Phill Hallam-Baker's Security Blog
Monday, March 22, 2004
Wired News: Brits Going at It Tooth and Nail

This story worries me, but not because I am a fan of social conservatism; I think that if people want casual sex that is their own affair. Nor does it appear to be a major health risk; if people use condoms there should be no problem.

The part that does worry me is all the personal security issues. Announcing to folk you don't know that you are available for casual sex might not be the safest thing to do. What do you do when the sexy 20-something girl you thought was sending the message turns out to be the 6' 3", 350 lb guy sitting a few rows down who stole the phone off the last guy he mugged this way?

The 'toothing' craze appears to be a Bluetooth phenomenon. At present it seems to be mainly a UK thing, but something similar might be happening in Japan, where GPS positioning is starting to become common.

It does not even need to involve a cell phone. I guess a similar thing could happen through meetup-type bulletin boards. It need not even involve sex. The role of sex as a pioneer of new forms of social interaction is well documented. What if this same type of technology were to be used for non-sexual encounters?

For example, I am really into woodworking at the moment. My Delta Unisaw should be delivered today. Now fine woodworking is not an unusual hobby; it is likely that on any given day a plane or hotel would have someone else with a similar interest. Perhaps we could meet up for dinner and conversation? But the difficulty of finding them is the problem.

People criticize the net for breaking social connections, but the truth is that modern lifestyles did that decades ago; the net is the biggest factor putting society back together. We should think hard about how to allow this type of thing to happen safely.

Sunday, March 21, 2004

Even with cryptography there is no such thing as 100% risk free

Acme Klein Bottle
You can tell a coffee shop is geek oriented when it serves its 'bottomless cup' of coffee in a Klein Bottle
Thursday, March 18, 2004
TAP: Web Feature: Rational Security. by Matthew Yglesias. March 16, 2004.

I don't intend to get into politics to any great extent in this blog, but one point that this article makes is that the Bush Administration is focused on terrorism supported by state actors.

This type of terrorism certainly existed in the 1980s. The IRA received funds from Libya. Iran supported terrorist groups in Lebanon. More recently the Taleban supported Al Qaeda in Afghanistan, and the Taleban was in turn largely the creation of President Musharraf and Pakistan.

But this is not the case today. State involvement in terrorism has been almost completely eliminated. There are many reasons for this, in particular the end of the Cold War and the Israeli withdrawal from Lebanon. But one of the most important factors was that the US and other countries made it plain that support for terrorism, whether covert or overt, would be considered cause for war.

It is now necessary to change the strategy, not because it failed but because it succeeded. Eliminating the state sponsors of terrorism was the easy part. The Taleban government is gone and it is not coming back. But Al Qaeda is still functioning despite having absolutely no state support whatsoever.

Sunday, March 07, 2004
NewsForge | A peek at script kiddie culture

OK, so a second bite at the same article; let's take a look at those DDoS schemes.

According to the article the ISPs are unresponsive to takedown requests and the FBI does not take notice. I know that people keep making this complaint, but there are high-tech crimes units in the major cities and they are looking to take down these guys. And at the moment the demand is such that DDoS is being treated as if it were a littering offense.

I think we need a better primer on how to prepare a case for law enforcement. I guess it is possible, if you read the article carefully, that the desk guy thought this particular person had been getting evidence by hacking.

We can't expect to do this with law enforcement in the loop every time. Let's change the model: law enforcement only gets involved if the ISPs fail to act, and instead of just going after the hacker there is a liability for the ISP.

This is consistent with the fire department model of government safety regulation. You can do pretty much anything to your house decoration-wise. Government only gets involved when safety is the issue. In particular the fire department won't let you build a house that is a fire trap, in part because it might set fire to the buildings around it.

Here we have ISPs that are forwarding bogons. It seems to me that this should not be that difficult to prevent. A $500 box performing passive listening at the cable head end could sound an alert when there is a bogon attack. You don't have to look at every packet; all you need to do is look at a sample. If you see an Ethernet MAC spewing bogons, you shut it down.

Another approach would be to push the bogon prevention right to the cable modem. Why on earth would these let bogon injection take place in the first place? Sure, there will be some hacked modems, but DDoS is coming from hijacked machines.

Cable modems, NAT boxes and the like should have limiters built in to prevent the creation of ridiculous numbers of SYN packets or outgoing UDP packets to reserved system ports like DNS. It is pretty easy to think of numbers that would be no inconvenience to any legitimate use, and there could be an option to turn them off in any case. But why give every home user the equivalent of a loaded machine gun when they don't need or want one?
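As an added illustration of the two controls proposed above (not the blog's code, and not any ISP's or vendor's product), here is a sampled bogon check that flags a MAC sourcing packets from outside its segment's assigned prefix, alongside a per-host token bucket that caps TCP SYNs and UDP to port 53. The prefix, MACs, packet sample and rate figures are all constructed for the example.

```python
import ipaddress
from collections import Counter
# Assumption: this segment is assigned the documentation prefix below, so a
# packet whose source address lies outside it carries a spoofed ("bogon") source.
SEGMENT_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Constructed packet sample: (src MAC, src IP, proto, TCP SYN flag, dst port)
SAMPLE = [
    ("00:11:22:33:44:55", "203.0.113.10", "tcp", True, 80),
    ("00:11:22:33:44:55", "203.0.113.10", "udp", False, 53),
    ("de:ad:be:ef:00:01", "10.99.0.1", "tcp", True, 80),      # spoofed source
    ("de:ad:be:ef:00:01", "172.16.5.5", "tcp", True, 80),     # spoofed source
    ("de:ad:be:ef:00:01", "198.51.100.9", "udp", False, 53),  # spoofed source
]

def bogon_sources(samples, prefix=SEGMENT_PREFIX, max_bogons=2):
    """MACs whose sampled packets carried more than max_bogons out-of-prefix sources."""
    counts = Counter()
    for mac, src_ip, *_ in samples:
        if ipaddress.ip_address(src_ip) not in prefix:
            counts[mac] += 1
    return sorted(mac for mac, n in counts.items() if n > max_bogons)

class HostLimiter:
    """Per-host token bucket for the two classes the post names: TCP SYNs and UDP
    to port 53. Rates (tokens/s, bucket size) are constructed illustrative values."""
    def __init__(self, rates=None):
        self.rates = rates or {"syn": (20, 40), "dns": (10, 20)}
        self.buckets = {}  # (mac, class) -> (tokens, time of last packet)
    @staticmethod
    def classify(proto, syn, dport):
        if proto == "tcp" and syn:
            return "syn"
        if proto == "udp" and dport == 53:
            return "dns"
        return None  # everything else is not limited
    def allow(self, mac, proto, syn, dport, now):
        cls = self.classify(proto, syn, dport)
        if cls is None:
            return True
        rate, burst = self.rates[cls]
        tokens, last = self.buckets.get((mac, cls), (burst, now))
        tokens = min(burst, tokens + (now - last) * rate)  # refill since last packet
        ok = tokens >= 1
        self.buckets[(mac, cls)] = (tokens - 1 if ok else tokens, now)
        return ok

def count_allowed(limiter, mac, n, proto="tcp", syn=True, dport=80, now=0.0):
    """Fire n identical packets from one host at instant `now`; count those that pass."""
    return sum(limiter.allow(mac, proto, syn, dport, now) for _ in range(n))
```

The burst sizes are deliberately far above anything a browser or mail client sends, so a legitimate user never notices the limiter while a SYN flood from the same host is capped at the bucket's refill rate.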

Reduce the value of your machine to a hacker, reduce the probability of attack?

NewsForge | A peek at script kiddie culture

This article pretty much shows that little has changed in the past ten years except for the number of the perpetrators. Although this is described as 'script kiddie culture' it sounds as if the hackers described have rather more skill than the usual knob-turner types.

I am not sure that anyone ever claimed that hackers did not find out some exploits on their own. But hackers have always found it easier to take ideas from others than to come up with their own. Reverse engineering patches is just a twist on a trick used by Kevin Mitnick, who intercepted reports of security vulnerabilities in VMS sent to their security expert.

We know that whenever a patch for a serious security vulnerability is released it is almost always reverse engineered and turned into an exploit. I spent some time discussing this issue with some Microsoft engineers at RSA Europe. The next version of the update tool will work more like patch does: instead of distributing full executables it will circulate diffs. This might appear to make reverse engineering easier, but it does not really, because the same information can be found by running diff.

I don't know that there is a satisfactory solution here. One way might be to use linkers that make arbitrary variations in the order of modules in the final image. This has two problems: first, it is probably not that hard to reverse engineer (no harder than doing it in the first place), and second, you might end up causing changes to program behavior.

Blocking the reverse engineering hole might not work anyway; it might just chase the problem further upstream. The number of hours hackers spend looking for code vulnerabilities is a whole heap less than the number of hours spent in security reviews. Looking at the code is the stupid way to do it, and the attackers are not stupid, nor are they particularly interested in hard work if they can avoid it.

You don't have to start from a patch; you can start from any user bug report. Every time a computer program crashes it has lost control somehow. If you start taking crashes seriously you can start to work out why they are going wrong, and you may find a way to find a hole.

What this comes down to is having to change the way we write programs. We have to start taking design for security seriously. With few exceptions, most security problems come from failures of bounds checking. It's that old buffer overrun bug from assembly language and C. It never ceases to amaze me how Dennis Ritchie has been so successful at pinning the blame for the consequences of his screw-up on the Redmond club.

Moving to use of managed code (Java, C#) would make a big difference to the security of systems. Stripping down O/S distributions to the bare bones would. I don't think messing with update distribution would have the same effect.

Saturday, March 06, 2004
ISP hammers Bob Vila site with spam suit | CNET

One of the big problems with legislation is that it is a blunt instrument that does not necessarily hit the people you want it to. Is Bob Vila a spammer? Possibly, but not very likely. Is Bob Vila selling penis potions, mortgages or inviting you to help move money out of Nigeria illegally? Almost certainly not.

The problem here is 'deep pockets'. Civil law is much more effective at keeping legitimate businesses honest than it is at stopping the schemes of out-and-out criminals.

Rather than filing lawsuits to determine whether someone opted in or out, let's use technology. Last year I proposed a scheme that would allow someone to send a token along with their mailing list subscription that would be returned with every email sent as 'proof' that they had really subscribed to the list. It is pretty easy to make this completely transparent to the end user and mailing list admin alike. In fact it allows some of the longstanding mailing list problems to be cleaned up, like how to subscribe or unsubscribe cleanly.
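One way the proposed token scheme could work, as an added example that is neither the blog's own design nor any real list manager's code: the subscriber derives a per-list token from a private secret and hands it over at subscription, the list echoes it in a header on every message, the client accepts a list message only if the token matches, and the same token authorizes a clean unsubscribe. The header name, addresses and secret are assumptions made for the illustration.

```python
import hmac
from email.message import EmailMessage
HEADER = "X-Subscription-Token"  # hypothetical header name for this illustration

class Subscriber:
    """Derives one token per list from a private secret, so the client stores
    nothing and can recompute the expected token for every inbound message."""
    def __init__(self, address, secret):
        self.address, self.secret = address, secret
    def token_for(self, list_address):
        return hmac.new(self.secret, list_address.lower().encode(), "sha256").hexdigest()[:32]

    def is_subscribed_mail(self, msg):
        # Accept only if the token matches the one this client gave the From address
        return hmac.compare_digest(str(msg.get(HEADER, "")), self.token_for(str(msg.get("From", ""))))

class MailingList:
    def __init__(self, address):
        self.address = address
        self.members = {}  # subscriber address -> token supplied at subscription

    def subscribe(self, address, token):
        self.members[address] = token

    def unsubscribe(self, address, token):
        """Only the holder of the token given at subscription can remove it."""
        if hmac.compare_digest(self.members.get(address, ""), token):
            del self.members[address]
            return True
        return False

    def post(self, subject, body):
        """One copy per member, each echoing that member's own token."""
        out = []
        for member, token in self.members.items():
            msg = EmailMessage()
            msg["From"], msg["To"], msg["Subject"] = self.address, member, subject
            msg[HEADER] = token
            msg.set_content(body)
            out.append(msg)
        return out

def forged_copy(msg, guess="0" * 32):
    """Constructed forgery: a spammer copies the list's headers but not its token."""
    fake = EmailMessage()
    fake["From"], fake["To"], fake["Subject"] = msg["From"], msg["To"], msg["Subject"]
    fake[HEADER] = guess
    fake.set_content("buy now")
    return fake
```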

Hopefully more on this soon.

InfoWorld: Windows XP SP2 could break existing applications: March 04, 2004
InfoWorld reports that Windows XP Service Pack 2 may break some applications because of security enhancements. I hope the firewall changes break Gator and Comet Cursor real good.
Thursday, September 04, 2003
Saboteurs hit spam's blockers
Hiawatha Bray's article on the DDoS attacks against spam blacklists highlights a key problem with running Internet infrastructure on an amateur basis. It is one thing to provide a successful service, quite another to provide a service that can survive a determined attack.

The DDoS attacks against the spam blacklists were significant but nowhere near the level that critical infrastructure such as the DNS system or key Internet peering points such as MAE West suffer on a daily basis. The DNS system is attacked over 1000 times a day.

Spamcop's Haight is quoted as saying that he believes there may be a link between the attacks and organized crime but does not have any evidence. There is abundant evidence of a link between spam and organized crime, mainly because the vast majority of spam scams are organized crime. Identity theft, advance fee fraud, etc. are all scams that require substantial organization. What we do not have is conclusive proof that the attacks were launched by spammers, although it appears that the same worm that was used to plant trojans for the DDoS attack has also been used to send spam.

The nexus between hacking and spam has always been close and has recently become much closer. Hackers sell their skills to spammers, helping them evade spam filter controls. Hackers also sell captured machines, email addresses and credit card numbers. Spam is the way you make hacking pay.

It is also interesting to note that Hiawatha is using the term 'blocklist' rather than 'blacklist'. It appears that the blacklist maintainers have recently realized that their name has 'diversity' problems. I prefer to use the original name for a number of reasons. First, I think the name change is more about avoiding guilt by association than about avoiding giving offense. Second, the term blacklist does not have a racial origin; it comes from the Athenian practice of ostracism, where the local population would vote to expel someone from the city. A black shard of pot (ostra) indicated that the victim was to be expelled.
Monday, August 25, 2003
The Outlook is better than most think.
Scott Rosenberg raises the old 'viruses are caused by Outlook' claim. Well yes, viruses are more likely to affect Outlook than other clients, but no, the reasons have little to do with the design of the code.

Older versions of Outlook did have bad habits, like automatically running possibly malicious code when the user clicked on an attachment. This behavior was not unique to Outlook; Netscape Communicator would at one time automatically run JavaScript code when it displayed an email with HTML code. Microsoft fixed Outlook over two years ago. Anyone can download a patch for the paid edition of Outlook or download a complete upgrade for Outlook Express.

I get annoyed when people blame viruses on end users; they are an architectural flaw. The fact is, however, that all email programs currently used on the Internet share the same flaw: they do not authenticate the source address that an email purports to come from. This is how spammers can hijack my email address to send spam, and they have done so on many occasions in the past.

A typical virus spreads by reading a victim's email address book and sending out copies of itself to each address in the book. More recently viruses have disguised their origin by using a source address that is also chosen at random from the email address book.

This behavior has two consequences. First, the virus must be able to read the victim's email address book to spread. Outlook makes this easy because the address book is readable through a standard API. It is possible to do this with any mail client, but a virus can only spread from an infected host if it reads the address book format of the particular client the infected user runs. Eudora, and for that matter most other email clients, has a tiny market share compared to Outlook, about a tenth of Outlook's installed base. That means a virus that attempted to propagate through Eudora would be passed on to a tenth the number of new victims at each stage as a virus that attacks Outlook. This difference has nothing to do with design; it is all about how viruses spread.

If the virus problem were merely the design of Outlook, one would have expected the problem to have reduced after the patches went in two years ago. Instead the virus problem is far worse, because so many people have broadband connections these days.

This suggests that viruses would be less of a problem if there were more email clients in use. Actually this is not quite the case. More email clients would certainly slow the spread of viruses that could only infect one type of email client. However, it is not difficult to write a virus that attacks more than one type of client at a time. The only reason this does not happen is that there is not a big enough incentive.

A better solution would be to design an email client in such a way that malicious code simply could not read the address book. This is impossible on an operating system such as Windows 98 where the O/S does not provide compartmentalized security. It might be possible with some effort to create such a system on Windows 2000 or Windows XP and is certainly possible using the next generation security technology from Microsoft 'the operating system formerly known as Palladium'.

OK, so much for propagation. What about the other consequence of the way viruses spread? Pretending to be another person has become an essential technique for viruses to propagate. It follows that we can reduce the rate of spread of spam by preventing viruses (and spam) from using this impersonation technique. This means using security mechanisms such as S/MIME, which Outlook, Lotus Notes and Netscape all support and Eudora conspicuously fails to support.

The key to stopping virus propagation is to ensure that each time a virus infects a victim the infection will be passed on to an average of less than one additional victim.
