Handy software tool from Secunia

In beta test right now, the Personal Software Inspector from security vendor Secunia inspects your installed software and tells you if it is up-to-date, insecure, or at the end of its life.

Test the Secunia PSI (BETA) Technology Preview, an upcoming addition to the Secunia Software Inspector series, based on the proven Secunia File Signatures Technology.

The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors.

Needless to say, we are very excited about this new free service for the Secunia security community. We appreciate all feedback, thoughts, and ideas that you wish to share with us.

On the security side, Secunia is a good company, so I expect this tool will be good, too. As already noted, its currently in beta, but the final release will still be free for personal use. For more details on the tool, hit the above shortcut or look at the more detailed software information page.

[tags]Secunia, Personal Software Inspector, PSI, Security tools, Software checker[/tags]

Guide: Smuggling liquids on a place

liquids-on-a-plane_resize.jpg Thankfully, there are more people out there that feel as I do about some of the so-called “security” we are getting for our tax dollars.  And they are way smarter than I am, so they write insightful things about the problem.  So there are frequently new posts out there from which I can draw.  The latest is this simple “guide” to taking your liquids on a plane with you.

My latest experiment with TSA security happened by accident. I recently flew to Memphis on business, and while I was there I bought my wife a souvenir bottle of Vidalia onion salad dressing (pictured at left [well, not on my site when I rip his text]). Vidalia onions are one of the four food groups of the South, the other three being barbecue, fried foods, and gravy.

. . .

I took my time packing up my things, watching her wrap the bottle loosely in the paper and drop it into the trash barrel.

I looked around casually. There weren’t very many TSA agents servicing the area, and they were joking around, screening oncoming passengers, watching the X-ray monitor. Everyone’s attention was focused elsewhere. No one was watching me.

I moseyed over to the walkway and glanced in the barrel. It was filled with half-empty coffee cups and discarded water bottles. There, on top of the trash, wrapped in its protective paper, was my salad dressing.

. . .

Calmly, I reached down into that unstable barrel of atomic liquid and grabbed my salad dressing. Then I calmly boarded the moving walkway, and stuffed the salad dressing down my pants. The TSA lets you keep things there, apparently.

No one came after me. I have to be honest, it was almost like they wanted me to take it. The hardest part was returning a few minutes later to take these pictures on my cameraphone.

Mission accomplished, I suppose.  Read the full article for more details and the camera phone pictures that go along with the story.  This story has been covered by several of my favorite web sites/blogs/smarty-smart folks.  Schneier rightly points out that this probably isn’t a smart thing to brag about online and that he probably wouldn’t have been so glib had he been caught.  Boingboing, other the other hand, looks at this from the critique of DHS security standpoint:

The reason this “smuggling” technique works, of course, is that liquids aren’t dangerous. Everyone knows this — even the TSA. That’s why they don’t guard the barrel after they confiscate your wine, water, and salad-dressing. The point of taking away your liquid isn’t to make airplanes safe, it’s to simultaneously make you afraid (of terrorists with magic water-bombs) and then make you feel safe (because the government is fighting off the magic water-bombs). It’s what Bruce Schneier calls “security theater.”

So take your pick of viewpoints – probably unwise and overly risky or possible because everyone realizes liquids aren’t that risky.  Or both, which is what I think – he wasn’t doing himself a favor by doing this, but it wasn’t likely to be caught given how non-dangerous liquids are and therefore unprotected after “disposal” anyway.

[tags]Liquids on a plane, How to smuggle liquids onto a plane, That Zug guy[/tags]

A hypothetical airline terrorist attack that is actually feasible – movie theater security contest

The punchline for those that don’t read long posts: A plausible, possible, stoppable security issue is conceived. Our government won’t do anything to stop this, even though it has put great effort into stopping an implausible liquid-explosive thread. Details following the “more” link:

Continue reading A hypothetical airline terrorist attack that is actually feasible – movie theater security contest

Hack-a-day shows another electronic voting machine insecurity

In case you’d forgotten the security issues with current electronic voting machines, here’s a video that Hack-A-Day highlighted recently.  In it, we see someone get into an electronic voting machine and swap the ROM in about 60 seconds.

Yes, this is not some surefire way to control the votes, since it is highly susceptible to getting caught.  Still, there are sure to be some places where this could be pulled off without anyone being wiser for it.  Security in electronic voting systems is not easy.  But until the vendors at least take the concept seriously, we’ll not have electronic voting systems worth using or trusting.

[tags]Controlling the votes, Electronic voting insecurities, Security, Hack-a-Day[/tags]

The risk of information leakage and the Slingbox Pro

Security is hard. Sometimes, you secure the information well enough that it is infeasible to determine what the encrypted information is, and you feel like you’ve done well. Normally, that would be enough. However, sometimes you have some clever folks come along and look at the characteristics that aren’t subject to encryption to figure out what the secured data is. Basically, an attack on the secondary information in the stream. So what, exactly, does this mean? Well, in this particular instance, I found the security and privacy analysis on gadgets extremely interesting. These researchers were able to determine with extremely high accuracy what movies were being streamed from a Slingbox Pro based on the variation in amount of data sent. They couldn’t tell what the data was, but could still count the number of bits and compare that information to known characteristics of the unencrypted streams from movies to guess what was being passed.

The Slingbox Pro is not the only target of their investigations, but it is the most interesting to me. They also find privacy issues with the Nike+iPod Sport Kit and security issues with Microsoft’s Zune social relationships.

We analyze three new consumer electronic gadgets in order to gauge the privacy and security trends in mass-market UbiComp devices. Our study of the Slingbox Pro uncovers a new information leakage vector for encrypted streaming multimedia. By exploiting properties of variable bitrate encoding schemes, we show that a passive adversary can determine with high probability the movie that a user is watching via her Slingbox, even when the Slingbox uses encryption. We experimentally evaluated our method against a database of over 100 hours of network traces for 26 distinct movies.

Despite an opportunity to provide significantly more location privacy than existing devices, like RFIDs, we find that an attacker can trivially exploit the Nike+iPod Sport Kit’s design to track users; we demonstrate this with a GoogleMaps-based distributed surveillance system. We also uncover security issues with the way Microsoft Zunes manage their social relationships.

Continue reading The risk of information leakage and the Slingbox Pro

Unintelligent filtering – Internet filtering is stupid, bad, dangerous, and worthless

Yesterday at work, I saw an article over at Ars Technica that I wanted to read. It was a news update on the substitute teacher who was convicted of showing porn to students after the spyware infected class PC started showing porn pop-up images. If you aren’t already familiar with the story, there are a large number of articles on the story’s beginning and evolution over at boingboing. I had already read some about the latest in the story – Ms. Amero has been granted a new trial in place of the sentencing she was supposed to receive today – but wanted to read the Ars Technica take on this simply because I respect the authors at Ars and value their views.

Rather than getting to read the full Ars story, however, I get the following block page (Click ‘More’ for image – click the image for a larger view).

Continue reading Unintelligent filtering – Internet filtering is stupid, bad, dangerous, and worthless

Microsoft security engineer shows simple wireless network break-in tools

I love security. I really need to get a good job back in the computer security industry. If I could track down a decent job in security, I’d get to play with cool software like the wireless security breaking tools demonstrated by Microsoft’s Marcus Murray (more information on this session on Murray’s blog).

ORLANDO – During an updated version of one of the more popular sessions at TechEd each year, senior security engineer and Microsoft MVP Marcus Murray did attendees a major service by demonstrating that hacking into a network is not really an art, and in some ways, not even much of a science.

His “Why I Can Hack Your Network in a Day” session is actually something of a misnomer, as many of the tools he uses (including one written by SysInternals guru-turned-Microsoft fellow Mark Russinovich) can enable individuals to work their way to revealing the passwords of domain administrators in closer to 15 minutes.

Of course, this is just a case of technology allowing transfer of skill – one security expert figures out the vulnerability, encases it in a point-and-click tool, and shares with the world. But it is still interesting to see what is going on in the back-and-forth of improved security/improved breaking of security fight. As always, security experts will look at the exploited vulnerabilities, come up with ways to reduce or eliminate them, improve protocols, and release equipment with the improved protocols. This will be followed by the break-in experts analyzing the new protocols, looking for direct and secondary/side-channel attacks, determining weaknesses, exploiting those weaknesses, and releasing simple tools that allow less skilled attackers break the security. Around and around it goes, until the eventual heat death of the universe or until we all start communicating via telepathy (which will probably get hacked somehow, in which case evolution will create better telepaths, and so on).

[tags]Microsoft security engineer demonstrates wireless hacking tools[/tags]

The JFK plot

I know there has been plenty of news lately about the plot to blow up JFK airport, but I haven’t bothered writing anything about it. I have had someone contact me to ask me why, since I’ve covered a number of other terrorist plots or physical security issues in the past. The main reason is that this planned attack just wasn’t very feasible, nor was the attack likely to have had any success.

Safeguards in the fuel delivery grid greatly limit the amount of damage that can be done by intentional or accidental explosion/destruction/burning of any section of the fuel system. Additionally, jet fuel contains additives specifically designed to reduce the chance of explosion, increase the difficulty of catastrophic fire, and minimize spread of flames in general. Yes, the stuff burns, but it actually does not burn well enough to have very much of a chance of the spectacular destruction it seems the attackers had in mind.

Though Mr. Defreitas had lived in Brooklyn and Queens, he told the informant that his resentment of the United States hardened into hatred during his years as a cargo worker at the airport.

“He saw military parts being shipped to Israel, including missiles, that would be used to kill Muslims,” the complaint read. Mr. Defreitas, who was secretly recorded by the informant, complained bitterly that he “wanted to do something” and that “Muslims always incur the wrath of the world while Jews get a pass.”

Mr. Defreitas envisioned “the destruction of the whole of Kennedy” and theorized that because of underground pipes, “part of Queens would explode.” He boasted that in addition to a huge of loss of life – “even the twin towers can’t touch it,” he said – the attack would devastate the United States economy and strike a deep symbolic blow against a national icon, President John F. Kennedy, officials said.

Sure, it sounds scary and stuff, but the explosion he dreamed of just wasn’t going to happen. And given how much I’ve written about improbable attacks and the over-reaction of Americans to these things, I was planning on giving this incident a pass. I’m tired of wasting my time detailing the weaknesses of bad, weak, improbable and infeasible threats. You’ll note that I’ve not even taken the time to provide links backing up my claims on infeasibility and difficulty of any success. That’s because the whole plot was so ludicrously bad that I don’t want to waste more of my time pointing out specifics. You can spend a few minutes online and easily find reputable sources supporting what I’ve stated above. If you disagree, please post it in the comments and I’ll be glad to expand on the topic. But unless someone really thinks this attack was worth worrying about, I’m not going to waste more time on it. That is, unless the government does something else stupid to strip away our freedoms as a result. Then, you can be sure I’ll come back to bitch about the poor job our government is doing.

[tags]JFK explosion plot too infeasible to even waste time debunking it[/tags]

Major slip from Astroglide manufacturer

If you’ve ordered a free sample from Astroglide maker BioFilm in the past 4 years, there’s a good chance your contact information – specifically name and mailing address – was out on the web for all to see. Of course, I’m sure many of you will claim to have never ordered the free sample, but since I know how much married men like to prevent hand-chafing, I’m sure there are a few liars saying this. Admittedly, having someone get just your name and address is no big deal, but security slips like this are sadly frequent. Remember how easily this happened next time you try signing up for something free online.

More than 250,000 people’s names and addresses are now naked on the web after the maker of a popular sexual lubricant called Astroglide accidentally exposed lists of people who bought or requested free samples of its products, proving that there’s no such thing as a free lubricant. BioFilm, a privately-held California company specializing in sexual lubricants, exposed customer data files dating from 2003 to 2007 to Google’s search engine in early April. Google then indexed the pages and made local cache copies. A search on an individual’s name now reveals that person’s home address and the product they requested or ordered.

To my knowledge, the company has not informed people affected by this error.

[tags]Major slip from Astroglide manufacturer, Customer records accidentally revealed on Google by Astroglide manufacturer[/tags]

Latest zero day attack in the wild

If you surf the web using Internet Explorer, here’s another reminder that you should consider switching browsers:

If you’re reading this with Internet Explorer on a Windows machine, don’t. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination.

Proof-of-concept code for the attack was released after business hours on Friday, according to SANS.

Blocking .ani files won’t help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs.

Microsoft today posted security advisory 935423 about the exploit. Here’s the full list of vulnerable systems:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista

The company still hasn’t provided a patch. The vulnerability is a candidate for inclusion in the CVE (Common Vulnerabilities and Exposures) list, having been assigned the label CVE-2007-0038 (previously also CVE-2007-1765).Although there currently is no official patch, a SANS handler has posted instructions on detecting and filtering out .ani file exploitation attempts. eEye provided a temporary patch, although the company recommends updating to Microsoft’s patch when it’s out.

That’s a pretty significant vulnerability, and there’s just not a way to deal with it in a manner that would leave me comfortable.  I highly recommend Mozilla or Opera for the Windows-bound, although you have to remember that no matter what browser you use, there will be vulnerabilities at times.  In this case, it’s a matter of reducing your exposure.

[tags]Zero-day Windows exploit via animated cursors, Time to switch browsers[/tags]

Remember, all this security is only for your protection

Proving that our government continues to be incapable of protecting us, no matter how many rights or freedoms it strips away, we find that screeners at the Denver airport can identify a bomb only about 10% of the time, even when screening systems set off alarms. So, as almost always is the case, the human element breaks down. But then, that weakness of security has been known so long (and a shorter link to that article). The question is, how do we improve the weak link? I’m thinking hiring better people for the positions, training them better, cutting shift durations (repetition and boredom lead to reduced performance), and I’m sure other measures – all requiring more money.

Checkpoint security screeners at Denver International Airport last month failed to find liquid explosives packed in carry-on luggage and also improvised explosive devices, or IED’s, worn by undercover agents sources told 9NEWS.

“It really is concerning considering that we’re paying millions of dollars out of our budget to be secure in the airline industry,” said passenger Mark Butler who has had two Army Swiss knives confiscated by screeners in the past. “Yet, we’re not any safer than we were before 9/11, in my opinion.”

The Transportation Security Administration (TSA) screeners failed most of the covert tests because of human error, sources told 9NEWS. Alarms went off on the machines, but sources said screeners violated TSA standard operating procedures and did not hand-search suspicious luggage, wand, or pat down the undercover agents.

“The good news is we have our own people probing and looking and examining the system,” said Rep. Ed Perlmutter, a Democrat in the 7th congressional who sits on the House Homeland Security and transportation committees. “The bad news is they’re finding weaknesses.”

Actually, the fact that they are finding weaknesses is also good news. Having the weaknesses is indeed bad news. Finding them means we can develop means of improving on them, which is a good thing. Still – I can no longer take my keychain Leatherman when I fly, because it has a 1 inch knife blade, but people who actually want to inflict harm have a 90% chance of getting their bombs on with them. Way to protect us, TSA and Homeland Security!

[tags]Denver airport security screeners miss 90% of explosives[/tags]

Anandtech forumites discuss freeware security products

I’ve been a reader of the Anandtech forums for far longer than is reasonable. I typically lose interest in such communities and move on to others way sooner than I have this forum. While browsing the forums last night, I ran across this thread on freeware security tools. Given that Anand’s site is so techie oriented, the forums are loaded with very knowledgeable techs. This thread shows that, and has a lot of great information on choosing and using anti-virus, firewall, anti-spyware, and other security tools. If you aren’t set up with malware protection on your system, consider choosing a recommended product from each category in this thread.

For even more security information and guidance from the Anandtech forums, look at this consolidated malware solution thread. It greatly expands on the information from the above-linked free security tools thread. In fact, this 2nd thread is the discussion responsible for the 1st thread. And these folks really know their stuff.

[tags]Anandtech forumites recommend freeware anti-malware[/tags]