Cyber Alert System Failure

Posted by Bill McGonigle Thu, 18 Dec 2008 23:28:00 GMT

I got a National Cyber Alert System alert today about the Microsoft Internet Explorer security vulnerability, now that Microsoft has a patch out. The trouble is, everybody has known about this since last week, and anybody finding out about it today is already hopelessly in trouble.

There's nothing wrong with a notification, "hey, you should ensure this patch is applied," but that's not the purported purpose of the Cyber Alert System.

Thank goodness for the ISC which is group of volunteers doing a much better job than the large government bureaucracy charged with the task.

del.icio.us:Cyber Alert System Failure digg:Cyber Alert System Failure reddit:Cyber Alert System Failure spurl:Cyber Alert System Failure wists:Cyber Alert System Failure simpy:Cyber Alert System Failure newsvine:Cyber Alert System Failure blinklist:Cyber Alert System Failure furl:Cyber Alert System Failure fark:Cyber Alert System Failure blogmarks:Cyber Alert System Failure Y!:Cyber Alert System Failure smarking:Cyber Alert System Failure magnolia:Cyber Alert System Failure segnalo:Cyber Alert System Failure

Anti-Virus on Voting Machines

Posted by Bill McGonigle Tue, 26 Aug 2008 01:10:00 GMT

There’s been much made of the revelation that Diebold voting machines run an install of McAfee Anti-Virus, and that it’s caused trouble with the voting software.

The arguments against it typically boil down to:

  • Your voting machines shouldn’t be use for anything else
  • Your voting machines should be secured against anybody installing software on it
  • You can’t verify the operation of MAV so it could possibly tamper with votes
  • You should be running an operating system which is not so easily infected

Those arguments all have merit, but skip the fundamentals - the software image on a voting machine should not be running on read/write media, that is hard drives. If that basic criteria isn’t met, AV software might actually be a good idea, but missing the fundamentals is no excuse for dirty hacks.

I build my first appliance computer that could run from a CD in a CD-ROM drive in 2002. It’s neither new nor a difficult concept. When you need things to be secure, in that case under HIPAA regs, in this case for votes, you mount your media device (hard drive, flash memory, etc) with the ‘noexec’ flag, and then no software installed on the read/write media can be run from that media. Since you can’t write to the CD, software can’t be run from there either. You provide a stripped down OS image to make doing any more than the minimum very difficult, certainly requiring physical access to the machine.

This isn’t to say your machine shouldn’t be kept secure - of course it should, and the BIOS needs to be correctly configured (many of you know the security problems with certain BIOS configurations) - but read-only media and a good Q/A process obviates the need for anti-virus software. Certainly some software selection choices can make this difficult, but any good architecture starts with the requirements and works towards software selection, not the other way around. Assuming good security is a requirement.

del.icio.us:Anti-Virus on Voting Machines digg:Anti-Virus on Voting Machines reddit:Anti-Virus on Voting Machines spurl:Anti-Virus on Voting Machines wists:Anti-Virus on Voting Machines simpy:Anti-Virus on Voting Machines newsvine:Anti-Virus on Voting Machines blinklist:Anti-Virus on Voting Machines furl:Anti-Virus on Voting Machines fark:Anti-Virus on Voting Machines blogmarks:Anti-Virus on Voting Machines Y!:Anti-Virus on Voting Machines smarking:Anti-Virus on Voting Machines magnolia:Anti-Virus on Voting Machines segnalo:Anti-Virus on Voting Machines

Complete Deniability

Posted by Bill McGonigle Thu, 10 Jul 2008 23:51:00 GMT

I’ve written before about the limited usefulness of plausible deniability, especially in relation to software like TrueCrypt, a hard drive encryption program.

The gist of plausible deniability with TrueCrypt is this: You have multiple encrypted hard drive partitions. When your enemy forces you to reveal your keys, you reveal the low-cost key, and the enemy sees some data that he doesn’t care about and sends you on your merry way. The ‘real’ stuff you want to hide is still hidden.

This works if two conditions are true:

  • The enemy doesn’t know you employ a product with plausible deniability
  • The enemy can merely detain you

If those conditions aren’t true, you’re in big trouble. Say a violent group gets you and your data. They know TrueCrypt has plausible deniability, and they really want your data. You’re going to be tortured until they get what they want, it’s that simple, and ugly.

Now, the worst possible scenario is that you can’t give up ‘your data’ because it doesn’t exist. But only you know that. The bad guys think you have it and they know you have plausible deniability. You’re completely screwed.

For this reason I’ve been against plausible deniability systems for defending against all threats (yes, TrueCrypt would still be fine from hiding that porn you have stashed away on your home PC).

This changed when Cal Harding introduced the concept of Complete Deniability. That is, you can prove that you have no more plausible deniability.

Here’s how it can work: With TrueCrypt, you could have a utility that, once inside a locked data set, could be given a set of keys and ensure that those keys account for all readable data and all blocks of the storage device. Because TrueCrypt is open source, the bad guys can trust this utility to verify that you’re no longer hiding anything. They can review the source and compile it themselves, if they wish.

But, good news for you, you get to go home. Because even bad guys don’t like to waste their time and you’re not otherwise terribly interesting. Odds are you’re not getting your laptop back once the bad guys find your porn bank, though.

del.icio.us:Complete Deniability digg:Complete Deniability reddit:Complete Deniability spurl:Complete Deniability wists:Complete Deniability simpy:Complete Deniability newsvine:Complete Deniability blinklist:Complete Deniability furl:Complete Deniability fark:Complete Deniability blogmarks:Complete Deniability Y!:Complete Deniability smarking:Complete Deniability magnolia:Complete Deniability segnalo:Complete Deniability

Microsoft Back For More Yahoo!

Posted by Bill McGonigle Tue, 20 May 2008 00:45:00 GMT

Sure enough, Microsoft has come back and offered to buy only part of Yahoo! this time (the part it cares about, obviously). This doesn’t prove my conjecture that it only cares about Zimbra, but it sure doesn’t rule it out!

del.icio.us:Microsoft Back For More Yahoo! digg:Microsoft Back For More Yahoo! reddit:Microsoft Back For More Yahoo! spurl:Microsoft Back For More Yahoo! wists:Microsoft Back For More Yahoo! simpy:Microsoft Back For More Yahoo! newsvine:Microsoft Back For More Yahoo! blinklist:Microsoft Back For More Yahoo! furl:Microsoft Back For More Yahoo! fark:Microsoft Back For More Yahoo! blogmarks:Microsoft Back For More Yahoo! Y!:Microsoft Back For More Yahoo! smarking:Microsoft Back For More Yahoo! magnolia:Microsoft Back For More Yahoo! segnalo:Microsoft Back For More Yahoo!

Note on Security Update Coverage

Posted by Bill McGonigle Sat, 17 May 2008 22:14:00 GMT

In the past I’ve covered security problems in various software packages I don’t use or recommend, and I haven’t been doing that for some time, but I don’t think I wrote a note to that effect. Going forward I’ll try not to replicate the work US-CERT is doing and avoid pointing out anything less than problems that are highly out of the ordinary, like the recent debian OpenSSL problem or where official channels are just simply too slow.

del.icio.us:Note on Security Update Coverage digg:Note on Security Update Coverage reddit:Note on Security Update Coverage spurl:Note on Security Update Coverage wists:Note on Security Update Coverage simpy:Note on Security Update Coverage newsvine:Note on Security Update Coverage blinklist:Note on Security Update Coverage furl:Note on Security Update Coverage fark:Note on Security Update Coverage blogmarks:Note on Security Update Coverage Y!:Note on Security Update Coverage smarking:Note on Security Update Coverage magnolia:Note on Security Update Coverage segnalo:Note on Security Update Coverage

Microsoft/Zune/NBC/Watermarking

Posted by Bill McGonigle Fri, 09 May 2008 03:44:00 GMT

People are a tizzy about some ‘magical’ technology NBC got Microsoft to put into its Zune to prevent ‘unauthorized’ episodes from playing. Of course, a he-said, she-said spat ensued, and they’re probably both lying. Anyway, this magic isn’t, it’s just watermarking. It’s well-defined how to make this unnoticeable and non-trival to remove. NBC just adds watermarking to the shows before they air, the Zune detects the watermark, and refuses to play the file unless there’s also an authorization key.

The trick with this approach is that it’s 100% DRM; hardware player support is required, and any other player will not have a problem. Also of note, this does nothing to stop copying, it’s just a revenue-enforcement model and is anti Fair-Use.

Nah, neither GE nor Microsoft would do something like that… good on Apple for refusing to play Evil Ball.

del.icio.us:Microsoft/Zune/NBC/Watermarking digg:Microsoft/Zune/NBC/Watermarking reddit:Microsoft/Zune/NBC/Watermarking spurl:Microsoft/Zune/NBC/Watermarking wists:Microsoft/Zune/NBC/Watermarking simpy:Microsoft/Zune/NBC/Watermarking newsvine:Microsoft/Zune/NBC/Watermarking blinklist:Microsoft/Zune/NBC/Watermarking furl:Microsoft/Zune/NBC/Watermarking fark:Microsoft/Zune/NBC/Watermarking blogmarks:Microsoft/Zune/NBC/Watermarking Y!:Microsoft/Zune/NBC/Watermarking smarking:Microsoft/Zune/NBC/Watermarking magnolia:Microsoft/Zune/NBC/Watermarking segnalo:Microsoft/Zune/NBC/Watermarking

How Yahoo! Can Turn Back Microsoft

Posted by Bill McGonigle Sat, 05 Apr 2008 19:45:00 GMT

Spin off Zimbra again.

Microsoft’s talk about gettting all Webby is just the party line.

Zimbra is the most significant competition to Exchange and Microsoft’s stranglehold on ‘The Enterprise’ and the real reason that Microsoft wants to own Yahoo!.

Of course this won’t happen - I think the Yahoo! guys are smart and bought Zimbra so that Microsoft would finally acquire them. And they know what the Exchange monopoly is worth to them, so they can hold out until Microsoft gives.

This group is looking to block the deal with government intervention on these grounds.

del.icio.us:How Yahoo! Can Turn Back Microsoft digg:How Yahoo! Can Turn Back Microsoft reddit:How Yahoo! Can Turn Back Microsoft spurl:How Yahoo! Can Turn Back Microsoft wists:How Yahoo! Can Turn Back Microsoft simpy:How Yahoo! Can Turn Back Microsoft newsvine:How Yahoo! Can Turn Back Microsoft blinklist:How Yahoo! Can Turn Back Microsoft furl:How Yahoo! Can Turn Back Microsoft fark:How Yahoo! Can Turn Back Microsoft blogmarks:How Yahoo! Can Turn Back Microsoft Y!:How Yahoo! Can Turn Back Microsoft smarking:How Yahoo! Can Turn Back Microsoft magnolia:How Yahoo! Can Turn Back Microsoft segnalo:How Yahoo! Can Turn Back Microsoft

See, it really is the Russians

Posted by Bill McGonigle Wed, 30 Jan 2008 19:49:00 GMT

Here’s a Washington Post piece about the Storm worm, and it being traced to St. Petersburg, and the international relations around that.

This is largely posted to have for future reference for when I get the ‘conspiracy nut’ look when I explain that Windows security problems are largely Russian-mafia related.

del.icio.us:See, it really is the Russians digg:See, it really is the Russians reddit:See, it really is the Russians spurl:See, it really is the Russians wists:See, it really is the Russians simpy:See, it really is the Russians newsvine:See, it really is the Russians blinklist:See, it really is the Russians furl:See, it really is the Russians fark:See, it really is the Russians blogmarks:See, it really is the Russians Y!:See, it really is the Russians smarking:See, it really is the Russians magnolia:See, it really is the Russians segnalo:See, it really is the Russians

Pre-Screening Vulnerable Users Through Old Exploits

Posted by Bill McGonigle Wed, 09 Jan 2008 21:56:00 GMT

I was reading about the latest* Windows vulnerability over at the ISC diary and they point out there the vector is a bunch of old vulnerabilities and that the folks involved are tied up in banking fraud.

So, why wouldn't they exploit the latest vulnerabilities to get a bigger victim base? Is it because they're too lazy or incompetent to program for them?

No, I think they know exactly what they're doing. By choosing to target unpatched machines they're purposely limiting their user base. They're limiting it to people who are clueless about security.

If you were a bank fraudster, whose account would you rather tackle, that of somebody who is fanatic about patching their Windows machine or someone who is security ignorant to the point of not having patched their machine in over a year? Why even bother with Mac or Linux users, if you have this perspective...

Notice, one of the exploits dates back to 2003. I wouldn't be surprised if they push victims who were exploited through this one to the top of the list.

* I had to pick between two critical flaws today for 'latest' - allow me the literary license.

del.icio.us:Pre-Screening Vulnerable Users Through Old Exploits digg:Pre-Screening Vulnerable Users Through Old Exploits reddit:Pre-Screening Vulnerable Users Through Old Exploits spurl:Pre-Screening Vulnerable Users Through Old Exploits wists:Pre-Screening Vulnerable Users Through Old Exploits simpy:Pre-Screening Vulnerable Users Through Old Exploits newsvine:Pre-Screening Vulnerable Users Through Old Exploits blinklist:Pre-Screening Vulnerable Users Through Old Exploits furl:Pre-Screening Vulnerable Users Through Old Exploits fark:Pre-Screening Vulnerable Users Through Old Exploits blogmarks:Pre-Screening Vulnerable Users Through Old Exploits Y!:Pre-Screening Vulnerable Users Through Old Exploits smarking:Pre-Screening Vulnerable Users Through Old Exploits magnolia:Pre-Screening Vulnerable Users Through Old Exploits segnalo:Pre-Screening Vulnerable Users Through Old Exploits

Microsoft Patches without Permission 3

Posted by Bill McGonigle Fri, 14 Sep 2007 15:58:00 GMT

I’ve been trying to lay off the ‘Windows bad news’ posts here, but this one is just too important to ignore.

There’s an article called “Windows is Spyware” over at ZDNet talking about a newly discovered (and confirmed) behavior whereby Microsoft patches Windows XP (and apparently Vista) machines without the knowledge or consent of the machine’s owner. I’m pretty sure this means you can’t use Windows in an environment where you’re governed by HIPAA, PCI, or federal security regs, at least without some serious egress filtering to the Microsoft sites at the firewall.

The most amusing point from the article is this:

They seem to think that they own Windows and you and I are just renting our copies. Maybe we should read the lease.
          

Duh. It says right in the EULA that’s exactly what you’re doing, and in fact the new EULA with Windows XP SP1 stated that Microsoft could do this kind of updating (though they weren’t at the time). Anybody who has requirements incompatible with these kinds of EULA’s needs to find a vendor for their OS that doesn’t impose such clauses. Even at that you’re at the mercy of the new vendor’s benevolence, so open source operating systems are the only real choice if real control and security are the criteria.

Does anybody have a source for accurate IP ranges of the Windows update servers?

[hat tip -> Glen]

del.icio.us:Microsoft Patches without Permission digg:Microsoft Patches without Permission reddit:Microsoft Patches without Permission spurl:Microsoft Patches without Permission wists:Microsoft Patches without Permission simpy:Microsoft Patches without Permission newsvine:Microsoft Patches without Permission blinklist:Microsoft Patches without Permission furl:Microsoft Patches without Permission fark:Microsoft Patches without Permission blogmarks:Microsoft Patches without Permission Y!:Microsoft Patches without Permission smarking:Microsoft Patches without Permission magnolia:Microsoft Patches without Permission segnalo:Microsoft Patches without Permission

Older posts: 1 2 3 ... 5