CERIAS Blog - CERIAS - Purdue University

Fun with Internet Video

Wednesday, August 29, 2007 by spaf in General, Secure IT Practices,

[tags]network crime, internet video, extortion, streaming video[/tags]

Here's an interesting story about what people can do if they gain access to streaming video at a poorly-protected site. If someone on the other end of the phone is really convincing, what could she get the victims to do?

FBI: Strip Or Get Bombed Threat Spreads - Local News Story - KPHO Phoenix:

Cyberwar

Friday, August 24, 2007 by spaf in General, Kudos, Opinions and Rants, Reviews,

[tags]cyber warfare, cyber terrorism, cyber crime, Estonia[/tags]
I am frequently asked about the likelihood of cyber war or cyber terrorism. I'm skeptical of either being a stand-alone threat, as neither is likely to serve the goals of those who would actually wage warfare or commit terrorism.

The incidents in Estonia earlier this year were quite newsworthy and brought more people out claiming it was cyber terrorism or cyber warfare. Nonsense! It wasn't terrorism, because it didn't terrorize anyone -- although it did annoy the heck out of many. And as far as warfare goes, nothing was accomplished politically, and the “other side” was never even formally identified.

Basically, in Estonia there was a massive outbreak of cyber vandalism and cyber crime.

Carolyn Duffy Marsan did a nice piece in Network World on this topic. She interviewed a number of people, and wrote it up clearly. I especially like it because she quoted me correctly! You can check out the article here: How close is World War 3.0? - Network World. I think it represents the situation quite appropriately.

[As a humorous aside, I happened to do a search on the Network World site to see if another interview had appeared without me hearing about it. I found this item that had appeared in December of 2006 and I didn't know about it until now! Darn, and to think I could have started recruiting minions in January. :-)]

8 Security Action Items to Beat “Learned Helplessness”

Tuesday, July 24, 2007 by Pascal Meunier in General,

So, you watch for advisories, deploy countermeasures (e.g., change firewall and IDS rules) or shut down vulnerable services, patch applications, restore services. You detect compromises, limit damages, assess the damage, repair, recover, and attempt to prevent them again. Tomorrow you start again, and again, and again. Is it worth it? What difference does it make? Who cares anymore? If you're sick of it, you may just be getting fatigued. If you don't bother defending anymore because you think there's no point to this endless threadmill, you may be suffering from learned helplessness. Some people even consider that if you only passively wait for patches to be delivered and applied by software update mechanisms, you're already in the "learned helplessness category". On the other hand, tracking every vulnerability in the software you use by reading BugTraq, Full Disclosure, etc..., the moment that they are announced, and running proof of concept code on your systems to test them isn't for everyone; there are diminishing returns, and one has to balance risk vs energy expenditure, especially when that energy could produce better returns. Of course I believe that using Cassandra is an OK middle ground for many, but I'm biased. The picture may certainly look bleak, with talk of "perpetual zero-days". However, there are things you can do (of course, as in all lists not every item applies to everyone):

Don't be a victim; don't surrender to helplessness. If you have limited energy to spend on security (and who doesn't have limits?), budget a little bit of time on a systematic and regular basis to stay informed and make progress on tasks you identify as important; consider the ones listed below.
Don't be a target. Like or hate Windows, running it on a desktop and connecting to the internet is like having big red circles on your forehead and back. Alternatives I feel comfortable with for a laptop or desktop system are Ubuntu Linux and MacOS X (for now; MacOS X may become a greater target in time). If you're stuck with Windows, consider upgrading to Vista if you haven't already; the security effort poured into Vista should pay off in the long run. For servers, there is much more choice, and Windows isn't such a dominant target.
Reduce your exposure (attack surface) by:
- Browsing the web behind a NAT appliance when at home, in a small business, or whenever there's no other firewall device to protect you. Don't rely only on a software firewall; it can become disabled or get misconfigured by malware or bad software, or be too permissive by default (if you can't or don't know how to configure it).
- Using the NoScript extension for Firefox (if you're not using Firefox, consider switching, if only for that reason). JavaScript is a vector of choice for desktop computer attacks (which is why I find the HoneyClient project so interesting, but I digress). JavaScript can be used to violate your privacy* or take control of your browser away from you, and give it to website authors, advertisers on those sites, or to the people who compromised those sites, and you can bet it's not always done for your benefit (even though JavaScript enables better things as well). NoScript gives you a little control over browser plugins, and which sources are allowed to run scripts in your browser, and attempts to prevent XSS exploits.
- Turning off unneeded features and services (OK, this is old advice, but it's still good).
Use the CIS benchmarks, and if evaluation tools are available for your platform, run them. These tools give you a score, and even as silly as some people may think this score is (reducing the number of holes in a ship from 100 to 10 may still sink the ship!), it gives you positive feedback as you improve the security stance of your computers. It's encouraging, and may lift the feeling that you are sinking into helplessness. If you are a Purdue employee, you have access to CIS Scoring Tools with specialized features (see this news release). Ask if your organization also has access and if not consider asking for it (note that this is not necessary to use the benchmarks).
Use the NIST security checklists (hardening guides and templates). The NIST's information technology laboratory site has many other interesting security papers to read as well.
Consider using Thunderbird and the Enigmail plugin for GPG, which make handling signed or encrypted email almost painless. Do turn on SSL or TLS-only options to connect to your server (both SMTP and either IMAP or POP) if it supports it. If not, request these features from your provider. Remember, learned helplessness is not making any requests or any attempts because you believe it's not ever going to change anything. If you can login to the server, you also have the option of SSH tunneling, but it's more hassle.
Watch CERIAS security seminars on subjects that interest you.
If you're a software developer or someone who needs to test software, consider using the ReAssure system as a test facility with configurable network environments and collections of VMware images (disclosure: ReAssure is my baby, with lots of help from other CERIAS people like Ed Cates).

Good luck! Feel free to add more ideas as comments. *A small rant about privacy, which tends to be another area of learned helplessness: Why do they need to know? I tend to consider all information that people gather about me, that they don't need to know for tasks I want them to do for me, a (perhaps very minor) violation of my privacy, even if it has no measurable effect on my life that I know about (that's part of the problem -- how do I know what effect it has on me?). I like the "on a need to know basis" principle, because you don't know which selected (and possibly out of context) or outdated information is going to be used against you later. It's one of the lessons of life that knowledge about you isn't always used in legal ways, and even if it's legal, not everything that's legal is "Good" or ethical, and not all agents of good or legal causes are ethical and impartial or have integrity. I find the "you've got nothing to hide, do you?" argument extremely stupid and irritating -- and it's not something that can be explained in a sentence or two to someone saying that to you. I'm not against volunteering information for a good cause, though, and I have done so in the past, but it's rude to just take it from me without asking and without any explanation, or to subvert my software and computer to do so.

Cassandra Vulnerability Updates

Tuesday, July 17, 2007 by Pascal Meunier in R&D,

The Cassandra system has been much more successful and long lasting than I first imagined. Being inexperienced at the time, there were some things I got wrong, such as deleting inactive accounts (I stopped that very quickly as it made many people unhappy or unwilling to use the service), or deleting accounts that bounced several emails (several years ago this was changed to simply invalidating the email address). Recently I improved it by adding GPG signatures. Email notifications from Cassandra are now cryptographically signed. The public key is available on the standard public key servers, such as the MIT server. Things can still be improved I initially envisioned profiles as being updated regularly, perhaps with automated tools listing the applications installed on a system. I also thought that there were many applications without vulnerability entries in MITRE's CVE, the National Vulnerability Database (NVD, used to be named ICAT), or Secunia so I needed to let people enter product and vendor names that weren't linked to any vulnerabilities. However, I found that there was little correlation between the names of products in these sources, as well as between those provided by scanning tools or entered manually by users. ICAT in particular used to be quite bad for using inconsistent or misspelled names. Secunia does not separate vendor names from products and uses different names than the NVD, so Cassandra has to guess which is which based on already known vendor and product names. Because of this, Secunia entries may need reparsing when new names are learned. So, users could get a false sense of security by entering the name of the products they use, but never get notified because of a mismatch! On top of it, bad names are listed by the autocomplete feature, so users can be mislead by someone else's mistakes or misfortune. A Cassandra feature that helped somewhat with this problem was the notion of canonical and variant names. All variants point to a single canonical name for a vendor or a product. However, these need to be entered manually and maintained over time, so I didn't enter many. It gets worse. Profiles are quite static in practice; this leads to other problems. Companies merge, get bought or otherwise change names. Sometimes companies also decide to change the names of their products for other reasons, or names are changed in the NVD. So, profiles can silently drift off-course and not give the alerts needed. All these factors result in product or vendor names in Cassandra that don't point to any vulnerability entries. I call these names "orphans"; I recently realized that Cassandra contained hundreds of orphaned names. And they will be improved I am planning on implementing two new features in Cassandra: Profile auto-correction and product name vetting.

Auto-correction: If Cassandra recognizes a name change in the NVD or Secunia, or if it changes the way it recognizes vendor names from products in Secunia, it will attempt to change matching entries in your profiles.
Vetting: all the product names in Cassandra will be verified to point to at least one entry in the NVD or Secunia; those that don't and can't be updated will get deleted. This means that when you create a new profile, Cassandra won't suggest an "orphaned" name. If your profile contains an orphaned name that gets deleted, you should receive an email if you have email notifications turned on.

Note that you should still verify your profiles periodically, because Cassandra will not detect all name changes -- this is difficult because a name change may look just like a new product. If you have a product name that isn't in Cassandra, I suggest using the keywords feature. Cassandra will then search the title and description of the entries to find matches (note to self: pehaps keywords should search product and vendor names as well -- that would help catch all variants of a name. Also, consider using string matching algorithms to recognize names).

Fun video

Tuesday, July 10, 2007 by spaf in General, Kudos, Opinions and Rants,

[tags]the Internet[/tags]
Satire is sometimes a great way to get a point across. Or multiple points. I think this little clip is incredibly funny and probably insightful.

Recent Blogs

Blog Archive

Page Content

Fun with Internet Video

Recent Blogs

Blog Archive