<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: frames]]></title>
    <link>http://securityratty.com/tag/frames</link>
    <description></description>
    <pubDate>Tue, 16 Oct 2007 03:08:58 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[A Simple Situation Model for Complex Events]]></title>
      <link>http://securityratty.com/article/f18e0a427dcb70072a18706f7be16a27</link>
      <guid>http://securityratty.com/article/f18e0a427dcb70072a18706f7be16a27</guid>
      <description><![CDATA[In an earlier post I explained why situation modelling, and preferably an object-oriented situation model, is one of the key attributes of CEP. Unfortunately, I have yet to find a situation model for...]]></description>
      <content:encoded><![CDATA[<p>In an earlier post I explained why situation modelling, and preferably an object-oriented situation model, is one of the key attributes of CEP. Unfortunately, I have yet to find a situation model for complex events, so I offer a few simple baseline concepts here.  Your comments and improvements are much appreciated.</p>
<p>1. A situation model of a complex event is an abstract representation of a described or experienced situation that we wish to detect in real-time.</p>
<p>2. Situation models are composed of four primary objects:</p>
<blockquote><p>a. A spatial-temporal reference framework (spatial locations, time frames, window size)<br />
b. Entities objects (people, objects, system)<br />
c. Properties of entities objects (velocity, amount, size, price, direction)<br />
d. Object relational information (spatial, temporal, causal, dependence, proximity, network, taxonomy, classification)</p></blockquote>
<p>3. Situation models of complex events may have three levels of model representation:</p>
<blockquote><p>a. Situation model (event-specific)<br />
b. Episodic model (coherence sequences of events)<br />
c. Comprehensive model (a comprehensive collection of episodes)</p></blockquote>
<p>Hence, in a nutshell, it is imperative that we have a situation model for representing complex events if we are going to move CEP forward.    The simple model in this post may or may not be the right one to develop, but at least we have something to talk about.  Ideally, the model should be object-oriented, although it does not have to be.</p>
<p>When we have a workable model for situations in the context of event processing, we will have a working model for complex events.   Then, with a working model of complex events, we can build a working model for complex event processing. </p>
<p>References: <a href="http://www.nd.edu/~memory/theory.html" target="_blank">The New Theory for Situation Models</a></p>
]]></content:encoded>
      <pubDate>Tue, 15 Jul 2008 05:29:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/model">model</category>
      <category domain="http://securityratty.com/tag/situation">situation</category>
      <category domain="http://securityratty.com/tag/situation model">situation model</category>
      <category domain="http://securityratty.com/tag/workable model">workable model</category>
      <category domain="http://securityratty.com/tag/simple model">simple model</category>
      <category domain="http://securityratty.com/tag/complex events">complex events</category>
      <category domain="http://securityratty.com/tag/situation models">situation models</category>
      <category domain="http://securityratty.com/tag/events">events</category>
      <category domain="http://securityratty.com/tag/comprehensive model">comprehensive model</category>
      <source url="http://www.thecepblog.com/2008/07/15/a-simple-situation-model-for-complex-events/">A Simple Situation Model for Complex Events</source>
    </item>
    <item>
      <title><![CDATA[Cisco IPS Jumbo Frame DoS]]></title>
      <link>http://securityratty.com/article/30454d5fc63a7266c8e9e99fd78bec4d</link>
      <guid>http://securityratty.com/article/30454d5fc63a7266c8e9e99fd78bec4d</guid>
      <description><![CDATA[For a networking company, that's gotta hurt
From Cisco
Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial...]]></description>
      <content:encoded><![CDATA[<p>For a networking company, that&#8217;s gotta hurt.</p>
<p>From Cisco:</p>
<blockquote><p>Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.</p>
<p>Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.</p></blockquote>
<p>Update or workaround? Which is it then? At the very least get your patch on.</p>
<p><a href="http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml">Article Link</a></p>

]]></content:encoded>
      <pubDate>Wed, 18 Jun 2008 17:22:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/gigabit network interfaces">gigabit network interfaces</category>
      <category domain="http://securityratty.com/tag/vulnerability">vulnerability</category>
      <category domain="http://securityratty.com/tag/service vulnerability">service vulnerability</category>
      <category domain="http://securityratty.com/tag/cisco">cisco</category>
      <category domain="http://securityratty.com/tag/jumbo ethernet frames">jumbo ethernet frames</category>
      <category domain="http://securityratty.com/tag/recover platform operation">recover platform operation</category>
      <category domain="http://securityratty.com/tag/kernel panic">kernel panic</category>
      <category domain="http://securityratty.com/tag/article link">article link</category>
      <category domain="http://securityratty.com/tag/power cycle">power cycle</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/314909884/">Cisco IPS Jumbo Frame DoS</source>
    </item>
    <item>
      <title><![CDATA[Dead, Dead, Dead: Cities Accept Muni-Fi's Absence]]></title>
      <link>http://securityratty.com/article/d4178d08b336bbde0662163e19ee4979</link>
      <guid>http://securityratty.com/article/d4178d08b336bbde0662163e19ee4979</guid>
      <description><![CDATA[Local paper taunts Tempe's failed muni-Fi effort: Symbolically, a display celebrating the kickoff of the city-wide Wi-Fi network built by NeoReach-cum-Kite-cum-Gobility is falling apart in front of the...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" hspace="5" height="80" width="80" border="0" /><strong><a href="http://www.eastvalleytribune.com/story/114300">Local paper taunts Tempe's failed muni-Fi effort:</a></strong> Symbolically, a display celebrating the kickoff of the city-wide Wi-Fi network built by NeoReach-cum-Kite-cum-Gobility is falling apart in front of the mayor's office, the reporter notes. I have to add "stucco" to the list of quotidian problems that tripped up metro-scale Wi-Fi. In many parts of the U.S., <strong><a href="http://en.wikipedia.org/wiki/Stucco">stucco</a></strong> isn't in a homeowner's vocabulary. But in large swaths of sunny states, especially the southwest and southern California, homes are finished by slapping plaster on chicken wire and calling it good--it's got good insulation. Where wallboard over balloon wood frames doesn't really obstruct Wi-Fi, the chicken wire coupled with the density of the plaster is as effective as the water always present in brickwork in keeping signals out. I had this conversation recently about plaster with Rio Rancho's city manager, too.</p>

<p>The reporter notes other common threads of problems with metro-scale networks: lowballed budgets, which turned out to underestimate infrastructure costs (nodes, real-estate rights, utility pole issues), low demand, and weak signals inside homes. Tempe apparently had 1,000 subscribers at one point, in a city of 166,000 (2005 census estimate).</p>

<p>The article states, "The upside is Tempe and other Valley cities didn't spend taxpayer dollars." Of course, as I've noted before, the idea with a wireless network should be to both conserve expenses and reduce them. "Taxpayer dollars" is a shibboleth of those who believe government can solve <em>no</em> ills. Those who believe that are typically also fine with government overspending by paying large companies as private contractors rather than working in a public/private partnership that reduces expenses and yet puts most dollars into the private sector--just in smaller firms.</p>

<p><strong><a href="http://www.azcentral.com/community/gilbert/articles/2008/04/19/20080419gr-wifi0419-ON.html">Gilbert, Ariz., one of several Arizona cities that was contracted with Kite, reaches fifth stage of mourning, acceptance:</a></strong> Gobility, Kite's ostensibly current owner, hasn't communicated with the city in two months, and its elusive head wouldn't comment for this article in local paper. The city isn't too depressed.</p>

<p><strong><a href="http://newsok.com/article/3229885/1208648366">Oklahoma City is OK with lack of Wi-Fi network for public access:</a></strong> They're pretty pleased with their large mesh network for emergency services.</p>]]></content:encoded>
      <pubDate>Sun, 20 Apr 2008 08:54:28 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wi-fi network">wi-fi network</category>
      <category domain="http://securityratty.com/tag/city-wide wi-fi network">city-wide wi-fi network</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/oklahoma city">oklahoma city</category>
      <category domain="http://securityratty.com/tag/dollars">dollars</category>
      <category domain="http://securityratty.com/tag/city manager">city manager</category>
      <category domain="http://securityratty.com/tag/taxpayer dollars">taxpayer dollars</category>
      <category domain="http://securityratty.com/tag/reporter notes">reporter notes</category>
      <category domain="http://securityratty.com/tag/balloon wood frames">balloon wood frames</category>
      <source url="http://wifinetnews.com/archives/008283.html">Dead, Dead, Dead: Cities Accept Muni-Fi's Absence</source>
    </item>
    <item>
      <title><![CDATA[Are your digital devices Certified Pre-0wned?]]></title>
      <link>http://securityratty.com/article/95751c95a8406869ae2dbe324ea5e7cd</link>
      <guid>http://securityratty.com/article/95751c95a8406869ae2dbe324ea5e7cd</guid>
      <description><![CDATA[I took part in the L0pht Reunion Panel at the Source Boston conference in Cambridge, MA last Friday. It was a lot of fun to get back together with the band and pontificate with no holds barred about...]]></description>
      <content:encoded><![CDATA[<p>I took part in the <a href="http://www.sourceboston.com/blog/?p=27">L0pht Reunion Panel</a> at the <a href="http://www.sourceboston.com/">Source Boston</a> conference in Cambridge, MA last Friday.  It was a lot of fun to get back together with the &#8220;band&#8221; and pontificate with no holds barred about the latest security threats, just <a href="http://www.nytimes.com/library/magazine/home/19991003mag-hackers.html">like we did in the old days</a>.</p>
<p>One of the questions asked of the panel by moderator <a href="http://mffitzgerald.com/">Michael Fitzgerald</a> (who did a kick-ass job) was,  &#8220;What scares you the most these days?&#8221;. My answer was the proliferation of inexpensive digital devices made in China that we plug into our computers.  The malware problem is getting tricky to dodge.  First you <a href="http://en.wikipedia.org/wiki/Melissa_(computer_worm)">couldn&#8217;t open email attachments</a> you weren&#8217;t expecting. Then you had to worry about <a href="http://news.bbc.co.uk/2/hi/technology/6645895.stm">surfing even trusted websites</a> with JavaScript turned on, even with the latest patched browsers. Now you have to worry about <a href="http://news.yahoo.com/s/ap/20080314/ap_on_hi_te/factory_installed_viruses">plugging in the shiny new digital toy</a> you got as a gift. Perhaps it&#8217;s a digital picture frame, digital camera, music player or silly programmable gizmo. Welcome to the age of factory installed malware &#8211; the age of devices coming <em>Certified Pre-0wned</em>.</p>
<p>The Associated Press <a href="http://news.yahoo.com/s/ap/20080314/ap_on_hi_te/factory_installed_viruses">writes</a>:</p>
<blockquote><p>Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by <span class="yshortcuts" id="lw_1205492037_0">Target</span> and <span class="yshortcuts" id="lw_1205492037_1">Best Buy stores</span> and TomTom navigation gear.</p>
<p>In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.</p></blockquote>
<p>We all know malware is starting to fly under the radar of black list style detection.  Low volume malware is flooding the AV labs&#8217; capability to build detection for it. The digital picture frame sold at Sam&#8217;s club was infected with previously unknown malware that stole passwords and turned off AV software.</p>
<p>An additional threat that has been reported is that devices have been found infecting the flash memory cards that are often inserted to upload photos.  <a href="http://isc.sans.org/diary.html?storyid=3995">From SANS</a>:</p>
<blockquote><p>“Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it. Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe. The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file. At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us. Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus.”</p></blockquote>
<p>We are back to the days of the floppy or &#8220;sneaker net&#8221; attack vector. Do you know who has touched your SD card or USB drive? Don&#8217;t use it in public.  Don&#8217;t share it with multiple machines. Dan Geer told me he once tossed a USB drive into an audience with the slides for a presentation he just delivered on it.  About 10 people passed it around and copied off the slides.  It came back with a virus on it.  And this was at a security conference.</p>
]]></content:encoded>
      <pubDate>Mon, 17 Mar 2008 13:11:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/devices">devices</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/low volume malware">low volume malware</category>
      <category domain="http://securityratty.com/tag/drive">drive</category>
      <category domain="http://securityratty.com/tag/tech devices">tech devices</category>
      <category domain="http://securityratty.com/tag/usb drive">usb drive</category>
      <category domain="http://securityratty.com/tag/previously unknown malware">previously unknown malware</category>
      <category domain="http://securityratty.com/tag/digital picture frame">digital picture frame</category>
      <category domain="http://securityratty.com/tag/inexpensive digital devices">inexpensive digital devices</category>
      <source url="http://www.veracode.com/blog/?p=82">Are your digital devices Certified Pre-0wned?</source>
    </item>
    <item>
      <title><![CDATA[Malware in MP3 players]]></title>
      <link>http://securityratty.com/article/2a07ca7c3f1b3b1fd97d462eb14189bc</link>
      <guid>http://securityratty.com/article/2a07ca7c3f1b3b1fd97d462eb14189bc</guid>
      <description><![CDATA[Following on from the story about dodgy Cisco hardware, it seems that some of our popular consumer electronic gadgets such as MP3 players and digital picture frames are infected with malware before...]]></description>
      <content:encoded><![CDATA[
      Following on from the story about dodgy Cisco hardware, it seems that some of our popular consumer electronic gadgets such as MP3 players and digital picture frames are infected with malware before they even leave the factory.

A number of online news sources are running the same story as reported <a href="http://www.cnn.com/2008/TECH/ptech/03/13/factory.installed.virus.ap/index.html">here</a>.

Queries about connecting up one personal device or another frequently escalate to my desk because the policy in place forbids non-company equipment on company networks. I believe that this is a sensible policy to have and the latest news backs this up.

Introducing any consumer device onto your network, in the same way as introducing consumer software, is an unnecessary way of increasing your exposure to malware risks. You don't need to be doing it. Now here's another reason why.

As I said the other day, malware remains the greatest threat. 
      
   ]]></content:encoded>
      <pubDate>Sun, 16 Mar 2008 12:25:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/malware remains">malware remains</category>
      <category domain="http://securityratty.com/tag/online news sources">online news sources</category>
      <category domain="http://securityratty.com/tag/mp3 players">mp3 players</category>
      <category domain="http://securityratty.com/tag/news">news</category>
      <category domain="http://securityratty.com/tag/forbids non-company equipment">forbids non-company equipment</category>
      <category domain="http://securityratty.com/tag/malware risks">malware risks</category>
      <category domain="http://securityratty.com/tag/digital picture frames">digital picture frames</category>
      <category domain="http://securityratty.com/tag/dodgy cisco hardware">dodgy cisco hardware</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/03/following-on-from-the-story.html">Malware in MP3 players</source>
    </item>
    <item>
      <title><![CDATA[Throw away your digital picture frames]]></title>
      <link>http://securityratty.com/article/bb80f799aeb703e8ac04ecfa35c60af3</link>
      <guid>http://securityratty.com/article/bb80f799aeb703e8ac04ecfa35c60af3</guid>
      <description><![CDATA[Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I
Virus from China, the gift that keeps on giving
An...]]></description>
      <content:encoded><![CDATA[<p>Surely time itself has warped and it's suddenly April 1st. Come on, if you read the following, wouldn't you first think it was a hoax, as did I?</p> <blockquote> <p><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL" target="_blank">Virus from China, the gift that keeps on giving</a></p> <p>An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games -- and its designers might have larger targets in mind.  <p>"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse... The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.</p></blockquote> <p>Mocmex is its name. Reportedly, it can evade hundreds of anti-malware and firewall products, including the Windows Firewall. I suspect that this succeeds only when users are logged in as administrators, so here's yet another reason to stop doing this altogether, as is the US Government with its new <a href="http://fdcc.nist.gov/" target="_blank">Federal Desktop Core Configuration</a> for Windows XP and Windows Vista.</p> <p>The virus actually propagates to just about any kind of removable USB storage device, jumping from various well-concealed hiding places on your PC whenever such a device is inserted. Picture frames are implicated because the virus apparently originated in the factory where the frames were built (in turn sold by Best Buy, Sam's Club, Target, and Costco, but now discontinued). Amazingly, according to the UK security firm Prevx, over 67,500 variants of this thing exist!</p> <p>Even more amazing:</p> <blockquote> <p>[Mocmex] isn't the only piece of malware involved. 
Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets -- networks of infected PCs that are remotely controlled by hackers.  <p>There is W32.Rajump, which deposits the same piece of malware that infected some of Apple's video iPods during manufacturing in October 2006. It gathers IP addresses and port numbers from infected PCs and ships them out, according to Symantec. One destination is registered to a service in China that allows people to conceal their own IP addresses.  <p>Then there is a generic Trojan; a Trojan that opens a back door on PCs and displays pop-up ads; and a Trojan that spreads itself through portable devices like Mocmex does.</p></blockquote> <p>More reasons to <a href="http://blogs.technet.com/steriley/archive/2007/10/30/more-on-autorun.aspx" target="_blank">disable Autorun</a>, I suppose. Yet this isn't a cure-all: if you're logged in as administrator, the virus helpfully re-enables Autorun. Sheesh! If you own one of these frames, SANS suggests that you take it to a friend who has a Mac or Linux box and plug it in there. Yeah, that's good advice; there exist no viruses for these operating systems, correct? It's irrelevant which operating system you're using -- if you run with full privileges, you'll get 0wn3d soon enough.</p> <p>It's fascinating that the thing targets online games, although it could certainly harvest just about any private information stored on your PC. Mining online game accounts might be pretty profitable, you know. Consider the number of people who pay real money for virtual (=fake) stuff in World of Warcraft, Runescape, and whatever else. I suppose losing their passwords to picture frames might help such people regain a tenuous foothold on reality.</p>]]></content:encoded>
      <pubDate>Tue, 19 Feb 2008 00:36:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/frames">frames</category>
      <category domain="http://securityratty.com/tag/picture frames">picture frames</category>
      <category domain="http://securityratty.com/tag/trojan">trojan</category>
      <category domain="http://securityratty.com/tag/generic trojan">generic trojan</category>
      <category domain="http://securityratty.com/tag/digital photo frames">digital photo frames</category>
      <category domain="http://securityratty.com/tag/trojan horse">trojan horse</category>
      <category domain="http://securityratty.com/tag/virus apparently">virus apparently</category>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/02/18/throw-away-your-digital-picture-frames.aspx">Throw away your digital picture frames</source>
    </item>
    <item>
      <title><![CDATA[Insignia photo frame virus much nastier than first thought]]></title>
      <link>http://securityratty.com/article/76c98037e122b9e3ffbffd2822c3a7cb</link>
      <guid>http://securityratty.com/article/76c98037e122b9e3ffbffd2822c3a7cb</guid>
      <description><![CDATA[Ugh, we were already sick of digital photo frames -- and now it looks like those now-discontinued virus-ridden Insignia units from Best Buy and several other models produced in China were carrying a much...]]></description>
      <content:encoded><![CDATA[Ugh, we were already sick of digital photo frames -- and now it looks like those now-discontinued virus-ridden Insignia units from Best Buy and several other models produced in China were carrying a much nastier trojan than we'd originally heard. ]]></content:encoded>
      <pubDate>Sat, 16 Feb 2008 19:20:03 +0000</pubDate>
      <category domain="http://securityratty.com/tag/digital photo frames">digital photo frames</category>
      <category domain="http://securityratty.com/tag/insignia units">insignia units</category>
      <category domain="http://securityratty.com/tag/nastier trojan">nastier trojan</category>
      <category domain="http://securityratty.com/tag/models">models</category>
      <category domain="http://securityratty.com/tag/sick">sick</category>
      <category domain="http://securityratty.com/tag/china">china</category>
      <category domain="http://securityratty.com/tag/ugh">ugh</category>
      <source url="http://digg.com/security/Insignia_photo_frame_virus_much_nastier_than_first_thought">Insignia photo frame virus much nastier than first thought</source>
    </item>
    <item>
      <title><![CDATA[Who says Politics doesn't pay and why can't I find clients with pockets this deep?]]></title>
      <link>http://securityratty.com/article/72ce20f130c78da874e849da0a3491a9</link>
      <guid>http://securityratty.com/article/72ce20f130c78da874e849da0a3491a9</guid>
      <description><![CDATA[I have never drunk the political Kool-Aid. I have little faith in big party politics. Give me an independent politician who does not have to toe a party line and I'll show you a politician who has half...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_1UFxC-OgSnA/R5UUuLmhiBI/AAAAAAAAADc/ODAIe-i9zzE/s1600-h/Fotolia_3032426_S.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_1UFxC-OgSnA/R5UUuLmhiBI/AAAAAAAAADc/ODAIe-i9zzE/s320/Fotolia_3032426_S.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5158051731843680274" /></a><br />I have never drunk the political Kool-Aid.  I have little faith in big party politics.  Give me an independent politician who does not have to toe a party line and I'll show you a politician who has half a chance of being a decent advocate of the people.    <br /><span id="fullpost"><br />I think one of the greatest wrongs that politicians commit is in their thinking of voters as idiots.  I use the Washington Post article of 1/17/08 as a prime example.  Staff writer Carrie Johnson writes in the Business section that GAO investigators will look into "NO-BID Contracts" irregularities  involving the Justice Department.<br /><br />This all came about when a firm led by the former Attorney General, John D. Ashcroft, drew attention for receiving lucrative (more like outrageous) contracts to oversee companies accused of fraud and other wrongdoing.  One firm in particular, Zimmer (famous for their "Zimmer Frames"), agreed to pay Mr. Ashcroft's firm between $28 and $52 million dollars to resolve kickback allegations.  <br /><br />Two questions spring to mind; 1) How much was the original "kickback" amount when they can now afford to pay out $28,000,000.00 to $52,000,000.00? and 2) Does the receiving of (as much as) $52 million dollars by a former high ranking politician from a company with its back up against a wall not sound like a "kickback" in and of itself?<br /><br />What does Mr. Ashcroft's firm deliver as a result of this outlandish payment?  Well, as a "monitor", they will make sure that Zimmer stops making illicit payments to doctors for using Zimmer products.  
There's got to be more than that, surely?  Kind of.  Ashcroft said that he has already made several trips to Indiana to "understand Zimmer's troubles."  Several trips to Indiana for $52 million dollars?  Did they buy their own luxury jet just for those trips?<br /><br />Private investigation firms all across America conduct similar services on a daily basis, only for a mere fraction of what Zimmer has paid to this former Government official.  As a private security business owner I can attest to the fact that a typical investigation company would be delighted and thrilled to receive 2% - 3% of this amount and in so doing would employ highly skilled investigators with backgrounds and certifications such as Certified Fraud Examiner in the FBI, United Nations and other Govt. and corporate investigative agencies.  <br /><br />You can be sure that Mr. Ashcroft is not the only former government official riding the gravy train.  The article states that several other former government officials with ties to the Bush administration have been awarded similar contracts since 2001.<br />      <br /></span>]]></content:encoded>
      <pubDate>Mon, 21 Jan 2008 18:10:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/zimmer">zimmer</category>
      <category domain="http://securityratty.com/tag/zimmer products">zimmer products</category>
      <category domain="http://securityratty.com/tag/zimmer frames">zimmer frames</category>
      <category domain="http://securityratty.com/tag/million dollars">million dollars</category>
      <category domain="http://securityratty.com/tag/firm">firm</category>
      <category domain="http://securityratty.com/tag/firm deliver">firm deliver</category>
      <category domain="http://securityratty.com/tag/zimmer stops">zimmer stops</category>
      <category domain="http://securityratty.com/tag/resolve kickback allegations">resolve kickback allegations</category>
      <category domain="http://securityratty.com/tag/contracts">contracts</category>
      <source url="http://www.thebulletproofblog.com/2008/01/who-says-politics-doesnt-pay-and-why.html">Who says Politics doesn't pay and why can't I find clients with pockets this deep?</source>
    </item>
    <item>
      <title><![CDATA[Myth vs. reality: Wireless SSIDs]]></title>
      <link>http://securityratty.com/article/4a91fb214b08b79f9031eb1b8995f6ef</link>
      <guid>http://securityratty.com/article/4a91fb214b08b79f9031eb1b8995f6ef</guid>
      <description><![CDATA[Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs...]]></description>
      <content:encoded><![CDATA[<p>Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a <a href="http://www.microsoft.com/technet/technetmag/issues/2005/11/SecurityWatch/" target="_blank">myth</a> that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.</p> <p>Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities, and I've <a href="http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx" target="_blank">written extensively about this before</a>. <strong>An SSID is a network name</strong>, <em>not</em> -- I repeat, <em>not</em> -- a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. <strong>The SSID was never designed to be hidden</strong>, and therefore won't provide your network with any kind of protection if you try to hide it. It's a violation of the <a href="http://standards.ieee.org/getieee802/802.11.html" target="_blank">802.11 specification</a> to keep your SSID hidden; the 802.11i specification amendment (which defines WPA2, discussed later) even states that a computer can refuse to communicate with an access point that doesn't broadcast its SSID. And, even if you think your SSID is hidden, it really isn't. Let me explain.</p> <p>All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an <em>association frame.</em> This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. 
Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.</p> <p>Both Windows XP and Vista work best when your access points broadcast their SSIDs. XP really <a href="http://support.microsoft.com/kb/811427" target="_blank">doesn't behave well at all</a> with nonbroadcasting SSIDs. Vista has some <a href="http://support.microsoft.com/kb/929661" target="_blank">added smarts to improve this</a> a bit. Normally, Vista continually sends probe requests for nonbroadcasting networks. These probes are similar to unencrypted 802.11 association frames, and will generate clear-text responses from the access points if a nonbroadcasting network is present. You can reduce, but not entirely eliminate, these probes by configuring the wireless client to probe only for automatically-connected nonbroadcasting networks.</p> <p>Both these behaviors make it very easy for an attacker to discover your SSID. The bad guy, perhaps a contractor or a guest in your facility, could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of "hiding" configured in your access points can prevent this kind of traffic interception.</p> <p>So there you have it, simple SSID discovery. The old axiom remains true: security by obscurity is no security at all. Hiding an SSID will not hide a wireless network, so ignore any such advice -- and it's amazing how often I continue to see this. By the way, <strong>also ignore any advice that says to use MAC address filtering</strong>. 
It's amazingly trivial to spoof the MAC address of an allowed supplicant -- simply sniff the traffic, look at the MAC addresses, and use the neat little <a href="http://www.klcconsulting.net/smac" target="_blank">SMAC utility</a> to change your MAC to one that's permitted.</p> <p><a href="http://technet.microsoft.com/en-us/library/bb726942.aspx" target="_blank">Nonbroadcasting networks are not secure networks</a>. The right way to secure a wireless network is to use protocols that are designed specifically to address wireless network threats. If you're still using WEP, either static or dynamic, I encourage you to move to WPA2 as soon as possible. If you're at home running XP and have kept it updated, or if you're running Vista, you simply need to <a href="http://www.microsoft.com/technet/community/columns/cableguy/cg0505.mspx" target="_blank">enable WPA2</a>. We've got some additional guidance for <a href="http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&amp;displaylang=en" target="_blank">home/small offices</a> and for enterprise networks <a href="http://www.microsoft.com/downloads/details.aspx?familyid=cdb639b3-010b-47e7-b234-a27cda291dad&amp;displaylang=en" target="_blank">with certificate services</a> or <a href="http://www.microsoft.com/downloads/details.aspx?familyid=60c5d0a1-9820-480e-aa38-63485eca8b9b&amp;displaylang=en" target="_blank">without</a>. If you have hardware that's more than two years old and you can't upgrade it, check to see whether it supports WPA (an interim specification released before WPA2 was ratified). Both WPA and WPA2 are built on sound cryptographic principles, they're proven in the field, and they'll keep the bad guys out -- even when you're broadcasting your SSID to the world.</p>]]></content:encoded>
      <pubDate>Tue, 16 Oct 2007 03:08:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/simple ssid discovery">simple ssid discovery</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/ssid">ssid</category>
      <category domain="http://securityratty.com/tag/wireless network">wireless network</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/enterprise networks">enterprise networks</category>
      <category domain="http://securityratty.com/tag/wireless networks">wireless networks</category>
      <category domain="http://securityratty.com/tag/mac">mac</category>
      <category domain="http://securityratty.com/tag/secure networks">secure networks</category>
      <source url="http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx">Myth vs. reality: Wireless SSIDs</source>
    </item>
  </channel>
</rss>
