Security Resources

Archive for the Software and OS Category

Encrypting the Web: Who is Doing What?

The Electronic Frontier Foundation (EFF) has updated their report on the support of various encryption and security methods by popular online service providers. Best to check out the original post directly, but you can also download the full graphic here that is current as of this post.

Can Your Systems Withstand a 200Gbps DDoS Attack?

The numbers are amazing – and should concern anyone with critical systems that rely on IP connectivity, and those operating in data centers with this kind of “attractive” bandwidth… (emphasis below was added)

Fueled by Super Botnets, DDoS Attacks Grow Meaner and Ever-More Powerful
Ars Technica (04/17/13) Goodin, Dan

Prolexic reports that the average amount of bandwidth being used to carry out distributed denial-of-service (DDoS) attacks has surged dramatically in the last three months. Prolexic estimates that the average bandwidth used in DDoS attacks was 48.25 Gbps in the first quarter, nearly eight times the average during the same period last year. The duration of the average attack also grew in the first quarter, from 28.5 hours in 2012’s first quarter to 34.5 hours this year. Prolexic says it has seen attacks using as much as 160 Gbps and expects to see attacks using up to 200 Gbps by the end of June.

This massive surge in attack volume has been blamed on the growing use of super-botnets, which send malicious traffic using infected servers rather than infected personal computers, with hackers targeting servers for common Web applications. The most well-known of these new DDoS attacks have targeted major U.S. banks and been attributed to the militant wing of Hamas, but Prolexic says the manpower, technical skill, organization, and resources required to pull them off suggest they are the work of highly coordinated bands of veteran cybercriminals, likely hiring their services out to third parties.

Web Link

Destructive Malware – The New Trend?

The concerning trend of malware being used to create mayhem within an organization or across a large population of disparate devices seems to be here to stay.

Within the security industry, one must think about what the response needs to be if, for example, enterprise security systems were targeted in such a way as to bring them down for days at a time. Whether through a vulnerability in the OS, connected devices (IP cameras, etc…), or software that manages the system(s), the threat is real. It is plausible that targeting physical security systems will be especially attractive due to the potential for capturing “private” video, interacting with the physical world (door control, sounding alarms), or gaining notoriety for breaching systems that are perceived as more secure than others.

More on the topic can be found here.

Two Critical Security Issues You Should Tackle Today

… if you haven’t already, that is.

There has been a barrage of coverage lately addressing ongoing security issues with Java and Universal Plug-and-Play (UPnP). Summarizing a mountain of detail that is only relevant to a small percentage of users, the takeaway is that almost everyone should: (1) Disable Java in the browser OR uninstall it completely; and (2) Disable UPnP on your router AND test it for remote UPnP vulnerabilities.

Excellent step-by-step instructions are available for uninstalling or restricting Java, but if you are running the latest version, a new control panel setting allows you to easily disconnect Java from your browsers, which is the most common way that it would be exploited. I wanted to remove the software completely, but one of my favorite mind-mapping applications (FreeMind) requires it, so if you are in a similar bind, preventing Java’s use in browsing sessions is the next best thing. Keep in mind that JavaScript and Java are two completely different things – you will need JavaScript on many web pages for proper functionality, and it is built into the browser, so you will not be altering it by restricting/removing Java. Limiting JavaScript is a good idea (using a plug-in such as NoScript), but again, this is a separate issue.

As for UPnP, the technology is built into many routers, and is supposed to make connection of networked devices easier by automatically opening ports and configuring network settings. Unfortunately, convenience doesn’t always coexist with security, and UPnP has been shown to have a number of vulnerabilities. Your best option: Turn it off in the router’s administration portal, and also run a Shields Up test to ensure that your router is not exposed to attack from outside the network. Keep in mind that some routers have been found to leave UPnP on regardless of the setting in their configuration screen, while others reportedly do not offer an option to disable it, so your mileage may vary…
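A LAN-side check to complement the outside-in Shields Up test, useful for the routers mentioned above that keep UPnP on regardless of the setting. This is an added example, not from the original post: it sends one standard SSDP `M-SEARCH` on your own network and lists the devices that still answer. The sample reply, device names and addresses are constructed.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode("ascii")

# Constructed sample reply (not captured from a real device), for offline checks.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"
)


def parse_ssdp_response(data):
    """Return the reply's headers (lower-cased names), or {} if not a 200 OK."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway(headers):
    """True when the responder advertises itself as an Internet Gateway Device."""
    text = (headers.get("st", "") + " " + headers.get("usn", "")).lower()
    return "internetgatewaydevice" in text


def discover(timeout=3.0):
    """Multicast one M-SEARCH and collect (ip, headers) from every responder."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                headers = parse_ssdp_response(data)
                if headers:
                    found.append((ip, headers))
        except socket.timeout:
            pass  # no more replies within the window
    return found


if __name__ == "__main__":
    for ip, hdrs in discover():
        tag = "ROUTER/IGD" if is_gateway(hdrs) else "device"
        print(f"{ip:15} {tag:10} {hdrs.get('server', '?')} {hdrs.get('location', '')}")
```

If the router's address still appears as `ROUTER/IGD` after UPnP has been switched off in its administration portal, the setting did not take effect.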

More on UPnP:
CERT Advisory
Rapid7 Whitepaper

Is Everything We Know About Password Stealing Wrong?

From Microsoft Research comes an interesting article about the viability of password stealing as a criminal business (in the context of committing financial fraud/theft). Here is a summary:

Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.

Link to the full report.

Big Data, SD Storage, Business Intelligence Articles

Several articles floated up recently that are worth review:

1. Business Intelligence in Retail

From Axis Communications, a summary of an LPRC study commissioned in late 2012 that addresses retailers’ adoption and use of IP video. Not surprisingly, the data shows an increase in the number of companies seeking sales, operations, and marketing improvement through the use of intelligent video (video analytics). This is reassuring, since image quality and resolution have been consistently discussed as the primary motivators, while their value continues to be debated. Of the ~25% of respondents who reported that business intelligence was a primary factor in selecting IP video:

  • People Counting was by far the most used non-LP analytic application, with 46.3 percent of
    respondents deploying this feature, up from 27 percent in 2010;
  • Dwell Time Analysis (20 percent) and Heat Map or Hot/Cold Zone (18.2 percent) usage
    increased in 2012, while 38.3 percent of respondents use video analytics to detect POS fraud;
  • Queue Counters are used by less than 10 percent of companies surveyed, yet 50 percent say
    they may use this application in future. Similarly, while no respondents said they utilize Out of
    Stock Alerts today, more than 56 percent say they may use them in the future;
  • Nearly 32 percent of respondents utilize surveillance to help analyze “shopping & buying
    behavior,” with 20 percent using video to measure shelf and product placement effectiveness

2. Big Data Requires a Cautious Approach

Beware the Errors of Big Data summarizes Nassim Taleb’s position that big data must be used with great care in order for it to be useful. His primary observation is that “modernity provides too many variables, but too little data per variable. So the spurious relationships grow much, much faster than real information. In other words: Big data may mean more information, but it also means more false information.”

He asserts that this is not necessarily bad, however, since big data can be effectively used to debunk a theory or conclusion, rather than draw new conclusions whose basis is made questionable by big data.

As the claims around big data continue to make their way into the video intelligence, security and integration space, the article (and the author’s book, Antifragile) are worth a read.

3. SD Card Video Storage (recording at the edge)

From SDM Magazine comes an article on the current state of SD card (flash memory) storage for video. While it only addresses the current trend of cameras supporting off-the-shelf SD memory cards, and not more reliable types of flash memory, the article does touch on some of the applications and limitations of this approach. Thanks to demand from the consumer market – driven by tablets, high megapixel cameras, and ultrabooks – the capacity, cost and reliability of SD cards are improving constantly. For many commercial and residential applications, it is virtually certain that this type of distributed recording will be the norm in just a few years. It will be a welcome and exciting change for end users and service providers – and a terrifying one for DVR/NVR vendors who haven’t yet figured out their migration to a cloud/SaaS model.

Technician Infects Control Systems via USB

In the 4th quarter of 2012, the Industrial Control Systems (ICS) team within CERT responded to multiple instances of power plant and utility control systems being infected with malware. In at least two of these, featured in ICS-CERT Monitor articles, the use of infected USB drives was identified as the means of transmission. Both cases illustrate the need for rigid backup and removable device policies. In one, the drive was used as the sole method of backing up critical workstations, and the other involved a third-party technician unwittingly infecting equipment while updating software using a USB drive. An important reminder to all who service networked devices…

As discussed in previous posts (see Hardware Hacking category), vulnerabilities in equipment connected directly to the Internet are capturing most of the attention these days. ICS-CERT recently summarized “Project SHINE,” which filtered and researched systems identified via the SHODAN search engine, looking for those most likely to control critical infrastructure. In the end, they determined that 7,200 devices (out of an initial list of more than 500,000) were directly related to control systems. With assistance from CERT, the group of researchers has been notifying owners about the potential exposure to attack, but this issue will be with us for a long time to come.

ICS-CERT also published a summary of the incidents by sector for 2012:

[Figure: ICS-CERT Incidents by Sector 2012]

————–

Additional Information about SHINE:  “SHINE stands for SHodan INtelligence Extraction. Managed by Bob Radvanovsky and Jake Brodsky of InfraCritical, it is a project to locate probable sites where control systems hardware may be running openly (without encryption or authentication of any sort) on the Internet. These include everything from hospital patient monitoring systems, building automation, Distribution SCADA RTUs, PLC gear, smart meters, traffic control systems, point of sale systems, security and fire alarm systems, and so on.”

The Shodan search engine can be found here.

POS Malware Found in 40 Countries

As reported by the Israel-based IT security firm, Seculert, malware has been found in POS systems in 40 countries, stealing credit card information from hundreds of thousands of consumers. Why should this matter to security integrators? Read on…

“Dexter” – the name given to the malware – appears to target Windows-based systems and servers, and uses a command and control server to tailor attacks and collect stolen data. It is custom-made, and has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted systems include big-name retailers, hotels, restaurants and even private parking providers.

One of the unknowns is the method of delivery, since many of the affected systems are servers which would typically not be used for web browsing or other common tasks which might result in infection. It is believed that the attackers may have compromised other computers or devices on the same network, then launched an attack on the server from inside the target’s network.

Once installed, Dexter looks for processes that correspond to specific POS systems, and when it finds them, dumps the memory and parses it for credit card (track one and two) information to send to the C&C server. End-to-end encryption, which protects data from the card reader all the way to the payment processor, would prevent the attack from being successful – but adoption of this technology is slow due to the cost of new hardware.

Security integrators should be concerned about the possibility of their hardware being an attractive vector for future attacks. With the proliferation of DVR/NVR systems (and other security equipment) that integrate with POS – or those that simply share the store LAN/WAN – attackers may find these targets irresistible. PC-based video recorders, in particular, would provide a powerful platform from which to probe the network and infect vulnerable systems. See this post for additional thoughts on the subject.

RFID and Zigbee Hacking – Security Directors Beware…

In the security world, few technologies have become more entrenched than proximity-based access control. The cards and readers are everywhere – and overall, they provide a level of convenience and security that far exceeds the systems they replaced, such as mechanical locks, barcodes, magnetic stripes, and the like. A typical access card operates in the same manner as an RFID tag – since it is essentially the same thing. A reader emits RF energy, which energizes a coil inside the card powering a small circuit, which in turn, communicates a unique ID number back to the reader. There are many data formats and matched reader/card frequencies involved, but almost all systems operate in this (simplified) manner.

Over the years, there have been many documented examples of proximity access control hacking, from card emulation and brute-force transmissions at the reader to surreptitious card data capture. So with that in mind, why revisit the subject here? The answer lies in the proliferation and rapidly declining cost of RFID components and other low-energy RF communications, which are poised to transform the way in which we connect and interact with systems and assets of all types.

The growing popularity of RFID tagging (especially in retail), environmental monitoring, intelligent edge devices, and building automation has spurred the development of a wide range of wireless/RF-enabled data collection and triggering. Examples include Zigbee (and similar 802.15.4 products), advanced RFID readers, and Z-Wave. For some developers, security is an afterthought, since the equipment is believed to be so obscure and/or specialized that it is unlikely to be attacked. What we are beginning to see, however, is that the same tactics used by “war-drivers” in the early days of commercial WiFi can expose insecure platforms and potentially open the door (pun intended) to serious security problems.

The good news is that security can be engineered into most of these platforms – in fact, it is often a core component – but it must be “switched on” and used properly. Follow the links below to read about some of the vulnerabilities and hacks that exist today. In practice, being aware of the potential for hacking – especially with immature products, proximity cards, etc. – will help you make good design decisions. For example, once you understand how an access badge can be cloned, you probably won’t allow that badge to also disarm your alarm system, even if the vendor promotes it as a convenience feature. Likewise, if you are testing a new Zigbee-based data collection solution in your retail store, have a discussion with your vendor about how security has been implemented – and even if you like the answer, keep that network isolated until it is well-proven.

More on this subject:

Wardriving for Zigbee: Blog article describing a method for finding and mapping Zigbee networks

Kisbee: Open-source hardware project to capture Zigbee wireless communication

Bootable RFID Live Hacking System: A platform for hacking MIFARE access control cards

Proximity Card Cloning: HID ProxCard-II, ISOProx, and others

iClass Card Details and Cloning

RFID Tutorial

Long Range Cloning: 125KHz Proximity Cards

Everyday Encryption

Following the suggestions for password management posted recently, I thought I would also share my preferences for personal data encryption.

Years ago, at least for me, using PGP or one of the proprietary security suites to protect data on a hard drive was far too onerous. I would usually give up shortly after installing the software due to the number of steps required to encrypt/decrypt data, the speed of the processing, or some other user interface issue. As a result, I would revert back to “security by obscurity” – hiding folders, placing documents inside zip files, etc…

The good news is that encryption solutions have come a long way. If you are trying to go paperless – or even if you just store copies of your tax returns as PDFs – then you have no reason to avoid them any longer. My preferred solution is a popular one: TrueCrypt.

TrueCrypt software is available for Windows, Mac, and Linux and has more features than you would want to read about here – the best of which is creating “secure containers” for files you want to protect. The best part is that it’s free (though a donation is money well spent). In short, once you create a file container, you “mount” it as if it were a separate hard drive on your system, and simply copy files in and out. When you un-mount the container, your files are protected by the level of encryption you initially selected during setup, which can be incredibly secure – incorporating multiple passes and multiple encryption methods, if desired. TrueCrypt can also protect entire drives, but unless you have huge amounts of data to store, this is not necessary.

Speaking of whole-drive encryption, you may have heard of solutions offered by your operating system – like BitLocker / EFS (Windows), or the Disk Utility in Mac OS X. While these solutions can be used to protect your entire hard drive (or portions), I find them more likely to cause problems for the casual user. Unless you need to secure every single file on your system, having one or more TrueCrypt containers makes more sense. You can easily back up a container as if it were a file (because in encrypted form, it is), which makes it easy to keep secure copies on cloud services or removable media. If you back up files from an encrypted drive to an unencrypted drive, they are no longer protected. Of course, you have to actually USE the TrueCrypt software for it to be effective, which is one argument for whole-disk solutions.

As an aside, if you need an extremely lightweight solution for just a few files, then definitely check out AESCrypt. It does little more than just encrypt and decrypt one operation at a time – but it is free, open-source, and very secure.

Finally, don’t just take my word for it. Do some reading and decide for yourself! Here is an article to get you started: LifeHacker “Five Best File Encryption Tools”
