FredOnSomething: Computer Security

The blog has moved

Thu, 23 Jun 2005 03:19:55 GMT

The blog has moved

The present version of this blog will not be updated in the future.

Please visit Fred On Something at his new address at http://fgiasson.com/blog/

I hope that you will enjoy the new format and the future things I will write on it,

Salutations,

Frédérick

Police Technology by Robert E. Foster

Mon, 17 Jan 2005 16:13:23 GMT

Police Technology by Robert E. Foster

Buying a book on internet can sometimes be painful. You don't know what he look like, you just have one or two resumes, no more information on the publisher's website. If you are lucky, there are some comments on Amazon. However, personally, I just buy books on internet now. Why? Because websites like Amazon have astronomical selection of books. You search for a book, you'll find it. Out of print since 20 years? Try Alibris or Abebooks. More and more books are searchable online and good resume are made. Soon, it will probably be the primary place where to buy books.

I have been contacted by Mr. Robert E. Foster. He sent me a really good resume and a lot of information about his new book. I post it on the blog because it's in direct relation with it: the union of security and technology; an introduction for students of colleges and universities. These 3 words (security, technology and education) are enough for me to post this information on the blog. Bellow I put the fact sheet wrote by Mr. Foster. You also can check the table of content, and four reviews [1][2][3][4] of his book. I didn't personally read it (if anyone want to send me a copy of it, leave me a message in my email box and I'll do a review of it with pleasure) but I think it worth his low 33.33$USD.

----------------------

Subject:

The use of the text book Police Technology (Prentice Hall, July 2004) in colleges and universities.

Background:

An often asked question is How does Police Technology fit into current course curriculum? A cursory examination of university and college catalogs will review few that include courses that directly explore police technology such as computers in law enforcement or the management of public information systems. However, nearly every criminal justice program includes a course similar to current issues, critical issues or contemporary issues in policing.

Analysis:

Issue

Police Technology’s Advantages

Terrorism and Homeland Security

Explains and discusses fragmentation and interoperability
Chapter Seventeen is devoted to using the Unified Command Concept as a technology. The development of the National Incident Management System (a January 2005 requirement for federal funding at the state and local level) is explored and thoroughly explained as the Standard Emergency Management System.
The PATRIOT Act and technologies used in conjunction with tracking and surveillance such as traditional wire taps, Carnivore and Magic Lantern are explained and explored.
Privacy, legal and practical issues related to surveillance are discussed throughout.

DNA

The science of DNA is explained, along with the development of DNA databases and the ethical and legal considerations. Several states have had recent legislative changes (including a California referendum) relative to DNA. DNA figures prominently in many recent and ongoing criminal prosecutions.

Community Based Policing

The text defines and traces the history.
The text looks at technologies that may enhance the model.
The text compares and contrasts how technology may actually reinforce the previous model of policing (professional) and not Community-based.

Crime Analysis

The theory and science of crime analysis are explained and explored.
Advanced methods of analysis such as geographic profiling are explored.

Technology Basics

The text is designed for the computer novice and expert. All students will become better end-users

The Internet

The History and technology is explained.
The use of the internet by law enforcement is explored.
Numerous examples are used to show how the Internet may enhance community policing.

Hi-Tech Crime

Computer Crime, Computer-related Crime and technology crimes are defined, explained and contrasted with traditional crime.

Liability

The impact of technology on situations wherein there is a tremendous amount of agency and personal liability, such as vehicle pursuits and the use of force is explored.

Summary

The book explores technology using traditional themes, issues and theories as a common, connecting thread. The work is meant as a supplement to a traditional education in criminal justice. Moreover, because technology has changed crime and the work place, an examination of technology better prepares the student for future studies and employment.

----------------------

Outsourcing to India

Fri, 07 Jan 2005 00:13:41 GMT

Outsourcing to India

What to be aware of before signing the contract

In some of my past posts I worried about some security treats with software development outsourcing. Today as I read my feeds I found a fascinating article on the subject. It was pointed out by a blog dedicated to the subject: The Outsourcing Times. You can read the article there: Outsourcing Contracts: Protecting Project Information.

I’ll not comment the article. It talks by itself. It give some good hints on how-to outsource software development in India and the things that you need to be aware of if you care about the security of your contract.

Invisible doesn’t mean non-existant

Wed, 05 Jan 2005 21:48:14 GMT

Invisible doesn’t mean non-existant

Is because you don’t see a thing that this thing doesn’t exist?

This question can be one of faith or observation. We know that some things exist without being able to see them but with experimentation we can demonstrate that the thing really exists.

Now, is this because you deleted a file on your personal computer that the file is deleted? Depending of your settings, he will be in the garbage bin. So, if you empty the bin, will the file always exist? Obviously not. The file will always be there; only his reference in the file system will be deleted. Okay, if you rewrite on the file’s old sector and/or perform a low format on the hard drive; will the file be finally deleted and not recoverable? Unfortunately not. It will not be easy to recover the file but it will always be there; entirely or partially. Am I crazy? No. It will get time and resources but it’s possible. How? It’s the product of a phenomenon called residual magnetism. The subject gets in the news by ComputerWorld.com some weeks ago.

If my memory is right, I read in Body of Secrets by James Bamford that the NSA is able to recover data on hard drives until between 5 to 7 low level formats. Is this freaky? Not if you don’t have state secret to hide. Remember, they need resources to recover these data. This is not easily done but it’s possible.

Some years ago you would have had been able to get unformatted hard drive in a governmental overstock outlets. Yes, and? You are asking. Think about it, which type of information your government is manipulating? Yes, mostly personal information. I remember that around 5 years ago the government of Quebec had been in trouble because citizen records have been found on old computers’ unformatted hard drives in such a store. This is a real problem. Is the income of a couple of dollars worth the embarrassment? I don’t think so. Are they always doing it? I don’t know; I haven’t been in such a store since then.

The best thing to do is destroying the hard drive, not selling it. You’ll get rid of all related possible problems. Check the price of a gig of storage space. Is the possible resulting problems worth the incomes? Personally I don’t think so.

Mon, 20 Dec 2004 23:06:57 GMT

The operating system oriented security debate is restarted – Phase 2

Examples of what I was saying.

Some days ago I was saying:

"What about the configuration? The complexity of an Operating System with all their services, applications and connectivity hardware is not to forget. A program or a service can be well programmed; without any programming bugs; but only a bad configuration can lead to a security hole. You’ll tell me: Yes but the programming is perfect, without bugs then it’s impossible that such a thing append; if it happened then the cause is the user, not me, so it’s not mine. If you build a hell to configure system then yes it’s your problem. The interaction between a program and their plug-ins or a program with other programs can lead to unexpected behaviors. Usability is probably as important as programming practices"

As you can read, it was not really a great discovery. But today, while reading my blogs entries, I was amused by some of them. Let me point them.

First, Google Desktop. As you can read in the New-York Times:

"The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said"

It’s probably one of the best examples of the phenomenon I was talking about two days ago. It’s sure that these problems are really hard to find and need imagination to discover them. But the point I want to bring is that the security of a program isn’t just in function of his code quality. Two programs can be without security flaws but together, security holes appear.

A post from Peter Torr also worth the reading. He was writing about Firefox and its appearance of security. Sure the code is probably not too bad, but some of the features (including the download and the installation) are obscures. So, my two pennies in the conversation is just to emphasis on the plug-ins point. I already said it before but please take care of smalls and cools plug-ins. As Peter said it, you don’t have any way to check their authenticity.

What’s cool with Firefox is that it’s a potentially slim browser, that you can change at will, with the features you want. The principle is great but also paradoxical when you have security in mind. Probably that Firefox is or will be well studied to upgrade and patch security, but will it be the case with all available plug-ins on their website? Let me doubts. The solution? Probably the certification of them. The feasibility? Near null for the moment.

Finally I don’t say to stop using it and not using the cool plug-ins available; but only to be aware of the situation when you are using these types of softwares.

Sat, 18 Dec 2004 15:22:20 GMT

The operating system oriented security debate is restarted.

Please stop your child plays.

I read today an article on Wired News that restart the debate on Linux versus other operating system security issues. The conclusion is:

· 0.17 bugs per 1,000 lines of code in the Linux kernel

· 20 to 30 bugs per 1,000 lines of code for commercial software

These statistics have been collected by the Carnegie Mellon University's CyLab Sustainable Computing Consortium. The problem with these numbers is that they tell nothing. Fine, theoretically I have less chances that my Linux kernel had bugs that cause security threats. It’s sure that there are chances that the core (open source) of an OS was more studied than the softwares he runs. It’s exactly the present situation.

What about all other things that come with all Linux distributions? Are they as studied as the Kernel? Let me doubts about it.

What about the configuration? The complexity of an Operating System with all their services, applications and connectivity hardwares is not to forget. A program or a service can be well programmed; without any programming bugs; but only a bad configuration can lead to a security hole. You’ll tell me: Yes but the programming is perfect, without bugs then it’s impossible that such a thing append; if it happened then the cause is the user, not me, so it’s not mine. If you build a hell to configure system then yes it’s your problem. The interaction between a program and their plug-ins or a program with other programs can lead to unexpected behaviors. Usability is probably as important as programming practices.

How can they resume computer security risks with lines of code? Is anyone can tell me this?

Wed, 10 Nov 2004 02:12:49 GMT

Urban Legends on security
What technology neophytes can think

Last week a came around an interesting "study" done by Secure Computing. What is interesting is to see what people can think about things that they don't really understand. In many cases it's probably the Arabic telephone effect that create such monstrosity. If I have one suggestion to say; it's to read them and discuss about them with persons in your entourage that may think that these urban legends can be true. Remind that one of the best security practice is education; anybody can do it.

There is the list published by Secure Computing:

Hackers can legally break into web sites that lack "warning" notices.
Some Windows system files are really malicious and should be deleted.
Hotel card keys secretly record personal information, which could be maliciously taken advantage of without the person knowing.
Including a fake entry in your e-mail address book will prevent e-mail Trojans.
A digital cell phone can be infected with a virus merely by answering a phone call.
Search engine "crawlers" perform security checks and notify you of vulnerabilities.
Thieves are using lists of "out of office" auto-replies to target homes for burglary.
Free patches e-mailed to you will protect your PC from the latest worm or viruses.
Signing up with a "Do Not Spam Registry" will stop you from getting spam.
Elf Bowling and Blue Mountain Greeting Cards contain viruses.

Enjoy them, laugh at yourself and think that many people can think that they are real possible treats. Just keep in mind that the situation is normal, otherwise urban legend wouldn't exists. Then if you're not sure about a thing that a person tell you; just do some research on a trusted web site and you'll be able to assess the treat by yourself.

Sun, 24 Oct 2004 19:35:36 GMT

Do not give power to your foes

The principle of information pipeline

Many say that information is power. Then, why do you give power to your foes? Is that your wishes? There is the idea being this article: cut the information pipeline of to your enemy to prevent you greater harm.

Do not help your attackers gathering information about your network. The first step of an attack is the reconnaissance of the playground. It’s done by social engineering, physical site reconnaissance, internet search, network mapping and DNS reconnaissance. After they map their target by war dialling, network mapping (ICMP), port-scanning and vulnerability scanning.

... Read the full story...

Fri, 22 Oct 2004 02:10:06 GMT

Articles published by Microsoft this week

All on computer security

This week many interesting articles about security have been published by Microsoft. I just write this little post to let you know about them. The most important publishing was the MSDN magazine issue of November 2004. All articles are about computer security. Articles cover a wide range of subject from cryptography to .NET technology. After this, there was another really interesting article called The Security Risk Management Guide. It was written to help Microsoft’s client to type, build and maintain a security risk management program.

Always on the computer security subject but on another topic: passwords and pass phrases. There are 2 articles written by Jesper M. Johansson: Part 1 and Part 2, and another to come soon.

Finally there is the Security Application section of the .NET framework on MSDS that is always a good reading. It include Role-Base Security, Secure Coding Guidelines, Code Access Security, Security Policy Management, Security Policy Best Practices and Security Tools.

This is all I have to say on this today. Then good reading on Microsoft!

Wed, 13 Oct 2004 01:58:42 GMT

Information Gathering

Get an eye on your teckies

You are an IT department administrator? You have people to supervise (teckies, developers, etc)? Take an eye on them. The problem is that they need information to do their work. Sometimes they don’t find it and ask for it. Sometimes they ask for opinions, review and tips to their pair. There is several ways to ask for this information. Occasionally they use Usenet or Webforums. The problem with these technologies is that all their content is logged. By example, Google get an archive of most of the Usenet groups since ~1997. Most of the times they need to detail their problem to get valuable answer from other users. If he have a problem with the topology of your enterprise’s network, he’ll probably write things about the hardware used, the subnets used and the technologies in place inside your enterprise. At last, most of the time, he’ll ask these questions during is working hours. There isn’t any problem with this fact, but who say working hours also say company’s computer and company’s computer settings like company’s email address and identification. Then they will use their enterprise email to get answers to their questions.

If you understand the problem, you’ll see that you have a post on a Usenet group, sent by one of your teckie or developer, where you have sensitive information about your enterprise’s network infrastructure tagged to it by the email of the so helpful employee.

What you can do? Educate them. The only thing that they want is doing their job. But sometimes they don’t see that they can harm the enterprise by doing this type of things. They only need to be educated to the problem. They only need to be aware of the problem. It’s your job, not necessary their.

If you don’t believe what I say in this post, try it. You’ll be astonished by the results.

Mon, 11 Oct 2004 15:37:50 GMT

Know you Enemy

Does he really know them?

First, I want to excuse me for the lack of posts in the last 4 days, I had other things to do and had a shortage of time. So, the article that I’ll comment is 5 days old but I want to comment it anyway.

There is an article that I need to comment on. The problem with it is that he doesn’t focus on his subject, go everywhere and try to cover a wide question in a little article. The title is "Know your enemy" -- cliché. He writes on 3 main subjects: Companies resources (new network technologies), third world hackers (money as motivation) and others obscure ones (custom software and social engineering). There is what he said about the second subject and I want to comment on:

"Should US companies worry about hackers in Russia and other countries?

Hackers from countries where the economy is less developed than the US
are more motivated by money than by pride when they start trespassing
on US companies - as opposed to US hackers, who are motivated more by
pride than money. (There are many other ways that you can make money
in the US.)

Also, money is a stronger motivator than pride. That's why people
motivated by money are more dangerous. Hackers are businesspeople [if
they are motivated by money]. In most cases, they are probably just
having difficulties in their countries finding and exploring
opportunities to work.

If a company that is hacked into can explore with a hacker his or her
talents in a more peaceful way, the victim can only benefit. If these
hackers are businesspeople, they can be redirected by being offered a
better deal than the one they might get by creating pressure through
hacking.

I deeply believe in this point. It is hard, however, to generalise too
much because every case involves different kinds of people and
different circumstances.

What security measures offer the best protection against hackers?

Keep the hackers occupied if you recognise them as a threat. This
might be similar to what some countries have done with their nuclear
scientists - Russia, for example, keeps them under close supervision
and treats them well, but above all keeps them busy professionally."

The problem is that he make too emphasis on the typical hacker of Hollywood. Really, he is not a threat. The real threats are the criminal groups. They begin to see benefits with cyber crimes and they exploit it. They exploit the internationalisation of the Internet and the lack of law applicability of many countries. This is the real problem. It’s true that the motivator is the money in this case too, but good luck to employ them after. I think that he talk about a minority of cases, and by doing so, he’ll not get rid of the real problem, the real danger, the criminal groups implication in the cyberspace.

It’s my 2 penny to the discussion.

[In addition to the post: 12 October 2004]
---------------------------------------------------

I just read Bruce Schneier’s October blog posts. He talks about this subject the 4 October with Bill Brenner from SearchSecurity.com. It’s interesting to see that I’m not alone to share this view. I know that many other people do too. There is the excerpt from his post:

"What's the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We're seeing a huge increase in identity theft and associated financial theft. We're seeing a rise in credit card fraud. We're seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there's a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we're seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty."
-----------------------------------------------

Mon, 27 Sep 2004 01:13:30 GMT

Some thoughts and highlights on the Global Information Security Survey 2004 of ErnstYoung.

There are some of my thoughts and highlights that I wish to share with you about the Global Information Security Survey 2004 of Ernst&Young.

First, there is the targeted population: more than 1230 enterprises in 51 countries. 22% of them have more than 1 billion in revenues and 56% of them more than 100 millions.

One of the things that I need to point you out in this survey is what I already observed and I posted on this blog since 3 weeks. This thing is the management-based approached of security. It’s the importance of the employees as a security layer in the infrastructure of the system. Unfortunately, senior management is more trusting than prudent. This situation seems to be the root of many problems.

As many people think, one of the best security layer that enterprises can have is his employees. Ironically, this same layer can also be the weakest link. The problem is that they need to be trained and educated in there role in the infrastructure as a security layer. If you do so, you’ll have one of your strongest link; otherwise, there is a good probability that this layer would be your weakest... Read the full story...

Fri, 24 Sep 2004 23:52:34 GMT

What’s best: block a port or lets Windows Automatic Updates go on?

This is another thing that I ear from the company mentioned in this story. This time, they block all ports, except 80 and few others. Blocking all ports mean the Windows Automatic Updates program’s port too. What do you think is best, blocking a random port or download and automatically install windows patch in your park of about 100 computers? It seems that it’s not every body that learns from experience. After being infected by MyDoom and some other virus, the holes are always open. They will not if they don’t change their mentalities and do a review of their security policies (if they have some).

The purpose of this post is just to give you another example of what companies can do. This is not an isolated case. I’ll come back with some stats for you this weekend.

Thu, 23 Sep 2004 02:40:14 GMT

In the life of some computer security workers for a day.

I just finished reading an interesting article about a day in the life of Johannes Ullrich of the Internet Storm Center's. It was entertaining because this type of article is quite interesting and relatively rare. It’s always interesting to see how other people works in there environment. It’s why I’m posting this today, to show you another point of view of how some people works in the field of computer security (in this case: virus infection response team).

Another interesting blog called A Day in the Life of an Information Security Investigator is interesting to read for the same reason. Chief is mainly writing about anecdotes that he encounter during a day of work.

Wed, 22 Sep 2004 01:23:53 GMT

You need a foundation before rising your house.

Avoid complexity when you talk of security, back to basis

I just get around a really interesting piece of news that talk about the last IT Security Summit conference of the Gartner research center. Normally peoples that talk in these shows talk about what you need in your enterprise to upgrade your security. Normally they talk about the last technology that you need to be up-to-date and a foot ahead of hackers. Victor Wheatman, vice president and research area director at Gartner said the opposite. His speech was about what enterprise don’t need in the field of computer security technology. He says that they need to go back to basis if they really care about their security infrastructure.

" Wheatman also singled out "500-page security policies" and security awareness posters as things an IT manager would be better off not spending company resources on. "You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late. "

It’s the same as for physical security. If you are not the president of the United-States, you don’t need 10 bodyguards, an aerial surveillance and 15 hidden snipers when you walk on the street. You only need some awareness basic principles. A basic procedure like the code color of Jeff Cooper. More complex the procedure is, less people will follow it. It’s the same principles as them in self-defence. You’ll not use your kung-fu style if you are assaulted in a bar. You’ll use your gross skills that don’t need any reflection to use. You’ll not look at every person and think about all possible scenarios when you walk on the street. You unconsciously check for hints that can lead to a possible threat. It’s the same thing with a computer security policy; you need it as simple as possible for all of your employees. If you protocol is not simple and straight to the goal, your employees will not follow it. You can do one more elaborated for your system administrator, but not for your normal employees, this is not there job and they are a big part of your security infrastructure, take care of them! This fact is a question of human nature.

Another interesting thing that I noted in this article is this discussion:

" Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security. "

" We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail," Smith said. "But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed. "

I already discussed of this in this article some weeks ago. It just connects my thoughts with this fact.

Sun, 19 Sep 2004 21:12:22 GMT

Where to start in computer security

The root node of your search tree

When someone is interested in a new subject, he try to find an introduction work that will tell him what the subject is about, the fields that compose it, the terminology and references for further reading. You need a start point that will be the root node of your search tree on this subject.

Computer security is not excluded and fit this pattern. I read a post on joatBlog that point me out this article: First Things First - An Introduction to Learning About Network Security. I didn’t take the time to read it this week. I just finished reading it and it’s why I’m writing this post now. It remembered me the methodology of searching on a new subject. The importance of introduction works in a field. It’s why I take the time to share this article with you. If you don’t have any experience in this field and that you want to learn more about it, I recommend you to read it and the references pointed out in it. Moreover, I suggest you to read most of the articles on the SecurityFocus website. This is another great source of information for any person interesting in computer security. I recommend you to read these sources of information before buying any book on computer security. In this way, you’ll know if the book worth his price and the specific field that you want to deepen.

Have a good reading. Remember, if you have any question don’t hesitate to ask me them.

Sun, 12 Sep 2004 21:26:05 GMT

Security consequences of possible proof of Riemann’s hypothesis

...

The problem is that we don’t know if his proof is right. Mathematicians have doubt if Louis de Branges is able to prove the hypothesis. It’ll take time to peer review the proof by the most important mathematicians of Riemann’s hypothesis. If finally the proof is counter verified and became true, it’ll probably take time to know the consequences of the proof and how to use it.

In the case that he is right and that we can find how to use the hypothesis to make many one-way functions with prime numbers not one-way anymore, what will be the consequences? For now, no one; in the future, probably many with asymmetric encryption algorithms. If the dream to prove this hypothesis comes true, you’ll can forget electronic commerce, certification, digital signatures, TCP/IP security, secure telephones, just to tell some. You’ll not be able to rely on public-key encryption anymore as a easy to use method for encrypted distant transmission. We’ll live a boom of “The new most secure ecommerce solution with our new full proof proprietary public-key encryption algorithm”. Think about it, it took thousands years and many brilliant ideas to be where we are now. Don’t think that it will take 2 weeks or 2 months to make a new leap in the field of public-key encryption. When we’ll find a solution, it’ll need months and years to analyse and harden algorithms.

... Read the full story...

Fri, 10 Sep 2004 23:55:21 GMT

Change mentalities
Beware old school administrators.

I was talking with the network technician of a Canado-American enterprise that works in the field of technical didactic materiel like didactic aeration systems, radar system, etc. This is a small size enterprise of approximately 215 employees and exists for more than 45 years.

I was stupefied when I learned that every employees of the enterprise shared the same email password. There was only one password know by some key peoples like administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have some problems with your email client and need the password to get your emails, you only need to ask a technician to come at your workstation and let him enter the global email password... Read the full story...