I think one of the most intriguing aspects of security is that of password management; forget patch, AV, spyware, intrusion prevention and all that other shiny techno security babble – the first immutable law of security states never ever give away your password(s), write it down, disclose it – whatever! Just don’t do it.. period!

This said, it amuses me no end to find that even after repeated education technical, and the not so technical users still revert to the good old post it note stuck to a pin board, monitor etc as the trusted repository of usernames and passwords – security by obscurity – you decide?

The source of this amusement comes from a recent on site conversation with a client about deploying high level protective measures around date loss and data leakage. The clients primary objective was to stop data being disclosed from stolen devices while the second was that of access control to sensitive data by the masses, the preferred (client) choice and buzzword of the moment was to deploy encryption on all fronts. After some serious discussions where held on the subject I pointed out one serious flaw in the chink of the organisation which I suggested that they need to address ASAP – the issue of password disclosure! Of course the response was ‘why do we need to address that issue its not a problem in the organisation, it is forbidden by policy and strictly policed!’ – at which point I asked the client to look at the desk immediate behind to see the ‘pink’ post it note stuck to a helpdesk techies monitor entitled (in bold) enterprise admin followed by account name and password, at which point the client almost fell of the chair!

The funny thing about this was that it was the client that issued the username and password of the account to the techie but failed to realise the significance of the act!

So, if the user can easily masquerade as the enterprise administrator how do you protect your data…..?

Well erm…..

Wow I cant believe its been a whole month since I last posted! Life certainly has been busy with holidays and work pressures…

note to self; post more often….

2nd note to self; leave instructions to find notes….

Just been catching up on the 2007 Darwin Awards, interesting to see that a California computer trainer has been awarded a Darwin for killing himself while driving his car and working on his laptop… article here

The thought that sprung to mind as the laptop survived the crash and the police where able to use it was – I wonder if he had considered implementing whole disk encryption to protect his data in an unlikely event such as this?

I guess we will never know!

An interesting though struck me recently after reading the n’th blog and n’th tabloid report on China’s issues with their attacks on ‘other’ internet citizens.

There is little doubt about the impact that China’s rapid industrialisation is having on the global economy as it is topic of conversation with everyone from politicians to laymen, but, the one thing that I believe that no one has considered is their technological immaturity.

Think back into the golden haze of the late 90’s, the average internet user was still connecting via 56k modem, spam was practically unheard of and the biggest worry that you had with computer security was whether or not you had boot sector protection turned on or not! If you could jump forward ten years from the 90’s and had a conversation with your future self about PC protection products you would think you where talking gibberish, anti malware, anti spyware, endpoint security, zero day sploits, phishing, pharming, patching, on and on and on…. It’s a fact that a lot of these now common day terms where not prevalent in common day use except amongst hardcore security experts, but the interesting thing that comes out of this is that its not the terms, the attacks or the products – but the way in which we actually now conduct ourselves in terms of patching, signature updates and not doing daft things online – even the novice users are aware of these concepts!

We have learned the hard way, adapted and improved – after 10 years of evolution.

Does China have the benefit of 10 years of evolution, I think not.
Have the y been thrust into the middle of a complex security maze with the general populace thrashing around with the same psyche that the rest of the wired world had 10 years ago – almost definitely – you can say that they are behind the curve somewhat!

The moral question is then do we cut some slack to China’s internet citizens until they have matured enough to operate in the wired world? The optimist inside me would like to say yes and the world will follow suite, in all practicality what will happen is that the media frenzy surrounding China will simply keep on building as they struggle to get to grips with the security problems.

Given China’s poor international record and the wave after wave of wired attacks pouring out of their address space its going to take a very long time to for things to change….

For those of us of a certain age may remember the fantastic late 70′s early 80′s program the Dukes of Hazard, it was a complete work of fantasy but it had an appeal to everyone that watched the show – for the kids General Lee and the dad’s Daisy Duke – if you where a kid at the time you didn’t get the later but the dad’s certainly appreciated the short shorts she was infamous for wearing ‘the daisy dukes‘

I guess your wondering what this has to do with security? Well me and you both!

If you work in information security and you have been living under a rock somewhere for the last month or so then you probably will not be aware of the ‘hottest’ attack against disk encryption – cold boot attack against encryption keys. Basically in a nutshell researchers have figured out how to preserve and dump computer memory that contains encryption keys then use these recovered keys to unlock your encrypted system/ files/ folders.

Is I understand it a Daisy Duke is a ‘short’ script (get it) that is run against the cold boot file dump and targets ‘other’ useful information, items such as logon passwords, signatures, documents – anything you wish to recover really and then dumps this information out into a usable format.

I really can see the power of this type of attack and the real benefits – but I have to ask how practical and useful is it?

Well the answer depends on whether you are a pen tester or not; if you are then this is a great way of tormenting customers and breaking everything that they own and then charging the earth – if you are not then you will in all likelihood be in a very small minority that will have physical access, means and motive to actually target some one/ some company to perform this type of attack.

For me the reality of this is simple, if you take care of business with physical security, implement simple things like BIOS protections & power on memory testing then life is good, go home, kiss the wife, play with the kids and sleep easy dreaming of daisy duke.

If you don’t then, well you get everything you deserve…

Check out the register article HERE

And of course a picture of Daisy herself HERE

An interesting article from the register – a New Zealand teenager, convicted of masterminding a series of identity thefts with an estimated value of $20m via a bot network has plead for a lenient sentence due to mental illness and age, the signs are that he will be successful in the plea although sentencing will not take place until late in May’08.

There are two problems with this story that certainly highlights what is wrong in the world today –

One is the plea for a lenient sentence due to a mental illness and age, the issue that I have with this is that in all likelihood the defendant will get a lenient sentence for his crimes due to these factors – but why? The defendant has demonstrated over a long period of time that they are willing to commit the crime and show no remorse at doing so; the full weight of the law should be bought down upon them with no mercy.

Two in all probability the defendant will after a short period of ‘punishment’ and I so use the term ‘punishment’ liberally, receive an offer for a ‘research’ position with a security firm with a six figure salary and perks – I do understand the argument about poacher turned gamekeeper and how valuable these people can be within the industry, but surely this type of activity only reinforces/ glamorises criminal activity even more……

Leopards don’t change their spots…

Just because it happens it does not mean that it is right….

Rant over!

A little article from security focus for all those misinformed *NIX windows bashers out there – it just goes to show that even the mighty *NIX platform can be hacked faster than windows:

Full story

Its been a while since the last post – so here goes!

An interesting article recently appeared on the CNET news channel in regards to AV test labs joining forces to provide a definitive resource for comparing and evaluating our beloved weapons of ‘defence’

The cynic in me says that this is a lot of hype to create a revenue stream that will have no real outcome, while the optimist in me quietly hopes that this will facilitate a convergence of the AV and Malware worlds.

A rhetorical question, but no the less poignant.. so why do the OEM’s insist that virus’s and worms are completely different from spyware/ adware/ malware – after all the intent is the same, its software that you don’t want installed on your machine – so why are we often buying two separate products to perform the same task?

Ah well I can live in hope wearing my rose tinted glasses looking forward to a rosy and bright future that will see a united malwre united in all its forms under one banner…

The eternal optimist

Updated: link to the original post

An interesting little story doing the rounds at the moment;

Gary Sinnott owner and webmaster of www.mildenhall.com , a site that represents a sleepy little village north of Cambridge in the UK has revealed that he/ the site has been bombarded with classified US Department of Defence (DoD) emails for the last few years.

The contents of the emails range from stupid jokes all the way up to highly classified Air Force One flight plans. Apparently Sinnott had repeatedly reported this problem over the years to the DoD but no action was taken.

As it now stands Sinnott has taken the website offline after giving up on trying to resolve the problem – so where are the mails going now? who knows?

Who knows but it sure os obvious that the DoD are practising the old security by obscurity routine…..

Full story

Its interesting to see that the whole IT community has gone bonkers in the last few days over the ‘Cold Boot Attack on Encryption Keys’ as demonstrated by Princeton University.

If you have not seen the attack(s) then look here: http://citp.princeton.edu/memory

In a nutshell the attack works because volatile memory does not loose its ‘memory’ the moment you switch off the PC, it actually retains the image of the data stored in the memory which decays as a function of time usually over 1 to 2 minutes.

The Princeton research group deftly demonstrated that by cooling the RAM the retention period could be dramatically increased to over 10 minutes which would then allow the RAM to be removed and read in a device to recover the data; the research group then went onto to create a program utilising a bootable removable media device that would access the RAM while in situe and recover data from a prone machine.

The attack demonstrates that whole disk encryption protects data at rest on hard drives and nothing else – period!

What it shows is that there is a serious over engineered way to obtain a crypto key form a pc memory, why not use a trojan or a rootkit that sends the contents of the RAM over the wire… would this not be simpler?

But if you cant sleep at night worrying about the memory in your PC retaining information then try these following steps..

1. Enable a bios boot password

2. Allow only boot from C: and nothing else

3. THE BIG TIP – enable a power on memory test – this actually wipes the memory!

4. Never let your PC out of your sight and lock it in a safe when you need some comfort