December 29, 2009

Inside Security News
insecnews
is about »
» GSM encryption attack lowers privacy to zero

In Europe mobile phones use the GSM standard to communicate with the carriers. Encryption was and still is used to protect the calls, and special intercepting abilities are built into the standard to assist law enforcement.

Early versions of GSM use weak encryption algorithms (e.g., A5/1) that are out of date, and everyone now (hopefully) should be using UMTS (3G) (i.e. USIM), which includes newer and better encryption algorithms.

What Karsten Nohl [2], his team and contributors have achieved is to utilise the advances in processing power (e.g., CUDA) to pre-calculate a code book [2] that will enable real-time decoding. Obviously the attacker will have to have access to the encrypted packets. This can be achieved by setting up a fake base station.

If you are thinking of doing this in the UK you will need a special licence or permission from Ofcom, or face the possible consequences [3].

Once again the weaknesses are known, and the fact that this type of attack has emerged just demonstrates that relying upon incomputable algorithms is not always the best option. The only way to stay ahead of the game is with new encryption implementations.

Links Used:
[1] - http://news.bbc.co.uk/2/hi/technology/8429233.stm
[2] - http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html
[3] - http://www.ofcom.org.uk/radiocomms/ifi/enforcement/illegalbroadcast/

September 9, 2009

» Blue Screen your shiny Windows Vista/7 box

An exploit is making the rounds that affects Windows Vista and 7 machines which have SMB (i.e., SAMBA or file sharing) enabled. The researcher, after a small change in the SMB header, has managed to crash the SRV2.SYS DLL, which fails to handle malformed SMB headers [1]:

"\x00\x26"  # Process ID High: --> :) normal value should be "\x00\x00"

Solution:
As of now: funnily enough, disable file sharing if and when not needed, or implement a rule to block the SMB ports.
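The post shows the one header field the researcher changed, so a sensor in front of a file server can look for exactly that. As an added example (not the researcher's code, nor Microsoft's), here is a small Python parser for the SMB1 header that flags a non-zero Process ID High field. Both packets are constructed for the example and carry only the NetBIOS session header plus the 32-byte SMB header; the flags and flags2 values are assumed typical values and are not taken from the post.

```python
"""Detection helper for the malformed SMB header described in the post: it
parses the SMB1 header and flags a non-zero Process ID High field. Both
sample packets are constructed for this example and consist of the NetBIOS
session header plus the 32-byte SMB header only (no request body)."""
import struct

# SMB1 header (32 bytes, little endian) following the 4-byte NetBIOS header:
#   offset 0   4s  protocol id b"\xffSMB"
#   offset 4   B   command (0x72 = SMB_COM_NEGOTIATE)
#   offset 5   I   NT status
#   offset 9   B   flags
#   offset 10  H   flags2
#   offset 12  H   process id high   <- the post says this should be 0x0000
#   offset 14  8s  security signature
#   offset 22  H   reserved
#   offset 24  H   tree id
#   offset 26  H   process id low
#   offset 28  H   user id
#   offset 30  H   multiplex id
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB1_FIELDS = ("protocol", "command", "status", "flags", "flags2", "pid_high",
               "signature", "reserved", "tid", "pid_low", "uid", "mid")
SMB_COM_NEGOTIATE = 0x72


def parse_smb1_header(packet):
    """Return the SMB1 header fields of a NetBIOS-framed packet as a dict."""
    if len(packet) < 4 + SMB1_HEADER.size:
        raise ValueError("packet too short for a NetBIOS + SMB1 header")
    header = dict(zip(SMB1_FIELDS, SMB1_HEADER.unpack_from(packet, 4)))
    if header["protocol"] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    return header


def inspect_smb1(packet):
    """Return a list of header anomalies; an empty list means nothing odd."""
    header = parse_smb1_header(packet)
    findings = []
    if header["pid_high"] != 0:
        findings.append("process id high is 0x%04x, expected 0x0000" % header["pid_high"])
    if header["reserved"] != 0:
        findings.append("reserved field is 0x%04x, expected 0x0000" % header["reserved"])
    return findings


# Constructed sample: a well-formed NEGOTIATE header (the flags/flags2 bytes
# are assumed typical values, not taken from the post).
NORMAL_NEGOTIATE = (
    b"\x00\x00\x00\x20"     # NetBIOS session message, 32 bytes follow
    + b"\xffSMB"            # protocol id
    + b"\x72"               # SMB_COM_NEGOTIATE
    + b"\x00\x00\x00\x00"   # status
    + b"\x18"               # flags
    + b"\x53\xc8"           # flags2
    + b"\x00\x00"           # process id high: the normal value
    + b"\x00" * 8           # security signature
    + b"\x00\x00"           # reserved
    + b"\x00\x00"           # tree id
    + b"\xff\xfe"           # process id low
    + b"\x00\x00"           # user id
    + b"\x00\x00"           # multiplex id
)

# The same header with the Process ID High bytes replaced by the "\x00\x26"
# the post quotes (0x2600 when read little endian).
MALFORMED_NEGOTIATE = NORMAL_NEGOTIATE[:16] + b"\x00\x26" + NORMAL_NEGOTIATE[18:]

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_NEGOTIATE), ("malformed", MALFORMED_NEGOTIATE)):
        print(name, inspect_smb1(pkt) or ["no anomalies"])
```

The check is deliberately narrow: it only reads the fixed-size header, so it works on the first bytes of a TCP stream without reassembling the request body, which is what you want in a filter that decides whether to let the packet through to the file server at all.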

Links Used:
[1] - Full Disclosure: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. - http://seclists.org/fulldisclosure/2009/Sep/0039.html

August 7, 2009

» Facebook PI, the spy who knew.

Facebook. A composite word that has nothing to do with a face or a book. Maybe if you post your face then we have at least a face. Still, it is the top of the top in social networking; it keeps many in touch and up to date with their weird and wacky friends (yes, I did say you are weird, get over it!).

If you have been using it lately (those who do) you may have noticed some weird behaviour in one of its facilities. This facility is the 'Friend Suggestion' option which, as can be obviously deduced, suggests people/friends you may or may not know, and which you would in turn add, remove or just ignore.

The thing that is starting to spook people is the suggestion [1] of people/friends that you may know in real life, who have no affiliation on Facebook (as in no common friends etc.), and yet it knows that you might be interested in them or know them from somewhere/somehow. I read some forums really quickly and can only deduce that it is people who have supplied their email account details, and Facebook has used the accounts to make connections with people and their emails [2].

Why you would want Facebook to have your contact details I have no idea. But that is a personal matter which I do not agree with.

Yes, I know Facebook must have some other complex algorithm that somehow finds other people you might know through facts found on your profile or numerous degrees of separation etc. It is really spooky though when people are suggested when they have no commonalities, no common friends, nothing, as they are new users on Facebook, and yet it knows to suggest them to you.

Beware of what you post and what applications you use on Facebook as everything can be used!

From a marketing perspective, it is a win for Facebook. Funny eh, but true! But who knew, they do!

Links Used:

[1] Yahoo Questions - Facebook is too scary .. how the heck does it know? - http://uk.answers.yahoo.com/question/index?qid=20090717220041AA5xudy

[2] insidefacebook .com - Facebook Now Suggesting Friends Found in Imported Contact Lists? - http://www.insidefacebook.com/2009/06/12/facebook-now-suggesting-friends-found-in-imported-contact-lists/

July 3, 2009

» When numbers boomerang and collide in AES encryption

I was really surprised (yes, there is a pattern to me being surprised and my blog postings; I blog usually when something surprises me) to read [1, 2] that AES has been attacked [2] (i.e., a cryptanalysis attack using a related-key boomerang attack) which presents weaknesses (local collisions) in the AES algorithm. Still, it is claimed that we are still secure, as it might be possible to reduce the complexity to 2^110.5 data and time, compared to the current 2^119, both of which attacks are still computationally unfeasible for AES-256.

2^119 wishes it is so!

Links Used:
[1] Bruce Schneier, 'New Attack on AES' - http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html
[2] Alex Biryukov and Dmitry Khovratovich, "Related-key Cryptanalysis of the Full AES-192 and AES-256" - https://cryptolux.uni.lu/mediawiki/uploads/1/1a/Aes-192-256.pdf

June 30, 2009

» Masked man or masked password?

I was reading this article[1] on theregister.co.uk about the usability of masked (i.e., hidden) password fields on GUI forms and webpages. It is just crazy to even think that showing the password field is a good thing compared to current practice that has the password fields masked with dots or asterisks.
My arguments:

  1. Attackers will be fine with screenshots of when you login to webpages instead of keyloggers
  2. What about remote screen sharing and when you have to login to a service or webpage?
  3. What if I have a colleague looking at my screen and I need to login somewhere? Sorry, can you please leave till I login, because you can see my password.... everyone can see it really (even the person across the street with the telescope (not that you should)).

There are probably more but I cannot think of any right now. I think you get the point. It is just a bad idea. Maybe they should make the field UV so no one can see it unless they are wearing special glasses (a bit better solution, I think).

Link Used:
[1] Reported by out-law.com - "Masked passwords must go" - http://www.theregister.co.uk/2009/06/30/masked_passwords_usability/

May 7, 2009

» Disk Study 2008-2009

We do the disk study every year and really look forward to what might pop up. It is a bit like the feeling you get when unwrapping gifts at a birthday or Christmas. This year [1-7] we had some very interesting drives come our way. As Prof. Andrew Blyth said, “While it's not getting worse, it's not getting any better either”, which is really worrying.

Let me take this opportunity to mention also that we use AccessData as our analysis tool and that the drives provided were all randomly and blindly delivered to us.

We had two drives containing data from the Scottish NHS hospital with confidential patient data and a disk from the German embassy in Paris (France) containing interesting security logs.

The case that has made the headlines is that of a drive found in America by the partnering university (Longwood University) that contained test launch procedures etc. I also think that the drive involving a US-based consultant, formerly with a US-based weapons manufacturer, that revealed account numbers, details of proposals and $50bn in currency exchange was equally interesting.

Update:
Details from the following companies are included in [5], they are Laura Ashley, Lanarkshire NHS, Ford Motor Company, Swindon Council and Nokia.
Updated content and links at 16:32

Full coverage can be found at:

[1] http://news.bbc.co.uk/1/hi/wales/8036324.stm

[2] http://www.theregister.co.uk/2009/05/07/data_destruction_survey/

[3] http://www.telegraph.co.uk/news/worldnews/northamerica/usa/5289638/Sensitive-US-missile-defence-data-found-on-computer-disk-bought-on-eBay.html

[4] http://www.dailymail.co.uk/news/article-1178239/Computer-hard-drive-sold-eBay-details-secret-U-S-missile-defence-system.html

[5] http://www.channel4.com/news/articles/science_technology/sensitive+data+on+ebay+computers/3129857

[6] http://www.guardian.co.uk/technology/2009/may/07/data-loss-hard-drives

[7] http://www.guardian.co.uk/technology/2009/may/06/data-loss-lockheed-missile-defence

November 24, 2008

» When viruses will rule the world...virtual world

The day after three London hospitals [1] were hit by a virus/viruses (Mytob [7]) and had to halt their entire computer systems for 24 hours, Microsoft announced [2] that it will be offering its antivirus suite (all-in-one security and PC management service) Live OneCare from next year for free under the name Morro. Initial criticism [4] and analysis [5] of Microsoft's move has made its rounds on the internet, with some agreeing and some disagreeing. In the end the results will show.

Trusted security packages should be commonly found on personal and corporate computers. Learning [6] that roughly 30 million Windows PCs were/are infected with fake antivirus software (e.g., Antivirus Pro 2009) that tricks customers into paying for a service, and for a situation, that the malware created in the first place is a joke. If we then feed into the equation the reports that ‘UK identities sold for £80 online’ [3], and take into consideration the many problems that companies and governments are having with securing our information, we can conclude that we should be extremely cautious with our PCs and information.

I think viruses at some point in time will rule the world. Even for a few seconds, they will provide their master with complete access to whatever his or her heart desires. How this power will be exercised no one will know. Yet we all dread it. Yes, I have thought of the diversity in operating systems that will make this case nearly implausible, yet I have a compelling feeling that we are getting close to online world virus domination.

Links Used:
[1] BBC News, Computer virus affects hospitals - http://news.bbc.co.uk/1/hi/england/london/7735502.stm

[2] BBC News, Microsoft to offer free security- http://news.bbc.co.uk/1/hi/technology/7737520.stm

[3] BBC News,UK identities sold for £80 online - http://news.bbc.co.uk/1/hi/uk/7732569.stm

[4] Ars Technica, Symantec and Kaspersky on OneCare's death: good riddance - http://arstechnica.com/journals/microsoft.ars/2008/11/20/symantec-and-kaspersky-on-onecares-death-good-riddance

[5] Securityfocus, Microsoft hopes free security means less malware - http://www.securityfocus.com/news/11538?ref=rss

[6] TheRegister, Scammers making '$15m a month' on fake antivirus - http://www.theregister.co.uk/2008/10/16/fake_av_scam/

[7] ComputerWeekly, Mytob virus spreads in hospitals - http://www.computerweekly.com/Articles/2008/11/20/233497/mytob-virus-spreads-in-hospitals.htm

September 15, 2008

» A Hacker Cause : CERN site defacement

Let us see how the Greek defacement of a CERN website is a cry for unity in the online Greek security scene, dominated by hacker bullies, wannabes and script-kiddies.

A few days ago (i.e., 9-10 Sep. 2008) one of CERN’s websites, the Compact Muon Solenoid Experiment (CMS) monitoring site (i.e., http://cmsmon.cern.ch), was hacked and defaced by Greek hackers going by the name Greek Security Team (GST). What is interesting is that the BBC has a report on the matter [1]. After reading the original defaced webpage from a screenshot a user has left on a blog [2], I think the BBC is reporting things incorrectly. As a fluent Greek speaker I can read and understand the message the hackers are trying to pass on and interpret it accordingly.

Unfortunately the BBC [1] reports:
‘The CMS website displayed a page with a mocking message, in Greek, which included the line: "We are 2600 - don't mess with us".’

And

‘The number 2600 is often used by the hacking community. It is believed to have originated in the US in the 1960s with the discovery that a tone of 2600Hz played down the line could be used to access restricted parts of the national telephone system. ’

All this is well and correct, but the message the hackers left is not that. After reading the text it is clear that the message is targeting other so-called hackers/security individuals that chat all day and provide no knowledge or product to the security community. The phrase "We are 2600 - don't mess with us" is supposedly that of these so-called individuals/script-kiddies that use this phrase (and ‘2600’) to discourage and intimidate others without providing any meaningful results (i.e., loosely translated, πράξη). It is clearly an Internet social states cry for reform for the online Greek security communities.

It is also mentioned that the defacers patched a security bug... who knows... only the site admin.

Obviously there is more in the defacement posting but I will not sit and translate the whole document as it is not the purpose of this blog posting.

Personal disappointment
Might I also add at this point that I enjoyed the freedom of looking around at the different sites provided by the CERN project. I think I was on that site (i.e., CMS mon.) recently and I could see the live status of the CMS project. Now that the site has been taken down, my curiosity has to be limited to what news sites report. One of the disadvantages of web page defacements: public access denied!

Links Used:

[1] -BBC News - 'Big bang' experiment is hacked - http://news.bbc.co.uk/1/hi/technology/7616622.stm
[2] - The Daily Buzzz - 'Hackers HACK Large Hadron Collider’s computer system! How Safe…' - http://www.dailybuzzz.com/science/hackers-hack-large-hadron-colliders-computer-system-how-safe

August 11, 2008

» Cyber-attacks, don’t forget your armour plated screen and Pong.

When you hear news like this it is hard not to write about it.
It seems that there is another cyber-attack on Georgian websites, which include the Georgian presidential website (www.president.gov.ge) and other government websites (such as www.parliament.ge), as reported in [1]. As [2] reports, this is the second round of attacks since the initial attacks on 20 July 2008.
Obviously the attackers are using zombie machines that have been infected with malware/trojans that give them full control over the machine. These are then used to coordinate attacks (e.g. DDoS, Distributed Denial of Service: in layman’s terms, nothing is reachable online from either side). Wonderful, I know.

Since this is not the only recent event (i.e. Estonia) to happen, it should make other countries/governments rethink their reliance on the Internet and the connected world. This has been stressed in many academic papers (e.g. the ECIW 2008 conference had a paper on the cyber-attacks on Estonia [3]); nonetheless, cyber-attacks should be taken into serious consideration.

There was a nice debate we had with some individuals at ECIW 2008 on whether cyber-attacks can cause a state of cyber-terrorism [4]. The question put forward would be: are people terrorised by being denied access to certain online facilities/services? ...and therefore does it constitute cyber-terrorism? The conclusion was simple: no, to which everyone, or at least most of us, agreed.

Denial of Service is just a very very frustrating position to be in. Sure your message/email cannot be conveyed through the Internet (at least we still have SMS and newspapers) and sure it is very bad for companies that rely on the Internet to do business.

In the end, do you as an individual feel terrorised by being denied online services? (A good note to make here is that ISPs can contain Internet connectivity within a country’s borders (i.e., when being attacked from PCs in other countries); therefore, theoretically, online commerce within the imaginary country borders is possible.)

Links used:

[1] TheRegister.co.uk - Russian cybercrooks turn on Georgia - http://www.theregister.co.uk/2008/08/11/georgia_ddos_attack_reloaded/

[2] Shadowserver Foundation - The Website for the President of Georgia Under Attack - Politically Motivated? - http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720

[3] Ottis Rain, (2008) ‘Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective’, 4th European Conference on Information Warfare and Security, University of Plymouth, UK

[4] Wikipedia - Cyber-terrorism - (correct on the date of this blog post) - http://en.wikipedia.org/wiki/Cyber-terrorism

August 1, 2008

» Is your DNS secure? Not much you can do anyway!

With the patch for the DNS exploit (US-CERT's Vulnerability Note VU#800113 [3]) being rolled out, The Register reports [1] users being redirected to fake Google sites. At the end of the article there are two test sites. I tried both tests and both had good news: the Uni.’s domains check out to have GREAT (in green) source port randomness and GREAT transaction ID randomness.
[Screenshots of the two test results: 1. tested, 2. tested]

At least I won’t be getting any dodgy ad-based obscene material in my searches for journal articles and conference papers.

Don’t forget to test your ISP: https://www.dns-oarc.net/oarc/services/dnsentropy . Keep an eye out for whether they are vulnerable and tell us the results.

Update: Sure you could change your DNS entry and have your requests directed to OpenDNS. That is up to you, and how paranoid you are.
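The two things the test reports on, source port randomness and transaction ID randomness, can be checked on your own resolver from a capture of its outbound queries. As an added example (not from the post, and not DNS-OARC's code), here is a Python script that parses constructed tcpdump-style query lines and grades both fields; the grading thresholds are this example's own assumptions, not DNS-OARC's scoring.

```python
"""Grade a resolver's source port and transaction ID randomness from captured
outbound queries, in the spirit of the DNS-OARC test the post links to.
The captures below are constructed tcpdump-style lines, and the grading
thresholds are this example's own assumptions, not DNS-OARC's scoring."""
import math
import re
from statistics import pstdev

# tcpdump-like line: "<time> IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)"
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+ A\? (?P<name>\S+)"
)


def parse_queries(capture):
    """Return (source_port, txid) pairs for every outbound query in the capture."""
    pairs = []
    for line in capture.splitlines():
        match = QUERY_RE.search(line)
        if match:
            pairs.append((int(match["sport"]), int(match["txid"])))
    return pairs


def rate_field(values, field_max=65535):
    """Grade one 16-bit field. Uniformly random values have a standard deviation
    near field_max / sqrt(12); a fixed or incrementing field falls far short,
    and repeats or +1 steps are caught separately."""
    if len(values) < 2:
        raise ValueError("need at least two samples")
    distinct_ratio = len(set(values)) / len(values)
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    sequential_ratio = sum(1 for s in steps if s <= 1) / len(steps)
    spread_ratio = pstdev(values) / (field_max / math.sqrt(12))
    if distinct_ratio < 0.9 or sequential_ratio > 0.5 or spread_ratio < 0.3:
        grade = "POOR"       # predictable: trivial to guess
    elif spread_ratio < 0.7:
        grade = "GOOD"
    else:
        grade = "GREAT"
    return {"grade": grade, "distinct_ratio": round(distinct_ratio, 2),
            "sequential_ratio": round(sequential_ratio, 2),
            "spread_ratio": round(spread_ratio, 2)}


def rate_resolver(capture):
    """Grade both fields the DNS-OARC page reports on."""
    pairs = parse_queries(capture)
    return {"source_port": rate_field([p for p, _ in pairs]),
            "txid": rate_field([t for _, t in pairs])}


def _capture(ports, txids):
    """Build constructed tcpdump-style lines from the given port/txid lists."""
    return "\n".join(
        f"12:00:{i:02d}.000000 IP 192.0.2.10.{p} > 192.0.2.53.53: {t}+ A? host{i}.example. (32)"
        for i, (p, t) in enumerate(zip(ports, txids))
    )


# Constructed resolver that randomises both fields.
RANDOMISED_CAPTURE = _capture(
    [5349, 61402, 17745, 40118, 2931, 53290, 29877, 9160, 64003, 33452,
     48816, 12607, 57921, 21034, 38779, 3268, 45566, 26194, 59438, 14921],
    [41233, 7012, 58877, 23519, 63001, 1984, 35740, 50266, 12345, 29651,
     44972, 9870, 60184, 18326, 54409, 4021, 38917, 25577, 47860, 15708],
)
# Constructed unpatched-style resolver: one fixed source port, counting txids.
PREDICTABLE_CAPTURE = _capture([32768] * 20, list(range(1000, 1020)))

if __name__ == "__main__":
    for name, cap in (("randomised", RANDOMISED_CAPTURE), ("predictable", PREDICTABLE_CAPTURE)):
        print(name, rate_resolver(cap))
```

To use it on a real resolver, capture a few dozen of its outgoing queries (e.g. with tcpdump on the resolver's upstream interface) and feed the text to rate_resolver; a fixed source port is the weakness the patch in VU#800113 addresses, and a resolver that scores POOR on either field is the one worth pointing at OpenDNS or upgrading.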

Links Used:
[1] theregister.co.uk - Black hats attack gaping DNS hole - http://www.theregister.co.uk/2008/07/31/dns_cache_poisoning_goes_wild/

[2] DNS-OARC - Web-based DNS Randomness Test - https://www.dns-oarc.net/oarc/services/dnsentropy

[3] US-CERT's Vulnerability Note VU#800113 - http://www.kb.cert.org/vuls/id/800113