You are here


Observations on information security.

Parameter substitution attack on antivirus software

Researchers at have found a parameter substitution attack on antivirus software.

One effective antivirus strategy is to watch how a program uses the operating system. Malicious software may tell the system to do suspicious things, like loading an invalid kernel mode driver. The antivirus software checks the parameters passed to system functions to detect and block such things.

However, the antivirus software performs the checks on user mode data. Thus, a subverted user mode program can swap a "safe" parameter for a subverted one after the antivirus check takes place. This is especially true when you have multiple cores.

Post category: 

9-year-old hacks the school superintendent

Jeremy Epstein reported this terrific report to Peter Neumann's Risks List: a school kid logged in as superintendent of schools. This was in Fairfax County, where I grew up. They use Blackboard, just like the college where I teach.

And yes, we're talking about a nine-year-old. It turned out to be a security policy problem. A teacher can add a student to a class, and a teacher has the power to change a student's password.

The kid found out his teacher's Blackboard password. They don't say how in the news, but it may have been written on a post-it, or some other piece of paper, or it may be the same as a password the kid watched the teacher use somewhere else, or it could just be an easy-to-guess choice.

Wordpress tag: 
Post category: 

Security Versus Compliance: Old Guard Versus Digital Natives?

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs - you can't do much retail work unless you take credit cards - so it's hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don't make a special effort to protect company-specific assets.

Kapersky Labs posted a reasonable summary of the report.

Slashdot's title writers dramatically misread the report, summarizing it under the title "Compliance is Wasted Money." I tend to think of Slashdot as being edgy in a digital native sort of way, so I'm surprised they spun it that way.

I think the report reflects two things. First, companies don't want to spend money to assess their losses from leaked company data, unless they're already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don't want to collect such information: bad news makes management look bad, and there's no countervailing data to show a measurable benefit to being a more open company.

Post category: 

Not the Droid

I recently migrated from my venerable Palm Treo 700 to a Blackberry Storm II. In between I had a brief fling with a Droid, but jettisoned it after about a day. There were two problems. First, it's too much like having a laptop instead of a phone, IMHO. Second, I don't like the security model.

When we talk about the "Droid security model" we're really talking about the Android operating system and not about any particular phone. The exact phone I had isn't as important as the mechanisms that are undoubtedly common to all Droids.

The basic problem is that it's too vulnerable to malware like viruses, worms, or Trojan horses. This is a feature of its openness, but not a feature I personally crave on my cell phone. My phone serves a little as an electronic wallet, and I don't want malware in there, even if it limits my choice of apps.

Post category: 

The blunt sword of legislation

Minnesota's Senator Klobuchar has co-sponsored a bill to criminalize certain behavior by peer-to-peer file sharing programs.

The bill is supposed to require a sort of informed consent by computer owners whenever a P2P file sharing program arrives. Here's what the bill wants to require:

• Ensures that P2P file sharing programs cannot be installed without providing clear notice and obtaining informed consent of the authorized computer user.

• Makes it unlawful to prevent the authorized user of a computer from:

1. Blocking the installation of a peer-to-peer file sharing program, and/or

2. Disabling or removing any peer-to-peer file sharing program.

Having taught several networking courses (not to mention having written my share of networking software), I'm not sure where they can draw the line. What constitutes 'clear notice,' and does that include such things as Windows and Apple file sharing? Do these OS vendors already comply with planned legislative requirements, or will they have to update their configuration software?

Does "Microsoft Genuine Advantage" violate the law if it won't let the computer owner block its communication with the Mother Ship in Redmond? If so, how does Microsoft check for people using the same license on two or more computers?

Post category: 

The cost of security failure

Marcus recently finished this 'creative project' as he calls it.
Post category: 

Profiling ("Fingerprinting") a Browser

EFF (Electronic Frontier Foundation) has put up a web site called Panopticlick.

It collects every scrap of info from your browser that it can - a browser will divulge a lot in order to optimize its display of information - so a server can find your screen size, a list of fonts, and of course the operating system and browser versions. This is even without looking for cookies!

So a clever site could try to 'fingerprint' individuals by retrieving system details from the browser.

Wordpress tag: 
Post category: 

Paying for Identity

Marcus Ranum and Bruce Schneier recently had another one of their "face-offs," this time, discussing anonymity on the Internet. Bruce argued strongly in favor of it, but then so did Marcus - with a cleverly nuanced argument.

The problem with Internet anonymity is that it's so incredibly cheap - fraud and spam is easy to do because it's almost free to adopt a new identity on the Internet. Many spam/scam techniques rely on creating bogus IDs wholesale.

Wordpress tag: 
Post category: 

RockYou and Password Choices

A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, they were trying to do site aggregation stuff - using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext. Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross site scripting vulnerability.

John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.

The actual report is poorly drafted - you can't tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn't share. They did share a list of the 20 most common: the most common word was "Password" while "princess" and "Nicole" were the most common names.

Post category: 


Paul Ardoin, a former colleague, has posted some comments on Bring-Your-Own-Computer, the notion that companies should rely on employees' personal laptops. My security-wonk-alarm went off when I read this, but I'm thinking the concept has some merit.

This is somewhat related to the question of using a company car versus the company paying you for mileage on your own car. People in general tend to take better care of their own car.

Wordpress tag: 
Post category: 


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer