Archive for July, 2007

30 Jul

How to pass a security audit

Interesting article at Dark Reading about security audits, with basic tips on how to pass them (or at least how to give it a good try). It starts off with “Nobody passes a security audit on the first try”. Maybe the title should be changed to “Where will the auditors look for issues (and probably find them)”.

The eight general recommendations are:

  • Establish a consistent set of practices for change management
  • Keep your app developers away from production/operations
  • Give users access only to the data and apps they need
  • Shore up physical access to your systems
  • Establish methods to detect security anomalies — and where they come from
  • Map your security processes to real business processes
  • Double (and triple) check your accounting processes
  • Document your work and train your users on what you’ve done

Sounds easy, heh? If you have that reasonably locked down, you’ve gone a long way.

25 Jul

Outage

Craigslist, SixApart, Netflix, Technorati, TypePad, LiveJournal, etc. down.
Is it time for “Disaster Recovery 2.0”? :)

20 Jul

Harmful error messages

I use Google Mail. While checking email today, I ran across this error message.

Arrgh! The page has been corrupted. If you are running security or firewall software, you might have to disable it

(see screenshot)

I stared at it for several seconds.

WTF? Who the hell decided the wording of this error message? Is that an actual recommendation from Google? Disable security software and firewalls when you encounter a momentary glitch in a web application?

19 Jul

Random bit generator service

This is cool.

The work on QRBG Service has been motivated by scientific necessity (primarily of the local scientific community) of running various simulations (in cluster/Grid environments), whose results are often greatly affected by the quality (distribution, nondeterminism, entropy, etc.) of the random numbers used. Since true random numbers are impossible to generate with a finite state machine (such as today’s computers), scientists are forced either to use specialized, expensive hardware number generators or, more frequently, to content themselves with suboptimal solutions (like pseudo-random number generators).

[…]

To ensure high quality of the supplied random numbers (true randomness) and high speed of serving, we have used a fast, non-deterministic, stand-alone hardware number generator relying on photonic emission in semiconductors. The Quantum Random Bit Generator used was previously developed at Rudjer Boskovic Institute, in the Laboratory for Stochastic Signals and Process Research (for details, see below).
To achieve high availability of the service, several network access modes have been developed, or shall be developed. These include transparent acquisition of random numbers using C/C++ libraries, web services (access over the SOAP protocol), and Mathematica/MATLAB client add-ons.

You can visit the QRBG site, download the client of your choice, and start getting true randomness in no time (registration required).
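The quoted text lists the quality properties that matter (distribution, nondeterminism, entropy) and argues that a PRNG is a suboptimal substitute. The added example below (mine, not code from QRBG or the post) measures the two properties you can actually test from a buffer of bytes, byte entropy and the NIST monobit balance, and runs them on constructed inputs: a broken all-zero stream, a deterministic seeded PRNG, and the OS CSPRNG. Feeding it bytes fetched from any source, including the QRBG client, is the assumed use.

```python
import math
import os
import random
from collections import Counter


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test: p-value that the ones/zeros balance
    is consistent with a fair coin. A small p (e.g. < 0.01) means the stream is biased."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n                      # +1 per one bit, -1 per zero bit
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def assess(data: bytes, threshold: float = 0.01) -> dict:
    """Summarise the distribution quality of a candidate random stream."""
    p = monobit_p_value(data)
    return {
        "entropy_bits_per_byte": shannon_entropy_bits_per_byte(data),
        "monobit_p": p,
        "passes_monobit": p >= threshold,
    }


def seeded_prng_bytes(seed: int, n: int) -> bytes:
    """Constructed deterministic stream: Mersenne Twister with a fixed seed."""
    return random.Random(seed).getrandbits(8 * n).to_bytes(n, "big")


if __name__ == "__main__":
    n = 4096
    # Constructed inputs: a broken "generator", a deterministic PRNG and the OS CSPRNG.
    for label, buf in [("all zeros", bytes(n)),
                       ("PRNG seed 42", seeded_prng_bytes(42, n)),
                       ("os.urandom", os.urandom(n))]:
        print(f"{label:12s} {assess(buf)}")
    # The seeded PRNG and os.urandom both pass: these tests measure distribution only,
    # not nondeterminism, which is exactly what a hardware source is bought for.
```

The caveat the numbers make visible: a fixed-seed PRNG scores as well as the CSPRNG, so statistical tests alone cannot certify unpredictability; they only catch gross bias or a broken device.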

14 Jul

Helix v1.9 released

Talking about forensics…

Helix v1.9 released

The new Helix v1.9 version was released yesterday (see the CHANGELOG for the updated packages).

Download Helix v1.9 here.

12 Jul

Antiforensics

There is an interesting article by Scott Berinato at CSOonline about the widespread use of “antiforensics” tools, and how they are changing the information security landscape in general, and the forensics practice in particular.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it’s because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What’s more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises. “Five years ago, you could count on one hand the number of people who could do a lot of these things,” says the investigator. “Now it’s hobby level.”

The article describes some tools currently used, such as Timestomp, Slacker, Sam Juicer, etc. and how the “arms race” has moved from the disk to memory.

It would seem that the forensics practice is currently sitting at the bottom of a “trough of disillusionment”.

Some months ago I prepared a presentation about “Forensics in the Corporation” (sorry, only in Spanish!) which should really have been called “Why everything you learned at forensics training won’t be really useful in the real world”. And I didn’t include anything about antiforensics, just focusing on the technical, political and organizational challenges that big corporations pose to the forensics investigator.

The forensics practice is much too focused around the PC world. That is, you normally have physical access to the “suspect” machine, you can power it off or unplug it from the network, hard drive sizes are reasonable, and some expectations are always met. That is fine. This kind of forensics work… works! But mostly in the workstation/laptop world.

What about servers? Virtualization, huge storage capacities (SAN, NAS, RAID arrays, etc.), distributed systems (as in “distributed all over the world”), business critical systems that cannot be unplugged or turned off (come on, in how many LOB servers could you do such things?)

I’m sure the forensics practice will evolve in the following years. I’m sure it’ll be damn interesting to see.

11 Jul

Firefox (with IE) vulnerability

Interesting 0-day vulnerability in Firefox when it is installed on a box already running Internet Explorer (i.e. all Windows machines).

Firefox installs three protocol handlers, which lack some basic input validation. It seems that IE is able to launch Firefox in such a way that arbitrary commands are passed on to the shell (with the privileges of the current user).

Read the details at Jesper’s blog.
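The check a defender would want after reading this is an inventory of which URL protocol handlers a Windows box has registered and how each one receives the URL. The added example below is mine, not code from the post or from Jesper's blog; it walks the `HKEY_CLASSES_ROOT` keys that declare a `URL Protocol` value, reads each `shell\open\command` template, and flags templates that drop the `%1` placeholder in unquoted. The `handler_risk` classifier and its heuristic are my own construction and run on any platform; the registry walk needs Windows.

```python
import re
import sys

# Constructed heuristic: a %1 placeholder that is not wrapped in double quotes.
_UNQUOTED_ARG = re.compile(r'(?<!")%1(?!")')


def handler_risk(command: str) -> str:
    """Classify a protocol handler's shell\\open\\command template.

    'unquoted': the URL is substituted into the command line bare, so whitespace
                and metacharacters in it reach the program/shell unchanged.
    'quoted'  : the placeholder is quoted; the handler itself must still validate
                the URL, which is the missing piece the post describes.
    'none'    : no %1 placeholder, the URL is not passed on the command line.
    """
    if "%1" not in command:
        return "none"
    return "unquoted" if _UNQUOTED_ARG.search(command) else "quoted"


def list_url_protocol_handlers() -> list:
    """Return (scheme, command) pairs for every HKCR key that declares 'URL Protocol'.
    Windows only: uses the winreg module (imported lazily so handler_risk works anywhere)."""
    import winreg
    root = winreg.HKEY_CLASSES_ROOT
    found, i = [], 0
    while True:
        try:
            name = winreg.EnumKey(root, i)
        except OSError:
            break                      # no more subkeys
        i += 1
        try:
            with winreg.OpenKey(root, name) as k:
                winreg.QueryValueEx(k, "URL Protocol")   # raises if not a URL scheme
            with winreg.OpenKey(root, name + r"\shell\open\command") as c:
                cmd, _ = winreg.QueryValueEx(c, "")      # default value = template
            found.append((name, cmd))
        except OSError:
            continue                   # not a URL protocol, or no open command
    return found


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on Windows to inventory registered protocol handlers")
    for scheme, cmd in list_url_protocol_handlers():
        print(f"{handler_risk(cmd):8s} {scheme}: {cmd}")
```

Quoting only narrows what reaches the command line; a handler that does not validate the URL it receives is still the issue, so treat "quoted" as "look closer", not "safe".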