[SecurityRatty] tag: tom

DNS Vulnerability Survives Scrutiny of Peer Review

Wed, 09 Jul 2008 21:30:48 +0000

The security community is cynical. So much so, that most of the chatter that’s taken place over the past 24-36 hours has suggested that Kaminsky’s DNS vulnerability was little more than a publicity stunt and that his BlackHat presentation would be an over-hyped rehash of prior art. Granted, one has to suspend disbelief to even consider that something monumental would be discovered in DNS — that’s the protocol itself — but hell, it’s always nice to give a guy the benefit of the doubt.

Faced with nearly a month of criticism and questioning, and understanding the persuasive power of a technical peer review, Dan decided to expand the inner circle, so to speak. Rich Mogull arranged a phone call with Tom Ptacek and Dino Dai Zovi so that Dan could spill the beans and let them decide for themselves whether it was spin or substance. Turns out there was substance.

Now we sit around and wait until August 6th to cram into a ballroom with a thousand sweaty conference-goers to hear the juicy details. And Dan’s presentations are usually packed to the brim even when he’s not announcing anything.

In the meantime… how about patching those servers?

Dear Sir or Madam: Lottery scams proliferate

Wed, 09 Jul 2008 20:00:00 +0000

Tom Ericson, a retired bank employee who lives in Denmark, still can't get over how he lost about €60,000 (US$90,000) in a bogus lottery.

No, I Dont Know the Answer to the Big DNS Secret

Wed, 09 Jul 2008 11:26:37 +0000

Rich Mogull’s executive overview of Dan Kaminsky’s latest DNS vulnerability fluffed a few feathers yesterday:

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses.

The typical response I heard was “what do you mean, it can’t be reverse engineered? I’ll just look at the diffs!”

In hindsight, after examining the BIND diffs (yes, I did it too) and discussing with colleagues, all most people saw was UDP source port randomization and a better PRNG for generating the transaction ID, the latter of which would appear to be related to Amit Klein’s cache poisoning attack from about a year ago.

What Rich was really saying is that you can reverse engineer the patch until you’re blue in the face, but that won’t reveal the specifics of the vulnerability.

Dan’s blog post this morning appeared to confirm that interpretation:

DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.

There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that’s no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got “lucky” here — he ended up defending himself against an attack he almost certainly never encountered.

Such is the mark of excellent design. Excellent design protects you against things you don’t have any information about. And so we are deploying this excellent design to provide no information.

To translate the fix strategy into a more familiar domain, imagine large chunks of Windows RPC went from Anonymous to Authenticated User only, or even all the way to Admin Only. Or wait, just remember Windows XPSP2 :) This is a sledgehammer, by design. It cuts off attack surface, without necessarily saying why. Astonishingly subtle bugs can be easily hidden, or even rendered irrelevant, by a suitably blunt fix.

Nate McFeters appears to think that Tom Ptacek has figured it out. I’m going to go out on a limb and say that Tom didn’t figure anything out yet but still wanted to write a pithy blog post. I think that if Tom had figured it out, he would have written it down privately and posted the SHA-1 hash, as is the trendy thing to do these days.

Speculation aside, the title of Tom’s blog entry, Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!, does make an important point — Dan didn’t sell the details to ZDI, he used his influence and reputation to coordinate a massive vendor patch effort. That’s an admirable move.

Interview on IMI Tech Talk / KFNX: Cloud Computing and Security

Sun, 06 Jul 2008 17:59:05 +0000

A quick post to say a very warm welcome to IMI Tech Talk / KFNX listeners!

I was recently approached to take part in an interview about Cloud Computing and Security on IMI Tech Talk, broadcast on KFNX News Talk Radio. KFNX is a US based radio station based out of Phoenix, Arizona. More in-depth than the previous opportunity, a range of Cloud Computing technologies were discussed in the 30 minute segment:

Who am I?
What is cloud computing? (*that* question!).
Introduction to virtualization.
Examples of cloud computing services that exist today.
Barriers to entry.
Security issues of processing or storing data in the cloud
cloudsecurity.org

I will update this post when the audio archive of the show is posted.

I did mention I would provide links to useful Cloud Computing resources (as my mind went totally blank during the interview!) - watch for a post next week covering the blogs I read regularly.

Cloudsecurity.org was born as I couldn’t find any dedicated web resource discussing Cloud Computing and Security. If there are subjects you want to see covered, feel free to leave a suggestion in the Skribit sidebar to the right.

I do welcome comments in response to blog posts on the blog itself - don’t be shy :-).

For private communications I can be reached at craig.balding@gmail.com.

My thanks to the IMI Tech Talk team, particularly Tom and Eric.

Enjoy the blog,

Craig

Meme for the Fourth

Thu, 03 Jul 2008 12:18:23 +0000

Among all the bad news, its good to find things that work really well. One thing to reflect on for the fourth is that markets work and they do so primarily because of entrepreneurism. As Tom Barnett says "there is a myth that we built this country all by ourselves." Actually we had access to lots of outside capital and then worked our tails off to leverage it into something much bigger and more profound. Now you can see the same thing happening lots of other places.

But the cool thing is that in 2008 we are not stuck with the industrial age way of initiating this growth pattern - its not all big companies signing deals for timber and such; you can do it at an individual level through microloans and enable someone else to reach the next rung. Best way I have seen so far to do this is Kiva, and there is a nice meme running right now:

Tom Barnett: "...everyone who wants to make a difference should just go ahead and get their own foreign policy and stop waiting on change from above."

Beyond the uber theme of enabling entrepreneurs to make markets, there are two other themes at work here that I love. First, its bottom up not top down. Second, the technology does not have to be perfect, it just has to be good enough. If its good enough amazing things can happen.

If you are looking for something to do on the 4th, surf over to Hoff's blog, where he has started a Security Pro Funding Pool for Kiva. His goal is to raise $1,000 for Kiva businesses. Its an incredibly cool thing to do and a great way to celebrate the good stuff that's been done both in markets and technology. Being a banker to the working poor can be fun. Who knew?

Setting up a Tarpit (Teergrube) to slow worms and network scanners using LaBrea (The "Sticky" Honeypot and IDS)

Wed, 25 Jun 2008 21:14:22 +0000

New Video:Setting up a Tarpit (Teergrube) to slow worms and network scanners using LaBrea (The "Sticky" Honeypot and IDS)
A network Tarpit, sometimes know by the German word Teergrube, is a service or set of hosts that deliberately try to slow malicious network connections down to a crawl. The idea is to put up unused hosts or services on the network that respond to an attacker, but do things to waste their time and greatly slow their scanning (or spreading in the case of Worms). For this video I’ll be using a package called LaBrea by Tom Liston and tarpitting unused IP addresses on my home LAN.

Also, DecaffeinatID Intrusion Detection System ver. 0.07 is out.

A Hot Cloudless Computing Day in Florida

Tue, 24 Jun 2008 15:46:12 +0000

From the Gartner IT Infrastructure, Operations & Management Summit in balmy Florida…

First of all, I’d like to point out a major difference between the Gartner conference and the big Cisco Live user conference going on down here at the same time. Keynotes start at 8am at the Gartner show – and before that is breakfast, networking, etc. etc. John Chambers’ keynote over at Cisco Live starts at 10am. 8am versus 10am. I knew there was a reason I should have been a network engineer…

But here’s something they don’t have at Cisco Live – VP & Distinguished Analyst Thomas Bittman talking about Cloud Computing and the Future of Infrastructure.

(Picture credit: WATBlog)

Point: The idea is that it’s complex to create computing power so we should centralize it among a few providers (Google, Amazon, ebay) to gain economies of scale. Ability to drive down price by centralizing and getting to scale is just too compelling. In this scenario, computing is a commodity; IT is a commodity. Remember Nick Carr’s controversial book, “Does IT Matter”?

Gartner Counterpoint: IT is not a commodity because of constant innovation. So it’s not about a big investment in old/stagnating technology but more about developing and investing in agility. There will be not a few cloud computing providers but thousands.

A quick definition of Cloud Computing by Gartner: a style of computing where massively scalable IT-enabled capabilities are delivered as a service to external customers using Internet technologies.

Cloud Computing Drivers:

connections are becoming pervasive (anywhere, anytime)
response time expectations are shrinking
relationships are online and short-lived

Tom Bittman shared a view of the evolution of the data center – from “Silos to Clouds”. Prior to about 2002, data centers were sprawled siloed organizations focused on component management. Over time, hardware cost went down, flexibility is up spurred by technologies like virtualization and creating fluid pools of capacity that can be moved around intelligently. What we are moving towards is automated, services-oriented environment in data centers that are focused on enabling agility. Ecco Cloud Computing!

Gartner predictions:

By 2012, 80% of the Fortune 100 will be paying for some cloud computing services, and
30% will be paying for cloud computing infrastructure services.

ShareThis

Speaking of Security Podcast #110

Sun, 22 Jun 2008 20:00:00 +0000

Click to Download/Listen (12:39)

Both Gartner and Forrester, two of the leading independent technology and market research firms, recently evaluated data loss prevention (or DLP) vendors in their annual reports on this market. RSA's Data Loss Prevention Suite was named as a leader by both of these firms. Paul Joyal talks about these reports with Tom Corn, Vice President of Products for RSA's Data Security Group. And we continue with another giveaway for Podcast Listener Appreciation Month for all responders to our Authentication Poll! Listen to this week's podcast for the secret word!

Tucson area Domino's Pizza customer information exposed

Wed, 18 Jun 2008 06:43:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time? I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons. 24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up. I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals. I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scotts nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation? Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.). I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scotts tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it. I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify. The impact to the business (or organization) is not usually as easy to measure. In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc. Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information. Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach. He makes a very good argument regarding accountability in credit card breaches. My responses to him are included.

Past Breaches:
Unknown

Kiva Update

Tue, 17 Jun 2008 05:21:07 +0000

About a year ago, we signed up for Kiva, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed a $1,000 for a cow, seeds, and a motorcycle for her farm.

Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.

The loan had a 18 month pay back date, and just a couple of weeks ago (about 10 months after taking out the loan), she paid the loan in full

Kiva is focused on serving the working poor

Kiva's mission is to connect people through lending for the sake of alleviating poverty.
Kiva is the world's first person-to-person micro-lending website, empowering individuals to lend directly to unique entrepreneurs in the developing world. The people you see on Kiva's site are real individuals in need of funding - not marketing material.
When you browse entrepreneurs' profiles on the site, choose someone to lend to, and then make a loan, you are helping a real person make great strides towards economic independence and improve life for themselves, their family, and their community. Throughout the course of the loan (usually 6-12 months), you can receive email journal updates and track repayments. Then, when you get your loan money back, you can relend to someone else in need.

I really like the last pay it forward part, so the lender can elect to take the money out of Kiva's system or loan it out again, in effect the last business is putting capital back into the system to help the next entrepreneur. Additionally, big props to Paypal which supports Kiva by acting as a transaction processor and waiving fees. What's all this mean? As Tom Barnett says:

everyone who wants to make a difference should just go ahead and get their own foreign policy and stop waiting on change from above.

I added the bold, because the bottom up tools that Kiva, Paypal and the Web give us are really unique, and really powerful to enable through microloans - entrepreuners who we may never meet in countries we may never go to be successful.