[SecurityRatty] tag: times

Debunking the Latest Fear Mongering News on WPA security

Mon, 13 Oct 2008 05:07:51 +0000

I had been meaning to write about recent exaggerated claims that WPA security had been hacked, but George Ou beat me to it. The buzz comes from Elcomsoft's Distributed Password Recovery. The innovation is that they use NVIDIA GPU acceleration for password cracking and can distribute the crack across a network to multiple clients and their NVIDIA GPUs. The GPU acceleration, they claim, "reduces password recovery time by a factor of 20." They also take the unfortunate approach, in a press release, of massive gains in cracking WPA and WPA2 protection, and that they can "...break Wi-Fi encryption up to 100 times faster than by using CPU only." 100 times! 2 orders of magnitude! That must be a lot, right? Well, probably not. This is where George Ou calls shenanigans. First, he points out that this only affects password protection systems that rely on password complexity, and that, as a general rule, the time involved is proportional to the complexity of the password. So if your password would normally take a million years to crack, it would take 10,000 years with this system. Draw your own conclusions. He also points out, just to get past the WPA buzzwordism, that this is a more general attack mechanism and could, for example, be used against certain VPN systems. With respect to WPA/WPA2 specifically, the attack is generally useful only against home users, because they are generally the ones using PSK (Private Shared Key) authentication. "It has zero affect enterprise mode WPA deployments which use TLS protected authentication such as PEAP or EAP-TLS. Internal LAN authentication schemes such as NTLM and LDAP are also significantly weakened. SSL authentication schemes are not vulnerable to this particular attack." If you are relying on password complexity for protection then his advice, and mine, is old news: first, if you're a business, perhaps you should be using a TLS-based authentication system. Also, you should make sure that your passwords are sufficiently complex and changed often enough. Ou has some specific advice about this in his column, but as he says, there are usually easier ways to get passwords (like offering people chocolate for them) than to spend years cracking them with thousands of dollars of computing power.

The Importance of Advance Planning in Executive Protection

Sun, 12 Oct 2008 16:10:00 +0000

I was delighted to see the Herald Standard quoting an executive/close protection agent regarding the importance of Advance work.

Sy Alli is an E.P./C.P. team leader for "Limited Brands Inc.," and was speaking at the California University of Pennsylvania's 2nd annual conference on Corporate and Homeland Security.

Mr. Alli was describing a previous trip to Indonesia where he was in charge of the advance to make sure everything was in place before the Principal arrived out with the other protective agents. Very accurately, he described the need to cover every minute detail from the routes of travel to the alternative routes and to include such important features as local hospitals should medical treatment be needed.

Another important point highlighted was the need for agents to have access to contacts in different countries who could assist with logistics, general and specialized support on the ground, current political situations, etc.

Far too often I am approached by security persons (and not even all are qualified/trained in executive or close protection)who find out that we may have overseas work and want to be included. On some occassions, those requesting to be included on the detail did not even have a current passport!

If you are serious about making a career out of this line of work, you owe it to yourself to do your homework. Over the years I have developed hundreds of contacts all over the world who will respond immediately and who can be trusted to support us in any number of situations and scenarios.

This took a lot of preparing and involved constant contact. It is not something that you throw together a day before your client is scheduled to arrive in a country. If you have people in different parts of the country, or world if you wish to work globally, who can assist when you are in need, you will be able to facilitate your client in a way that will not only gain his/her admiration, but will undoubtedly cement your position in that client's security detail.

In these unsure times, there is a lot to be said for knowing your job is safe for the foreseeable future.

New Tool For Graphics Cards Threaten Wireless Networks Encryption

Fri, 10 Oct 2008 19:19:36 +0000

Russian firm ElcomSoft has applied GPU acceleration technology to a new password recovery tool that allows PCs or servers running supported NVIDIA video cards to break Wi-Fi encryption up to 100 times faster than is possible by using conventional microprocessors. Recovery times for Wi-Fi keys are increased by a factor between 10 to 15 in [...]

Expanding Response: Deeper Analysis for Incident Handlers

Fri, 10 Oct 2008 04:38:00 +0000

To achieve my GCIH Gold, I recently completed a paper called Expanding Response: Deeper Analysis for Incident Handlers, now available in the SANS Reading Room. The premise was to further expand on the topics discussed in my Malware analysis tools post. This paper includes tools discussed at various times in my toolsmith column in the ISSA Journal, and includes details on Argus, HeX, NSM-Console, and NetworkMiner.

Abstract:
"The perspective embraced for this discussion is that of an analyst who is working a process to determine the exact nature of malicious software on his network. He is in receipt of the above mentioned .exe and .pcap files and seeks to further his understanding with the use of less typical tools. She begins the process with the network capture, and then takes a closer look at the binary to see what can be learned and what the impacts of an outbreak on her network might be."

del.icio.us | digg | Submit to Slashdot

Innovators, Imitators and Idiots

Tue, 07 Oct 2008 04:32:33 +0000

Charlie Rose interviews Warren Buffett:

Charlie Rose:
And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage. We just lost sight of risk and leverage of what was appropriate?
Warren Buffett:
Yeah. Again, because it pays off for a while. You know, you can lose leverage, and it's the only way a smart guy can go broke. If you owe money, you can't pay them out. You just pay for everything, you do smart things, you eventually get very rich. If you do smart things and use leverage and do one wrong thing along the way, it could wipe you out, because anything times zero is zero. But it's reinforcing when the people around you are doing it successfully, you're doing it successfully, and it's a lot like Cinderella at the ball. I mean you know at midnight everything is going to turn to pumpkins and mice; right? But if the evening goes along, I mean, you know, the guys look better all the time, the music sounds better, it's more and more fun, you think why the hell should I leave at quarter of 12. I'll leave at two minutes to 12. But the trouble is, there are no clocks on the wall. And everybody thinks they're going to leave at two minutes to 12.

Its effectively the job of leadership to know when to take the punch bowl away and to have the credibility to do this. This is also the risk-reward balance that infosec must try to strike, part of the answer is differentiating risk and uncertainty. As our current financial situation shows, its a hard thing to pull off

Charlie Rose:
And should wise people have known better?
Warren Buffett:
People should always know better.
Charlie Rose:
Yeah.
Warren Buffett:
I mean people -- people don't get -- they don't get smarter about things that get as basic as greed and you can't stand to see your neighbor getting rich. You know you're smarter than he is, and he's doing these things, you know, and he's getting rich, and your spouse is getting unhappy with you because you aren't doing -- pretty soon you start doing it. And so you get what I call the natural progression, the three Is. The innovators, the imitators, and the idiots. And that's what happens. Everybody just kind of goes along. And you look kind of silly if you disagree. I mean, you know, you could have these crazy Internet valuations in the late 1990s, but they prove themselves out in the market. The next day they were selling for more than they were the day before, and people said, you know, you're crazy if you don't get in on this. So it's very human. Now, with housing it's something even more dramatic than that, because most people aspire to own their own home. And if you really think that houses prices are going to go up next year and the year after, you feel if I don't buy it this year, I'm going to have to buy it next year. That's not true of an Internet stock. But it's true of a home. And when somebody makes it very easy for you to do it by saying you don't really have to put up my money, you can lie about your income a little, or we'll give you 100 percent mortgage, you're going to do it, because everybody that's done it has been proven right. You have what they call social tools, and, you know, you're going to feel like an idiot if you didn't do it, because the house cost more.

And this is why its hard to pull off. There is a lot of human emotion and envy (*). I think the point Buffett raises about innovators, imitators and idiots is a useful one for infosec. We see all kinds of new projects and technologies that have risks and rewards associated with them, its helpful to categorize these under innovation (high risk but possible game changer), imitators (so called best practices), and idiots (sheep mode - blind risk acceptance). We can get some traction here to use these concepts to understand what to do when assessing say the architectural and oeprational risk of a system.

Finally, we should always spend some time to consider infosec decisions in a broader long term economic context and this is also true of our current financial crisis

Warren Buffett:
Oh, I think confidence will come back. I will tell you this. This country is going -- be living better ten years from now than it is now. It will be living better in 20 years from now than ten years from now. The ingredients that made this country, you know, the miracle of the world -- I mean we had a seven for one improvement in the average American standard of living in the 20th century. Now, we had the great depression, we had two world wars, we had the flu epidemic. You know, we had oil shock. You know, we had all these terrible things happen. But something about the American system unleashed more and of a potential to human beings over that hundred years so that we had a seven for one improvement in -- there's never been any -- I mean, you have centuries where if you've got a 1 percent improvement, then it's something. So we've got a great system. And we've got more productive capacity now than we ever have. The American worker is more productive than he's ever been. We've got more people to do it. We've got all the ingredients for a sensational future. It's just that right now the athlete's on the floor. But we -- this is a super athlete.

Again, we want to look at risk events in a broader, long term context. In Buffett's words its - "be fearful when others are greedy and greedy when others are fearful." As the world panics and Jim Cramer is melting down on TV, Buffett is quietly writing checks with both hands, buying $3B of GE, $5B of Goldman, $6.5 of Wrigley/Mars and so on. Uncertainty is one thing, it could be 6 months it could be 5 years until this thing turns around, but risk is another - you hedge your risk with price and long term advantages, i.e. moats. People will still eat candy in a bad economy.

* Buffett's partner Charlie Munger calls envy the stupidest of the seven deadly sins, because only you feel bad, there is an upside to all the others. He said you can pay someone on Wall St $2 million a year and they will be perfectly happy until they find out someone across the hall is making $2.1 million and then they will be miserable. Which is an insane way tolive.

Acceptable risk in changing economic times

Sun, 05 Oct 2008 20:00:00 +0000

You know the game "chicken"? That describes what it feels like as companies push for more growth and innovation in a time of increasing economic uncertainty. Today's business landscape is like a volcanic field, with eruptions taking place left and right. Rising fuel and commodities costs have changed the equation for many businesses. The effects ripple from suppliers through layers of the value chain to businesses that might not initially have thought they were at risk.

Article in the Irish Times

Fri, 03 Oct 2008 09:43:49 +0000

On Wednesday I was interviewed by the Irish Times.

Modelling The Global Financial Meltdown

Thu, 02 Oct 2008 02:33:20 +0000

Yesterday I received a call from Penny Grosman, Senior Editor, Wall Street & Technology. Penny was interested in my opinion, “Will risk management applications be the next killer app for CEP” on Wall Street. I enjoyed talking with Penny. She caught up with me leaving a tailor’s shop in Chiang Mai, so I hope she did not mind hearing my stories of buying unique Northern Thai cotton fabric and designing my own casual shirts in the economic turndown.

We read many stories on the net where folks claim that the current financial crisis could have been avoided with more or better use of technology. This is expected, as software companies and IT professionals will often try to piggy-backtheir business development strategy on the “crisis of the day” to sell more goods and services. Honestly, in this current situation, the main technology that we needed was simple, accurate financial models.

For example, in the chart above, the US economy was doing quite well with US federal funds rates low. Housing prices in the US were skyrocketing and there was a concern about inflation. There was an understandable concern the sustainability of that economy.

So, in perhaps one the most ill-advised Federal Reserve actions of many decades, the folks at the helm of the Fed decided to raise their lending rates around 500 percent over a two year period.

As we all know, primarily because of the action by the Fed, the world faces perhaps the worst economic disaster in modern times, while the US Executive Branch and the Congress fight over how to spend $700 Billion taxpayer dollars to inject liquidity into the markets to try to head off a global financial disaster.

It is amazing to me that the US Federal Government, or their advisors, does not have simple financial models with cause-and-effect analysis such as:

Homeowners with adjustable rate mortuages will not be able to make payments;and
Housing prices will fall dramatically; then
Homeowners will default on loans where the collateral is much less than the asset value, and
Banks will suffer great losses, and
Lending will come to a halt, then
Banks will collapse, then
Wall Street will exit the markets in panic
… and more trouble….. !!

There are and continue to be a lot of discussion and opinions about how risk management needs improvement. and I agree. We will also read folks talk about how technology can be used to help solve this problem, including CEP/EP and related software (see also Capital Market CEP Fantasy Land). However, as much I would be pleased to see more CEP/EP applications and use cases, I do not believe that event processing technology is really very useful to solve the core problem of the current financial crisis.

The core problem is, seemingly, that our “financial experts” do not even have simple models that will illustrate what will or could happen when you raise the fed lending rates 500 percent in two years in an economy pregnant with adjustable rate mortgages.

To me, this does not appear to be rocket science. The negligence by the US Federal Reserve and their advisors is astonishing.

John McCain: Desperate and Reckless

Fri, 26 Sep 2008 14:54:27 +0000

Normally I would not blog about political topics here, but this is an extraordinary time in history and extraordinary times call for extraordinary posts from time-to-time.

John McCain is, objectively, a bad decision maker, desperate and reckless. He knows that his party is in trouble and that the Democrats have the advantage; so what does he do?

First, he picks a very conservative, inexperienced female governor from Alaska who, until recently, did not even have a US passport, as his running mate. This was an obvious act of desperation, thinking that he could pull the Hillary votes in the election. A heartbeat from the US Presidency at a time when there are two ongoing wars and our country on the verge of economic collapse and he gambles with a “Hail Mary” touchdown pass? This is not the man we need as President.

Then, not even a member of the Banking committee in the Senate, and self-described “not knowledgeable on economic issues”, John McCain tries another “Hail Mary” pass by rushing off to DC to “save the world” and tries to demand Obama suspend his campaign and the debates? The US is on the brink of economic collapse and McCain puts politics and election desperation above the future of the country? This is not the man we need as President.

During the same period, Barack Obama has proven to be cool, intelligent, and a good decision maker. This should be obvious to anyone with the mind to actually think what is good for the country and not about politics.

John McCain is desperate and reckless. We don’t need desperate and reckless people leading this country.

250k of Harvested Hotmail Emails Go For?

Thu, 25 Sep 2008 08:13:08 +0000

$50 in this particular case, however, keeping in mind that the email harvester is anything but ethical, this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale, may in fact be already available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling in the niche of email harvesting by distinguishing between different types of obfuscated emails by releasing an easily embeddable module, was an anticipated move. What's to come? Spam and malware campaigns across social networks "as usual" will propagate faster thanks to the ongoing harvesting of usernames within social networks, that would later on get imported in Web 2.0 "marketing" tools targeting the high-trafficked sites and automatically spamming them.

From a spammer's perspective, geolocating these 250k emails could increase their selling prices since the buyers would be able to launch localized attacks with messages in the native languages of the receipts. Is the demand for quality email databases fueling the developments of this market segment, or are the spammers self-serving themselves and cashing-in by reselling what they've already abused a log time ago? That seems to be the case, since there's no way a buyer could verify the freshness of the harvested emails database and whether or not it has already been abused.

For the time being, we've got several developed and many other developing market segments within spamming and phishing as different markets with different players. On one hand are the legitimately looking spamming providers offering "direct marketing services" working with lone spammers who find a reliable business partner in the face of the spamming vendor whose customers drive both side's business models. On the other hand, you've got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure -- already available as a module to integrate in managed spamming services -- using legitimate services as a provider of the infrastructure.

Despite that the arms race seems to be going on at several different fronts, spammers VS the industry and spammers VS spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources for research and development in order to ensure that they are always a step ahead of the industry.

Related posts:
Harvesting Youtube Usernames for Spamming
Thousands of IM Screen Names in the Wild
Automatic Email Harvesting 2.0
Dissecting a Managed Spamming Service
Managed Spamming Appliances - the Future of Spam
Inside an Email Harvester's Configuration File
Segmenting and Localizing Spam Campaigns
Shots from the Malicious Wild West - Sample Four