in working on this one."

I added my winning argument: "I believe that I can get very good PR coverage for this mini-event, and get cooperation with Famous-Non-Profit which will also be happy to cover a part of the costs."

He lighted up at the mention of PR. We spoke for a bit and he asked me for a few days to speak with his boss. A few days when I have only a month to get things going are critical, so I wasn't happy about it. But the request was reasonable. He threw the ball into my court though, so when I got off the phone, I sent him an email.

I detailed five good ideas for his event, mentioned I was happy to talk with him, and was looking forward to hear from him soon. I also attached my phone number.

As I said when I started this post, he really is a good guy, and very friendly. But he is also a politician. He is an expert communicator who interviewed people live for a decade as a journalist. So while I dislike manipulative behavior I recognize that for some, such behavior is more than acceptable. In fact, it is regular m.o. and needs to be expected as part of the game.

Thing is, even just a few years ago I would have gotten stuck after his first interrupt, and either ended up working on his event without realizing it -- or by being too friendly. Worse still, I could have mishandled the communication in a potentially offensive fashion. Some years ago more, and I wouldn't have been able to play the game, and would have taken offense.

Being able to switch gears into "I'm being manipulated", think fast on my feet with my responses, and keep the conversation on track for my purposes (also the stated agenda of the call) -- all while keeping the rapport going without losing one heart beat, got me very excited. The content of the call was suddenly secondary.

While I am extremely straight-forward and honest in my communication style to a point of bluntness, I am a work in progress and am always learning. And I must admit, when two professionals meet, the conversation is happening on a completely different level. I am just surprised he didn't read through me that I was on to every single trick, when I was able to deflect them all. Or maybe he did and kept throwing them at me anyway to try and outwit me?

The cynic in me may in retrospect reconsider the first thing he ever said to me, to call him back on land line, as a manipulative gesture to get me in a compliant mood. But that would be too paranoid -- wouldn't it?

There are a few issues to consider about this encounter:

1. What was his motive? Perhaps he confused me for a hungry young hot shot, and wanted to use my excitement for his own ends. Perhaps a clear-cut switch-a-roo to get me to work on his event, "stealing" me from mine. Thus, bringing the conversation to where he wants it.

Then again, maybe he was just trying to end the conversation non-confrontationally.

2. His main tricks, in order were: change subject, switch-a-roo, get back together in 2 days.

3. What can you do to counter such tricks? After all, you may not always have a quick wit about you, or know the specific tricks.

The answer is similar to holding your own in politics: Stay on message. Know what your message is and stick to it. Others may try to confuse you, throw you off, and introduce a red-herring such as sending it for discussion in committee. Stay on message.

4. More importantly, the conversation made it clear it is quite possible he has no political power on this front, and thus can't give me what I want anyway.

Which brings us to...

5. What is your goal?
I kept going as I wanted to convince him, and after a fashion, I did get the best possible alternative result. But why keep at it if it won't achieve my goal?

Two tricks such as he used can be excuses as part of natural discussion, at the third, why keep at it? By this time it is clear to both sides what's going on and no positive result can come out of it.

More importantly, my purpose is to achieve a goal, and if I am not going to, why stay on a call that is probably uncomfortable for at least one of the sides, and as sure as the sky is blue, wastes my time?

If my purpose is not adversarial, why treat the situation as a battle? Cooperative discussion is a much better approach. As no cooperation was likely to happen, keeping the discussion going was pointless.

In summary, it didn't work out. But you should not get me wrong, I have a lot of respect for the guy. But it was one of the more fascinating five minutes in my life these past few months.

Here are some articles I wrote on similar experiences I had:
I'm interested, but in you
Snap! Jazz music and mass hypnosis
WTF! Or, wow, this never happened to me before!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Case study: undetected malware

noreply@blogger.com (Gadi Evron) — Sun, 14 Feb 2010 07:17:00 +0000

In this case study from The George Washington University, researchers Sara Laughlin and Matthew Wollenweber released their work on previously undetected malware they discovered via their IDS system. Unknown to most anti virus products, and proceeded to analyze it:

On January 7th, 2010 GWU ISS Security identified a potential threat by a signature alert on a network sensor. Later analysis confirmed a security threat not currently detected by most antivirus products. This report details how the malware was detected and the analysis of the threat. Additionally, we hope this informs readers of a current threat.

This report underscores how anti virus products while a critical part of any computer's security, are insufficient by themselves, and inherently incomplete as a reactive solution.

I applaud the good work from the researchers, and even more, the fact they took the time to write and to release this report. These are barely ever public, and they earned my respect.

You can read the complete article here:
http://www.cyberwart.com/blog/2010/01/09/undetected-malware-case-study-jan2010-01/

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Security PR: Article Series

noreply@blogger.com (Gadi Evron) — Mon, 08 Feb 2010 09:19:00 +0000

In a five-part article series on Dark Reading, I explored how tech and security companies can be more successful with PR, and build their brand by discovering the wealth of resources they already have.

Many companies I contract with ask me one of the following questions: What is a good PR strategy for releasing a security vulnerability? What if we have nothing to say to reporters? Many people speak of social networking, what's real? How do we get our name out there?

A previous series on articles I wrote was on Lessons I Learned from Cybercrime.

I started this series on PR almost by accident, when discussing why some security blogs are more successful than others, and continued with articles trying to answer some of the other questions.

The Secret Sauce For Security Blogging

About how some security blogs manage to engage their audience better than others and make their readers feel more in touch with what's happening -- on top of earning credibility.

Security PR: How To Talk To Reporters

Here are some tips for security professionals and security public relations representatives on how to pitch reporters when you have something new and exciting to share.

Security PR: How To Disclose A Vulnerability

When your team discovers a new security vulnerability in a third-party product, there are ways to handle it correctly to achieve maximum visibility.

We Have Nothing To Say -- Or Do We?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?

'Brand' Your Employees

You might want your product to be in the news every day, and for your PR to create miracles for you. But if you want attention, then your company must speak out on big security issues and news. But there are challenges, and your employees may be the answer.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Corporate espionage in the news: Hilton and the Oil industry

noreply@blogger.com (Gadi Evron) — Tue, 26 Jan 2010 06:42:00 +0000

Is anyone calling espionage by means of computers cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.

Two news stories of computerized espionage reached me today.

The first, regarding the Oil industry, was sent by Marc Sachs to a SCADA security mailing list we both read. The second, about the hotel industry, was sent by Deb Geisler to science fiction convention runners (SMOFS) mailing list we both read.

US oil industry hit by cyberattacks: Was China involved?
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

Starwood Charges That Top Hilton Execs Abetted Espionage
http://www.meetings-conventions.com/article_ektid31918.aspx

Starwood's claim points to a "mountain of undisputed evidence," including e-mails among Hilton senior management, that Klein and Lalvani worked with others within Starwood to steal sensitive documents by sending them via personal e-mail accounts, among other methods, and that such information was shared and used by all of Hilton's luxury and lifestyle brands, as well as in the development of Hilton's now-shelved Denizen brand. In the new filing, Starwood says, "This case is extraordinary, and presents the clearest imaginable case of corporate espionage, theft of trade secrets, unfair competition and computer fraud...Hilton's conduct is outrageous."

As to whether China is involved, maybe. But the automatic blaming has got to stop. Many other countries have been known to be conducting corporate espionage, such as France, and as the second story above shows, so do corporations themselves.

But.. here are a few questions:

- My dog barked, was China involved?
- The traffic light turned red, was China involved?
- I am tired. Is China involved?

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Bill Brenner Joe Jobbed by a Facebook App

noreply@blogger.com (Gadi Evron) — Sun, 24 Jan 2010 17:08:00 +0000

My friend Bill Brenner, editor of CSO Magazine, just warned friends in his Facebook status message that someone may be trying to get them to add an application to their wall by using his name.

Bill Brenner: Some cyber-dope is apparently trying to use my name to infect your machine with the message "Bill Brenner has posted something on your wall." Do not click on it. It's a trick. Repeat: If you get a bunch of messages from me saying I posted something called "news feed" on your wall, do not allow the app access.

I don't know if this is targeted against Bill (if so, congratulations Bill! Your made it!) or if a malicious app is using names of friends to get people to add it. But this is certainly an interesting development.

Bill, stay strong and ignore. I passed it over to Facebook security. And people, remember to be careful of what you click on!

This is why I like Bill, he immediately warned everybody.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Perhaps it's time to regulate Microsoft as critical infrastructure?

noreply@blogger.com (Gadi Evron) — Sat, 23 Jan 2010 06:38:00 +0000

Microsoft has put a lot into securing its code, and is very good at doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6 months without patching (such as the Google attacks 0day apparently was) and the policy of waiting a whole month before patching this very same vulnerability when it first became an in-the-wild 0day exploit (it has now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Large Hadron Collider, Nessus, and the InterWebz

noreply@blogger.com (Gadi Evron) — Sat, 23 Jan 2010 06:08:00 +0000

CERN put the Large Hadron Collider through some rigorous tests, and apparently at first some of the Siemens manufactured SCADA systems failed. While they are apparently better now, and I am happy to see how serious CERN is about security, this does beg the question.... WAIT! You mean it's connected to the Internet? I suddenly don't feel so safe.

Protection against external access
‘Redundant installations such as the Simatic S7-400H fault-tolerant type of controllers may offer a high degree of operational safety. But who can guarantee that no one will take over the controller, crash it and compromise its security?’ asks Dr. Stefan Lüders from the computer security team of the IT department at CERN. ‘Most controllers, field devices and even actuators are now directly connected to Ethernet.’

The team led by Dr. Lüders therefore developed a special test bench for dedicated examination of the vulnerability of controllers, SCADA (Supervisory Control and Data Acquisition) systems and other Ethernet-connected devices in the market to cyber-attacks. This not only relates to protection against hackers with more or less criminal intent, but also against viruses and worms that can be introduced through a variety of channels—including USB sticks and CF cards. In contrast to the usual patches that can be installed in an office environment, controllers cannot be easily updated daily with the latest antivirus protection, even if it is available.

As part of the validation of controllers used at CERN, at the test bench on Control System Security at CERN (TOCSSiC), 31 devices from seven manufacturers were systematically tested for penetration resistance with the vulnerability scanners Nessus and Netwox. Taking all different firmware versions into account, this led to 53 tests in total. In addition to interference through overload (Denial of Service, DoS), the tests also included provoked attacks on vulnerabilities in operating systems by infiltration of malicious software and ‘malicious’ manipulation of TCP/IP-based protocols. About one third of the tested devices failed these tests and has shown severe security problems.

Approximately one third of the devices came from the Simatic S7 product series, some with an integrated Ethernet interface, some with separate communication processors, such as the CP 343-1 Lean for the S7-300 series.

The poor test results led to a ‘very productive interaction with Siemens’ and ultimately made ‘Simatic controllers significantly more secure over the years; now they meet the stringent requirements at CERN,’ summarises Dr. Lüders.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

China's CNCERT response to Google

noreply@blogger.com (Gadi Evron) — Sat, 23 Jan 2010 04:14:00 +0000

China responds to Google's accusations on its CNCERT web site, here.

Johannes Ullrich just brought this to my attention on Facebook.

In short, CNCERT wrote that China is the biggest victim of cyber attacks, and that Google lacks evidence to link the recent attacks to China as the perpetrator.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Traffic Video Ads Replaced with Porn

noreply@blogger.com (Gadi Evron) — Sat, 16 Jan 2010 10:13:00 +0000

Fergie (Paul Ferguson, one of my favorite people in the world), posted a news item to the funsec mailing list:

Traffic jerked to a standstill as rubbernecking motorists ogled a pornographic clip posted by hackers on big-screen video billboards in Moscow, Russian news agencies reported Friday.

The company that operates the billboards, Panno.ru, said hackers were behind a graphic sex video broadcast late Thursday night on two roadside screens along Moscow's Garden Ring Road, one of the city's busiest arteries.

"This was an attack by hackers on the computers, as a result of which one of the commercial video clips was swapped for an indecent video," Panno.ru commercial director Viktor Laptev told RIA-Novosti.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

China Hacks Google, Etc.

noreply@blogger.com (Gadi Evron) — Fri, 15 Jan 2010 11:55:00 +0000

Many news sources are reporting on how Google and other corporations were hacked by China.

The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day.

Unlike my colleagues (save for the ones reporting), I rather not discuss this too much before more data is available.

Regardless of what really happened, which I hope we will know more on later, these things are clear:

1. Unlike GhostNet, which showed an interesting attack, but unfortunately many of us jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement.

2. The 0day disclosed here shows a higher level of sophistication, as well as m.o. which has been shown to be used by China in the past.

3. If this was China, which some recent talk seems to make ambiguous, but still likely; they would have more than just one weapon in their arsenal.

4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Online Pharmacy Scammer Speaks

noreply@blogger.com (Gadi Evron) — Thu, 14 Jan 2010 10:29:00 +0000

Reddit has an interesting subsection called IAmA, AMAA -- I am a... Ask me absolutely anything -- in which different people with varying life stories open up and let people ask them questions. One of the most recent IAmA's is from a person who used to work as a fake doctor at an online pharmacy. A good read:
http://www.reddit.com/r/IAmA/comments/apcv0/i_was_a_doctor_at_an_online_pharmacy_i_did_not/

A few months a go a "legal" spammer spoke out on IAmA, as well:
http://www.reddit.com/r/IAmA/comments/9xrn1/iama_person_who_sends_spam_email_for_a_living_ama/

Enjoy,
Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Getting back at the TSA

noreply@blogger.com (Gadi Evron) — Tue, 12 Jan 2010 11:32:00 +0000

Many in the security community are continually annoyed with the TSA and air safety, mumbling security theater this and idiots that. Following the undies bomber incident, these mumbling turned into rumblings, and then into a "let's get back at the TSA" joking spree, which I was more than happy to jump ahead of.

via AppleGeeks Lite 561.

And indeed, folks on the funsec mailing list had some fun with it.
phester wrote:

I've considered carrying a bag of dildoes when I fly. I imagine a conversation something like this;

TSA: What's this?!?

Me: A bunch of dildoes.

TSA: Why are you carrying a bunch of dildoes?

Me: It makes me feel safe.

TSA: How does a bunch of dildoes make you feel safe?

Me: I've been asking the same thing since they created the TSA.

This was indeed fun, and we had a good laugh. Erik Harrison replied with the often quoted TSA joke:

TSA: "Nine times out of ten, it's an electric razor but, every once and a while, it's a dildo. Of course, it's company policy never to imply ownership in the event of a dildo. We have to use the indefinite article. A dildo, never your dildo."

After a bit more fun, I responded seriously:

If it was me, I would say it was my dildo every time. It would be interesting to see their faces, but more importantly, if it's not mine, it might be a terrorist who put it in my bag. Bad idea: an exploded bag, a cavity search and 3 hours to 3 days later...

But more than the TSA not having a sense of humour, this is really about respect, and about understanding that they can take no chances with you not being serious:

It's great to joke about, but not to practice as a joke. As I said earlier, bad idea.

Don't mess with:
1. People trying to do their jobs.
2. People who are on alert for criminals and terrorists.
3. People who have the power to arrest you.
4. People who have guns to do their job.
and:
5. People who are forced to check you completely with the mere mention of a joke, as it might not be a joke.

All-in-all, we had a good time playing with this, but we should all keep in mind that regardless of what we may think of the TSA and others around the world, some jokes are just not worth the price of a cavity search -- or at the very least 10 more minutes in line.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

New subject specific blog from me: Pathos Daily

noreply@blogger.com (Gadi Evron) — Tue, 12 Jan 2010 09:59:00 +0000

I have been interested in human communication for a while now, be it debate and rhetoric on the one hand, or social/non-verbal psychology and persuasion on the other. I often come across links of interest, and share them with friends. Or have thoughts on the subject and share them here.

I decided that with the effort of emailing out links, I can also easily blog them. And so, I started a new blog on this subject matter, to specifically post links to interesting news stories and comic strips.

It is called Pathos Daily, and you can read it at:
http://pathosdaily.blogspot.com/

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Funny! Mario & Luigi on Omegle: Password Social Engineering

noreply@blogger.com (Gadi Evron) — Sun, 10 Jan 2010 13:30:00 +0000

This is a funny picture describing a chat on Omegle, which not only made me ROFL, but also teaches social engineering!

Sometimes learning about security and hacking can come from odd sources. :)

Gadi Evron,
ge@linuxbox.org

Follow me on twitter! http://twitter.com/gadievron

Putting Trojan Horses on Chips!

noreply@blogger.com (Gadi Evron) — Fri, 08 Jan 2010 18:45:00 +0000

This is a story about a contest to put Trojan horses on chips. Very interesting from an hardware hacking perspective, as well as a trusting trust and supply chain security perspective.

5 January 2010—In November, engineering students from five top universities gathered at the Polytechnic Institute of NYU, in Brooklyn, N.Y., for the Embedded Systems Challenge. The aim was to test new attacks and defenses against an underappreciated breed of Trojan horse—embedded malware built into integrated circuits.

The winning team’s results, set to appear in journals and at conference proceedings in 2010, reveal how vulnerable many systems are to "chip attacks" The contest also demonstrated the high degree of technical sophistication required for these attacks, making it more likely that attackers will pursue specialized applications, such as sensitive military equipment or high-security financial computers. Attacking Dad’s new Windows 7 PC probably isn’t worth the extreme investment of time and money—especially when cheaper and quicker phishing and software-based malware attacks still work all too well.

Definitely worth a read!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Air Travel Security: Practical Industry Suggestions From Us

noreply@blogger.com (Gadi Evron) — Wed, 30 Dec 2009 01:18:00 +0000

I am just a security guy, as are many others who will read this. Perhaps it is time us "simple" security guys got together and write some recommendations for air travel security? Get our voice out there as an organized professional group, which can in turn lobby for our professional recommendations.

Then we can edit them, vote on them, and submit them to the government for consideration in the upcoming brouhaha of committee discussions.

Here are mine, just to get the ball rolling:

Strategic:
0. Review useless technologies which are there for beyond the security theater purposes (which do matter) and start eliminating bad projects. Your purpose in security theater was to maintain air travel and keep people calm, right?
1. An investment in better intelligence (no brainer)
2. Create a "always strip-search" list rather than just "no fly" list., so that lesser threats can be dealt with responsibly without compromising the usefulness of the no fly one. I am sure they already have one, but they should layer this rather than deal with extremes.
3. Hire better agents (education/ability... better pay). Should be a small increase per person, but it will cost a lot in total. Then again, how much do all the current b/s additions cost?
4. Yours?

Tactical:
1. Copy Israel's air security training manual for agents. Israel's tactics may not be able to scale to the US level, but the training can.
2. Stop panicking and alienating people, so they are calmer and you can more easily identify suspicious people, so that this new training is more effective. Heck, do it anyway. Send TSA agents to some workshop on being nice. Or make shifts shorter.
3. Put "human sniffer" walk-through machines in every airport, for international flights.
4. Buy the better brand of baggage screening && X-ray machines for international flights (remember the liquid issue with checking for explosives in the last scare?)

5. Some people suggested to start profiling and leave PC behind, but I'm not touching that.
6. Yours?

Some of these are very high cost. Some of these are (on scale) very low cost.
Some of these should replace other high-cost idiocies, such as creating two new mega-airports, which is sound security-wise, but will only add an hop to the threat to jump over, with the same silly tests in yet another airport, rather than add a filter. Or full-body scans which will be of limited help, and insult us all.

What are yours? Join the discussion!

Gadi Evron,

ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Spymaster sees Israel as world cyberwar leader

noreply@blogger.com (Gadi Evron) — Fri, 18 Dec 2009 17:28:00 +0000

Reuters reports from the Institute for National Security Studies (INSS), a Tel Aviv University think tank, where Major General Amos Yadlin, IDF chief of military intelligence, spoke:

In a policy address, Major-General Amos Yadlin, chief of military intelligence, listed vulnerability to hacking among national threats that also included the Iranian nuclear project, Syria and Islamist guerrillas along the Jewish state's borders.
Yadlin said Israeli armed forces had the means to provide network security and launch cyber attacks of their own.

He further said, as mentioned in this Israeli publication, that other countries, such as the United States and Great Britain, are establishing units for cyber defense, and that Israel has soldiers and officers on the job.

In fact, just today I heard a lecture by the director of the CIA who, as is general United States policy, places cyber security on the map when discussing issues such as proliferation of nuclear weapons and international terrorism.

HaAretz, an Israeli newspaper, quotes Major-General Yaldin as saying:

"Fighting in the cyber dimension is as significant as the introduction of fighting in the aerial dimension in the early 20th century." (my translation)

If this statement is to be believed, Israel is active in cyberspace. And yet, why would Israel admit that, regardless of if it really happens?

One option is that Israel decided it needs to show that its military is on par with other militaries around the world.

"Preserving the lead in this field is especially important given the dizzying pace of change," Yadlin said.

On the surface, disclosing cyber space activity, which your enemies can develop as well, or push to develop more of, seems silly.

After all, Major-General Yadlin said:

"Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states,"

As Israel, much like the Western world, is very advanced technologically, it is more reliant on computers than many of its enemies and neighbors, and is therefore more at risk from potential cyber attacks. With attacks against Israel's internet presence these last few years, it may not be a silly idea after all.

With the world becoming more aware of threats to computer systems, investment in cyber security rising and more and more security incidents being disclosed; countries around the globe invest in cyber capabilities. Indeed, Israel too, which has been under internet attacks for years, needs to buckle up and do more to combat the threats.

Major-General Yadlin also mentioned cyber attacks fit well with Israel's doctrine for military offensives (mistranslated below as defense). This bit is tricky, and I will try and read between the lines.

"I would like to point out in this esteemed forum that the cyberwarfare field fits well with the state of Israel's defense doctrine,"

While Major-General Yadlin in all probability meant something along the lines of being bold and staying ahead of the curve, as in the same sentence he also spoke of Israeli youth and innovation, mentioning how Israel is often referred to as the "start-up country":

"This is an enterprise that is entirely blue and white (Israeli) and does not rely on foreign assistance or technology. It is a field that is very well known to young Israelis, in a country that was recently crowned a 'start-up nation'."

It is possible, although unlikely, that he meant to indeed discuss Israel's defense doctrine, thus possibly speaking about deterrence in cyberspace.

Deterrence is an integral part of Israel's defense doctrine, with the goal, in broad lines, of widening the window between inevitable Arab attacks by a strong response, some would say a disproportionate one, which will score a quick and decisive victory. Hopefully deterring them from attacking again. This strategy has roots in Israel's history all the way back to Ben Gurion's time and the formation of Israel.

Deterrence on the Internet, however, is mostly nonsense. This due to inability to identify who it is actually attacking you, and then if somehow successful, if it is really them or if their computer has been taken over by yet another attacker. Is someone trying to frame another as your attacker? Is your attacker even a nation-state to begin with, rather than an organization that doesn't care about retaliation?

On the internet, you may know who your enemies are rivals are, but you may never find out who is attacking you. The Internet is perfect for plausible deniability.

If this was the thinking behind the announcement, which I'd like to think is not the case, then the strategy was copied from the United States where this silliness has been going on now for a few years. The US strategic experts have been using Mutual Deterrence (or MAD, Mutually Assured Destruction) for over 70 years now, and feel comfortable with it. Therefore, when they needed to tackle the cyber realm, they immediately started pushing for a deterrence strategy even though cyber experts have been warning about it continually.

Deterrence for the most part, doesn't work online. It is my hope Israel does not repeat the American mistake on this matter and that I am right, and Major-General Yaldin was only speaking of Israel's spirit, where commanding officers lead the charge rather than wait behind.

From a completely different perspective, cyber warfare has been recognized as a strategic weapon on par with weapons of mass destruction for at least two decades. Israel does not admit strategic capabilities such as Nuclear Weapons, if it has them. Should it admit cyber capabilities?

"The potential exists here for applying force ... capable of compromising the military controls and the economic functions of countries, without the limitations of range and location."

While cyberspace is certainly strategic, the analogy to nuclear weapons is relatively weak.

There are obvious differences between the nuclear world and the cyber world, such as with tactical cyber uses of a very targeted nature -- without collateral damage, and in international law governing the proliferation of nuclear arms, while the cyber realm is in its infancy. In fact, the United States, Russia and the United Nations arms control committee are as I write these lines engaged in early discussions on securing cyberspace, and limiting military use of this realm.

When I first heard of the speech by Major-General Yaldin, I was highly disappointed with Israel for taking this route of public disclosure. Now, I am not so sure.

Disclosing that Israel is ready to defend itself and potentially engage its enemies in cyberspace right along-side the physical world, certainly has merit considering recent world events such as the attacks against Estonia and Georgia. I am just left wondering if this indeed discloses a real capability, or is just public relations.

I can personally attest from my years of defending Israel's internet, that Israel is under constant attack in cyberspace, and this intensifies whenever political tensions mount.

"At times it would seem," said Major-General Yaldin, "that our enemies would like to give a special award to Western companies whose products can be bought off-the-shelf at a reasonable price." (my translation)

Regardless, putting cyber security on the agenda along-side with Iranian nuclear weapons, Syria and Islamist guerrillas, is a step in the right direction to defending against the threats of cyberspace.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Was the ClimateGate Hacker Justified? Join the Debate!

noreply@blogger.com (Gadi Evron) — Thu, 26 Nov 2009 16:27:00 +0000

A few days ago a story broke where someone hacked into a global warming research institute and stole all emails from the past 10 years, proving a conspiracy.

In the vast amount of emails stolen, some emails were also found with clear-cut lies, showing how some scientists conspired to deceive in scientific research about data that did not fit their agenda of proving global warming.

I am opening the subject for debate on the debate mailing list. It is a fascinating topic covering several subjects such as 'does the end justify the means?', 'irresponsible disclosure of personal data', 'is it justifiable to break the law?' and 'civil disobedience and the hackers' role in keeping society honest'.

Here are some possible questions to get the wheels rolling:

- Is the action taken by the hacker legal, ethical, and/or moral? Was the action justifiable?

- Do you believe the harm done as a result is justified for the good (disclosure) that came out of it?

- Can this be treated as civil disobedience?

For background, check out this story:
http://www.examiner.com/x-25061-Climate-Change-Examiner~y2009m11d20-ClimateGate--Climate-centers-server-hacked-revealing-documents-and-emails

Another source:
http://noconsensus.wordpress.com/2009/11/19/leaked-foia-files-62-mb-of-gold/

Join the debate mailing list, now! :)
http://whitestar.linuxbox.org/mailman/listinfo/debate

Please state your opinions openly, and let's discuss!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Announcement: Critical Internet Infrastructure WG is now open to public participation

noreply@blogger.com (Gadi Evron) — Wed, 18 Nov 2009 17:16:00 +0000

ISOTF Critical Internet Infrastructure WG is now open to public participation.

The group holds top experts on internet technology, critical infrastructure, and internet governance, from around the globe.

Together, we discuss definitions, problems, challenges and solutions in securing and assuring the reliability of the global internet infrastructure, which is critical infrastructure for a growing number of nations, corporations and indeed, individuals -- world wide.

The group started as a closed and private forum, to discuss technical and operational risks, as other venues limited discussion of critical internet resources to politically charged subjects such ascontrol of ICANN and ARIN, thus overshadowing other important aspects.

As of November 18th 2009, the list is open for public access, to advance public awareness of the issues, and bring new talent on board.

The group is hosted by the ISOTF, but is governed by members.

Note: SCADA, network operations, and other related issues should be discussed in the appropriate forums, elsewhere. This group deals with the internet.

To subscribe:
http://isotf.org/mailman/listinfo/cii

Gadi Evron for ISOTF-CII-WG.

Follow me on twitter! http://twitter.com/gadievron