Category Archives: Security

OSSTMM version 3 coming soon?

In a previous life, I was a computer security specialist.  I had a really cool job, and worked with really, really damn cool people (hi Gerald, Doug, Jon, et al).  I read (a tiny fraction of) all the cool security news.  I kept up to date on as many security topics as I could.  I read security books.  I studied a lot of security web sites.  I took training from SANS.  I subscribed to a few security mailing lists, although much of the detail in many vulnerability announcements messages was above my understanding.

But in all that reading, research, study, training, and other learning, one of the coolest things I ever consumed was the OSSTMM project. Rather than try to explain this project, I’ll just snag the introductory text from the project home site:

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The version I read when I first found this was 2.2.  It has been years since I used it, and I periodically check in for updates on the version 3.0 release.  I haven’t seen an update on the web site, and I’m not a team member/subscriber to the service, so I didn’t expect I would know unless I checked in on my own.  Well tonight, while catching up on email, I get this message from the project:

Continue reading OSSTMM version 3 coming soon?

Security vulnerability attack released for Apple Quicktime

Without notifying Apple of his intent to do so, security researcher Luigi Auriemma has released an exploit that will allow attackers to take control of computers running the latest version of Apple Quicktime.

“The bug is a buffer-overflow and the return address can be fully overwritten so a malicious attacker could use it for executing malicious code on the victim,” Auriemma said in an e-mail.

. . .

Auriemma said that Apple had not been notified of the flaw in advance of its publication.

When Apple updated QuickTime to version 7.3.1 on December 13, 2007, it fixed an RTSP buffer overflow bug (CVE-ID: CVE-2007-6166) related to the content-type/content-base header. The vulnerability Auriemma has identified relates to error message handling and remains unpatched.

I’m guessing Apple will get a patch out quite quickly for this one, but in the meantime, practice safe browsing and consider disabling Quicktime until a patch is available.

F-Secure HealthCheck application patch security tool

In a past career, I was big into computer security, and got paid well for doing the work. Since I’m now elsewhere professionally, I’m less in touch with the security industry than I used to be. However, I still keep up with a few important resources, and like to pass along really useful tips when I find them. Today, while reading some security news and trying to catch up, I caught word of F-Secure HealthCheck, a system that scans for missing application patches. While this is unfortunately an Internet Explorer-only tool for now, the site indicates work is in progress on supporting other (and better, in my opinion, BTW) browsers. Hopefully that will happen soon.

Run HealthCheck to get a scan of the applications on your system, along with checks for patches and updates for those applications. This should help you track down security problems that already have fixes available. Keeping up to date on these patches should go a long way toward keeping your machines from being taken over by a bot network. The tool appears to have been developed, or at least re-announced (I’m not familiar enough with HealthCheck and its history or age to know which is the correct term), as a result of an F-Secure poll regarding application patching.

It appears that many people are uncertain if their computers are fully patched when there are third party updates involved.

Q — What can you do about it?
A — F-Secure Health Check.

Health Check is a free online tool designed to help consumers identify security updates needed on their computers.

I will point out that HealthCheck requires installation of an ActiveX control in your Internet Explorer window. I personally trust the eggheads at F-Secure not to do anything malicious with it, but you need to understand that installing an ActiveX control is a security risk which gives the control vendor pretty much full access to your operating system. While *I* personally trust the F-Secure worker-bees not to corrupt, control, or destroy my system, you’ll have to make that decision for yourself.

After running the test, here’s a snip of what I got as a result:

[Image: healthcheck_clip.jpg, a clip of the HealthCheck scan results]

In my case, I’m on a work computer without anti-virus and anti-spyware protection. Sadly, I am not allowed to correct this flaw. I make up for it by using the PortableApps version of ClamWin, and regularly scan my system. I also run Firefox for my browser (actually, I use the PortableApps version of this application, too) and stick mostly to web sites I know and trust. I save my home computer for more risky online activity.

If you are unsatisfied with your HealthCheck scan results and the problem turns out to be a browser security issue, may I suggest you switch to Firefox?

[tags]security, healthcheck, scanning, vulnerability, patch, Windows, Internet Explorer, FireFox[/tags]

Airport security still sucks and the rules continue to be idiotic

Recently, my wife went on a trip and chose the old standard, air travel, for getting where she was going. On the way to her destination, she had to throw away the yogurt she had brought to eat while waiting for the plane. On her way home, she had to throw away her 8-ounce toothpaste that she didn’t realize she’d left in her carry-on bag. Now, I understand that she screwed up in both cases, because by now any traveler knows that these things cannot be taken through security.

However, the rules are still idiotic and worthless, and we could do so much better with security by spending money on things that actually help – things like, oh, I don’t know, training screeners better so they don’t miss nearly 100% of the explosives that people deliberately try to take through security.

Government investigators smuggled liquid explosives and detonators past airport security, exposing a dangerous hole in the nation’s ability to keep these forbidden items off of airplanes, according to a report made public Wednesday.

. . .

On March 23, a TSA screener would not let one investigator through a checkpoint with a small, unlabeled bottle of shampoo, even though it was a legitimate carry-on item. But the same investigator was able to bring through a liquid component of a bomb that would start a fire.

Thank goodness that investigator wouldn’t be able to terrorize the plane with clean hair and bubbles. That’s a much greater concern than liquid fire. The TSA hand-waves away the problem by emphasizing the multi-layer approach to security in airports and air travel.

“While people think about us in terms of the checkpoints and they see us as the checkpoints, there’s a lot more layers of security,” she [spokeswoman Ellen Howe] said. In addition to the checkpoints, the TSA uses different technologies and has officials who check the validity of documents and observe people’s behaviors throughout the airport. “Just because somebody gets through one layer doesn’t mean they’re going to get through all of the layers.”

And that’s actually damn good to know, and comforting. But our money needs to be pumped into those less visible security measures. Currently, more than anything else, a determined attacker who wants to get through with contraband needs training in not sticking out. That alone makes passing through screening nearly guaranteed, yet so much money is going into screening efforts that have repeatedly been proven ineffective (I’ve covered some, but by no means all, such issues in the past, and won’t link them again here).

Here, I’ll throw in a freebie for would-be attackers. If you want to carry in prohibited liquids, buy yourself a beer belly flask to transport your explosives or drinks. As it is right now, screeners are miserable at catching illicit items which someone is trying to take on, but nearly perfect in catching harmless things like the drinks people are consuming as they walk through the screening checkpoints (hint: if they are actively drinking it, it is either harmless to the flight or they already have ingested what they need to use to bring the flight down).

From the screeners link just above, here is what Bruce Schneier has to say.

When I travel in Europe, I never have to take my laptop out of its case or my shoes off my feet. Those governments have had far more experience with terrorism than the U.S. government, and they know when passenger screening has reached the point of diminishing returns. (They also implemented checked-baggage security measures decades before the United States did — again recognizing the real threat.)

And if I were investing in security, I would invest in intelligence and investigation. The best time to combat terrorism is before the terrorist tries to get on an airplane. The best countermeasures have value regardless of the nature of the terrorist plot or the particular terrorist target.

In some ways, if we’re relying on airport screeners to prevent terrorism, it’s already too late. After all, we can’t keep weapons out of prisons. How can we ever hope to keep them out of airports?

Far more insightful and accurate than all the words I’ve thrown out arguing against the money-drain our government has in place now.

EDIT: Accidentally left out part of the Schneier quote.

[tags]Airport stupidity, Air travel, Getting explosives on planes[/tags]

Crash Internet Explorer in one line

I don’t really think figuring out an exploit to crash a browser is a great and fantastic feat, given how insanely complex, large, and bloated most are.  However, crashing a browser in just a single line of HTML and CSS code is pretty impressive.

A Japanese blogger who goes by the name Hamachiya2 has discovered a single line of HTML and CSS that crashes IE 6. The line is:

Ohhhh, the suspense is killing me.  I guess I’ll just have to read the article to find out how easy it is.

[tags]Security, Crash Internet Explorer, Browser vulnerabilities, Another kick in the nuts[/tags]

Set your USB key up to auto-run on insertion

I’ve known this was possible for a while, but I hadn’t looked for nor stumbled upon instructions for putting an autorun file on a USB key and getting it to work. This week, obviously, I found the instructions over at Daily Cup of Tech for making this happen. I can see several good and nefarious uses for this.

The autorun.inf file is the key to getting your USB drive (or CD-ROM drive, for that matter) to perform certain actions automatically and customize its look in My Computer. The purpose of this article is to shed some light on how this can be done.

Topics covered are:

  • Autorun.inf Structure
  • Setting a Custom Icon
  • Naming Your USB Drive
  • Setting AutoPlay Options
  • Adding Context Menu Items
  • Changing Default Action
  • Viewing a File
  • School’s Out, Time To Play!

Unfortunately, the author doesn’t have anchors set at each heading, or I would link you directly to each section. Fortunately, the entire article is brief and pretty easy to follow, so this isn’t a big negative in the article layout.

USB key break-ins are a real security threat, and this kind of tutorial makes the breach even easier if you are into that kind of thing. Whether you depend on natural curiosity to cause the breach or use something like the above-linked tutorial to get a tool running and stealing what you need from your victim, the USB key is handy. This also means you should be aware that the bad guys are learning (or already know) these things and will use them to attack you some day.

So, to end, the next natural question for you, the reader, should be “How do I stop this vulnerability from impacting my system/network/company?” Well, there are many places that have the answer. I haven’t found one that I would point out as the best way to do this – this Microsoft TechNet article has the necessary information if you already know your way around the registry, as does this more concise and clearer article. Other helpful sources include this CD-Freaks forum post asking that question, and this web site that seems to focus on autorun features/bugs/benefits. That last one is probably the clearest, so it may be the one I point folks to in the future.
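The defensive counterpart to the tutorial above is knowing what to look for on a drive you didn’t build yourself. The scanner below is an added example (mine, not code from Daily Cup of Tech, Microsoft, or this post): it parses an autorun.inf and reports the directives that make Windows launch a program when the volume is inserted or opened, plus the cosmetic ones used to dress the prompt up. The key names it checks (`open`, `shellexecute`, `shell\<verb>\command`, `shell`, `action`, `icon`, `label`) are the documented autorun.inf directives; the two sample files are constructed for the demonstration. It reads a file; it never runs anything it finds.

```python
"""
Triage an autorun.inf: which directives would cause an AutoRun-enabled Windows system
to launch a program, and which only change how the drive is presented.
Added example; not code from the tutorial or the blog post. The samples are constructed.
"""
import configparser
import re

# Directives that launch a program (or hand a file to ShellExecute) on insertion/open.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a command;
# shell=<verb> makes that verb the default (double-click / Enter) action.
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
# AutoPlay prompt text imitating the built-in "Open folder to view files" entry is a
# classic lure: the user thinks they are browsing the drive but runs the 'open' target.
DECOY_ACTION_RE = re.compile(r"open folder|view files", re.IGNORECASE)

BENIGN_SAMPLE = """[autorun]
; constructed sample: cosmetic directives only
icon=drive.ico
label=Photos
"""

SUSPICIOUS_SAMPLE = """[AutoRun]
; constructed sample: launches a program and disguises the prompt
open=setup.exe
shell\\install\\command=setup.exe /s
shell\\install=&Install
shell=install
action=Open folder to view files
icon=folder.ico
"""


def parse_autorun(text: str) -> dict:
    """Return {key: value} merged from every [autorun*] section; keys are lower-cased
    by configparser, matching Windows' case-insensitive treatment of the file."""
    parser = configparser.ConfigParser(
        strict=False,          # tolerate duplicate keys, common in hand-written files
        allow_no_value=True,   # tolerate a bare key with no '='
        interpolation=None,    # values may contain '%' (e.g. %SystemRoot%); keep raw
        delimiters=("=",),
    )
    parser.read_string(text)
    directives = {}
    for section in parser.sections():
        if section.lower().startswith("autorun"):   # [autorun], [AutoRun], [autorun.amd64]
            for key, value in parser.items(section):
                directives[key.lower()] = (value or "").strip()
    return directives


def assess_autorun(text: str) -> dict:
    """Classify the file: does it launch anything, and does it try to look harmless?"""
    directives = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in directives:
            findings.append((key, directives[key]))
    verbs = {}
    for key, value in directives.items():
        match = SHELL_COMMAND_RE.match(key)
        if match:
            verbs[match.group(1).lower()] = value
            findings.append((key, value))
    default_verb = directives.get("shell")
    if default_verb and default_verb.lower() in verbs:
        findings.append(("shell", default_verb))   # double-click now runs a custom command
    decoy = "action" in directives and bool(DECOY_ACTION_RE.search(directives["action"]))
    if decoy:
        findings.append(("action", directives["action"]))
    launches = any(k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k) for k, _ in findings)
    return {
        "launches_program": launches,
        "default_verb": default_verb,
        "decoy_prompt": decoy,
        "findings": findings,
        "label": directives.get("label"),
        "icon": directives.get("icon"),
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, assess_autorun(sample))
```

On a real drive you would point `assess_autorun` at the file's contents read from the root of the volume; a result with `launches_program` true, especially combined with `decoy_prompt`, is exactly the pattern the tutorial teaches, and is the reason the registry-based AutoRun restrictions in the articles linked above exist.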

[tags]USB autorun, USB keys, Security, DIY, Daily cup of tech[/tags]

Handy software tool from Secunia

In beta test right now, the Personal Software Inspector from security vendor Secunia inspects your installed software and tells you if it is up-to-date, insecure, or at the end of its life.

Test the Secunia PSI (BETA) Technology Preview, an upcoming addition to the Secunia Software Inspector series, based on the proven Secunia File Signatures Technology.

The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date, effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors.

Needless to say, we are very excited about this new free service for the Secunia security community. We appreciate all feedback, thoughts, and ideas that you wish to share with us.

On the security side, Secunia is a good company, so I expect this tool will be good, too. As already noted, it’s currently in beta, but the final release will still be free for personal use. For more details on the tool, hit the above shortcut or look at the more detailed software information page.

[tags]Secunia, Personal Software Inspector, PSI, Security tools, Software checker[/tags]

Guide: Smuggling liquids on a plane

[Image: liquids-on-a-plane_resize.jpg]

Thankfully, there are more people out there that feel as I do about some of the so-called “security” we are getting for our tax dollars. And they are way smarter than I am, so they write insightful things about the problem. So there are frequently new posts out there from which I can draw. The latest is this simple “guide” to taking your liquids on a plane with you.

My latest experiment with TSA security happened by accident. I recently flew to Memphis on business, and while I was there I bought my wife a souvenir bottle of Vidalia onion salad dressing (pictured at left [well, not on my site when I rip his text]). Vidalia onions are one of the four food groups of the South, the other three being barbecue, fried foods, and gravy.

. . .

I took my time packing up my things, watching her wrap the bottle loosely in the paper and drop it into the trash barrel.

I looked around casually. There weren’t very many TSA agents servicing the area, and they were joking around, screening oncoming passengers, watching the X-ray monitor. Everyone’s attention was focused elsewhere. No one was watching me.

I moseyed over to the walkway and glanced in the barrel. It was filled with half-empty coffee cups and discarded water bottles. There, on top of the trash, wrapped in its protective paper, was my salad dressing.

. . .

Calmly, I reached down into that unstable barrel of atomic liquid and grabbed my salad dressing. Then I calmly boarded the moving walkway, and stuffed the salad dressing down my pants. The TSA lets you keep things there, apparently.

No one came after me. I have to be honest, it was almost like they wanted me to take it. The hardest part was returning a few minutes later to take these pictures on my cameraphone.

Mission accomplished, I suppose. Read the full article for more details and the camera phone pictures that go along with the story. This story has been covered by several of my favorite web sites/blogs/smarty-smart folks. Schneier rightly points out that this probably isn’t a smart thing to brag about online and that the author probably wouldn’t have been so glib had he been caught. Boingboing, on the other hand, looks at this from the DHS-security-critique standpoint:

The reason this “smuggling” technique works, of course, is that liquids aren’t dangerous. Everyone knows this — even the TSA. That’s why they don’t guard the barrel after they confiscate your wine, water, and salad-dressing. The point of taking away your liquid isn’t to make airplanes safe, it’s to simultaneously make you afraid (of terrorists with magic water-bombs) and then make you feel safe (because the government is fighting off the magic water-bombs). It’s what Bruce Schneier calls “security theater.”

So take your pick of viewpoints – probably unwise and overly risky, or possible only because everyone realizes liquids aren’t that risky. Or both, which is what I think: he wasn’t doing himself a favor by doing this, but he wasn’t likely to be caught, given how non-dangerous liquids are and therefore how unprotected they are after “disposal” anyway.

[tags]Liquids on a plane, How to smuggle liquids onto a plane, That Zug guy[/tags]

A hypothetical airline terrorist attack that is actually feasible – movie theater security contest

The punchline for those that don’t read long posts: a plausible, possible, stoppable security issue is conceived. Our government won’t do anything to stop this, even though it has put great effort into stopping an implausible liquid-explosive threat. Details follow the “more” link:

Continue reading A hypothetical airline terrorist attack that is actually feasible – movie theater security contest

Hack-a-day shows another electronic voting machine insecurity

In case you’d forgotten the security issues with current electronic voting machines, here’s a video that Hack-A-Day highlighted recently.  In it, we see someone get into an electronic voting machine and swap the ROM in about 60 seconds.

Yes, this is not some surefire way to control the votes, since it is highly susceptible to getting caught. Still, there are sure to be some places where this could be pulled off without anyone being the wiser. Security in electronic voting systems is not easy. But until the vendors at least take the concept seriously, we’ll not have electronic voting systems worth using or trusting.

[tags]Controlling the votes, Electronic voting insecurities, Security, Hack-a-Day[/tags]

The risk of information leakage and the Slingbox Pro

Security is hard. Sometimes you encrypt the information well enough that recovering it is infeasible, and you feel like you’ve done well. Normally, that would be enough. However, sometimes some clever folks come along and look at the characteristics that aren’t hidden by the encryption to figure out what the secured data is: basically, an attack on the secondary information in the stream. So what, exactly, does this mean? Well, in this particular instance, I found the security and privacy analysis on gadgets extremely interesting. These researchers were able to determine with extremely high accuracy which movie was being streamed from a Slingbox Pro based on the variation in the amount of data sent over time. They couldn’t read the data, but they could still measure how much of it went by and compare that pattern to the known characteristics of the unencrypted streams of movies to guess what was being passed.

The Slingbox Pro is not the only target of their investigations, but it is the most interesting to me. They also find privacy issues with the Nike+iPod Sport Kit and security issues with Microsoft’s Zune social relationships.

We analyze three new consumer electronic gadgets in order to gauge the privacy and security trends in mass-market UbiComp devices. Our study of the Slingbox Pro uncovers a new information leakage vector for encrypted streaming multimedia. By exploiting properties of variable bitrate encoding schemes, we show that a passive adversary can determine with high probability the movie that a user is watching via her Slingbox, even when the Slingbox uses encryption. We experimentally evaluated our method against a database of over 100 hours of network traces for 26 distinct movies.

Despite an opportunity to provide significantly more location privacy than existing devices, like RFIDs, we find that an attacker can trivially exploit the Nike+iPod Sport Kit’s design to track users; we demonstrate this with a GoogleMaps-based distributed surveillance system. We also uncover security issues with the way Microsoft Zunes manage their social relationships.
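To make the leakage described in the post and in the abstract concrete, here is an added example of my own (not the researchers’ code and not a Slingbox capture): a library of constructed bytes-per-second profiles stands in for what a variable-bitrate encoder emits, a transport model keeps the sizes but hides the content, and a matcher slides an observed window across every library profile using normalized cross-correlation. The sliding-window correlation is my generalization of the idea, not necessarily the paper’s classifier. The same block shows the mitigation the leak implies: pad every interval to a constant rate, after which the sizes no longer track the content and the matcher has nothing to work with. All titles, rates and sizes are constructed.

```python
"""
Fingerprinting an encrypted VBR stream from packet sizes alone, and the padding fix.
Added example; not code from the paper or the blog post. Traces are synthetic.
"""
import random
import statistics

SECONDS = 240   # length of each synthetic movie profile
WINDOW = 60     # seconds of traffic the eavesdropper gets to observe


def synthetic_profile(title: str, length: int = SECONDS) -> list:
    """Deterministic, content-dependent bytes-per-second profile: a constructed stand-in
    for a VBR encoder's output (still scenes small, busy scenes large)."""
    rng = random.Random(title)            # seeded by title, so each 'movie' is stable
    level, profile = 40_000, []
    for _ in range(length):
        if rng.random() < 0.08:           # scene change: jump to a new bitrate level
            level = rng.randint(15_000, 120_000)
        profile.append(max(5_000, int(rng.gauss(level, level * 0.15))))
    return profile


def encrypt_transport(profile, overhead=48, jitter=0.03, rng=None):
    """What the wire shows: encryption hides bytes but preserves sizes, adding a fixed
    per-interval overhead and a little network jitter. The sequence still tracks content."""
    rng = rng or random.Random(0)
    return [int(b * (1 + rng.uniform(-jitter, jitter))) + overhead for b in profile]


def pad_to_constant_rate(profile, rate):
    """Mitigation: emit the same number of bytes every second regardless of content.
    Costs bandwidth (rate must cover the peak) but removes the content dependence."""
    rate = max(rate, max(profile))
    return [rate] * len(profile)


def zscore(xs):
    mean, sd = statistics.fmean(xs), statistics.pstdev(xs)
    if sd == 0:
        return None                        # flat signal: no shape to correlate
    return [(x - mean) / sd for x in xs]


def best_match(observed, library):
    """Slide the observed window over every offset of every library profile.
    Returns (title, offset, score); score is normalized cross-correlation in [-1, 1]."""
    obs = zscore(observed)
    if obs is None:
        return None, None, 0.0
    best = (None, None, -2.0)
    for title, profile in library.items():
        for off in range(len(profile) - len(obs) + 1):
            seg = zscore(profile[off:off + len(obs)])
            if seg is None:
                continue
            score = sum(a * b for a, b in zip(obs, seg)) / len(obs)
            if score > best[2]:
                best = (title, off, score)
    return best


# The adversary's database of known (unencrypted) profiles; constructed titles.
LIBRARY = {t: synthetic_profile(t) for t in ("movie-a", "movie-b", "movie-c")}


def identify(title, start, padded=False):
    """Observe WINDOW seconds of `title` starting at second `start`, optionally padded,
    and ask the matcher which library entry it is."""
    clip = LIBRARY[title][start:start + WINDOW]
    if padded:
        clip = pad_to_constant_rate(clip, rate=200_000)
    observed = encrypt_transport(clip, rng=random.Random(start))
    return best_match(observed, LIBRARY)


if __name__ == "__main__":
    print("plain   :", identify("movie-b", 100))
    print("padded  :", identify("movie-b", 100, padded=True))
```

Run it and the unpadded capture comes back as `movie-b` at offset 100 with a correlation near 1, while the padded capture scores no better than noise against any title; that gap is the whole point of the paper’s finding, and the bandwidth cost of the padded stream is the price of closing it.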

Continue reading The risk of information leakage and the Slingbox Pro