May 2008 Archives

Part two of Smart Mobs is up


Part two of Howard Rheingold's Smart Mobs, Collective Action, Media, and Democracy has been posted on his vlog. I mentioned the first part about a week ago.

On to the video:


Vulnerabilities - eBay XSS and Flash


From XSSed, more eBay cross site scripting problems:

eBay is again XSSed! Scammers can take advantage of these new critical cross-site scripting issues. They can inject JavaScript code to redirect users to eBay phishing scam pages and to display fake auctions. Victims who click on what appears to be a genuine eBay search results link are also vulnerable to malware infection. [From New XSS flaws within eBay sites | News | XSSed.com]

Also, a zero day attack in Flash, from Search Security:

The widely used Adobe Flash Player has a zero day flaw that is being targeted by a number of attackers who set up more than 200,000 Web pages to exploit the flaw. The unspecified remote code-execution vulnerability could be exploited to cause denial of service conditions, according to Symantec, which reported the flaw on Monday.

"The current malware attack has been traced back to Chinese blackhats, who are using a zero day to infect users with password stealers." -- Dancho Danchev, security researcher [From Adobe zero day flaw being actively exploited in wild]

Catching up after a brief vacation


I've been on the road for almost a week and am finally able to catch up on everything, so here are some of the more interesting tidbits that I've been reading while I was away.

A bit on log policy from Anton Chuvakin:

I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers. BTW, LogLogic product-specific questions can be found on LogLogic website; I am not answering them here. [From Anton Chuvakin Blog - "Security Warrior": More Log Management Questions - Answered!]

Some questions about the ethics of vulnerability research from Information Security Magazine via TaoSecurity:

One of my favorite sections in Information Security Magazine is the "face-off" between Bruce Schneier and Marcus Ranum. Often they agree, but offer different looks at the same issue. In the latest story, Face-Off: Is vulnerability research ethical?, they are clearly on different sides of the equation. [From TaoSecurity: Response to Is Vulnerability Research Ethical?]

Now some Bruce Schneier on selling security:

It's a truism in sales that it's easier to sell someone something he wants than something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they don't ever buy these things, but it's an uphill struggle. The reason is psychological. And it's the same dynamic when it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security or a security officer trying to implement a security policy with her company's employees. [From Schneier on Security: How to Sell Security]

I'll post the latest vulnerabilities I've been following in the next post.

Facebook vulnerable to XSS iFrame attack


Another major XSS vulnerability, this time with 70 million users at risk ...

... a critical cross-site scripting vulnerability affecting Facebook.com - according to Alexa is currently ranked the 7th most used site on the web.

Malicious people can exploit this issue to execute script code in the context of Facebook or obtain sensitive information from its users, such as cleartext authentication credentials with a fake login form. It should be noted that this XSS vuln leaves millions of unsuspecting Facebook users vulnerable to malware, spyware and adware infection. [From Facebook vulnerable to XSS. Over 70 million users are at risk. | News | XSSed.com]

Howard Rheingold's Vlog


Howard Rheingold has posted work related to his 2003 book Smart Mobs that is as relevant today as his classic The Virtual Community was in 1995.

Here's the summary that he's provided:
Smart Mobs, Collective Action, Media, and Democracy, Part 1

In Fall, 2007, James Fishkin's Center for Deliberative Democracy and Jim Lehrer's Newshour program brought together 300 Americans to talk about democracy. By The People was broadcast on PBS in January, 2008. I was invited to address this assembly. I talked about Smart Mobs in relation to the public sphere--the citizen discourse that undergirds democracy. The following video, first of two parts, courtesy MacNeil/Lehrer Productions. [From Howard Rheingold's Vlog]

And here's the video:


Movable Type vs. Wordpress


I moved this blog from Wordpress to Movable Type 4 a couple of weeks ago, and I am completely sold. Don't get me wrong, Wordpress is fabulous software. It has a lot going for it:

  • It has a large development community producing myriad themes and plug-ins.
  • It is cleanly written and easy to customize if you're the coding sort.
  • Each and every page is dynamically generated (give or take a cache), so posts and comments appear instantaneously. This is extremely friendly for conversations in the comment threads.
  • There is a huge user-base making it very easy to find answers and support online.
  • It's offered as a managed install by many hosting companies.

Most of those advantages, however, are a function of popularity. There are lots of people using, supporting, and coding for it. As a result, it's also very commonly targeted by vulnerability scans. It doesn't have the best security record, and older versions of the software are low-hanging fruit.

The dynamic generation of pages has its drawback as well -- it's resource-intensive. Every time somebody hits a page, the database is queried. I use Dreamhost, which, while offering a lot of value for my hosting dollars, doesn't have the fastest servers on the planet, and all those database cycles slow site response down significantly.

This is where Movable Type shines. Instead of dynamically generating pages on request, the pages are written out as flat html whenever the changes are made. This means that the server seems snappy and responsive even on a slower host. The flip side of this is that posting and commenting takes longer since it's writing changes to disk.

While there aren't as many themes out there to download and adapt, the ones that Movable Type ships are slick and very easy to modify (very tight css + a few graphic elements). I haven't found a need to do much to them other than change colors and the banner graphic.

As far as the cleanliness of Movable Type's code base, I have no idea. I haven't needed to customize it at all. The most common reason I have to modify open source projects is for custom authentication schemes, but Movable Type supports OpenID right out of the box. Unified identity management is a difficult problem to solve, and allowing federated authentication without changing a line of code is a major feature in my mind.

Movable Type also has a very simple and easy to use "template" system that makes tasks such as generating a sitemap very easy. It might be a little steep for a non-technical user, but if you can read or write the most basic of code, there will be almost no learning curve at all.
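To make the "write flat HTML on change" model and the sitemap task concrete, here is a small publish step written for this post. It is an added illustration, not Movable Type's own code or templates: entries, comments and the site URL are constructed sample data, and the function names are mine. Every entry is rendered once, at publish time, to a static file; user-supplied text (including a comment that carries markup) is HTML-escaped on the way out, so what lands on disk is inert, and the sitemap is regenerated in the same pass.

```python
"""Publish-on-change renderer in the style the post describes (added example,
not Movable Type code). Entries are rendered to flat HTML once, when content
changes, and a sitemap is written alongside them; serving is then static files.
All entries, comments and SITE_URL are constructed sample data."""
import html
import os
import tempfile
from datetime import date

SITE_URL = "https://blog.example"   # assumed site URL (constructed)

# Constructed sample content: the second comment deliberately carries markup.
ENTRIES = [
    {"slug": "movable-type-vs-wordpress", "title": "Movable Type vs. Wordpress",
     "date": date(2008, 5, 20),
     "body": "I moved this blog from Wordpress to Movable Type 4.",
     "comments": [{"author": "reader", "text": "Nice comparison."},
                  {"author": "visitor", "text": "<script>alert(1)</script> nice post"}]},
    {"slug": "who-d-want-to-hack-me", "title": "Who'd want to hack me?",
     "date": date(2008, 5, 8),
     "body": "Lots of people want to hack you.", "comments": []},
]

def render_entry(entry):
    """Render one entry plus its comments to an HTML string. Titles, bodies,
    comment authors and comment text are all user-supplied, so each goes
    through html.escape before it is written into the flat file."""
    parts = [f"<h1>{html.escape(entry['title'])}</h1>",
             f"<p>{html.escape(entry['body'])}</p>",
             '<ul class="comments">']
    for c in entry["comments"]:
        parts.append(f"<li><b>{html.escape(c['author'])}</b>: "
                     f"{html.escape(c['text'])}</li>")
    parts.append("</ul>")
    return "\n".join(parts)

def render_sitemap(entries):
    """The sitemap the post mentions, as a plain function: one <url> element
    per entry, with lastmod taken from the entry date."""
    urls = "".join(
        f"<url><loc>{SITE_URL}/{e['slug']}.html</loc>"
        f"<lastmod>{e['date'].isoformat()}</lastmod></url>"
        for e in entries)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
            + urls + "</urlset>")

def publish(entries, out_dir):
    """Write every entry and the sitemap as flat files under out_dir.
    Returns the paths written, so a caller can see what the publish produced."""
    written = []
    for e in entries:
        path = os.path.join(out_dir, f"{e['slug']}.html")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(render_entry(e))
        written.append(path)
    sitemap = os.path.join(out_dir, "sitemap.xml")
    with open(sitemap, "w", encoding="utf-8") as fh:
        fh.write(render_sitemap(entries))
    written.append(sitemap)
    return written

if __name__ == "__main__":
    out = tempfile.mkdtemp()
    for p in publish(ENTRIES, out):
        print("wrote", p)
```

The cost the post describes shows up in `publish`: it touches the disk for every entry on each change, which is why posting and commenting feel slower. The benefit is that a request for a page is a file read, with no database query and no templating at request time.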

So, in summary, Wordpress is great software, but I'm sticking with Movable Type for three reasons.

  1. Speed. It is the fastest load in the game.
  2. Flexibility. Its OpenID integration and templating system allow me to do almost anything without resorting to rewriting any code.
  3. Security. It has had only nine medium or severe vulnerabilities in the last five years. Wordpress has had 18 so far this year alone (according to the National Vulnerability Database).

So there you have it, a case for Movable Type by a long-time Wordpress user.

Geographic Data Visualization: Virtual Alabama


The beauty of this project is that a map can be wonderfully intuitive for a human operator. Multiple data domains can be crossed very quickly based on geographic proximity even if the datasets themselves have no obvious keys in common.

I've been thinking a great deal about the challenges of intelligence gathering, and this may be a powerful way to visualize log data in a way that is quick and meaningful to business owners -- a clear summary of attack sources and methods that doesn't require much technical detail to comprehend.

From Federal Computer Week:

Virtual Alabama, at its heart, is a mash-up -- a program that pulls data from various places and presents it in a very user-friendly display. In this case, the system is based on Google Earth. It starts with a map and then it overlays the map with all types of data.
So when tornadoes struck Alabama earlier this year, officials used the system to view the damage, even comparing before and after images. Officials also were able to pull in data that showed the location of potentially hazardous materials that might have been disturbed by the tornadoes.
Consider how the system might help in an event such as the 2007 Virginia Tech shootings. Were that to happen at the University of Alabama, state officials could draw from one database to get schematics on the buildings and then another for class schedules so that they would know which classrooms were in use. Finally, they could use Virtual Alabama to tap into images from cameras in the building. [From Buzz of the Week: Wowed by Virtual Alabama]

Asus to embed Linux into all motherboards


Here is another example of selling a technology as "secure" simply because it doesn't involve Windows. Linux has its share of vulnerabilities. For that matter, so do Firefox and Skype.

Marketing any desktop solution as secure will encourage users to ignore security best practices. Additionally, Splashtop will allow the mounting of external storage; though the system's main hard drive is not being connected, it's not too hard to imagine a scenario where malware is either installed on an external USB drive and then migrates to the system drive at the next full boot or where malware installs some custom code during runtime that allows the mounting of the system drive.

Calling anything "secure" in marketing literature is just asking for trouble.

From ZDNet UK:

On Wednesday, DeviceVM, the company behind the distribution, said the hardware manufacturer would be putting Splashtop — which Asus calls "Express Gate" — into a million motherboards a month. Splashtop includes a Firefox-derived browser and the Skype internet-telephony application.
Splashtop is described by DeviceVM as a "secure web-surfing environment", and is embedded on motherboards so that it can be booted within seconds, as an alternative to booting up a full operating system. It first appeared on high-end Asus motherboards in October 2007 and has since been put onto the more mainstream M3 series, but, according to Joe Hsieh, general manager of Asus' motherboard business unit, it will now be extended to the entire range. [From Asus to embed Linux into all motherboards - ZDNet.co.uk]

The Cost of Compromised Data


There are always going to be studies that show how much data breaches cost companies, mostly because it's a factoid that security researchers think will persuade the C-level types.

The flip side is that the frequency of these data breaches among peer organizations lessens the impact when it "happens here", and the financial downside comes to be treated as just a cost of doing business.

It can also promote a culture of cover-ups. If it's a common thing, then there's no reason to make a big deal of it.

From Gene Schultz over at Hightower Software:

A recent study by the Ponemon Institute shows, for example, that 55 percent of participants in this study said they had been informed of more than one security compromise involving their personal data over the last two years, and eight percent said that they have been informed of four or more of such compromises.
The Ponemon Institute's study also shows that 63 percent of the survey participants reported that the letters they received after data security compromises had occurred contained no information concerning what to do to safeguard their data afterwards. Furthermore, the majority of the respondents indicated that more than a month had transpired before they were finally informed that their personal data were compromised. At the same time, however, 98 percent of those who had fallen victim to a data security compromise actually became victims of identity theft afterwards. Most significantly, almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident. [From High Tower Blogs > Security Insights » Blog Archive » The Business Costs of Security Compromises]

From Adam Shostack at Emergent Chaos, 6/16th of Chileans' personal information leaked by hacker:

A hacker in Chile calling himself the 'Anonymous Coward' published confidential data belonging to six million people on the internet.

Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.

Chile has a population of about 16 million, so that's 3/8ths of the country.

See "ALERTA: Se filtran datos personales de 6 millones de chilenos vía Internet" (Google translated). The blogger, Leo Prieto, gets a rude awakening when he reads the law, "¿Es privada la información personal en Chile?" (see translated version)

More than a third of a nation has been compromised by this "Anonymous Coward" (Slashdot reference anyone?), making this one of the most significant data releases to date. I bet the American media ignores it completely ...

Wordpress Security Plug-ins


Martin McKeay has pointed out two new-to-me Wordpress security plug-ins. The first is an installation scanner that helps identify risky settings. The second is an automatic upgrade plug-in.
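To show what an installation scanner of this kind actually does, here is a small one written for this post. It is an added example, not Martin McKeay's code or the plug-in's, and the checks are ones I chose: WP_DEBUG left on, the placeholder secret keys that wp-config-sample.php ships with never replaced, an empty database password, the default `wp_` table prefix, and (when a real path is supplied) a world-readable config file. The wp-config.php it runs against is constructed sample text with several of those problems planted in it.

```python
"""Risky-setting scanner for a WordPress wp-config.php (added example; the
checks are ones chosen here, not the plug-in's). Runs offline against the
constructed SAMPLE_CONFIG below; pass a real path to scan_config to also check
file permissions."""
import os
import re
import stat

# WordPress's wp-config-sample.php ships every secret key with this placeholder.
PLACEHOLDER_SECRET = "put your unique phrase here"
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Constructed sample config with several risky settings planted on purpose.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'blog');
define('DB_PASSWORD', '');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'x9$Qm-long-random-value-set-by-the-owner');
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

# Matches define('NAME', value); and captures the name and the raw PHP value.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

def parse_defines(text):
    """Return {NAME: raw value} for every define() in the file. Values are kept
    as PHP literals (quotes included) so the checks see them exactly."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}

def php_string(raw):
    """Unwrap a single- or double-quoted PHP string literal; leave others as-is."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw

def scan_config(text, path=None):
    """Return a list of finding strings; an empty list means nothing risky seen."""
    defines = parse_defines(text)
    findings = []
    if defines.get("WP_DEBUG", "false").lower() == "true":
        findings.append("WP_DEBUG is enabled; errors and file paths may be shown to visitors")
    if php_string(defines.get("DB_PASSWORD", "''")) == "":
        findings.append("DB_PASSWORD is empty")
    for key in SECRET_KEYS:
        if key in defines and php_string(defines[key]) == PLACEHOLDER_SECRET:
            findings.append(f"{key} still holds the sample placeholder value")
    if re.search(r"\$table_prefix\s*=\s*['\"]wp_['\"]", text):
        findings.append("table_prefix is the default 'wp_'")
    if path is not None:
        mode = os.stat(path).st_mode
        if mode & stat.S_IROTH:
            findings.append(f"{path} is world-readable")
    return findings

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print("RISK:", finding)
```

Against the sample the scanner reports four findings; the second secret key, which has been replaced, is correctly left alone. To run it on a real install, read wp-config.php into `text` and pass its path as `path` so the permission check runs too.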

Wordpress doesn't have the greatest security record in the world. This graph from the National Vulnerability Database illustrates the number of medium to high risk vulnerabilities in the software over the last five years:

[Graph: number of medium- to high-risk Wordpress vulnerabilities per year over the last five years, from the National Vulnerability Database]

Security is one of the reasons I started exploring Movable Type, but for those who still use Wordpress, these plug-ins are invaluable.

RBN Influencing ICANN?


From rbnexploit, RBN - Partners Official Sponsors of ICANN?:

Russian Business Network (RBN); what if they were out to own the Internet by owning the DNS? The Internet totally relies on DNS (Domain Name System) so obviously this must be the stuff that Hollywood movies are made of, but this nightmare scenario is more real than any of us would like to believe.


This article draws a few of the ingredients together, it is important to stress this is not to discredit ICANN, but to show just how RBN and their associates are applying themselves to the weakness of DNS allocation and exploiting ICANN's vulnerability via influence, commercial sponsorship and registrar development.

This one may fall into the tin-foil-hat arena, especially considering the following text:

The background research and this summary article have been around four months in the making within the community. It should be emphasized there is considerably more 'who' and 'what' which will be presented in full later.

The "there's more evidence, but it's secret" line is a classic for conspiracy theorists. It may pan out or it may not, but the article does raise a couple of very interesting points.

First, organizations such as ICANN are designed to be completely open and transparent (and they should be). A completely open dialogue requires full and complete disclosure, however, and it's very easy for malicious entities such as the RBN to participate without that disclosure, which adds significant risk to the process.

Congress requires all lobbyists to be registered so that our representatives know who they're talking to and what interests they represent. It allows them to control the dialogue and keep entities such as drug cartels from influencing US policy. Whether that particular system works or not, it still addresses an important need.

The second issue they raise is one of trust. The most fundamental trust relationship most web entities (such as small online businesses) have is with their registrar and hosting provider. Registrar/hosting companies have proliferated so quickly that reputation economics are useless in making a vendor decision, so price/performance is the metric many entities use in choosing a registrar/hosting solution. This makes it far too easy for entities such as the RBN to victimize their customers without any possibility of recourse.

At any rate, I look forward to any information that makes the article's case more directly. It promises to be interesting.

Google Friends Connect


From O'Reilly Radar, Google Friend Connect Previews Tonight:

Later today Google is going to preview Friend Connect (it's not live yet at http://www.google.com/friendconnect), a product that lets any website host OpenSocial applications. These applications will enable a site's user to interact with their social network from other sites (assuming they are logged in). Initially users will be able to see their networks from Facebook (using their APIs), Google Talk, and Orkut. Future participants will include hi5 and plaxo.

Initially Google will be letting websites in slowly. Upon acceptance webmasters will be able to submit their website (URL and name) and select colors. They can then select applications for their site from a new application gallery.

The user experience is simple. When a user comes to a site in the Friend Connect program they can sign into any social network that is sharing their data. Their data is not actually shared with the site. Impressively Google is supporting OpenID and OAuth in addition to their own standard OpenSocial.

This sounds like it's expanding identity management from the authentication piece that projects such as OpenID and Shibboleth tackle to explore a richer version of identity.

Who'd want to hack me?


Lots of people want to hack you. Despite persistent stereotypes about bored teenagers, cyber-crime is big business. A search on the Russian Business Network should end any doubts about that. Physical world criminals have very simple motives; they're after valuables -- money, jewelry, electronics, cars. Cyber criminals really aren't any different. If you want to know what they're after, follow the money.

Q: "Willie, why do you rob banks?"

A: "Cause that's where the money is."

-- Willie Sutton, Depression-era bank robber

There are three things every user has that are valuable to cyber criminals:

  • Financial Assets and Intellectual Property.
  • Computing Resources.
  • Identity.

The first of these things is the most obvious. Financial records -- including bank account and credit card information -- are almost as good as cash to a criminal. Even if individual assets are modest, when aggregated with other victims, the value of the information is significant and is sold and traded online.

Intellectual property is similarly valuable as the MPAA will attest to. While most intellectual property -- an unfinished novel, plans for the new deck, and the latest vacation pictures -- probably aren't as valuable as a major motion picture, piracy does occur. If the machine contains IP belonging to a commercial, governmental, or academic institution, it could be extraordinarily valuable or compromising.

The value of computing resources isn't quite as intuitive. Every modern computer has storage, network bandwidth, and processing power. All three of these things are useful to a criminal.

Storage is the most obvious commodity they're after. Why would a criminal store black market files on their own machines when they can do it anonymously on somebody else's? All of those pirated movies that the MPAA is hunting down have to be stored somewhere. So does the source code for the most recent catastrophic virus outbreak. And then there's child pornography. There are serious legal consequences if it's found on a computer, and criminals love to transfer that sort of risk to the unsuspecting.

Bandwidth is valuable for similar reasons. A computer's Internet connection can be used to host this illicit content for downloading. It can also be used to attack other machines. A botnet is a collection of computers that have been hacked and can be controlled remotely by the attacker. These huge groups of hundreds of thousands of compromised machines can be used in coordinated attacks against individuals, businesses, and nation states.

Processing power is a little bit more subtle. Keep in mind that encryption is at the core of security technology. It's what keeps passwords, communications, and commerce private. Without it, anybody could listen in during online banking sessions and while credit card numbers are sent to online stores. Essentially, encryption is just very complex math which, given a big enough calculator, can be solved. While this doesn't seem as immediate a risk as bandwidth and storage, it does pose a viable long-term threat.

The final and most universal asset that every end user has is identity. This is a dual threat -- first to your personal assets and second to the assets and intellectual property of any person or organization that trusts you.

Identity theft is all over the news these days. This type of identity threat is the theft of a victim's real-world identity. But what about a victim's online identity? Highly targeted phishing e-mails that appear to come from a trusted individual or organization are much likelier to succeed than random spam. Another attack would be to use a victim's electronic credentials (usually a password) to access an employer's intellectual property or financial assets -- employees whose username and/or password can be cracked or discovered open an employer's network up to attack from the inside.

Cybercrime is clearly a problem that threatens all types of computer users from the board room to the backyard; everyone is a target.

This document is intended for a non-technical audience. It's a sketch for part of a document I'm working on that introduces business users to online risks and best practices...


Reactive vs. Proactive security


I attended the Institute for National Security Education and Research (INSER) Cybersecurity 2008 event at the University of Washington this morning, where I listened to a very interesting talk by Deborah Frincke called "On the Horizon: How Research in Cybersecurity is Changing and How it Remains the Same." While the talk covered a lot of ground, one particular topic sticks out in my mind.

Right now, research dollars and commercial products are focused on responding to the problems we have right now. Keep in mind that issues that are current for defenders were hatched by the attackers days, weeks, or months ago. We basically have two tools in our arsenal that the bad guys made obsolete a long time ago -- signature-based defenses and attacking worm/bot command and control mechanisms. Research into "next generation" defenses is solving two-year-old problems, and there isn't a lot of funding looking even two years into the future, let alone five to ten.

Race to Zero Antivirus Challenge


There's clearly something broken in the economics of information security. This Defcon event isn't serious research into new attack vectors; it's a demonstration of how trivial it is to bypass signature-based products. An open and honest dialogue between security vendors and greyhat researchers is a good thing and should be encouraged -- open research benefits both sides, whereas blackhats working in the shadows keep security vendors playing catch-up.

From DEFCON Announcements, Race to Zero Makes Headlines!:

The Race-to-Zero anti-virus challenge was announced scarcely a week ago, and already the controversy surrounding it has bubbled all the way up to Wired. The contest's basic premise is that competitors will be given sample virus code and rewarded for modifying that code in such a way that it defeats common AV products.

AV vendors have made their discomfort with the idea clear, with various spokesmen for the industry voicing concern about the creation of new threats to existing AV products. Contest organizers have countered that the contest is categorically not about creating new virii, rather it is about demonstrating the speed with which currently blocked virii can be modified to defeat current virus-blocking software.


Also, from news.com and PC World.


Powered by Movable Type 4.12