There is something quite surreal about what is happening with John McAfee, the author of the popular McAfee Antivirus, who is rich, lives in Belize and has recently been accused by the authorities of murdering his neighbour. Instead of cooperating with the police he has fled, arguing that this is a conspiracy and that the police (or someone) are after him. This in itself is already a bit odd, but his subsequent actions are even more bizarre…
You would think that someone who believes the whole system is corrupt would try to flee the country, but no. John McAfee is staying in the same city, posting a blog about his escape, offering $25K to anyone who can help him catch the “real” killer and even describing the numerous disguises he has used to approach his house and the police around it while conducting his own investigation…
I made my feelings very clear about the use of Dropbox in the enterprise in a previous post. I still believe Dropbox and similar cloud storage solutions such as Google Drive or SkyDrive are a time bomb waiting to go off for many companies who are busy securing their infrastructure but forget to look at the data leaving their premises through the back door, or simply do not appreciate how tablets and smartphones are driving their users’ behaviours and requirements.
There will be a lot of red faces if/when Dropbox and Co announce they have been hacked.
However, I have recently come across a great tool that can help reduce the impact of such a bad scenario. It is called Boxcryptor.
Boxcryptor creates an encrypted folder under your cloud storage directory (e.g. Dropbox) and encrypts files on the fly, which makes it much faster and more transparent than the TrueCrypt-based solution I described before. The encryption keys are stored locally and are known only to you. The client runs on many different platforms: Mac, PC, iOS and Android.
Boxcryptor works very well, but it is important to note a difference in software behaviour between a Mac and a PC.
On a Mac, if you install Boxcryptor it will create an encrypted folder in your cloud storage directory.
It will also create a new “disk” which gives you direct access to that encrypted folder.
You then have a choice: you can either drop files onto this “disk” or into the encrypted folder in your cloud storage directory. These two actions are the same, and the files will be encrypted in both cases.
On a PC, if you install Boxcryptor it will create a folder in your Cloud Storage directory. Note that I did not say encrypted folder. It will also create a new “disk”.
The difference between the PC and Mac implementations of Boxcryptor is that, on a PC, files are only encrypted if you drop them onto your Boxcryptor disk. They will not be encrypted if you drop them directly into the Boxcryptor folder in your cloud storage directory. That folder and the Boxcryptor disk are not the same thing, so the two actions are not equivalent.
This can be confusing: a user may forget about that difference and copy sensitive files directly into the Boxcryptor folder in their cloud storage, thinking those files are going to be encrypted when they are not. Worse, the cloud client will happily sync those plaintext files to the provider in the meantime.
To be fair, there is a readme file in the Boxcryptor “encrypted” folder. But chances are nobody will read it and, more importantly, people will forget about it.
My recommendation is to get into the habit of copying files to the Boxcryptor disk only. That way you can always be sure they get encrypted (and that the software is actually running in the background!).
I have contacted the authors and they are aware of this difference in behaviour. Although they did not commit to any release date, they are apparently working on it.
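As an added example (my own code, not part of the post and not part of Boxcryptor), here is a small Python check for exactly that mistake: it walks a synced folder and flags files whose content has low byte entropy, which is what a plaintext document looks like and what properly encrypted data does not. The folder, the entropy threshold and the sample files are constructed assumptions; the script knows nothing about Boxcryptor's own file format, so treat a high-entropy result as "probably not plaintext" rather than as proof of encryption.

```python
import math
import os
import tempfile
from collections import Counter

# Heuristic threshold (assumption): well-encrypted data looks like random
# bytes, i.e. close to 8 bits of Shannon entropy per byte. Documents, source
# code and most plaintext formats sit well below this value.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # read at most this much from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_plaintext(path: str) -> bool:
    """True if the first SAMPLE_BYTES of `path` have low entropy, i.e. the
    file is probably stored unencrypted. Empty files are not flagged."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return len(head) > 0 and shannon_entropy(head) < ENTROPY_THRESHOLD


def scan_folder(root: str, skip_names=("readme.txt",)) -> list:
    """Walk `root` and return (sorted) relative paths of files that look
    unencrypted. The readme Boxcryptor drops in the folder is skipped."""
    suspects = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in skip_names:
                continue
            full = os.path.join(dirpath, name)
            if looks_plaintext(full):
                suspects.append(os.path.relpath(full, root))
    return sorted(suspects)


def demo() -> list:
    """Build a constructed Boxcryptor-style folder and scan it."""
    root = tempfile.mkdtemp(prefix="boxcryptor_demo_")
    # Constructed sample: a CSV dropped into the folder directly (the mistake
    # the post warns about) and a file of random bytes standing in for a
    # properly encrypted one. Neither is real data.
    with open(os.path.join(root, "salaries.csv"), "w") as fh:
        fh.write("name,salary\n" + "\n".join(f"user{i},{40000 + i}" for i in range(500)))
    with open(os.path.join(root, "contract.pdf"), "wb") as fh:
        fh.write(os.urandom(8192))
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Files copied here are NOT encrypted on Windows.\n")
    return scan_folder(root)


if __name__ == "__main__":
    for rel in demo():
        print("UNENCRYPTED?", rel)
```

Point `scan_folder` at the Boxcryptor folder inside your Dropbox directory on the PC. Note the limitation of the heuristic: compressed formats such as .zip, .docx or a PDF with compressed streams are also high-entropy and will not be flagged, so the check catches the obvious plaintext that matters most but cannot prove a file was encrypted.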
Security Onion is an open source Linux distribution that makes deploying an IDS/NSM a very easy task indeed, and I highly recommend you try it at home, especially since you can do everything in a VM…
If you have ever been through a Snorby installation yourself, you will appreciate this distribution even more as everything is done for you. The installation process only asks a couple of questions and you should be ready to monitor your network, analyse data through full packet capture within 15 minutes!
The latest beta is even better, and lets you use your own Ubuntu-flavoured distribution if you prefer not to use the default one provided. It is based on Ubuntu 12.04 and comes with Snort, Suricata, Bro, ELSA, Sguil and more.
This video below gives a great summary of what this is all about (it is an hour long, but like any good movie you won’t see the time fly ;)
The author and presenter, Doug Burks, also answers an interesting question near the end of the video about HTTPS traffic and how it could be handled as part of an IDS solution. Specifically, he gives the following advice: use viewssld or Bro.
Viewssld is a tool that can intercept and decrypt HTTPS traffic, but only to sites you own, as explained HERE, because you need the server's private RSA key for the traffic you want to intercept and analyse. (It also only works for cipher suites that use RSA key exchange; sessions negotiated with ephemeral Diffie-Hellman cannot be decrypted this way even with the private key.)
Being able to see HTTPS traffic to sites you own is good, but really what you need is to see all HTTPS traffic, especially since that traffic could be malware calling home or a means of bypassing corporate web filtering solutions.
There are other (expensive) interception proxy solutions available which can intercept all HTTPS traffic, but I always thought that implementing what is basically a man-in-the-middle HTTPS proxy would mean users get certificate validation warnings every time they try to access something like https://www.example.com and receive instead a certificate issued by https://my_interception_proxy.com (unless the proxy's signing CA has been pushed into the trust store of every client, which is only practical for managed devices).
Having said that, there is a great paper published by Dell back in March during Black Hat Europe 2012. It describes how the use of a SubCA chained to a public root (if you can get one!) in interception proxies can make this process less visible/disruptive to the user. They also describe the use of transitive root trust to achieve a similar goal.
But back to Doug Burks' Security Onion video, where he also mentions using Bro and leveraging its network anomaly monitoring capability. I see that as a quick win, and one that is easy to implement for free!
The idea is that malware or attackers are more likely to use self-issued certificates, and by analysing anomalies in HTTPS traffic through Bro you should be able to identify HTTPS sessions whose certificates do not follow the usual standards or are not fully trusted. So even if you still can’t see what is being transmitted, you would at least get an indication that something is wrong and where to look further (source IP, further pattern analysis, etc.).
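To show what that looks like in practice, here is an added example (mine, not Doug Burks' or Security Onion's code): a Python script that reads Bro's tab-separated ssl.log and flags sessions whose certificate failed validation, is self-signed (subject equals issuer) or was served on a non-standard port. The field names are an assumption based on Bro 2.x ssl.log with the validate-certs policy loaded; the parser takes the column names from the `#fields` header, so it follows whatever your own log contains. The log lines are constructed for the example and use documentation IP ranges.

```python
# Constructed sample in Bro's tab-separated ASCII log format (not a real capture).
# Column names are an assumption: Bro 2.x ssl.log with validate-certs loaded.
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher"
    "\tserver_name\tsubject\tissuer_subject\tvalidation_status\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring"
    "\tstring\tstring\tstring\tstring\n"
    "1350000001.1\tC1\t10.0.0.5\t51000\t93.184.216.34\t443\tTLSv10"
    "\tTLS_RSA_WITH_AES_128_CBC_SHA\twww.example.com"
    "\tCN=www.example.com,O=Example Inc\tCN=Example CA,O=Example Inc\tok\n"
    "1350000002.2\tC2\t10.0.0.7\t51001\t198.51.100.23\t443\tTLSv10"
    "\tTLS_RSA_WITH_RC4_128_SHA\t-\tCN=localhost\tCN=localhost"
    "\tself signed certificate\n"
    "1350000003.3\tC3\t10.0.0.9\t51002\t203.0.113.77\t8443\tTLSv10"
    "\tTLS_RSA_WITH_AES_256_CBC_SHA\t-\tCN=update-server\tCN=Some Root"
    "\tunable to get local issuer certificate\n"
    "#close\t2012-10-12-00-00-00\n"
)

UNSET = "-"  # Bro writes "-" for a field that was not set


def parse_bro_log(text: str) -> list:
    """Parse a Bro ASCII log into a list of dicts keyed by the #fields names.
    Comment/metadata lines (#separator, #types, #close, ...) are skipped and
    rows whose column count does not match the header are ignored."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                continue
            records.append(dict(zip(fields, values)))
    return records


def suspicious_tls(records: list, expected_ports=("443",)) -> list:
    """Return one finding per SSL session that shows a weak trust signal.
    Each finding carries the Bro uid, the endpoints and the list of reasons,
    which is where you would start the pattern analysis the post mentions."""
    findings = []
    for r in records:
        reasons = []
        status = r.get("validation_status", UNSET)
        if status != UNSET and status != "ok":
            reasons.append("validation: " + status)
        subject = r.get("subject", UNSET)
        if subject != UNSET and subject == r.get("issuer_subject"):
            reasons.append("self-signed (subject == issuer)")
        port = r.get("id.resp_p", UNSET)
        if port not in expected_ports:
            reasons.append("non-standard port " + port)
        if reasons:
            findings.append({
                "uid": r["uid"],
                "src": r["id.orig_h"],
                "dst": r["id.resp_h"] + ":" + port,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_tls(parse_bro_log(SAMPLE_SSL_LOG)):
        print(f["uid"], f["src"], "->", f["dst"], "|", "; ".join(f["reasons"]))
```

Run it as `python script.py < /nsm/bro/logs/current/ssl.log` after swapping the constructed sample for `sys.stdin.read()`. A self-signed or untrusted certificate is a signal, not a verdict: internal appliances and test servers produce the same pattern, so the value is in correlating the source host and destination with the rest of the NSM data rather than in alerting on each row.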
Hats off to Doug Burks and all the other Security Onion contributors!
PS: For more info on SSL and how it really works, there is also a great READ HERE.
This is something that is increasingly needed, but is Kaspersky the best entity to produce such an OS? To contribute to or review it, certainly. But to drive its development? I am not so certain. I would have thought that developing an OS requires more specific skills than just security ones. One could argue that making security the core skill used in developing that OS should make it more secure, but I would argue back that it could also introduce performance issues… And performance is a health/security risk in its own right, especially when speaking about critical systems such as process control environments.
Kaspersky Lab is engaging with different vendors and ICS operators, so they should acquire some expertise on what those systems require. Another interesting point is how Eugene Kaspersky ends his blog announcement: “there will be some details that will remain for certain customers’ eyes only”. Should a truly secure environment be closed rather than open source?
Then there is the question of support and its backend infrastructure, longevity of the company, etc…
To conclude, this is a great initiative but creating an OS is not just like creating a new application…
There is something about deception: it can bypass a lot of security controls through a very basic principle, making you believe in something that isn’t there. It is a bit like magic.
Like this WEBSITE, which shows what the new HTML5 fullscreen function can make you believe: that you are on a bank website when in fact you are on a phishing site. The link is harmless and only serves as an example, one I would advise you to try yourself (you can’t enter any details anyway, in case you haven’t understood that it isn’t really a Bank of America website).
Basically, they use the HTML5 Fullscreen API to redraw your browser's tabs and URL bar inside the page. If you are not used to browsing the internet in full-screen mode you would see through the trick straight away. However, if you follow the trend of browsing in full-screen mode, especially on mobile phones or on Macs where Apple has fully integrated it into the latest OS X (10.8), then it is something to watch out for. The one tell the page cannot fake is the browser's own “press Esc to exit full screen” notice, so it pays to look for it. Very often, the crudest and simplest hacks are what work best.
RSA recently announced its Distributed Credential Protection (DCP) technology, which should help limit the impact of password leakage/theft when the system storing the passwords gets compromised. It does this by splitting stored credentials across different systems.
In its current implementation it uses two servers. One server (BLUE) stores the password XORed with a random number, and the other server (RED) stores that random number.
When a user wants to authenticate, the client XORs the password with its own fresh random number. It then sends the transformed password to the BLUE server and the new random number to the RED server.
The BLUE and RED servers then compare the stored password with the one the user just provided. At this stage, I guess BLUE must communicate with RED to obtain the corresponding random numbers.
I think it is a great idea, and it leverages what is called threshold cryptography, “the art of chopping a secret into little bits”. A few things come to mind though:
- Why use only two servers? This could be expanded to multiple servers, each with different security settings/OS, making it harder to compromise them all.
- Why apply this only to passwords? What about documents/files?
- To verify that the password is correct, the servers must communicate at some point to compare the XORed password and the random number used. If that is the case, then if the BLUE server gets compromised, what stops the attacker from misusing the communication protocol and leveraging the compromised BLUE server to extract information from the RED server, removing the need to compromise that server too? I could not find enough information at this time on how RSA verifies that passwords are valid, so I would hope they have thought about that in their design.
- Again, this will not stop the number one issue with passwords: human weakness (post-its, simple passwords, eavesdropping, man in the middle/coffee shop, etc.).
It is definitely an interesting technology, which I hope to learn more about soon!
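To make the splitting scheme and the concern in the third bullet concrete, here is an added toy in Python (my own code, not RSA's DCP, whose verification protocol the post notes is not public). It implements the two-server XOR split exactly as described above, then a naive verification step, an assumption for illustration only, in which each server XORs its stored share with the share sent for the login and BLUE sends a hash of its result to RED for comparison. The toy then shows what an attacker holding RED can do with that one hash: run the password guess offline, with no further traffic to BLUE. The passwords and the dictionary are constructed sample data.

```python
import hashlib
import os

# Assumption: passwords are encoded into a fixed width so that shares leak
# nothing about password length. Real systems need far more care than this.
SHARE_LEN = 32


def pad(password: str) -> bytes:
    """Length-prefixed, zero-padded fixed-width encoding of the password."""
    raw = password.encode("utf-8")
    if len(raw) >= SHARE_LEN:
        raise ValueError("password too long for this toy")
    return bytes([len(raw)]) + raw + b"\x00" * (SHARE_LEN - 1 - len(raw))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes):
    """Two-server XOR split as the post describes: RED keeps a random r,
    BLUE keeps secret XOR r. Either share on its own is uniformly random."""
    r = os.urandom(len(secret))
    return xor(secret, r), r  # (blue_share, red_share)


def combine(blue_share: bytes, red_share: bytes) -> bytes:
    return xor(blue_share, red_share)


def enrol(password: str):
    """Enrolment: the client splits the padded password and sends one share
    to each server. Returns (blue_share, red_share)."""
    return split(pad(password))


def naive_verify(stored, attempt_shares):
    """Naive comparison (an illustrative assumption, NOT RSA's protocol).
    Each server XORs its stored share with the share for this login, and BLUE
    sends a hash of its result to RED. The results are equal exactly when the
    passwords match:  (p ^ r) ^ (p' ^ r') == r ^ r'  <=>  p == p'.
    Returns (verdict, the hash that crossed the wire)."""
    blue_stored, red_stored = stored
    blue_login, red_login = attempt_shares
    blue_message = hashlib.sha256(xor(blue_stored, blue_login)).digest()
    verdict = hashlib.sha256(xor(red_stored, red_login)).digest() == blue_message
    return verdict, blue_message


def offline_guess_from_red(red_stored, red_login, attempt_password,
                           blue_message, dictionary):
    """What a compromised RED can do: it knows r and r', it chose p' itself
    by acting as the client, and it saw hash(p ^ r ^ p' ^ r'). Every candidate
    p* is then testable offline, so the rate limit on logins no longer helps."""
    mask = xor(xor(red_stored, red_login), pad(attempt_password))  # r ^ r' ^ p'
    for cand in dictionary:
        if hashlib.sha256(xor(pad(cand), mask)).digest() == blue_message:
            return cand
    return None


def demo():
    stored = enrol("correct horse")
    _, red_stored = stored
    ok, _ = naive_verify(stored, split(pad("correct horse")))    # right password
    bad, _ = naive_verify(stored, split(pad("Tr0ub4dor&3")))     # wrong password
    # Attacker holding RED logs in once with a password of its own choosing
    attempt = "zzz"
    attempt_shares = split(pad(attempt))
    _, leaked = naive_verify(stored, attempt_shares)
    recovered = offline_guess_from_red(
        red_stored, attempt_shares[1], attempt, leaked,
        ["password", "letmein", "correct horse", "hunter2"])  # constructed dictionary
    return ok, bad, recovered


if __name__ == "__main__":
    print(demo())  # (True, False, 'correct horse')
```

The split itself holds up: `combine` is needed to get the password back, and each server alone sees only random bytes. What breaks is the comparison step. Anything one server sends that is a deterministic function of its share and the login share lets the other server, once compromised, test guesses offline. A real design has to make that equality check reveal only the yes/no verdict (a blinded comparison with fresh per-login randomness on both sides), which is precisely the detail the post could not find in RSA's published material.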
According to this FRENCH WEBSITE, a major security vulnerability was disclosed at the Ekoparty 2012 security conference which affects some Android handsets. It is possible to reset the affected handsets to factory default settings and in the process wipe all their data. The vulnerability abuses a “secret” code that triggers the factory reset automatically, without asking the user for any confirmation. That code is: *2767*3855#
There are different methods known to date for pushing that code onto those handsets:
- SMS in WAP Push mode (where the user would have to click on a link)
is contained in the HTML page.
So far it has been confirmed to work against the Samsung Galaxy S3, Galaxy Beam, Galaxy S Advance, Galaxy Ace and Galaxy S II, and some HTC devices.
As Korben wrote on his blog, there might be an interesting browsing experience in store for those handsets' owners in the coming days.
Thinkst is a small security company, and one of its members recently published a post on their blog about the security of an encrypted USB drive. One of his friends had lost the password to his Freecom Self Encrypting Drive (SED) USB drive, and one of the protections in place was the need to power-cycle the drive after every 5 bad attempts. This made a brute force attack impractical given the time needed to plug and unplug the device by hand.
Here comes ingenuity: although the author calls this a “lame hack”, I actually really like it, as he thought outside the box (pun intended). He basically built a new controller to power-cycle the drive automatically, and managed to find the lost password after 500 attempts.
I don’t do electronics and am always impressed when hackers use it to bypass security barriers!
CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as similar to Akamai, because it provides web acceleration and DoS protection through a content delivery network (CDN), it is also different. As explained by its founder, Matthew Prince, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different pricing model, starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.
In a nutshell, CloudFlare appears to be a service that can help optimise and protect any website for little or no money.
What actually prompted me to look into the company is a recent hacking incident of which they were the victim, one that saw its founder's Gmail account compromised through a Google password recovery bypass, using a flaw in AT&T's voicemail redirection. This was then used to leverage a flaw in the two-factor authentication of Google's enterprise Gmail accounts, which resulted in the compromise of one CloudFlare customer's account. Although the attacker needed a bit of luck, since the phone call to reset the Gmail account password had to end up in Matthew's voicemail, it was a fairly sophisticated attack.
But what impressed me most, and the reason I see CloudFlare in a very positive light even after this successful hack, is how the company responded and how it disclosed the details of the attack. I really think the timeline shown below (taken from the CloudFlare website) is a very effective way of representing an attack, the reasons it succeeded and the countermeasures taken. You can read more details about this attack on the company’s blog.