Security musings (reflectorium)
Security musings (reflectorium)
Monday, January 31, 2005
Microsoft: Mapping International Security Standards to MOF
About time that Microsoft came out with an other free tangible security management goodie.
"Mapping International Security Standards to MOF" or - maybe more bluntly - How does Microsoft's interpretation of ITIL (called MOF) map to international security standards (such as ISO17799).
By the way, the folks behind ITIL have a most excellent book on "ITIL security management", which happens to cover the ISO17799 mapping. So I wonder how much added-value Microsoft brings here. (Granted the ITIL book is expensive and this goodie is free..)
--
After a really hard glimpse at the Microsoft paper - it's really worth getting the original ITIL security management book.
(The Microsoft paper is somewhat thin, but nevertheless is a nice ISO17799 introduction...)
(0) comments
(1) comments
"Mapping International Security Standards to MOF" or - maybe more bluntly - How does Microsoft's interpretation of ITIL (called MOF) map to international security standards (such as ISO17799).
By the way, the folks behind ITIL have a most excellent book on "ITIL security management", which happens to cover the ISO17799 mapping. So I wonder how much added-value Microsoft brings here. (Granted the ITIL book is expensive and this goodie is free..)
--
After a really hard glimpse at the Microsoft paper - it's really worth getting the original ITIL security management book.
(The Microsoft paper is somewhat thin, but nevertheless is a nice ISO17799 introduction...)
Saturday, January 29, 2005
Towards an Economic Analysis of Disclosure
A very interesting posting at Adam Shostack's blog (see below). - Also, have a look at the additional papers mentioned in the comments...
(0) comments
Emergent Chaos, blog by Adam Shostack
http://www.emergentchaos.com/
has some interesting thinking, .. now part of my daily blog diet..
(0) comments
http://www.emergentchaos.com/
has some interesting thinking, .. now part of my daily blog diet..
Friday, January 28, 2005
Information Assurance Technical Framework Forum
"The Information Assurance Technical Framework Forum (IATFF) is a National Security
Agency (NSA) sponsored outreach activity created to foster dialog amongst U.S.
Government agencies, U.S. Industry, and U.S. Academia seeking to provide their
customers solutions for information assurance problems."
They have quite a few documents for download - although, on first glance, not totally cutting edge. (behind what you learnt to expect and love from folks like the NIST...)
http://www.iatf.net/
(0) comments
"The Information Assurance Technical Framework Forum (IATFF) is a National Security
Agency (NSA) sponsored outreach activity created to foster dialog amongst U.S.
Government agencies, U.S. Industry, and U.S. Academia seeking to provide their
customers solutions for information assurance problems."
They have quite a few documents for download - although, on first glance, not totally cutting edge. (behind what you learnt to expect and love from folks like the NIST...)
http://www.iatf.net/
Monday, January 24, 2005
US: National security concerns over IBM notebook sale to China
According to this article in German at SpiegelOnline, the CFIUS comitee in the USA is now voicing national security concerns of the sale of the IBM notebook business to a Chinese company. (I've been wondering about the implications of the Trusted Computing chip in the Thinkpads and China...)
(0) comments
Friday, January 21, 2005
(0) comments
Thursday, January 20, 2005
Defiling - anti-forensics on UNIX
HERT carries an article on "The Grugq" making a tour this year, talking about anti-forensics in UNIX. (Article also links to a presentation).
http://hert.org/story.php/58
Here's a link to a Phrack article mentioned at link above. (old, 2002)
http://www.phrack.org/phrack/59/p59-0x06.txt
(0) comments
http://hert.org/story.php/58
Here's a link to a Phrack article mentioned at link above. (old, 2002)
http://www.phrack.org/phrack/59/p59-0x06.txt
Monday, January 17, 2005
(0) comments
Locksmith rehash disclosure debate
Very interesting article on TaoSecurity Blog about a debate on a locksmith newsgroup that was kindled by a paper titled "safecracking for the computer scientist".
Basically some locksmiths there are stuck in a 19th century mind set. - This is scary, to think that some of these folks still believe that selling insecure devices as secure is okay as long as noone tells about the insecurity in them - and we entrust them with real life valuables.. *yuck!*
Link to entry on taosecurity
(1) comments
Basically some locksmiths there are stuck in a 19th century mind set. - This is scary, to think that some of these folks still believe that selling insecure devices as secure is okay as long as noone tells about the insecurity in them - and we entrust them with real life valuables.. *yuck!*
Link to entry on taosecurity
Tuesday, January 04, 2005
BITS Kalculator: Key Risk Measurement Tool for Information Security Operational Risks
From the Bank of International Settlements (BIS):
http://www.bitsinfo.org/wp.html
(0) comments
From the Bank of International Settlements (BIS):
http://www.bitsinfo.org/wp.html
Defeating web-based content filtering on gateways...
Rory has some comments on proxies that obfuscate the communication at http://raesene.dnsalias.net/archives/000156.html
(Axel pointed me towards this via http://balrog.de/security/archives/2005/01/04/55_security-is-not-a-product-once-again )
Personally, I think one shouldn't focus on these cgi/php-based proxies too much. Isn't it far easier to use google's "translate that page" functionality? Or Anonymizer and Co?
.. or - to the same end - a trusted SSL-based reverse proxy???
Of course, the cgi/php-based proxies will give you
+ clicks 'n hits on someone's web ads
+ and a nice click/usage history somewhere
Should be ideal for phising too.. (So please beware!)
(0) comments
Rory has some comments on proxies that obfuscate the communication at http://raesene.dnsalias.net/archives/000156.html
(Axel pointed me towards this via http://balrog.de/security/archives/2005/01/04/55_security-is-not-a-product-once-again )
Personally, I think one shouldn't focus on these cgi/php-based proxies too much. Isn't it far easier to use google's "translate that page" functionality? Or Anonymizer and Co?
.. or - to the same end - a trusted SSL-based reverse proxy???
Of course, the cgi/php-based proxies will give you
+ clicks 'n hits on someone's web ads
+ and a nice click/usage history somewhere
Should be ideal for phising too.. (So please beware!)
Monday, January 03, 2005
Notes from the 21C03 conference
Here are my notes from the 21C03 conference held by the German Chaos Communication Club (CCC) from Dec 27-29 2004 in Berlin.
The official sites of the event are at
http://www.ccc.de/congress/2004/index.en.html
https://21c3.ccc.de/wiki/index.php/Main_Page
http://21c3.ccc.de/weblog/
The CCC promised to make videos of most sessions available on the web. (Should be up in January 2005).
The annual conference had a record participation (around 3,500 participants) and appeared much more professional than earlier events.
The organisators had to choose from around 200 submissions to fill the session tracks. The trick was really which session to choose.
__Things that really struck me__
_Passive covert channels in the Linux kernel_
- Very interesting talk focused on getting covert messages out as part of the Sequence number in packets. The speaker introduced a tool (nushu.c), which hides this communication. This could have various uses e.g. in bot networks and applications that "want to phone home" and hide additional data.
See http://www.invisiblethings.org/
_Bluetooth vulnerabilities_
- There was a full-disclosure presentation (incl. tools) on the bluetooth vulnerabilities mentioned in 2004 by trifinite.
See http://www.trifinite.org/
- This is really bad. This is about reading and manipulating address books from afar. This is also - on some phones - about using someone else's phone to make phone calls and to redirect phones to someone else's phone to yours.
- People need to get their vulnerable phones updated in a shop. (And most people probably won't.)
_Security nightmares_
- SSH will probably be exploited again in a big way in 2005. (Rumours of another upcoming exploit). -> This makes me think that people should start to look at "port knocking" (or restricting access to certain IPs) to add a level of security for internet facing systems, i.e. you can only connect to your SSH server if you come from a pre-defined IP or after you did some magic ping/connection pattern.
- There might be trouble with cars turning into mobile computers ahead. It appears that some car systems use RDS data (via the car radio) as input. There are rumours that the RDS parsers in some car radios might be exploitable.
- People should really, really patch their mobile phones...
_MD5 insecurities_
- there are collisions in MD5. (Which also means that people should start to use other hash algorithms instead)
- a Chinese researcher has released two proof of concept test vectors that cause a collision. (It is unclear how these vectors were found!)
- these two test vectors can already be used to carry out attacks today
- MD5 operates on blocks, i.e. if you find two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash.
(These two files could be e.g. the two test vectors above)
- David Kaminsky's tool "stripwire" produces two binary packages. Both contain an arbitrary payload, but the payload is encrypted with AES. Only one of the packages ("Fire") is decryptable and thus dangerous; the other ("Ice") shields its data behind AES. Both files share the same MD5 hash.
- According to doxpara.com: "This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.[..] Very interesting possibilities open up once the full attack is made available -- among other things, we can create self-decrypting executables (fire.exe and ice.exe) that exhibit differential behavior based on their internal colliding payloads. They'll still have the same MD5 hash."
- this also allows for covert channels
- there's also a real hole posed by the MD5 variant used in KaZaa
- -> You can read it all at http://www.doxpara.com
_Instant Messaging security holes_
- Apparently there were/are quite a few bugs in IM clients. This is bad as more and more people use them for "serious" communications.
-> http://www.stonedcoder.org/
_DNS_
- nice talk on how one can use the DNS system with its mind-boggling number of servers to tunnel data and store data
- this included a demonstration of SSH via DNS and webradio (caching)
- NTSX old tool
- droute new tool
- also google for "grr", "nomede" and "miname"
- -> or read it all at http://www.doxpara.com
_physical security_
- They explained how "bump keys" (999 keys) work. Apparently this allows you to pick even high-quality locks and advanced locks like the keso.
The speaker gave a good demonstration by breaking a wide range of locks within mere minutes on stage (see below).Basically you cut the key with the deepest set of grooves possible (often by setting the key making machine to "9999.."). This bump key is then inserted and hit with a vibrating little hammer. This causes the bolts in the lock to shake quickly up and down, allowing for brief openings during which the key can be turned.
See http://www.gregandbeth.com/imagegallery/index.php?action=display&imageID=222
The speaker also showed a (rather easy) attack against the Winckhaus Bluekey system. (Breaking a 250 euro lock with a 40 euro magnet).
_SAP security_
- As people want to be "on the safe side", there are often very insecure settings (i.e. chmod 777) on folders
- look for cleartext passwords in scripts
- look for NFS exports
_phishing_
- They showed an interesting technique that redirects the victim to the legitimate web site, but opens a pop-up window on top of that;
the counteraction for the legitimate site owner is to open a pop-up window with the same name as the phisher's pop-up
_code reviews_
- They showed some source code from Cisco, Microsoft and MySQL that didn't look very secure. (Hard to fall asleep).
_automated web site hacking (php worms)_
- apparently quite a few people are interested in writing PHP worms that use Google now.
- look at the tools RATS and nikto to find flaws
_Sun Solaris 10_
- Sun Solaris comes with a tool called "dtrace" that gives you a very deep view into the system. (and can allow you to read out passwords).
- There's a new rootkit called SiNAR.
__Various miscellaneous notes__
Onion routing
e.g. using TOR (http://tor.eff.org/ )
Infrared hacking
look at http://www.lirc.org/ and http://www.irtrans.org/
Personal firewalls on Windows
will always be breakable/insecure because of the low-level inter-process communication possible in Windows
Fravia on searching the web
-> http://www.searchlores.org/
__Next major event in Europe_
"What the hack?" - July 28-31st in the Netherlands.
This it the bi-annual European Summer camp (HIP97, Heart-of-Gold (99), HAL2001, Fairy-Dust (03), now: WTF 05)
http://www.whatthehack.org/
(0) comments
(0) comments
Here are my notes from the 21C03 conference held by the German Chaos Communication Club (CCC) from Dec 27-29 2004 in Berlin.
The official sites of the event are at
http://www.ccc.de/congress/2004/index.en.html
https://21c3.ccc.de/wiki/index.php/Main_Page
http://21c3.ccc.de/weblog/
The CCC promised to make videos of most sessions available on the web. (Should be up in January 2005).
The annual conference had a record participation (around 3,500 participants) and appeared much more professional than earlier events.
The organisators had to choose from around 200 submissions to fill the session tracks. The trick was really which session to choose.
__Things that really struck me__
_Passive covert channels in the Linux kernel_
- Very interesting talk focused on getting covert messages out as part of the Sequence number in packets. The speaker introduced a tool (nushu.c), which hides this communication. This could have various uses e.g. in bot networks and applications that "want to phone home" and hide additional data.
See http://www.invisiblethings.org/
_Bluetooth vulnerabilities_
- There was a full-disclosure presentation (incl. tools) on the bluetooth vulnerabilities mentioned in 2004 by trifinite.
See http://www.trifinite.org/
- This is really bad. This is about reading and manipulating address books from afar. This is also - on some phones - about using someone else's phone to make phone calls and to redirect phones to someone else's phone to yours.
- People need to get their vulnerable phones updated in a shop. (And most people probably won't.)
_Security nightmares_
- SSH will probably be exploited again in a big way in 2005. (Rumours of another upcoming exploit). -> This makes me think that people should start to look at "port knocking" (or restricting access to certain IPs) to add a level of security for internet facing systems, i.e. you can only connect to your SSH server if you come from a pre-defined IP or after you did some magic ping/connection pattern.
- There might be trouble with cars turning into mobile computers ahead. It appears that some car systems use RDS data (via the car radio) as input. There are rumours that the RDS parsers in some car radios might be exploitable.
- People should really, really patch their mobile phones...
_MD5 insecurities_
- there are collisions in MD5. (Which also means that people should start to use other hash algorithms instead)
- a Chinese researcher has released two proof of concept test vectors that cause a collision. (It is unclear how these vectors were found!)
- these two test vectors can already be used to carry out attacks today
- MD5 operates on blocks, i.e. if you find two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash.
(These two files could be e.g. the two test vectors above)
- David Kaminsky's tool "stripwire" produces two binary packages. Both contain an arbitrary payload, but the payload is encrypted with AES. Only one of the packages ("Fire") is decryptable and thus dangerous; the other ("Ice") shields its data behind AES. Both files share the same MD5 hash.
- According to doxpara.com: "This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.[..] Very interesting possibilities open up once the full attack is made available -- among other things, we can create self-decrypting executables (fire.exe and ice.exe) that exhibit differential behavior based on their internal colliding payloads. They'll still have the same MD5 hash."
- this also allows for covert channels
- there's also a real hole posed by the MD5 variant used in KaZaa
- -> You can read it all at http://www.doxpara.com
_Instant Messaging security holes_
- Apparently there were/are quite a few bugs in IM clients. This is bad as more and more people use them for "serious" communications.
-> http://www.stonedcoder.org/
_DNS_
- nice talk on how one can use the DNS system with its mind-boggling number of servers to tunnel data and store data
- this included a demonstration of SSH via DNS and webradio (caching)
- NTSX old tool
- droute new tool
- also google for "grr", "nomede" and "miname"
- -> or read it all at http://www.doxpara.com
_physical security_
- They explained how "bump keys" (999 keys) work. Apparently this allows you to pick even high-quality locks and advanced locks like the keso.
The speaker gave a good demonstration by breaking a wide range of locks within mere minutes on stage (see below).Basically you cut the key with the deepest set of grooves possible (often by setting the key making machine to "9999.."). This bump key is then inserted and hit with a vibrating little hammer. This causes the bolts in the lock to shake quickly up and down, allowing for brief openings during which the key can be turned.
See http://www.gregandbeth.com/imagegallery/index.php?action=display&imageID=222
The speaker also showed a (rather easy) attack against the Winckhaus Bluekey system. (Breaking a 250 euro lock with a 40 euro magnet).
_SAP security_
- As people want to be "on the safe side", there are often very insecure settings (i.e. chmod 777) on folders
- look for cleartext passwords in scripts
- look for NFS exports
_phishing_
- They showed an interesting technique that redirects the victim to the legitimate web site, but opens a pop-up window on top of that;
the counteraction for the legitimate site owner is to open a pop-up window with the same name as the phisher's pop-up
_code reviews_
- They showed some source code from Cisco, Microsoft and MySQL that didn't look very secure. (Hard to fall asleep).
_automated web site hacking (php worms)_
- apparently quite a few people are interested in writing PHP worms that use Google now.
- look at the tools RATS and nikto to find flaws
_Sun Solaris 10_
- Sun Solaris comes with a tool called "dtrace" that gives you a very deep view into the system. (and can allow you to read out passwords).
- There's a new rootkit called SiNAR.
__Various miscellaneous notes__
Onion routing
e.g. using TOR (http://tor.eff.org/ )
Infrared hacking
look at http://www.lirc.org/ and http://www.irtrans.org/
Personal firewalls on Windows
will always be breakable/insecure because of the low-level inter-process communication possible in Windows
Fravia on searching the web
-> http://www.searchlores.org/
__Next major event in Europe_
"What the hack?" - July 28-31st in the Netherlands.
This it the bi-annual European Summer camp (HIP97, Heart-of-Gold (99), HAL2001, Fairy-Dust (03), now: WTF 05)
http://www.whatthehack.org/
OSSTMM - Open Source Security Testing Methodology Manual
Almost on the same topic:
ISECOM is working on the "OSSTMM - Open Source Security Testing Methodology Manual".
- A somewhat mixed bag of recipies. Good reading, gives insights. But sometimes I think its labelling goes a bit over the top.
(0) comments
Almost on the same topic:
ISECOM is working on the "OSSTMM - Open Source Security Testing Methodology Manual".
- A somewhat mixed bag of recipies. Good reading, gives insights. But sometimes I think its labelling goes a bit over the top.
OISSG releases Information System Security Assessment Framework (ISSAF)
The OISSG is working on a Information System Security Assessment Framework (ISSAF).
A draft version of this framework is available at the OISSG website at:
http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)
- I had no chance to read it so far. YMMV
(0) comments
The OISSG is working on a Information System Security Assessment Framework (ISSAF).
A draft version of this framework is available at the OISSG website at:
http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)
- I had no chance to read it so far. YMMV
Me enjoying a "Mate-Club", Alt-Landsberg near Berlin, summer 2003.
RSS Feed now atom.xml!
Essential Security Web-Sites
Internet Head Up Display,
Internet Storm Center incl. Handler's Diary
NewsNow.co.uk on Virii and Security -
Messagelabs stats,
Trendmicro,
Symantec,
CAI,
McAffee,
F-Secure
-- securityfocus,
packetstorm
Recently added Detections from CAI
Standalone Virus Cleaner
Trendmicro Sysclean and Signature, Symantec Removal tools, Stinger from McAfee, F-Secure removal tools, Bitdefender free removal tools
ARCHIVES
11/01/2003 - 12/01/2003/ 12/01/2003 - 01/01/2004
/ 01/01/2004 - 02/01/2004
/ 02/01/2004 - 03/01/2004
/ 03/01/2004 - 04/01/2004
/ 04/01/2004 - 05/01/2004
/ 05/01/2004 - 06/01/2004
/ 06/01/2004 - 07/01/2004
/ 07/01/2004 - 08/01/2004
/ 08/01/2004 - 09/01/2004
/ 09/01/2004 - 10/01/2004
/ 10/01/2004 - 11/01/2004
/ 01/01/2005 - 02/01/2005
/ 02/01/2005 - 03/01/2005
/ 03/01/2005 - 04/01/2005
/ 04/01/2005 - 05/01/2005
/ 05/01/2005 - 06/01/2005
/ 06/01/2005 - 07/01/2005
/ 07/01/2005 - 08/01/2005
/ 01/01/2006 - 02/01/2006
/ 02/01/2006 - 03/01/2006
/ 03/01/2006 - 04/01/2006
/ 06/01/2006 - 07/01/2006
/ 08/01/2006 - 09/01/2006
/ 09/01/2006 - 10/01/2006
/ 12/01/2006 - 01/01/2007
/ 03/01/2007 - 04/01/2007
/ 05/01/2007 - 06/01/2007
/ 07/01/2007 - 08/01/2007
/ 08/01/2007 - 09/01/2007
/ 10/01/2007 - 11/01/2007
/ 11/01/2007 - 12/01/2007
/ 12/01/2007 - 01/01/2008
/ 02/01/2008 - 03/01/2008
/ 09/01/2008 - 10/01/2008
/ 10/01/2008 - 11/01/2008
/ 03/01/2009 - 04/01/2009
/ 09/01/2009 - 10/01/2009
/ 11/01/2009 - 12/01/2009
/ 01/01/2010 - 02/01/2010
/ 02/01/2010 - 03/01/2010
/ 06/01/2010 - 07/01/2010
/
related blogs: general and family research
