Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for February 2009

Infosec Awareness

with one comment


As Dirty Harry once said: “A man’s got to know his limitations.” I found this today as I was looking for posters to put into a security awareness program. Not the usual fare and surely NOT going to be used by the client, but, thought I would share…

The Seven Deadliest Social Networking Hacks

leave a comment »

Here’s a look at the seven most lethal social networking hacks:

1. Impersonation and targeted personal attacks
2. Spam and bot infections
3. Weaponized OpenSocial and other social networking applications
4. Crossover of personal to professional online presence
5. XSS, CSRF attacks
6. Identity theft
7. Corporate espionage

Full story here

Hmmm well, yeah, been there done that on the “impersonation and the Corporate Espionage.” Actually, it’s a good thing to create an online persona for doing such work. It just goes with the territory though: the more you put out online, the more possibilities there are for abuse of your data.

Add to this all the XSS and other attacks out there that are browser centric, and you have quite the vector group for attacks on persons and entities.

Gotta love the “social” engineering!

Written by Krypt3ia

2009/02/17 at 01:40

Stopping The Insider

leave a comment »

Bruce Schneier on “The Insider Threat and its Mitigation”

1. Limit the number of trusted people. This one is obvious. The fewer people who have root access to the computer system, know the combination to the safe, or have the authority to sign checks, the more secure the system is.

2. Ensure that trusted people are also trustworthy. This is the idea behind background checks, lie detector tests, personality profiling, prohibiting convicted felons from getting certain jobs, limiting other jobs to citizens, the TSA’s no-fly list, and so on, as well as behind bonding employees, which means there are deep pockets standing behind them if they turn out not to be trustworthy.

3. Limit the amount of trust each person has. This is compartmentalization; the idea here is to limit the amount of damage a person can do if he ends up not being trustworthy. This is the concept behind giving people keys that only unlock their office or passwords that only unlock their account, as well as “need to know” and other levels of security clearance.

4. Give people overlapping spheres of trust. This is what security professionals call defense in depth. It’s why it takes two people with two separate keys to launch nuclear missiles, and two signatures on corporate checks over a certain value. It’s the idea behind bank tellers requiring management overrides for high-value transactions, double-entry bookkeeping, and all those guards and cameras at casinos. It’s why, when you go to a movie theater, one person sells you a ticket and another person standing a few yards away tears it in half: It makes it much harder for one employee to defraud the system. It’s why key bank employees need to take their two-week vacation all at once – so their replacements have a chance to uncover any fraud.

5. Detect breaches of trust after the fact and prosecute the guilty. In the end, the four previous techniques can only do so well. Trusted people can subvert a system. Most of the time, we discover the security breach after the fact and then punish the perpetrator through the legal system: publicly, so as to provide a deterrence effect and increase the overall level of security in society. This is why audit is so vital.

The rest of the article can be found here
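Points 3, 4 and 5 above are easier to see as a small piece of code. What follows is an added example, not code from Schneier’s article or from this post: a toy payment-approval system with per-user rights (compartmentalization), a two-person rule above a threshold (overlapping spheres of trust), and an append-only audit trail that can be queried after the fact. The users, roles, threshold and payments are constructed for illustration.

```python
"""Toy payment-approval system illustrating Schneier's points 3, 4 and 5.

Added example; the users, roles, threshold and payments below are constructed
for illustration and are not from the original post or Schneier's article.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Payment:
    payment_id: str
    amount: int
    initiator: str
    approver: str = ""          # filled in when a second person signs off
    status: str = "pending"     # "pending" or "paid"


class PaymentSystem:
    def __init__(self, roles: Dict[str, Set[str]], dual_control_threshold: int):
        # Point 3 (compartmentalization): each user only gets the rights they need.
        self.roles = roles
        # Point 4 (overlapping spheres of trust): at or above this amount a second,
        # different person must approve, like two signatures on a large cheque.
        self.threshold = dual_control_threshold
        # Point 5 (detect after the fact): an append-only audit trail.
        self.audit: List[dict] = []
        self.payments: Dict[str, Payment] = {}

    def _log(self, **event) -> None:
        self.audit.append(event)

    def _can(self, user: str, right: str) -> bool:
        return right in self.roles.get(user, set())

    def request(self, user: str, payment_id: str, amount: int) -> str:
        """Initiate a payment. Small ones clear at once; large ones wait for approval."""
        if not self._can(user, "initiate"):
            self._log(user=user, action="request", payment=payment_id, result="denied")
            return "denied"
        p = Payment(payment_id, amount, initiator=user)
        self.payments[payment_id] = p
        if amount < self.threshold:
            p.status = "paid"
        self._log(user=user, action="request", payment=payment_id, result=p.status)
        return p.status

    def approve(self, user: str, payment_id: str) -> str:
        """Second signature: needs the 'approve' right and must not be the initiator."""
        p = self.payments.get(payment_id)
        if p is None or p.status != "pending":
            self._log(user=user, action="approve", payment=payment_id, result="no-op")
            return "no-op"
        if not self._can(user, "approve") or user == p.initiator:
            self._log(user=user, action="approve", payment=payment_id, result="denied")
            return "denied"
        p.approver = user
        p.status = "paid"
        self._log(user=user, action="approve", payment=payment_id, result="paid")
        return "paid"

    def single_actor_payments(self) -> List[str]:
        """After-the-fact audit: large payments paid without a second, distinct person.
        While the controls above hold, this list stays empty."""
        return [pid for pid, p in self.payments.items()
                if p.status == "paid" and p.amount >= self.threshold
                and (not p.approver or p.approver == p.initiator)]

    def denied_events(self) -> List[dict]:
        """Audit view: every refused action, the raw material for an investigation."""
        return [e for e in self.audit if e["result"] == "denied"]


def demo() -> PaymentSystem:
    """Constructed scenario: a clerk, a manager, an intern and a few payments."""
    system = PaymentSystem(
        roles={"clerk": {"initiate"}, "manager": {"initiate", "approve"}},
        dual_control_threshold=10_000,
    )
    system.request("clerk", "p1", 500)        # small: paid at once
    system.request("clerk", "p2", 50_000)     # large: needs a second signature
    system.approve("clerk", "p2")             # denied: clerk cannot approve
    system.approve("manager", "p2")           # paid
    system.request("manager", "p3", 75_000)   # pending
    system.approve("manager", "p3")           # denied: cannot approve own request
    system.request("intern", "p4", 10)        # denied: no rights at all
    return system


if __name__ == "__main__":
    s = demo()
    for event in s.audit:
        print(event)
    print("large payments with a single actor:", s.single_actor_payments())
```

The audit trail is what makes point 5 possible: every denial is recorded with who attempted it, and `single_actor_payments()` is the kind of reconciliation query an auditor would run to find a large payment that slipped past dual control.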

Much of this needs to be taught to corporate America still today. All too often they also think that by instituting all of these protocols and more, you can “stop” the internal threat. They would be wrong as Schneier points out later on, but, still the perception persists. Sure, you may cut down on this kind of thing, but you will never outright stop it.

Vigilance is key.

But here’s my thing. He starts off with the Makwana case. Ya know, the Indian guy who had all the access to plant the logic bombs in Fannie Mae? Well, here is where I get on my high horse. Why oh why did they give this guy, an Indian contractor, a guy from a country with a porous border with Pakistan, such access to ALL their important servers?

What were they thinking?

You have to take things like this into account you know, when you hire tech help from anywhere you must do background checks etc. Get a feel for who the person is and where they are in the head space. Of course this may not give you any idea at all that they are going to screw you, but, it’s better than not doing it at all.

Of course these folks at Fannie have never been so good at security. Surely their telling the guy he was fired but could work the rest of the day was EPICALLY stupid and a real recipe for FAIL… But, I have seen that before in other places. What are people thinking?

Anyway, Bruce has a point and I thought perhaps it should get some more sunlight than just the WSJ.

Written by Krypt3ia

2009/02/17 at 00:53

Apple fixes dozens of holes with OS X security update

leave a comment »

Apple released a Mac OS X security update on Thursday that contains fixes for more than two dozen vulnerabilities, including one in Safari RSS that could lead to arbitrary code execution and one in Remote Apple Events that could disclose sensitive information.

Also fixed are a vulnerability in AFP Server that could trigger a denial of service and vulnerabilities in Apple Pixlet Video, ClamAV, CoreText, Python, SMB, and X11 that could lead to arbitrary code execution. Another fix closes a hole in Printing that could allow a local user to get system privileges and one in DS Tools that could expose passwords to other local users.

Security Update 2009-001 can be obtained from the Software Update pane in System Preferences or Apple’s Software Downloads Web site.

Apple also on Thursday released Safari 3.2.2 for Windows, which fixes a vulnerability that could allow execution of arbitrary JavaScript in the local security zone. That update is also on Apple’s download site.

So, you hear that all you Macheads out there? Go download the patches because if you don’t you will be r00t3d! And lose that smug sense of security superiority will ya? She ain’t as secure as you think…

Written by Krypt3ia

2009/02/17 at 00:32

Posted in Cyber, Hacking, Infosec, Security

The Wrestler, A Micro Review: I’m an old broken piece of meat

with one comment

Mickey Rourke has come back to the screen with a redemptive movie. Of course, the character he plays does not get the redemption that Mickey seems to be enjoying now, but man, what a depressingly good flick. My favorite line of the film, as well as moment, is the “Old broken down piece of meat” comment to his daughter. Mickey knows what he is talking about.

On another note… I must say seeing pretty much ALL of Marisa Tomei in this film surprised me.. Pleasantly I might add…

See this film.. But bring the happy pills for after.

Written by Krypt3ia

2009/02/16 at 00:51

Posted in Micro Review, Movies

The Devil We Know

leave a comment »

Robert Baer was a station chief in the Middle East as well as an operative for many years there as well as other places. He has written a few books post his service in the CIA, the latest being “The Devil We Know.” The book is about how we should approach Iran today post the Bush administration.

His thought on approach would be to actually engage Iran and bring them to the fold. Since treating them as a pariah and not talking to them at all, we have made an enemy that much more dangerous post our invasion and botching up of Iraq, the bulwark that held Iran in place. Since the fuckup, we have only increased Iran’s power in the region and potentially accelerated their plans on nuclear ambitions as well as others that they have.

I tend to agree with Mr. Baer on much of this… After all, keep your friends close, but your enemies closer…

For some more you can see the videos from YouTube

Written by Krypt3ia

2009/02/16 at 00:15

The End Is Nigh

leave a comment »

Well, this guy is a gloomy Gus huh? Unfortunately, I think some of what he is saying has some merit. I believe that potentially this could get very very bad indeed. Everything is tied together really and if the system cannot be re-set back onto the tracks, I fear that the derailment will only continue to happen at an even pace.

It is hard to conceive that this situation could reach the epic proportions that we saw in the “Great” depression but, given as the gent points out, there were no credit cards then etc. The monies being stolen now are mostly virtual in nature and as he states, gold, seems to be the only “solid” currency that he would invest in. Of course we all know what happened back in the GD when there was a run on gold. The government froze it all. So, get your gold now before the shit hits the fan again.

I also agree that the crime rates will be going up. I personally have seen what I feel is a spike in that in my own area here but given things could get worse for people (post 100K jobs being lost in one month, benefits from the local/state/federal drying up, and of course state governments going bust financially) I can foresee an uptick in crimes like bank robbery etc. In fact, this has already been in evidence but not necessarily in the news as much. A bank insider told me of some incidents that perhaps I just missed on the local news… Who knows… But, it’s happening as people become more desperate.

Now of course the source of this interview of Gerald Celente is on a Russian news report. So, one has to look at that with a more jaundiced eye in the Putin era of nouveau Soviet mind. So, please, I do take that into account on this. I guess what I am saying though is take it with a bag of salt, but, do consider what you might do were these things to come to pass.

How would you survive?

Written by Krypt3ia

2009/02/15 at 18:46

Suicide Club: Just Whack.. But I think I am understanding the Japanese youth mind more…

leave a comment »

Little kids, chicks, half naked teen girls, and a wood planer! Only the Japanese could come up with this!

So I decided to look up “Suicide Club” on You tube today and what do you know, it was up there in ten minute chunks to watch. After the film was all said and done (with some missing time as I think the content was too “out there”) I found myself rather intrigued, confused, and grossed out, but in a silly bad horror way.

Plot Line:

54 Japanese “Hyper super cute” school girls (ya know the kind you see in anime and manga) clasp hands together in a line at Shinjuku station and leap in front of an oncoming train.. *SPLAT* Heads and limbs everywhere. Soon after kids start to off themselves in various gruesome ways and the cops have no idea what the hell is going on, except they hear the term “Suicide Club.”

Interspersed with this are images of another “super cute” group of pre teen “backstreet girls” who sing a song about.. Well, emailing them? I guess. Anyway, they seem to be involved somehow subliminally.. Long story short, an Otaku hacker girl kinda figures things out, mayhem ensues, and, well more suicides… Need I say more?

Whoa… If it were bloodier I would have to be wearing a plastic garbage bag like at a Gallagher stand up routine! Anyway, I digress…

Mostly though, I think I started to get on the trail more of the Hikikomori mindset as well as perhaps the Otaku in watching this film. Sure, it was silly and really, even without the time gap, confusing trying to make out just what the hell was going on. This is especially true of the whole scene involving the “girl band” and the underground lair with the removal of skin with a wood plane. *Ick! Ouch!* Of course that belies the whole issue of the “Skin Rolls” being sent to the cops…

*ugh just had a bad salmon skin sushi roll image in my head!*

It was just kinda arbitrary and, well of course creeptastic in a sadistic sexual way that the Japanese have really mastered. Mmm yeah…

The hardest thing to wrap my head around was the whole thing where the kids have this Q&A session with the Otaku Hacker:

little kid: “Are you connected with yourself?”

little girl: “Are you severed from yourself?”

little girl 3: “Did you come to repair your connection?”

What the…? Are they really phone repair kids or what? I am kinda lost there in the scheme of things at first. Then I begin to think about my Zen teachings and think perhaps they are talking about “one-ness.” Maybe? They go on about being severed or not severed after death and it’s there that the bread crumbs end.. One of those damn Miyazaki anime birds must have ate em…

In the end I was left thinking;

“Whoa, that’s just fucked up”

I mean, no one but NO ONE does evil creepy scary kids like Japan! Add to this the whole suicide issue going on there and man I am not surprised to hear that people just take a ride out to Aokigahara and disappear.

Oh well… You watch and decide yourselves..

Sayonara…

Written by Krypt3ia

2009/02/14 at 23:37

Good Advice: Ten ways to safeguard your privacy at work

leave a comment »

A simple list of ten ways to help safeguard your privacy in particular, and security in general, in the event of leaving an employer for any reason, follows. It includes some common sense advice that may seem obvious to some, but at the same time — human nature being what it is — we may often be tempted to ignore the advice when it becomes convenient to do so. Hopefully, having a list spelled out for you will help remind you what you should do to protect yourself, and that sometimes what seems like it is for someone else’s benefit may actually help you as well.

  1. Don’t violate company policies. I’m not a fan of arbitrary rules and overly restrictive behavioral policies myself, but that doesn’t mean you should violate rules set by the employer and your immediate supervisor whenever you feel like it. Not only can this potentially cause problems for the employer and hasten the approach of any potential loss of employment there, but it can also give the employer more reason than usual to invade your privacy where the law and corporate policy allow. Remember that the more you violate company policy, the more scrutiny you’re likely to attract if you get fired or laid off — or even if you leave on what look like good terms from your perspective. Even if they only find some minor hint of policy violations a month after you leave, this may lead to a more in-depth examination of what you have left behind, and potentially to attempts to gain legal access to information about your life outside of the workplace in a worst-case scenario.
  2. Don’t log instant messages. If you are allowed to use any of the various IM networks at work, it is best to keep any messages unrelated to work from being logged on company resources — such as the computer on your desk. Comments made about frustration in the workplace can come back to haunt you if found lingering on the hard drive, and a laissez-faire policy in good times may turn into a fishing expedition for incriminating statements you may have made when your name comes up in the list of people to lay off. If anything suggestive of misbehavior on your part comes to light, this may lead to further investigations, prying into your private communications even more. It’s best to just avoid leaving tracks, even if they seem innocent now, because of how they may be interpreted under other circumstances.
  3. Use encryption for private communications. If company policy allows for private communications from the company network, it may be a good idea to encrypt everything so that potentially embarrassing private emails and IMs will not be logged by network traffic monitoring systems, in addition to ensuring you do not leave such communications lying around on the hard drive when you’re done with them. Otherwise, the content of those communications may end up on some hard drive over which you have no control at all, archived in perpetuity. Even if you have an IT department role that allows you access to the logging servers, it is best to minimize the number of places that such information gets stored in plain text.
  4. Don’t trust everything to encryption. While encryption tools are a great resource for protecting privacy, they are not a silver bullet. It is always possible that encrypted communications may be later decrypted, whether because the encryption scheme is cracked at some future point or because you don’t have a chance to clear your encryption keys from your workstation before being escorted out of the building, allowing someone cleaning up in your wake to get his or her hands on those keys and possibly crack whatever passphrase you use to apply the keys to encrypt and decrypt.
  5. Don’t bring your private encryption keys to work. Using public key encryption schemes such as any of the several options for OpenPGP that exist is a good idea, of course, and can help ensure greater privacy in your life. You may be tempted by convenience to simply copy your encryption keys from home to your work computer, but that’s a bad idea, mostly because of point 4 above. Instead, you should generate a new key set at work if you want to use OpenPGP there, and ensure that anyone who communicates with you via that set of keys knows that it is ultimately more subject to compromise than your more private, “home” keys. If and when you leave your employer, or have reason to believe it may have been compromised (many employers still install keyloggers on company desktop computers to monitor employee behavior, after all), inform everyone that uses the public key for that set of keys to communicate with you privately that you are invalidating the key set. If you have uploaded the public key to a keyserver, you should invalidate the key on the keyserver as well.
  6. Protect your private IM and email passwords. It is generally best to avoid using the same IM accounts at work that you use at home, since instant messaging networks often do not encrypt login transactions between the client and the server. Just as the communications themselves may be intercepted by network traffic monitoring software, including tcpdump, so too can your user IDs and passwords for your IM accounts be intercepted, sometimes even if the messages themselves are encrypted by some third-party plugin. The same can be true of emails, if your email logins are not encrypted. If you employ standard Unix mail user agents, tools such as getmail and sSMTP can help you ensure those logins are protected — as well as the rest of the session. It is possible to use complete session encryption with Gmail, too, and GUI mail clients usually provide some mechanism for ensuring logins at least are encrypted if the server supports it. When such options are not available, though, it is best to avoid using an email account you use elsewhere, just as it is with IM accounts.
  7. Don’t store browser history or Website passwords not directly related to work. To the extent possible, you should ensure that you leave no tracks when browsing the Web. Many browsers, such as Firefox 3, provide a built-in password manager that can be used to automate the process of entering passwords for the plethora of Websites you may visit regularly. Some of you may not be aware that many of them — again like Firefox 3 — can allow you to recover those passwords in plain text if you forget them and need to remind yourself what passwords you have used. This may allow a former employer to do the same thing after you are no longer in the office. Browser history can be likewise problematic, allowing a glimpse further into your private habits than you may like, or even serving to heighten suspicion and motivate more investigation and prying into your private life similar to the potential effects of inferences drawn from IM logs.
  8. Use encrypted proxies for private browsing. Just as you can encrypt IMs and emails to protect your privacy, you can also protect Web browsing from local eavesdropping at work. You can use OpenSSH as a secure Web proxy, for instance, so that all that is seen on the local network when you fire up your browser is encrypted traffic sent to a computer at your home. The advisability of this may be open to question, however, as any encrypted proxy traffic may appear suspicious to a very watchful netadmin, and you may have to explain why you have near-constant encrypted traffic streaming to some off-site computer outside of your normal duties at work.
  9. Don’t store the sole copy of anything important at work. It is often the case that employers will escort employees out of the building when employment is terminated for any reason, without giving them the opportunity to recover anything from company computers. Sometimes, you may get invited to speak to a specific contact in the IT department, and have him or her recover any files for you that you need, but of course if that is the case the process can be long and annoying, and since it isn’t their data, it may be prone to being lost somewhere along the way. Perhaps worse, any such files are likely to be scrutinized before being turned over to you, to ensure that they do not contain company secrets or otherwise present a risk to the business or its resources. It is better to ensure that anything you don’t want to lose, but need to have available at work, is not only stored on a work computer.
  10. Never give your employer reason to distrust you. Show the highest levels of integrity, even if you are angry with your employer over some deceptive behavior or other breach of trust by the employer. Do not sink to your employer’s level. Don’t skimp on reporting what you use, don’t try to arrange surplus supplies and other resources for yourself — just don’t try to “get away with” anything at all that might impugn your character in the eyes of the employer or any third party to which the employer may present evidence of your “misdeeds”. Even if you trust the chain of management all the way to the highest levels, in an uncertain economy it may be possible that business resources will fall to creditors, and your personal security may then be at risk. This risk can only be compounded if any evidence of your behavior can be construed by someone looking for excuses to pry into your life as justification for such an investigation. Always take pains to protect the company’s security as well as your own, and avoid conflicts of interest or the appearance of impropriety, to the extent reasonably possible. In times of economic desperation, in an increasingly litigious world, good intentions are often not enough to protect you.

Finally, always remember that in many ways your employer’s security is also your own security, and security measures employed by someone else for his or her own benefit may prove beneficial to you, too. When it comes to security, we’re all in this together. Don’t let disputes over employment transition distract you from that fact.

Ok, well, that was an interesting list and a good one I think. Now, let’s look at this from another perspective. Many places actually will allow you to do some of the things in the list like use IM. Many places though now are not allowing that traffic in the first place. So, you might be able to use that encrypted proxy to tunnel out your IM, so if indeed you are doing that, be sure to not keep logs!

On the Crypto for mail etc, yeah, keep your keys on your USB drive kids. In fact, one might even consider a USB live distro for such things like the IM, Email, and storage of files that you want to keep private. However, as many places are disallowing USB drives anymore with rules and software packages, you might not have this option either…

So, I guess the word of the day is “Don’t violate the rules” cuz if you do they will come after you and walk you out. Trust me, then your drive will be imaged and someone like me will be poking through your stuff for the company to use against you later.

Written by Krypt3ia

2009/02/14 at 03:38

New And Improved Storm Botnet Morphing Valentine’s Malware

leave a comment »

Waledac, formerly known as Storm, tries to keep a lower profile while it expands

Feb 11, 2009 | 02:29 PM

By Kelly Jackson Higgins
DarkReading

The botnet formerly known as Storm is ramping up its ability to evade detection by automatically generating thousands of different variants of its malware each day as it spreads and recruits more bots.

Waledac — the new and improved Storm — is using its favorite holiday, Valentine’s Day, to spread the love with signature phony greeting cards and romance-themed email that Storm so infamously spread in the past. “Over the last 24 hours, we’ve seen over 1,000 new variants [of Waledac code],” says Pierre-Marc Bureau, a senior researcher with Eset, which expects Waledac to eventually pump out thousands of variants a day. “It was a bit lower than what we are expecting. It may not have reached many of our clients yet.” That said, it’s still a big jump from the around 10 new versions a day Eset had seen the botnet creating, he adds.

One of Waledac’s latest attacks comes in the form of a puppy love e-card with a Valentine’s-related link, as well as other warm and fuzzy-looking email. Subject lines include the usual “a Valentine card from a friend” and “you have received a Valentine E-card,” but once you click the URL to retrieve the message, Waledac’s malware is downloaded onto your machine. Another attack uses a phony pop-up that appears to be from Microsoft stating the machine is infected with spyware. That leads to a fake antispyware site that not only infects the machine, but also tries to sell the victim its scareware, according to Patrick Murray, director of product management for Marshal8e6.

“The authors have started adding supposed magazine endorsements and other elements that one would see on a reputable anti-malware site. The graphics within the pop-ups themselves seem to be professionally designed at this point, so it is very critical for users to treat email from unknown persons with extreme caution,” says Ryan Sherstobitoff, a vice president with Panda Labs.

Meanwhile, constantly changing the look and feel of its malware is consistent with the new and improved Storm’s M.O.: to avoid attracting too much attention like it used to do. Researchers last month confirmed that Waledac was basically Storm reincarnated, but with all-new malware and a more sustainable architecture that’s less likely to get infiltrated and shut down. The notorious botnet Storm went MIA last fall, and researchers started to write it off. But the operators of Storm made a comeback this year with new binary bot code and stronger encryption, plus it replaced its peer-to-peer communications among its machines with HTTP, which helps camouflage its activity among other Web traffic. HTTP also makes it tough to distinguish a bot from a command and control server.

Joe Stewart, director of malware research for SecureWorks, says Storm and Waledac are completely different, however, when it comes to code and files. “It’s definitely not the same programmers,” he says. But the botnet’s overall behavior and strategy is generally the same, he says.

Other researchers agree that the botnet’s operators are taking a lower-key approach so far, while employing some of the same tactics they did with Storm — using traditional social engineering lures of phony events and holiday email, as well as trying to mask the malware by changing it regularly.

Despite the Valentine’s rush, however, Waledac’s spam volume hasn’t increased greatly, Stewart says. “It’s curious why not,” he says. One theory is the botnet operators are mainly focused for now on building out their infrastructure, which, according to different bot-hunters, is anywhere from 10,000 to 35,000 bots — nowhere near its heyday of multiple hundreds of thousands of zombies.

So what is Waledac after? “Once it gets on a PC, it starts searching the hard drive for email addresses and default passwords. And it sends that information back to the C&C server using HTTP,” Eset’s Bureau says.

“Our gut is it’s mostly a spam operation similar to what Storm was doing,” he says. “And it can use as much as it can from the infected computers, stealing usernames and passwords.”

Waledac isn’t the only botnet running Valentine’s Day spam scams. So far, it’s not pumping out anywhere near the volume of Valentine’s spam as the Cutwail botnet, for example, which is sending 6.5 percent of all Valentine-related spam now, according to Symantec’s MessageLabs, which reports that Valentine’s spam accounts for nearly 10 percent of all spam as of this week.

Eset’s Bureau says Waledac so far has registered 115 domain names this month, most of which are Valentine’s Day-related.

So Monday should be fun huh? I foresee some infections in those late Valentines cards….

Written by Krypt3ia

2009/02/14 at 02:49

Posted in Hacking, Infosec, Malware
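The article gives a defender two concrete handles on the Valentine’s campaign: the quoted lure subject lines, and the fact that the botnet registered 115 domains in a single month, so links to very young domains are suspicious. The script below is an added example, not code from DarkReading, Eset or this blog: it parses constructed mail-gateway log lines, matches the two subjects the article quotes, and flags messages whose link points at a recently registered domain. The log lines, domain names and registration dates are all constructed for illustration; a real deployment would replace the `REGISTRATION` table with a registration-date feed.

```python
"""Mail-gateway triage for the Valentine's lure described above (added example).

Constructed data: the log lines, domain names and registration dates below are
invented for illustration and are not indicators from the article.
"""
import re
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlparse

# The two subject lines quoted in the article, lowercased for matching.
LURE_SUBJECTS = [
    "a valentine card from a friend",
    "you have received a valentine e-card",
]

# Constructed WHOIS-style table: domain -> registration date.
REGISTRATION: Dict[str, date] = {
    "lovecards-example.test": date(2009, 2, 9),   # registered days ago
    "greetings-example.test": date(2007, 5, 1),   # long-established
}

# Constructed gateway log: timestamp, sender, recipient, subject, first URL ("-" if none).
LOG_LINES = """\
2009-02-13T08:01:12 from=<amy@example.org> to=<bob@corp.test> subject="you have received a Valentine E-card" url=http://lovecards-example.test/card.php?id=77
2009-02-13T08:03:40 from=<hr@corp.test> to=<bob@corp.test> subject="Valentine's bake sale Friday" url=-
2009-02-13T08:05:09 from=<carl@example.net> to=<dee@corp.test> subject="A Valentine card from a friend" url=http://greetings-example.test/view
2009-02-13T08:07:55 from=<mike@example.com> to=<dee@corp.test> subject="Re: budget" url=http://intranet.corp.test/doc
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> '
    r'subject="(?P<subject>[^"]*)" url=(?P<url>\S+)$'
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields; reject anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def is_lure_subject(subject: str) -> bool:
    """Case-insensitive substring match against the quoted lure subjects."""
    s = subject.lower()
    return any(lure in s for lure in LURE_SUBJECTS)


def domain_age_days(url: str, today: date) -> Optional[int]:
    """Days since the link's domain was registered; None if no URL or unknown domain."""
    if url == "-":
        return None
    host = urlparse(url).hostname
    registered = REGISTRATION.get(host or "")
    return (today - registered).days if registered else None


def triage(lines: List[str], today: date, max_age_days: int = 30) -> List[dict]:
    """Return every message with at least one reason to look closer, most reasons first.

    Reasons: a known lure subject, or a link to a domain registered within
    max_age_days. Messages with no reason are dropped."""
    hits = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons = []
        if is_lure_subject(rec["subject"]):
            reasons.append("known lure subject")
        age = domain_age_days(rec["url"], today)
        if age is not None and age <= max_age_days:
            reasons.append(f"domain registered {age} days ago")
        if reasons:
            hits.append({"to": rec["to"], "url": rec["url"], "reasons": reasons})
    return sorted(hits, key=lambda h: -len(h["reasons"]))


if __name__ == "__main__":
    for hit in triage(LOG_LINES.splitlines(), date(2009, 2, 13)):
        print(hit["to"], hit["url"], "; ".join(hit["reasons"]))
```

On the constructed log the first message scores on both signals, the third on the subject alone, and the two internal messages are not reported. Subject matching on its own is brittle against a botnet that rewrites its lures daily, which is why the domain-age signal is the more durable of the two.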