You are here


Observations on information security.

Command Injection Example

I'm assembling an explanation of command injection for my upcoming textbook Elementary Information Security. (yes, yes, it should be finished by now and in production, but things were delayed). This yielded a couple of diagrams that I've managed to squeeze onto a single sheet of 8.5 x 11 paper. Here's a JPEG preview:

Command Injection Poster

It is also available as a PDF file.

Post category: 

Firewall Rule Set Sizes

I've heard a broad range of claims on how large a firewall rule set might be, so I decided to dig around for published data. There are lots of quotes claiming gigantic numbers, but I only found three reports of plausible-looking data collection - one from 2001 and the others from last year. I also have notes from a fourth that I haven't verified.

In practice, firewall rule sets seem to range from 5 rules to over 25,000 rules. Some claim that even larger rule sets may exist.

The number of rules seem to depend heavily on the number of users behind the firewall, and on the firewall's implementation of the rules themselves. If a firewall can create sophisticated rules, then it takes fewer rules to implement the site's policy.

As with everything, small is beautiful. If you have a lot of rules, it's hard to keep them accurate and up to date.

Wordpress tag: 
Post category: 

"Basic Principles" of Information Security

I am finishing up a textbook on elementary information security. Unlike other books, this one targets freshmen and sophomores, and eschews memorization for problem-solving.

Trojan Horse

Sprinkled here and there are concepts we all should recognize as "basic principles" of information security: ideas that transcend programming, network design, and system administration. Now that I'm finished, here is a summary of the ones I covered. I've also noted how they compare to Saltzer and Schroeder's classic list from 1975 and, briefly, the NIST principles in SP800-14.

Post category: 

Fraudulent Public-Key Certificates

We rely on public-key cryptography to authenticate software we download from the Internet, like software updates, some Web-based software, and many device drivers. When we try to install or run such software, the system may automatically check the signature and warn us if it is missing or suspect. The system checks the signature by referring to a public-key certificate associated with the vendor who signed the software.

So what happens if the public-key certificate is fraudulent?

For that matter, what makes a certificate fraudulent, and how would such a thing arise?

A certificate is fraudulent if the name it carries does not accurately reflect the person or entity that actually controls the associated public/private crypto keys. And yes, there have been several cases of fraudulent public-key certificates.

Post category: 

Owning versus controlling hardware

The Register recently wrote about how the latest firmware in Android phones tries to un-jailbreak them. Most smart phones contain built-in features to restrict the types of software they run. The built-in iPhone software restricts it to AT&T and to apps sold by Apple's own store. Blackberry and Android has similar restrictions."Jailbreaking" bypasses these protections to allow the phone's owner to install un-approved software. Android is fighting back in real time.

AT&T system logoSo the battle is on: who really controls a phone, or any other computer-based device? Most of us assume we control our personal computers. But phones are ambiguous. We want them to work reliably as phones, so we're willing to give up some control to the phone company. Back when US phones were an AT&T monopoly, we rented everything: from the network to the wiring to the indestructible desktop handsets.

On the other hand, we buy our cell phones. In AT&T's glory days, the Bell System never sold telephones, they only rented them. As owners, shouldn't we be able to choose the software to run, or the phone company to use?

Post category: 

Stats on OS Popularity

Wolfgang Gruener took the trouble to graph data from either Net Analytics or Net Market (I'm guessing it's really the latter) to illustrate the popularity of recent Windows versions. The main story seems to have nothing to do with the graphs: 66% Of All Windows Users Still Use Windows XP.

While Windows XP was more secure than the systems it replaced, Vista and Windows 7 are much more secure than XP. Or, at least, it's easier to lock down a Win 7 desktop than an XP desktop and still have a usable system.

Mobsters on distant continents can break into business desktops and transfer funds to money mules. No doubt some of the victims are running the newest OS software, but I suspect the vast majority involve Windows XP, if not even older systems.

Post category: 

RAID on Snow Leopard

Apple Snow LeopardI had avoided upgrading to Snow Leopard for several months, and finally completed the upgrade a few weeks ago. It went mostly without trouble, though there were a few minor things that needed to be fixed.

However, I was greeted with "new and improved!" RAID support which, as usual, provides only the most terse of directions. I rely on mirrored RAID to construct off-site backups. When I went to apply my procedure to Snow Leopard, I had to figure out the difference between "Delete" and "Demote" in order to get my backups rebuilt.

[Here's a more recent post to address the disappearance of "Demote"]


Wordpress tag: 
Post category: 

The electronic library debate continues

Cousin Jon emailed me David Pogues' recent blog on copyright, with an observation on digital libraries.

The science and technology world has an interesting analog to the paper vs electronic print music debate. In our world, the problem crops up with professional papers. My own attitude is clear: if I have the choice between downloading a free copy of someone's paper I find on-line, or purchasing a copy from the professional society, I grab the free copy.

Partly this is because the original author doesn't get a penny from publication sales. In many cases the author is lucky if the association prints the paper for free, without requiring "page charges." Another reason is that, in most cases, the paper is actually made available on-line by one or more of its authors.

Wordpress tag: 

CPU-based Security Improvements Adopted Slowly

'Way, 'way back in the 1960s, computer designers tried out different techniques to limit how a computer executed its programs. Some should be pretty well known, like storage protection and the distinction between "kernel mode" for the operating system and "user mode" for applications. Another was data execution prevention (aka "DEP"), where the computer distinguishes between RAM that stores instructions and RAM that stores data. If the program tries to jump into instructions stored in data RAM, the CPU aborts the program.


Fast forward to 2010. Most microprocessors were supporting DEP in the mid 1990s; a few supported it before that. OS support came more slowly. Windows as been using one form or another of this since 2004 in XP Service Pack 2. However, it doesn't matter for most major applications, because they didn't fix their code to take advantage of it. So, if they suffer a buffer overflow, there's nothing to prevent the computer from trundling off to la-la land.

Russian spycraft ain't what it used to be

A wise note written by Johannes Ulrich of SANS Institute outlines cyber security lessons from the recent russian spy arrests. Clearly, information security tradecraft has not made its way into spy schools, at least not in Russia.

A lot of their failures trace back to a stealth search warrant a few years back that netted an encrypted drive. One of the agents fortunately noticed the slip of paper with an obscure set of letters and numbers: the written password.

Wordpress tag: 
Post category: 


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer