Stuffis
Still "Brent's pile o' stuff" but at least now there are sections.
Security
Open Source
DRM
Voting
Jon Stokes at Ars Technica has written an article entitled "How To Steal an Election". The PDF file is available here. (It's copyrighted, but permission is granted to distribute it if you link to the original article and PDF, as I've done here.) The rush to implement touchscreen voting with no paper trail as a backup is extremely worrisome; how long before we have a successful fraud that tips the balance of an election?
Internet/Web
- How to Hack Millions of Routers: a security consultant has brought together several long-standing vulnerabilities, including DNS rebinding, to produce a technique that gives access to the local networks behind Internet routers (DSL modems, including DD-WRT, etc.)
- Another reason why Secret Questions are poor security design
- Dec 2009: Operation "Aurora" (SecureWorks analysis by Joe Stewart) out of China, targeting large companies apparently to steal IP ("espionage-by-malware") — an IE zero-day was one of the vulnerabilities used — McAfee analysis describes "advanced persistent threats" (APTs) (malware designed to hide, conceal, modify data w/o detection) — Wired article
- Nov 2009: Researchers have discovered a TLS renegotiation man-in-the-middle attack — this is a design flaw in the TLS protocol, so many (all) implementations are vulnerable — description of the flaw
- Feb 2009: SSLstrip: A devious little man-in-the-middle tool that changes all https: links to http:, adds a padlock symbol as the favicon, and uses a lookalike character for "/" to make the front part of the URL look like the right server — combined with arpspoof, allows interception of all sensitive traffic on the local network — Forbes article
- Dan Kaminsky talks about browser UI, user expecations, and EV certificates — insightful analysis as always
- Pilosov and Kapela publicize a BGP rerouting method (more) (it isn't really even an "attack" since this is the way BGP is designed to work) which allows someone to intercept (and eavesdrop on) traffic bound for a certain IP range. Mudge from L0pht had already pointed this out a decade ago.
- A nifty hack: If we have to have CAPTCHA, why not put the recognition to use in digitizing books (reCAPTCHA).
- Great article on current state-of-the-art in CAPTCHA technology — Google's fared best but even theirs has been broken and broken again — Schneier points to a "group [that] is the best out there at defeating CAPTCHAs" (check out their own pretty 3D CAPTCHA)
- Steven J. Vaughan-Nichols says in his article How CAPTCHA Got Trashed that CAPTCHA isn't a viable solution any more. One of his contributors said "harder CAPTCHA solutions mean harder problems for people as well" which I think is the key point — we've reached the "crossover point" where CAPTCHAs that are sufficiently hard to break are harder to use than users will tolerate. (And that doesn't even cover solutions that use humans to break the CAPTCHA for you...)
- Current research on breaking CAPTCHA: Preventing segmentation (breaking the CAPTCHA word up into individual characters) is very important to making it resist attacks (apparently OCR'ing individual letters, however distorted, is not too hard). Microsoft's CAPTCHA algorithm apparently allows segmentation too easily.
- Article on The problem(s) with OpenID
- Insidious automated ARP cache poisoning/HTML injection attack: a machine sits on the network, and poisons the ARP cache for clients on that network to make them think its NIC is the default gateway; acting as a man-in-the-middle, it rewrites HTTP sessions to insert a hostile 0-size <iframe>; client web surfing to any site can now include code for anything the browser is vulnerable to
- Dan Kaminsky continues to astound; his work in 2007 includes circumventing the browser's trust model using a combination of DNS entries, a custom TCP/IP stack written in Flash, etc. — now you have a "beachhead" behind the firewall/within the intranet to send whatever exploits you want
- "Inter-protocol Exploitation" technique: (1) Establish a control channel between a browser's JavaScript engine and an outside controller, so that JS commands can be passed to it, and then (2) have the JavaScript engine assemble protocol frames to attempt exploits from within the network; optionally (3) combine with XSS for an even more dangerous combination
- "Drive-By Pharming" (or Cross-Site Request Forgery, CSRF): JavaScript on a web page that attempts to log into routers and other local network devices using default passwords, and then alters DNS settings to point to a poisoned DNS server
- Applying "fuzzing" techniques to browsers: Michal Zalewsky (2004), HD Moore (Metasploit, 2006) — Month of Browser Bugs — Pwn2Own 2010 Miller against Safari on OS X and Vreugdenhil against IE8 on Win7 and "Nils" against Firefox on Win7 (the latter two defeated ALSR and DEP)
- Why Phishing Works ("To summarize the summary of the summary: people are a problem." — Douglas Adams)
Mac OS X
- Fuzzing is still a useful technique, all these years later — and it's clear vendors aren't doing it themselves. Charlie Miller (past winner of Pwn2Own) has found 20 hackable flaws in Mac OS X Preview.app through a simple fuzzing technique. “"It's shocking that Apple didn't do this first," Miller told us in an interview. [...] "Microsoft, Apple, and Adobe all have huge security teams, and I'm one guy working out of my house," he says. "I shouldn't be able to find bugs like these, ever."”
- Here's an article explaining how MMIO and 32-bit chipsets steal from the 4GB address space, and how the new MacBook Pro with Intel "Santa Rosa" platform (Core 2 Duo) solves this.
- Exploring the Mac OS X Firewall (O'Reilly MacDevCenter.com) — short and sweet info on ipfw
VoIP
It turns out that even though most VoIP streams are encrypted, the ones
that use variable bit-rate (VBR) compression are
vulnerable to analysis.
Mobile
Joanna Rutkowska's "Evil Maid Attack" — use a USB boot device to install a rogue boot loader, then capture your passwords etc. the next time you power it up. The moral, as always, is that when they get physical access, all bets are off.
Small is beautiful:
UK mobile application developer Masabi
has launched EncryptME,
a Java ME security component with officially validated implementations
of 4096-bit RSA and 256-bit AES... in only 3K! "Using a single
SMS message, or a few bytes of GPRS data, EncryptME can set up a
secure session and sign up a new user, a new credit card, and make
a transaction." Nicely done.
Hardware
- You can do a lot of scary stuff via OBD II: disable the brakes, accelerate, lock the ignition so the engine can't be turned off, etc.
- Donald Knuth's MMIX 2009 architecture — Knuth is a CS luminary, the author of The Art of Computer Programming (which had MMIX's predecessor, MIX)
- Homebrew CPUs: Ever since my college microcomputer architecture course, I've always wanted to do a project like this; hats off to those that have done it. Here are some cool ones:
- The GPUs in modern graphics cards have their own architecture and APIs, so they can be used for other compute-intensive tasks than just graphics
- Theo DeRaadt (OpenBSD) on serious security vulnerabilities in the Intel Core Duo, some of which can't be worked around by the OS (Intel apparently disputes this)
- References from Dan Kaminsky on the issue that biometric hashes are reversable: researchers have found ways to turn fingerprint or faceprint hashes back into an image that will match the hash
- Device drivers are starting to become a focus — Attackers pass on operating systems: "Now that the OS layer is harder to crack, you are seeing a lot more people going higher up the stack, to applications, or lower, to device drivers" — Hijacking a Macbook in 60 Seconds or Less (was actually an external USB WiFi modem's drivers)
- Interesting interview with the discoverer of a way to obtain "ring 0" access via System Management Mode (SMM) on some x86 hardware
- FreeBSD's Poul-Henning Kamp describes the NTP flood coming from D-Link devices to his NTP server, similar to the earlier NTP DoS from Netgear devices to the U. of Wisconsin.
Social-networking site malware (Jul. 2006)
Windows
- Multicore CPUs Move Attack from Theoretical to Practical: using a timing attack (race condition) to trick the Windows kernel into executing an SSDT (kernel) call with malicious parameters — this attack was known way back in 1996 (vs. Unix), but was almost impossible to exploit on single-core systems; modern multi-core systems make it much easier
- Wow; a privilege escalation vulnerability that affects all versions of Windows clear back to Windows NT 3.1 — this leverages a bug in the legacy code that supports 16-bit applications — this is one serious drawback to the "backward compatibility forever" approach, your code base only grows, and you retain vulnerabilities from the dawn of time
Windows: The WMF vulnerability (Dec. 2005)
XSS: The "Samy is my hero" MySpace Ajax worm (Oct. 2005)
Security at Microsoft
- eEye has a list of Upcoming Advisories where it tracks as-of-yet unfixed vulnerabilities in Microsoft products
- Secunia also keeps a log of unpatched IE 6 flaws
- Nice interview with Dan Kaminsky (Doxpara) about Microsoft and security
- Brian Krebs at the Washington Post did an analysis of
how long it takes Microsoft to release patches for "critical" vulnerabilities
and the results are interesting. In cases where there's no full disclosure, despite their "Trustworthy Computing" initiative, their time to release "critical" patches has actually risen to an average of 134.5 days (over 4 months). Microsoft steadfastly maintains that the reason for this long time is testing — quality control of the patch to ensure the public trusts Microsoft patches and is willing to install them (which I think is telling in itself). But when there's full disclosure and publication of a working exploit, he says:
one area where Microsoft appears to be fixing problems more quickly is when the company learns of security holes in its products at the same time as everyone else. Advocates of this controversial "full disclosure" approach believe companies tend to fix security flaws more quickly when their dirty laundry is aired for all the world to see [...] In cases where Microsoft learned of a flaw in its products through full disclosure, the company has indeed gotten speedier. In 2003, it took an average of 71 days to release a fix for one of these flaws. In 2004 that time frame decreased to 55 days, and in 2005 shrank further to 46 days.
- "[Dan] Geer's graph shows that Microsoft increased its time-to-patch gap by a little more than one day per month from the start of 2003 to the end of 2005."
Sanitizing MS Word documents (removing hidden data)
Research reveals that even "sanitized" anonymous data is easy to correlate to real people. "Using public anonymous data from the 1990 census [...] 87 percent of the population in the United States [...] could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth." "It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people."
As copiers and fax machines get "smarter" we have to start treating them like servers that must be secured and like storage units that must be purged.
An insightful SecurityFocus article from Robert Lemos on
the challenge of defending against zero-day attacks
if your organization uses the traditional patch-cycle approach.
Interesting editorial on
embedded device security.
Good description of, and summary of research into,
practical MD5 collisions.
Schneier
writes
about "identity theft" which he points out is a misnomer (identity is not
"stolen"; the issue is fraudulent use of identification info.). There
are two parts to these crimes: obtaining private data that can be used
to impersonate, and using that data to conduct fraudulent transactions.
Solutions that only focus on the first are insufficient.
IBM's
rebuttal (PDF)
to criticisms about TCPA. In short: TCPA might be used with Palladium
and/or DRM, but those are separate elements requiring separate critique.
TCPA is basically a "smart card built into the computer" and with ties
to the BIOS. Cf. also the classic
Ross Anderson FAQ on TCPA.
HD Moore (Metasploit) points out that in the current climate,
"There is no way to report a vulnerability safely"
(Robert Lemos article). This is a bad trend. Security researchers
(including students) who act responsibly in good faith should be
rewarded for reporting vulnerabilities, not prosecuted for it! Pascal
Meunier at Purdue (CERIAS) describes
his recent experience
with this problem.
Pinch My Ride (Wired):
Insurance companies often believe modern auto "passive antitheft
systems" are infalliable, and deny theft claims since the car is
"impossible" to steal. Worse: Some Honda models apparently have a back
door (pulling the emergency brake, of all things) coded to your VIN.
Lockpicking used to be a relatively rare skill, but the Internet has
spread this knowledge out to a lot more people. Not long ago, someone
developed a technique for producing a master key, given a few normal
keys (think college dorm). Now we have
Sneakey:
a new technique that can use a digital picture of a set of keys to
reverse-engineer them.
Spam, Viruses, Malware
Here's an article summarizing most of the worst viruses released when I was a systems administrator; the names bring back lots of memories of late night damage control and subsequent infrastructure hardening.
Here's something new: Some malware in Europe that rewrites your online bank statement on the fly so you can't see the withdrawals they've making. And it resists white-hat research/response by providing fake compromised accounts to keep the real compromised accounts secret.
Botnet worm that targets routers
ARP spoofing + JavaScript insertion — one compromised host on your net can insert itself between all hosts and the router, and then inject JavaScript malware into every web page received by every browser — use arpwatch to detect
Conficker (a.k.a. Downadup) is the most significant malware seen since 2003 Blaster/Sasser.
Oct 2008, a new malware technique "return-oriented programming" which evades defenses like W^X and signed (trusted) code. Very clever stuff.
Oct 2008, a new TCP threat "Sockstress" is starting to be discussed; apparently it's a flaw in the TCP state table implementation of a whole lot of vendors, which can lead to DoS; could be quite a widespread issue.
SRI's new Malware Threat Center has stats.
New virus Kraken which uses dynamic DNS; not only can that redirect to new IPs when the old ones are shut down, but Kraken has an algorithm for switching to a new dynamic DNS hostname when the old one is shut down.
Washington Post article showing how the amount of malware is skyrocketing (look at that graph!) and AV vendors are struggling just to keep up; what a way to run a railroad.
Latest trends: Viruses that creates a free webmail account to send spam through it (apparently circumventing their CAPTCHA?), and conversely, viruses that use CAPTCHA-like distortion in attachments to prevent their email from being detected as spam. (Speaking of CAPTCHA, see elsewhere on this page for a cool article.)
Since new vulnerabilities are always coming along, 0wned computers
may get swiped by a new 0wner at any time. "The bot network industry
has become so profitable, and hijacked computers so valuable, that
rival gangs are now fighting over them."
Some of the worms in the last few years, notably
Witty
(CAIDA analysis)
and
SQL Slammer (Sapphire)
(CAIDA analysis),
have been amazingly elegant: small (fit in one packet) and quick to
saturate their targets
("flash worms").
Scary stuff. See
The 10 Most Destructive PC Viruses Of All Time.
The latest malware is stealthier and more resilient:
- Dec 2007: Article on Storm and Nugache (via the Schneier on Security blog): Storm uses P2P to hide its command-and-control (C&C) server, and fast-flux (DNS) to change the C&C server; Nugache doesn't use DNS at all, and encrypts the C&C channel — the trend is away from IRC and toward custom C&C channels (SecurityFocus article, IronPort "malware trends" article)
- Jul 2007: Honeynet analysis of the fast-flux (DNS) method that recent malware like Storm is using
- Mar 2007: Gozi trojan horse, which went undetected for over a month; harvested user names and passwords, so the authors could put those up for sale
- Feb 2007: The authors of Storm Worm
(actually a trojan horse) chose peer-to-peer protocols to avoid control chokepoints,
and are adapting the "hook" over time: storms in Europe, greeting cards, Microsoft updates, racy pictures and
club memberships and
YouTube videos and
Blogger posts and
Christmas/New Year's/Valentine's Day greetings and ... (stay tuned). Security Fix puts the number of Storm-infected machines in the hundreds of thousands; Microsoft's MSRT scrubbed Storm from 250,000+ machines in Sept 2007 (SRI CSL in-depth paper)
(SecureWorks analysis by Joe Stewart)
(summary of functionality by Bruce Schneier)
- Raising the Bar: Rustock.A and Advances in Rootkits
- Hiding the Unseen (Mailbox.AZ a.k.a. Rustock.A)
Excellent set of articles describing the history of the spam arms race, and
in particular how viruses (beginning with Sobig) have added a new dimension.
Another article with a history of recent worms and viruses (author's
perspective is that legal punishment is too rare and light):
The sender-pays method of preventing UCE, back in 1933:
10 cents to ring my doorbell
(via Bruce Schneier's blog)
[I don't believe sender-pays is a workable solution for spam, by the way]
ID
GAO investigates flaws in passport issuance: "No credential can be more secure than its breeder documents and issuance procedures" (Schneier): If you can get a passport using forged documents, then all the high-tech anti-passport-forgery technology isn't going to help.
Real ID still lumbers on (including follow-on PASS ID), with 36 states not in compliance by the December 31, 2009 deadline.
My contact information,
brief autobiography (such as it is), and
family tree.
![[Site created with Vim]](/images/created-with-vim.png)
![[Valid XHTML 1.0!]](http://validator.w3.org/images/vxhtml10)
![[EasyDNS: Control Your Domain]](/images/easydns.gif)