Jim's blog - Security

Axenic Web Site

nospam@example.com () — Tue, 02 Nov 2010 22:40:21 +1300

Last week my business web site for Axenic Ltd went live after a few months of gestation and a week or so of concentrated labour. Thanks to Chris Blunt for his efforts on the content and Plastic Studio for the design work.

nospam@example.com () — Wed, 26 Aug 2009 14:19:15 +1200

A practical view of security

The pain of security

nospam@example.com () — Thu, 05 Mar 2009 14:45:15 +1300

I have just been reminded of Marcus Ranum's "The Six Dumbest Ideas in Computer Security".

The idea that we should only allow what is necessary for the function we need to deliver is usually only thought of at the level of firewalls and other network level systems. Once we get onto a workstation or server we generally have access to a wide range of services by default - even on a locked down system.

I am going to start taking a serious look at the hundreds of installed packages on my Ubuntu laptop to see what I can remove or disable without stopping me doing what I need to on a day to day basis.

One that comes instantly to mind is the Vodafone Mobile Connect Client. The Gnome Network manager now handles my Vodem 3G USB device properly and I am no longer using VMC. Of course I won't be able to send or receive text messages (unless there is something else to do that) but actually apart from an initial test to see if it works, I never did anyway.

I'll keep a record of my application and executable cleanup activity and update this from time to time.

Security thinking

nospam@example.com () — Wed, 01 Oct 2008 12:41:00 +1300

Another excellent article by Bruce Schneier on how our thinking on security makes us take illogical steps to prevent attacks similar to previous ones rather than focussing on how to best protect ourselves in a more general way. We are more scared of events that are statistically unlikely to occur than events like plane crashes and terrorist bombs that are extremely unlikely (in most parts of the world).

It got me wondering about how the US governments response to the current financial crisis is like their response to 9/11. Is the massive cash injection that they are trying to get through Congress a knee-jerk response that will cover one of the cracks until the next crisis arrives in an unexpected form? What really needs to be done to protect the world's population from this kind of event?

nospam@example.com () — Thu, 31 Jul 2008 14:41:39 +1200

I have just re-discovered this article by Marcus Ranum - long time security guru and developer of one of the world's first network firewalls.

I see similar issues all the time in the course of my work - there is frequently not time or budget to do a thorough job of securing a system but often both are needed to fix it downstream. There is one customer of mine who pulled an application release shortly before go live day after we looked at the risks they would be exposed to. It will be deployed but in a different framework and with only strictly required network connectivity.

Another hacked biometric security system

nospam@example.com () — Fri, 04 Jul 2008 11:37:57 +1200

Computerworld has this this article on how a researcher made a rubber fingerprint copy and made a retail purchase at a store trialling a new payment system. It's not a great recommendation.

Intrusion detection etc

nospam@example.com () — Wed, 02 Jul 2008 13:55:58 +1200

Some years ago I was involved in the design of a managed security service. For a variety of reasons it was less successful than I (and the company) expected and it was a very hard sell to customers who couldn't see the point for the most part - or at least the cost-benefits.

I just found this blog quoting some really interesting research pointing out the time that most vulnerabilities exist before compromise, detection and mitigation, and showing where IDS and managed security services may still have a useful place.

If an attacker has physical access it's all over anyway

nospam@example.com () — Wed, 05 Mar 2008 15:00:56 +1300

The guys at SecurityAssessment.com have been digging into the techniques of tapping directly into memory of a running PC using standard Direct Memory Access (DMA). External peripheral buses such as Firewire and PCMCIA use DMA for fast efficient transfer of data directly into host memory.

Adam Boileau of SecurityAssessment.com has demonstrated how he connected his Linux laptop into the Firewire port of a laptop running Windows XP and accessed its memory to bypass user authentication processes. This how DMA and Firewire are designed to work and is not a flaw in the Microsoft operating system (contrary to the article headline).

Graphics cards as a hacker tool

nospam@example.com () — Mon, 29 Oct 2007 11:49:11 +1300

I am regularly trying to figure the tradeoff with clients between password lengths, lifetimes, complexity and ease of remembering for staff. A complex password takes longer for a hacker to crack so doesn't need to be changed as often. Less frequent password change makes it a bit easier for staff to manage more complex passwords. However this article points out that the tools hackers have available are growing ever more powerful. The GPU in high end graphics cards appear to be able to crack complex passwords in days rather than month so do we need to advise staff to change complex passwords on a daily basis? That would be almost impossible in most organisations.

Smart cards are looking better and better...

From Realtime Web Security referring to a New Scientist article that I'll need to look up.

It's easy to forget how computationally powerful some graphics cards are. They create near realistic renderings of objects and it turns out their good for password cracking, too. New Scientist is reporting that Elcomsoft, a Moscow based software company, has filed for a US patent on a technique to radically improve the speed of password cracking using off the shelf video cards like nVidia's GeForce 8800

... read more

x86 Memory system and virtualisation

nospam@example.com () — Wed, 17 Oct 2007 14:55:30 +1300

The X86 Memory System And Why It's Hard To Virtualize Securely

The first in a series of articles by Thomas Ptacek about how the x86 system memory architecture makes secure virtualisation difficult.

This reinforces the message I got some time ago from a colleague working in the hacking/forensics field forensics who pointed out that encrypted disks and related technologies are useless if you can gain access directly into system memory through a DMA channel. PCMCIA slots (and probably USB) have DMA capabilities that are easily usable by a competent hacker with physical access to a computer.

from Security Focus

Spam is less of an issue for many people

nospam@example.com () — Tue, 16 Oct 2007 11:12:28 +1300

According to this article

Most people are seeing less spam because of filters provided by either their workplace or ISP.

Microsoft release Windows 2008 server RC0

nospam@example.com () — Tue, 09 Oct 2007 11:39:13 +1300

Just noticed that Microsoft have announced Windows Server 2008 Release Candidate 0.

You can download it.

How long before the hackers have cracked it?

NZ companies under-invest in security

nospam@example.com () — Mon, 08 Oct 2007 14:57:26 +1300

Why do NZ companies invest less in security than those overseas?

http://computerworld.co.nz/news.nsf/scrt/F27620C382A5B1D3CC257363007FFE18

Phishers target Linux

nospam@example.com () — Mon, 08 Oct 2007 14:49:43 +1300

Linux servers are a desirable target for phishers as they provide a more flexible framework for launching attacks. Researchers are finding more and more Linux servers being compromised by hackers.

"The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes," he said.

and

"Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks, said Iftach Amit, director of security research with Finjan's malicious code research centre.

Capabilities like this make Linux machines highly coveted by online attackers, and they fetch a premium in the underground marketplace for compromised machines, Amit said."

Read the article here

Hacker bears bad news about PDF

nospam@example.com () — Mon, 24 Sep 2007 12:47:54 +1200

And you thought PDF was a 'safe' format to download text in... You shouldn't just download PDF files assuming that they are safe to view. A researcher has identified a major flaw in all versions of Adobe's Acrobat PDF Reader according to Computerworld.

The hacker who discovered a recently patched QuickTime flaw affecting the Firefox browser says he has found an equally serious flaw in Adobe Systems's PDF file format.

"Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!!," wrote Petko Petkov, in a breathless Thursday blog posting. "All it takes is to open a PDF document or stumble across a page which embeds one."

Petkov said he had confirmed the issue on Adobe Reader 8.1 on Windows XP and that other versions may be affected.

Read the complete article.