Archive for the ‘Guests’ Category
Dave G. | July 10th, 2007 | Filed Under: Guests
Login: cwe Name: Steve Christey / Bob Martin
Directory: /guests/cwe Shell: /bin/sh
On since Wed Jul 10 21:55:00 EDT from www.cwe.org
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily
those held by Matasano Chargen.
Evolution of the CWE Pie Chart
We thought we would provide some clarification on the CWE pie chart
that we published, which was adapted and is now making the rounds in
the blogosphere.
The 55/45 chart is a simplification of a pie chart that we presented
at Black Hat DC this year. We’re not sure who simplified it, although
it is consistent with the original chart, which we presented to
demonstrate the utility of CWE, not as an authoritative analysis.
The original chart was constructed as follows. Application security
vendors provided us with their internal vulnerability descriptions,
which we then mapped to CWEs, creating new CWEs as necessary (we did
this in the very early days of CVE, too). At the end of this first
round, we had CWE mappings for 6 vendors. We then looked at how much
overlap there was between the tools. We found that 55% of CWEs
weren’t covered at all, 1% were shared by all 6 sources, and the rest
were covered by 1 to 5 sources.
We built the CWE mappings based on what the vendors’ documents said
they look for, which has certain limitations. For example, CWE
supports multiple levels of abstraction, such as about 8 XSS variants
and 15+ directory traversal variants; we only mapped a tool to a
“variant CWE” if it specifically mentioned that variant. Also, CWE
has about 104 categorization nodes (such as “Authentication Issues”);
many of these would not be reported by a tool, which would be looking
for more specific children. Finally, some tools include checks for
issues that are useful for developers but not necessarily inherent
weaknesses.
Finally, many CWEs are design-level or business logic issues, which
are difficult if not impossible to detect automatically. CWE also
included many issues that aren’t applicable to web software. So, it’s
not a surprise that tool coverage would be less than 100%, nor should
we expect it.
We expect that the adoption of CWEs will help to make communication
more precise. However, the community is in the early stages of
adoption, and we think it’s reflected in the original pie chart.
Still, it demonstrates how CWE could be useful in identifying
opportunities for vendors and consumers to widen their vulnerability
coverage.
We did not expect our slide to generate such interest. In light of
this, we will conduct a more careful analysis and provide more
specific information on methodology, assumptions, and constraints of
the statistics. We will also give a more qualitative description of
the gaps that we encountered.
Thoughts or feedback are welcome at cwe@mitre.org.
Steve Christey, CWE Technical Lead
Bob Martin, CWE Program Manager
No Comments
Dave G. | June 7th, 2007 | Filed Under: Guests, Industry Punditry
Login: ted Name: Ted Julian
Org: App. Security, Inc. Title: VP/Marketing
Directory: /guests/dhbg Shell: /bin/sh
On since Wed Jun 6 15:55:00 EDT from
www.appsecinc.com
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
Quick Disclaimer: Some readers will find it odd that we have a VP/Marketing writing a guest blog post. He may describe himself as vendor scum, but we listen to him. You
should too. For the record, we are vendor scum too.
To know Dave and Tom is to love them. So when we were at the Gartner IT Security Summit this week and they asked me to write a post about the goings on here I just couldn’t say no. So here you have it, your post from the field on what you missed if you couldn’t join the festivities in DC.
First some disclosures are in order, however. Years ago I spent nearly 8 years as an industry analyst. And one of the only places I didn’t work was Gartner. Safe to assume it will be hard for me to resist finding at least some flaws in their logic. Second, while Dave and Tom can post here with some semblance of vendor neutrality – I’m vendor scum, plain and simple. There’s a better than decent chance you’ll find some comment in here about how database security is the most critical and strategic investment enterprises need to make because the threat has changed, attackers have gone pro, they’re after data they can sell and the most efficient way to harvest the maximum amount of this data is by compromising your databases. If you’re not protecting against this threat, you’re throwing good money after bad, or at least putting data security lipstick on the network security pig. Hey, at least I told you up front. That’s more forthcoming and more provocative than when at RSA this year Art Coviello’s big idea was that there’d be no more stand alone security companies – right after RSA got bought by EMC. Or yesterday when Bruce Schneier’s key take-away was that security products will disappear because you’ll buy them with your infrastructure – now that CounterPane is part of BT.
So what are the Gartner gang’s key take aways?
It’s all about Application Security, sorry, I meant application security 
You’ve heard the argument before: it’s far less expensive to remove security issues earlier in the development cycle than at production or even worse after a breach. Gartner (and others) have said this before, but to Gartner’s credit, they drilled down quite a bit on this notion. Joseph Feiman did the best job I’ve seen of segmenting the development process (design, architecture, coding, etc.), highlighting the security issues at each stage, approaches you can take to address them, etc. This charming guy has just been made a research fellow so he can chase this idea which is great because I know that by the end of his session I was dying for the next step. That is, drill down into each of these areas to nail the people, process, and technology details. He’s got another session today – so maybe we’ll get more detail. That will be critical since the challenge for IT on this front is to identify quick wins that tide you over while architecting the proverbial great leap forward. Because if payback is restricted to new code working through the whole process and then getting broadly deployed, we won’t be able to witness it. It’ll take 10 years and we’ll all be off to different jobs – a few times over.
The collision of security and compliance. Essentially, it boils down to building a control framework, identifying the universe of controls within that framework, and then mapping them to your disparate compliance initiatives. Don’t run 38 scans for your 38 compliance initiatives. Do run an uber-scan once and take what you need from it for each initiative. This way, you can minimize the redundant gruntwork associated with a one-off, reactive approach and minimize the risk that you’re so busy getting the auditors what they need that you take your eye off the security ball. Good security should make compliance easy. Other than getting the auditors off your back, I don’t know what good compliance gets you.
Here too, the idea is not new or particularly unique, but Gartner drilled down to make it more actionable. For example, the “distinguished” Mark Nicollet and much respected (and ironically vendor-scum turned enlightened analyst) Paul Proctor detailed how this works, frameworks you can use (ex. ISO 27001, COBIT), infrastructure you might apply this to (like databases – hey, maybe these guys aren’t so bad?).
I’ve got two nits to pick on the many compliance discussions. One is the notion of audit. Like security, auditing is a process, not a product. It spans scanning, monitoring / detection, configuration, logging, and god knows what else. Actually, he/she probably doesn’t know or care, but you’re auditor might tell – for some cash, on a quarterly basis. Anyway, in the same way you can compliance yourself out of security; you can audit yourself into oblivion. In my simple mind, audits are simply an awesome corollary benefit of good vulnerability management. Specifically, scans get you the reporting you need to document that you’ve established the appropriate controls. Meanwhile, monitoring helps you flag violations of those controls in a timely fashion. To Gartner’s credit they’ve bolted this notion on to their vulnerability management lifecycle – they just need to be consistent by carrying this through the rest of their research and keep running with it. I think this is a big idea and from a writing cool research perspective, so far they’ve buried the lead.
My second gripe is the notion of privileged user monitoring. It came up a ton. Ironically, so did the conflicting but spot-on notion that knowing the true user is virtually impossible given account pooling and other crippling complexity. So, how are we supposed to monitor privileged users if it’s impossible to know who they are?
More achievable and probably more valuable is simply monitoring privileged activity. For example, in my “I’ve got a database security hammer and all I see is nails” world, it isn’t too hard to identify what columns in the database matter most (like maybe the credit card number column) and then simply monitor all activity against it, independent of the user. The wily external hacker compromises wireless to get on the corporate LAN and gain privilege on the database? The insidious insider DBA runs a select * against the credit card column? It’s all the same to us, they try to rob the database – we’ve got ‘em.
Over time monitoring systems will integrate with other infrastructure (SIM / SIEM, directories, IAM, and so on) to help get to the true user. But at least today you can get an early warning system which if you’re lucky will flag a reconnaissance attempt so you can avoid a breach altogether. If you’re not so lucky, you’ll still know fast and can do some quick old-fashioned forensics to contain the damage and try to catch the bad guy.
The bad guys are crafty and you should be VERY scared. Details about different break-ins have been sprinkled throughout this thing, but as usual Avivah Litan’s prezo was chock-a-block with details about who the bad guys are, how they’ve pulled off different heists, and what they got away with. And Greg Crabb from the Postal Service (the guys who deliver the mail, not the band – though that’s also a worthy topic) had some great war stories - including pictures! Later today, Rich “The Mogul” Mogull looks to add to the booty with his talk, “Involuntary Data Security Case Studies.”
Even jaded security veterans can’t resist fodder like this. It’s a necessary reminder that threat has changed and more of the same won’t save us.
The major gripe I heard from attendees was the increased amount of vendor advertising –vendor prezos at meals, vendor tracks throughout the day sandwiched between the Gartner prezos, and so on. A few people I talked to said they’d pay more to do away with it.
1 Comment
Dave G. | March 19th, 2007 | Filed Under: Guests
Login: stevec Name: Steve C.
Directory: /guests/stevec Shell: /bin/csh
On since Mon Mar 19 19:55:00 EDT
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
Disclaimer: this is personal opinion, based on 15 minutes of thought, and is in no way associated with my professional work, except in the sense that identifying the influencers is an important step in the maturity of this young industry. Lame attempts at humor are mine.
Stefan Esser. invented most of the new PHP variants, tore the language apart with his l33t love. And this was BEFORE the month of PHP bugs.
str0ke. milw0rm, what more be said? You don’t need to flood the world with every bug under the sun to have an impact.
Alan Paller. the head of SANS gets things done at high echelons of government and industry. Both expresses and evokes opinions.
Luigi Auriemma there’s only a drop in the bucket for research into video games, and he’s the only one making a splash. When you entertain thoughts about disclosure rules, don’t leave him out in the cold.
Pascal Meunier. did you know that there’s a web site with materials for secure programming education in academia, complete with syllabus ideas? For free?
retrogod. complicated PHP research packaged in ready-made, multi-stage sploitz for compromising gazillions of web sites. Hey, we’re talking influence here.
Tavis Ormandy. whether it’s Google or Gentoo security, it’s all good.
FX. had a quiet year, but let’s not forget him, shall we?
Michal Zalewski. why this guy isn’t a rock star like H D Moore is a mystery. Simultaneous breadth and depth is rare.
Window Snyder. Chief Something-Or-Other. Dared to remove feature bloat from Firefox in order to reduce attack surface. The gall of it all, practicing what you preach!
Alexander Kornbrust. puts the pressure on Oracle along with David Litchfield and Cesar Cerrudo.
Georgi Guninski. said goodbye to disclosure this year, yet still much better than most.
Mark Dowd. duh.
Tan Chew Keong. has the audacity to audit major third-party libraries on the Windows platform, affecting dozens of products in countless installations.
KAPDA (organization). leading Iran’s entry into the scene. truuend5, in particular.
Tom Ferris. he’s the guy who finds a lot of Apple user application bugs, remember?
Gadi Evron. oh wait, wrong list. You’ve heard him. Of him, I mean.
Juha-Matti Laurio. tries to track Microsoft zero-days and provide useful information.
14 Comments
Dave G. | November 14th, 2006 | Filed Under: Guests
Login: jm Name: John McDonald
Directory: /guests/jm Shell: /bin/zsh
On since Fri Nov 10 08:55:00 CDT from shaolin
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
In the first challenge, you can see that there is a variable relationship between maxsize and ptr. maxsize is supposed to track the amount of space left in the buffer, and ptr points to the next place to write in the banner buffer. The vulnerability here is that the relationship between these variables is invalidated right after the concatenation of the origin IP string. Look at this again:
ptr += strlen(ptr);
maxsize -= strlen(ptr);
ptr is correctly updated to point past the origin IP string. However, maxsize isn’t changed, because strlen(ptr) is going to be 0. The operations were done in the wrong order; maxsize should have been updated first, before ptr was moved to point the end of the string. Thus, there is a buffer overflow possible in the vsnprintf( ) because maxsize will be off by the length of the origin IP string.
Looking at the second challenge, consider what happens when a match for the dangerous environment variable is found:
if (*vp == '\\0' && *ep++ == '=') {
char **P;
for (P = env;; ++P)
if (!(*P = *(P + 1)))
break;
}
env++;
The program eliminates this environment variable by shifting the following environment variables back one position in the env array, overwriting the “evil” variable. The problem is that, once this is accomplished, the env pointer is incremented before the search for evil environment variable continues. So, say you had this env array:
env -> LD_PRELOAD=/tmp/evil.so
LD_PRELOAD=/tmp/evil.so
TERM=vt100
MARK=lazy.australian.making.me.write.his.answers
So, it matches LD_PRELOAD and shifts the following environment variables back one to overwrite it:
env -> LD_PRELOAD=/tmp/evil.so
TERM=vt100
MARK=lazy.australian.making.me.write.his.answers
Then, it incorrectly increments env:
LD_PRELOAD=/tmp/evil.so
env -> TERM=vt100
MARK=lazy.australian.making.me.write.his.answers
Oops! Like all good bugs, this bug was originally found in Linux by Solar Designer ages ago. Astute readers may have noticed that it still affects certain modern day Internets.
Ok, the third challenge. We were shooting for a good example of an RLIMIT bug. So, the goal in this attack would be to have the write() of the very last password entry return immediately after writing the username and the colon character. This would leave the user without a defined password. On Linux, you could use RLIMIT_FSIZE to dial in the exact byte at which you wanted this to occur. This could cause the SIGXFSZ signal to be sent, but the signals were blocked. (Also, your signal mask is inherited in a suid so you could have that signal be ignored in your exploit.)
As far as the competitors go:
Adam Morrison was the only one to see where we were going with the third one. However, he didn’t answer the other two challenges, though god knows he could have easily.
So, it basically comes down to Kasperle and Mangoboy. Kasperle’s analysis was awesome, but in the end we think that mangoboy’s figured out the the more exploitable condition and his suggestion of creatively filling up the disk is plausible.
We didn’t think of that vector when crafting this challenge, though daveg came up with it along with the rlimit attack within a few minutes. So, it was a tough call, but the winner of this challenge is mangoboy.
5 Comments
Dave G. | November 13th, 2006 | Filed Under: Guests
Login: mdowd Name: Mark Dowd
Directory: /guests/mdowd Shell: /bin/ash
On since Tue Sep 26 21:55:00 CDT from ???
No Mail.
Plan:
———————————-
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
UPDATED (11/14/06 10:33AM/Eastern): This contest is closed. We need to do some judging. I approved all of the comments and answers in the meantime.
UPDATED (11/13/06 7:12PM/Eastern): The prize remains unclaimed. Challenge #3 may be OS specific, but we know it works on at least one OS (Linux).
Obligatory book plug:
We recently finished a book called “The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities”. It’s
all about finding security vulnerabilities in software, covering design
review through implementation review across a wide variety of
technologies, including Unix, Windows, network software, and the Web. It
will be published by Addison-Wesley on November 20th, who have provided
a sample chapter.
Note: In our previous post to this blog we indicated that the book would
be available on November 15th. The reason for the date change is that
there was evidently a problem with printing, which has delayed the book
by a few days. Sorry for the inconvenience!
But enough chat, on with the challenges!
—
Here’s the first one. Assume getoriginip() is only going to be 16 bytes maximum, and that you can provide a very long string to be placed in the
banner through the varargs. Also, assume that there isn’t a format string issue.
int banner(int origin, char *fmt, …)
{
char buf[1024], *ptr = buf, *origin_string;
size_t maxsize = sizeof(buf) - 1;
va_list ap;
…
switch(origin){
case LOCAL:
origin_string = “Local Connection”;
break;
case REMOTE:
origin_string = “Remote Connection”;
break;
default:
origin_string = “Unknown Connection”;
break;
}
sprintf(ptr, “|%s| “, origin_string);
maxsize -= strlen(ptr);
ptr += strlen(ptr);
…
sprintf(ptr, “%s: “, get_origin_ip());
ptr += strlen(ptr);
maxsize -= strlen(ptr);
…
va_start(ap, fmt);
vsnprintf(ptr, maxsize, fmt, ap);
va_end(ap);
—
This next one contains some code to remove a variable from the program
environment, say to strip out LD_PRELOAD for a setuid program in ld.so.
Assume you can specify any environment you want, but this code will be
run after an execve() so it’s guaranteed to be somewhat well-formed. The
first argument, var, is a pointer to the name of the environment
variable to be stripped out:
static void
_dl_unsetenv(const char *var, char **env)
{
char *ep;
while ((ep = *env)) {
const char *vp = var;
while (*vp && *vp == *ep) {
vp++;
ep++;
}
if (*vp == ‘\\0′ && *ep++ == ‘=’) {
char **P;
for (P = env;; ++P)
if (!(*P = *(P + 1)))
break;
}
env++;
}
}
—
Lastly, let’s consider a program that is running with setuid root
privileges and writing to a sensitive file. The file is line-based and
contains username/password pairs of the form “username:password”. If
“password” is omitted, then that user has no password. Assume that when
the function is called, the users credentials that correspond to
“username” have already been established, and this function updates
their password. You can also assume that the file_entries list has been
filled out by reading in the information from the privileged
(non-readable) password file, and that the /data directory is not
writable by non-root users. Here’s the code:
#define TEMP_PASSWORD_FILE “/data/passwords.tmp”
#define PASSWORD_FILE “/data/passwords”
struct password_entry
{
unsigned char user[32];
unsigned char pass[32];
struct password_entry *next;
};
struct password_entry *file_entries;
int update_password(unsigned char *username,
unsigned char *password)
{
int i, fd, rc = -1;
struct password_entry *ent;
if(!username || !password)
return -1;
for(i = 0; password[i]; i++)
{
if(!isalnum(password[i]))
return -1;
}
block_signals();
umask(022);
if((fd = open(TEMP_PASSWORD_FILE,
O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW,
S_IRUSR|S_IWUSER)) < 0)
{
unblock_signals();
return -1;
}
for(ent = file_entries; ent; ent = ent->next)
{
unsigned char buffer[256];
if(strcmp(ent->user, username) == 0)
snprintf(buffer, sizeof(buffer), “%.32s:%.32s\\n”,
ent->user,password);
else
snprintf(buffer, sizeof(buffer), “%.32s:%.32s\\n”,
ent->user,ent->pass);
if(write(fd, buffer, strlen(buffer)) < 0)
goto epilog;
}
rc = rename(TEMP_PASSWORD_FILE, PASSWORD_FILE);
epilog:
close(fd);
unlink(TEMP_PASSWORD_FILE);
unblock_signals();
return rc;
}
24 Comments
Dave G. | November 10th, 2006 | Filed Under: Guests, Uncategorized
Mark, John and Justin have generously offered up a free copy of their upcoming book (THANKS GUYS!) to the first person that correctly answers all of the challenges within one of the challenge posts. Our first winner is:
Liudvikas Bukys
And a reminder that the next challenge will be posted on Monday, Nov 13th at 12PM/Eastern.
Updated: Got the date wrong… its correct now.
1 Comment
Dave G. | November 10th, 2006 | Filed Under: Guests
Login: jm Name: John McDonald
Directory: /guests/jm Shell: /bin/zsh
On since Fri Nov 10 08:55:00 CDT from shaolin
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
Ok, so let’s go over the first challenge:
int print_msb(int number)
{
...
char buf[sizeof("255")];
sprintf(buf, "%u", number >> 24);
...
}
This code is attempting to isolate the most significant byte of the integer argument number. It does this with a right shift, but because the number is a signed int, an arithmetic right shift is performed instead of a logical right shift. (google Intel’s “sar”) This means that the sign bit will be propagated as the number is shifted. So, if the number was -1, it would have a bit pattern of 11111111 11111111 11111111 11111111. After the right shift, it would still have this same bit pattern. Thus, the buffer buf won’t be big enough to hold the unsigned decimal ascii representation of the number, and a buffer overflow will be possible.
Now for the second one:
int bank1[1000], bank2[1000];
...
void hashbank(int index, int value)
{
int *bank = bank1;
if (index<0) {
bank = bank2;
index = -index;
}
bank[index % 1000] = value;
}
This is a demonstration of something we’ve dubbed the Leblancian Paradox, as the formidable David Leblanc showed it to us. So, in two’s complement arithmetic, to negate a number, you invert all the bits and add one. So what happens when you negate the number 0x80000000? Here’s the bit pattern:
10000000 00000000 00000000 00000000
Invert the bits, and you get:
01111111 11111111 11111111 11111111
Add one, and you get:
10000000 00000000 00000000 00000000
Neat, huh? So, in the above code, if you provide an index of 0x80000000, the unary negation doesn’t change the value of index. Thus, the code places value into offset 0x80000000 % 1000. Now, index is a signed integer type, so the result of this modulus operation will actually be -648. Thus, the memory behind the bank2 array will be modified! Now, we probably should have switched the order of bank1 and bank2 or added a fake void *gEXTRASUPERCRITICALFUNCTIONPOINTERSPLEASEFORTHELOVEOFGODDONOTOVERWRITE[1024] somewhere, but hopefully you can see how this could be a ruxer.
Congrats to the following Chargen superstars:
Liudvikas Bukys
Ian
James Lee
Mangoboy
cneckar
Kasperle
Matt
Next challenge will be post on Monday, November 13th at 12PM/EST.
1 Comment
Dave G. | November 9th, 2006 | Filed Under: Guests
Login: jm Name: John McDonald
Directory: /guests/jm Shell: /bin/zsh
On since Tue Sep 26 21:55:00 CDT from ???
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
Mark Dowd, Justin Schuh, and I recently finished a book called “The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities”. It’s all about finding security vulnerabilities in software, covering design review through implementation review across a wide variety of technologies, including Unix, Windows, network software, and the Web. It will be published by Addison-Wesley on November 15th, who have provided a sample chapter.
We’re thrilled that Matasano has given us the opportunity to talk about our book. So, we’ve decided to do a series of little mini-challenges to give you a taste for the kinds of things we cover. We’ll give the solutions in a follow-up post.
Let’s start with some interesting C idiosyncrasies. The goal for these is to corrupt memory that you shouldn’t be able to affect. Exploitability of these synthetic bugs would admittedly be difficult, but the underlying language mechanics are worth keeping in mind when auditing real-world code. Here’s the first one (assume you can completely control ‘number’):
int print_msb(int number)
{
...
char buf[sizeof("255")];
sprintf(buf, "%u", number >> 24);
...
}
Here’s the second one (assume you can completely control ‘index’ and ‘value’):
int bank1[1000], bank2[1000];
...
void hashbank(int index, int value)
{
int *bank = bank1;
...
if (index<0) {
bank = bank2;
index = -index;
}
bank[index % 1000] = value;
}
Put the answers in comments. Explain how and why.
Also, a quick plug: Chris Wysopal, Lucas Nelson, Matasano’s own Dino Dai
Zovi, and Elfriede Dustin have a brilliantly titled book coming out on Nov. 27th. It’s also being published by AW, and it should complement our book nicely. The title is “The Art of Software Security Testing,” and it’s all about empowering quality assurance personnel with a sophisticated, battle-tested process for testing software security.
12 Comments
Dave G. | October 6th, 2006 | Filed Under: Guests
Login: frank Name: Frank Rieger
Directory: /guests/frank Shell: /bin/ksh
On since Tue Sep 26 21:55:00 CDT from ccc.de
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
One of the things that kept the Chaos Computer Club busy in the last
couple of weeks was to take part in the mission of the dutch campaign, “We dont trust voting computers”. I never imagined that building a chess board for a voting computer out of paper and magnetic euro-cent coins might be necessary to preserve the last remains of democracy…
The reason for playing chess on a Nedap voting
computer was that Mr.
Groenendaal from Nedap claimed that the Nedap systems are “dedicated
special purpose machines” and not ordinary computers and therefore
could not be used to play chess. He also used the famous last words
spoken by so many companies “Hackers have absolutely no chance”.
Well. A few weeks later the hackers owned the Nedap boxes inside out.
We played chess on them, we manipulated votes and we could detect
what has been voted from across the street, using compromising
(spurious) emissions, aka. TEMPEST. I am particularly happy that we
managed to demonstrate a simple TEMPEST attack, as it is the first
time (at least as far as I know) that this method was used for a
“good” purpose. I do not recall a similar complete and utter defeat of a
systems vendor in the last years.
Go and read the technical report paper. It is entertaining and may give you fresh ideas for your own pet projects.
The details of the reengineering effort can be found here.
The battle now moves on to the legal department. We showed on the
technical side that voting computers are not fulfilling the legal
requirements for an election (for Germany and the Netherlands at
least). The next step is to convince or, if necessary, force by legal
means the government to acknowledge the technical findings and
revoke the certification of voting computers.
3 Comments
Dave G. | October 2nd, 2006 | Filed Under: Guests
Login: dcox Name: Dennis Cox
Org: Breakingpoint Systems Title: Chief Technology Officer
Directory: /guests/dcox Shell: /bin/ksh
On since Tue Sep 26 21:55:00 CDT from bpointsys.com
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by
Matasano Chargen.
Black and White
Recently, an article entitled “Animal activists free 15,000 farmed
fish to their deaths” by Valerie Elliot was published in the Times
Online (UK). It’s a wonderful article (in fact, there was a SciFi
Movie about a similar topic in which everybody was turned into killer
mad Zombies) stating that the Animal Liberation Front “freed” 15,000
halibut to the open oceans. All the halibut died.
This is a pretty standard phenomenon. If you are black and white in
your beliefs you’re going to wind up killing a bunch of things.
As another example, let’s take a touchier subject - Religion. Certain
religions believe that if you don’t believe in “X”, you will not be
saved. In addition, you must not be a very nice person because all
nice people believe in “X”. So if someone makes a joke about “X”, he
must be evil because “X” is great and no one should make fun of “X”.
Solution? Kill everybody that doesn’t believe in “X”!
Black and White. It either is or isn’t.
The security industry is made up of quite a few folks who are what I
consider, Black and White people; People that believe in the darndest
things! For example, take the recent bump key hype that finally made
it to the media. The Security Expert on the news said “You shouldn’t
bother locking your door because anybody could break in with no
trouble at all”. What a black and white response and what an idiot, I
say! It is impossible to have a conversation (I define a conversation
as “listening AND talking”.) with someone that thinks in Black And
White. Nothing is ever secure enough, so why bother securing at all,
they argue. When I was working for TPTI I heard that all the time.
Regarding blocking attacks – Man I can evade that stuff so easily. It
can’t stop this or that, and the recent full disclosure threads on
anti-virus (granted I personally think anti-virus is a joke) when
signatures were bypassed with simple changes to case sensitivity
proves their point… The security folks are right - they are flawed,
they are not perfect, and they don’t get you 100% protection.
That being said, it’s really about mitigating risk. A seat belt may
or may not save your life, but it will increase the odds for most
cases across the board. Sure, there is that one case in Montana back
in 1982 where someone died because of a seatbelt (B&W person will
send me a link, I’m sure!), but generally the rule of thumb is that
if you wear a seatbelt, you will have a better chance of survival and
less major injuries in an accident.
If you use a Firewall, IPS, 802.1x (HUGE FAN!), or AntiVirus you may
get infected and typically you, your network, and your computer will
run a lot slower because of it. (Ugh!) But, you will have a better
chance of surviving the next worm. That’s what it is all about - it’s
about staying alive and not about being perfect, survival of the
fittest. Now, what’s the cost? If $$$ gives me a 40% better chance to
survive versus $$$$ which gives me 45% chance, is the higher cost
worth it? Now that depends on your business, and it depends on your
point of view.
So what’s the point of this rant? If you’re in security then you’re an
influencer. I’ve been watching this trend for a while now, you most
likely are causing more problems then good. See it’s that silly Black
and White mentality that you have developed about security. Don’t
misunderstand me - I’m all for calling out peoples security problems
in their products. In fact it’s all fair in my opinion to say as
little or as much as want in regards to marketing that is shady.
HECK! Make a video and give no data and make a big splash with the
media all you want at a big security show. Make the whole thing like
a bad TV show about people in a airplane crash stranded on a island.
Let the mystery run on for months and months. What I dislike is
people acting like Bruce Schneier, who I think of as the the Rush
Limbaugh of Security. Bruce talks about the TSA in the same way that
Rush talks about Ted Kennedy, bringing up 9/11 as often as Rush
brings up Chappaquiddick. Writing about how insecure and bad things
are - and how smart he is. How what we are doing is making the world
a horrible place. Complaining about the insecurities of Airport
checkins, tell everybody that it does more harm then good. Even
though the TSA just found a women with a loaded handgun trying to get
on a plane the other day. People that
spread that kind of message are causing people to IGNORE security -
saying there is no hope at all (cause that’s the message you are
giving them). Sadly, it’s a message that’s that may actually be far
worse then no message at all. Try solving some of the security
problems - instead of just talking about how insecure things are.
Remember, if you free the farmed fish - they will most likely die in
the open water. Not just one, but all of them. Best to think of
another method. Oh when they all die, nobody will listen to you rant
about squids.
20 Comments
