Falsehoods [people] believe about [topic]

Wednesday, June 20th, 2012 | Jim Cheetham | 1 Comment

I’ve just picked up a nice new entry on the “Falsehoods [people] believe about [topic]” meme … this one is “Falsehoods programmers believe about networks” and comes from Errata Security, a very good resource.

Here’s the top 5 :-

  1. Data on the network cannot be altered.
  2. Encrypted data on the network cannot be altered.
  3. Data cannot be accidentally corrupted, because TCP has checksums and Ethernet has CRCs.
  4. If it’s inside my perimeter firewall, that means I have total control over it.
  5. If it doesn’t return an error, then send() sent all the data that was asked of it.

A small list at the end is “Falsehoods network administrators believe about networks” …

  1. There is no IPv6 on my network
  2. NAT automatically blocks all inbound attacks
  3. We know all the devices attached to our network at any given time

This joins the two well-known “Falsehoods programmers believe about …” lists, Time and Names; their top entries are …

Time:

  1. There are always 24 hours in a day.
  2. Months have either 30 or 31 days.
  3. Years have 365 days.
  4. February is always 28 days long.
  5. Any 24-hour period will always begin and end in the same day (or week, or month).

Names:

  1. People have exactly one canonical full name.
  2. People have exactly one full name which they go by.
  3. People’s names fit within a certain defined amount of space.
  4. People’s names do not change.
  5. People’s names change, but only at a certain enumerated set of events.
  6. People’s names are written in ASCII.
  7. People’s names are written in any single character set.
  8. People’s names are all mapped in Unicode code points.
  9. People’s names are case sensitive.
  10. People’s names are case insensitive.


Passwords, policies, and cracking

Tuesday, May 22nd, 2012 | Jim Cheetham | Comments Off on Passwords, policies, and cracking

Here’s an overview of a new OWASP project called Passfault, that tries to help assess password strength in ‘real world’ terms :-

One of the developer’s assertions is that password-creation policies are not helping users to create secure passwords.

His examples provided on the Analyser website suggest that the problem he is attacking is what I would call “the fallacy of the pass*word*”.

Weak Passwords that pass typical policies:

  • qwerQWER1234!@#$
  • !1cracked
  • cracked7&

Strong Passwords that fail typical policies:

  • udnkzdjeyhdowjpo
  • seattleautojesterarbol

I ran my diceware script (grabs random numbers from random.org and looks up on the diceware wordlist) and tested the pass*phrase* “52nd temper musk” (this was the first output from the script).

The passfault analyser said “Time To Crack: 17 centuries; Total Passwords in Pattern: 50 Quadrillion”. I’m not sure that his approach is completely useful …

However, the overall idea is interesting. Instead of saying how passwords should be formed, he is suggesting that they should be assessed in terms of how long they would take to crack. I have a few issues with that … First comes a glance at the Verizon Data Breach Investigations Report 2012, which tells us that “Brute force & dictionary attacks” are a declining technique (although still, at 29%, a useful one). Their fuller results table for the Hacking mechanism shows :-

  • 55% — Exploitation of default or guessable credentials
  • 40% — Use of stolen login credentials
  • 29% — Brute force & dictionary attacks
  • 25% — Exploitation of backdoor or command & control channel
  • 6%  — Exploitation of insufficient authentication (e.g. no login needed)
  • 3%  — SQL injection
  • 1%  — Remote file inclusion
  • <1% — Abuse of functionality
  • 4%  — unknown

So having a “stronger” credential takes us out of the first 55% category — but so did even a weak password policy. The 29% category is still where password cracking proper is found.

There are of course two main approaches to password cracking — online and offline. The Verizon stats don’t differentiate between the two, but I’m sure that online (where you just try credentials against the live service) is more common, because it is the easiest. In order to exfiltrate a stored password database, you have to have penetrated the organisation already, to some extent, and at that stage the password db is just an additional weapon.

Online password cracking should be dealt with by having account lockout and retry delay systems: an attacker should have no way to test more than a small handful of potential passwords before the source of the attempts is blacklisted from the network and the target accounts are locked. (At this point you have to stop and consider your account lockout procedures: if your response is to send a “reactivate” link over external email, how do you verify it isn’t an attacker who is reading the target’s mailbox?)

So instead of instituting a password policy, even one that guides you to make selection by strength directly instead of indirectly, you’d be better off making sure that attackers can’t continue knocking at the doors all day long without being detected & blocked.
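The lockout-plus-retry-delay defence described above, sketched as an added Python example (not the post's own code, nor Passfault's): the thresholds, the doubling delay schedule, the `src=… user=… result=…` log format and the sample log are all assumptions made for illustration.

```python
# Added example (not the post's own code): lockout, per-source block and a doubling
# retry delay over constructed auth log lines; thresholds and log format are assumed.
import re
from collections import defaultdict
MAX_ACCOUNT_FAILS = 5   # assumed: lock the account after this many failures
MAX_SOURCE_FAILS = 8    # assumed: block the source after this many, on any account
BASE_DELAY = 1.0        # assumed: seconds, doubled after each failure on the account
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")

class LoginGuard:
    def __init__(self):
        self.account_fails, self.source_fails = defaultdict(int), defaultdict(int)
        self.locked, self.blocked = set(), set()

    def admit(self, user, src):
        # May the password check run at all, and after how many seconds' wait?
        if src in self.blocked or user in self.locked:
            return False, 0.0
        n = self.account_fails[user]
        return True, (BASE_DELAY * 2 ** (n - 1) if n else 0.0)

    def record(self, user, src, ok):
        # Update counters from the outcome the password check produced.
        if ok:
            self.account_fails[user] = 0
            return
        self.account_fails[user] += 1
        self.source_fails[src] += 1
        if self.account_fails[user] >= MAX_ACCOUNT_FAILS:
            self.locked.add(user)
        if self.source_fails[src] >= MAX_SOURCE_FAILS:
            self.blocked.add(src)

def replay(log_lines):
    # Attempts that reached the password check vs. refused outright, plus what got shut out.
    guard, checked, refused = LoginGuard(), 0, 0
    for m in filter(None, map(LINE_RE.search, log_lines)):
        src, user, result = m.groups()
        allowed, delay = guard.admit(user, src)  # a real server would sleep `delay`
        if not allowed:
            refused += 1
            continue
        checked += 1
        guard.record(user, src, result == "OK")
    return {"checked": checked, "refused": refused,
            "locked": sorted(guard.locked), "blocked": sorted(guard.blocked)}
# Constructed sample: one source sprays alice 7x then bob 4x; alice's owner then logs in elsewhere.
SAMPLE_LOG = (["src=203.0.113.7 user=alice result=FAIL"] * 7
              + ["src=203.0.113.7 user=bob result=FAIL"] * 4
              + ["src=198.51.100.2 user=alice result=OK"])
```

Of the twelve attempts only eight ever reach a password comparison, and the locked account illustrates the reactivation problem the post raises: alice's legitimate login is refused too.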


How MITMproxy has been slaying SSL Dragons

Monday, April 16th, 2012 | Jim Cheetham | Comments Off on How MITMproxy has been slaying SSL Dragons

I’ve just returned from the excellent OWASP regional conference in Sydney (the one with the long name of OWASP AppSec AsiaPac 2012), where I presented “How MITMproxy has been slaying SSL Dragons”.

The presentation covered the basics of what MITMproxy is (a developers/pen-testers HTTPS interception/modification proxy), why such software is useful, and what MITMproxy itself is especially good at.

The section on how to use MITMproxy ran about 90% successfully over the live Internet, which is always a risk for a demo at a conference!

The slides are available here, as the original LibreOffice ODP format, or as a PDF. They are Copyright © The University of Otago, released under the CC By-SA 3.0 NZ license.

Sealand, the Data Haven

Thursday, March 29th, 2012 | Jim Cheetham | Comments Off on Sealand, the Data Haven

There’s a nice and very detailed article over on Ars Technica covering the history of the micronation Sealand operating as a Data Haven …

Written by James Grimmelmann, Associate Professor at New York Law School, http://arstechnica.com/tech-policy/news/2012/03/sealand-and-havenco.ars covers the history, motivation and inevitable failure of the HavenCo business, as well as a good part of the history of Sealand itself. There is a significantly longer and much more detailed paper (80 pages) published by Mr Grimmelmann in the University of Illinois Law Review journal for those who enjoy more in-depth discussions.

And no, WikiLeaks is not going to be able to move servers to Sealand in order to avoid prosecutions, sorry.

Keeping PC software updated

Friday, March 23rd, 2012 | Jim Cheetham | Comments Off on Keeping PC software updated

One of the most important protections against malware is to have up-to-date versions of software in use. The base OS and some applications are very good at checking and updating themselves, but there are lots of applications that leave it up to you to check; and who has time for that?

The security services company Secunia has recently updated their Personal Software Inspector application, and you can find the v3 beta version available free of charge at https://secunia.com/psi_30_beta_launch/

This app scans your Windows PC, looking for outdated software; it then downloads and installs the updates for you. I have a Windows virtual machine here that I occasionally use, and it has very little installed on it at all; PSI still found updates for Firefox, Opera and most importantly Adobe Flash!

If you are responsible for maintaining the state of your own Windows PC, I’d recommend adding Secunia PSI to your toolbox.

LCA2012 — MITMproxy presentation

Thursday, January 26th, 2012 | Jim Cheetham | Comments Off on LCA2012 — MITMproxy presentation

At the LCA2012 conference earlier this year I presented “MITMproxy — use and abuse of a hackable SSL-capable man-in-the-middle proxy”.

The video of the talk is now available in a number of places :-

MITMproxy is a Python-based console tool to help you inspect & alter the HTTP conversation between a client and a server, regardless of whether it is over HTTPS or not. “It is not an attack tool”, but instead is a powerful tool for debugging applications at either end of the conversation.

Giving a talk at an LCA conference is excellent fun, and very rewarding. I have 6 months to come up with my next submissions!

New PuTTY — security vulnerability

Tuesday, December 13th, 2011 | Jim Cheetham | Comments Off on New PuTTY — security vulnerability

There is a new version of the excellent & venerable PuTTY tool, due to a security vulnerability that might expose your session passwords in memory.

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html contains the details of the problem, and http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html will help you find the files you need to address the problem.

Netograph

Thursday, December 8th, 2011 | Jim Cheetham | Comments Off on Netograph

Dunedin-based security researcher Aldo Cortesi has just launched netograph.com, a project that analyses the data websites store on your machine when you visit them.

It reports on the off-site resources that make up a page, things like remote images and third-party JavaScript. It also identifies persistent storage in the form of browser cookies, HTML5 cookies and Flash object storage.

Sample Netograph website report

Plugins are available for Chrome and Firefox that allow you to preview the Netograph report for a site before visiting it. Currently the project is scanning all links mentioned in submissions to Reddit, Hacker News, Delicious, Pinboard, and Digg.

Privacy Monitor

Wednesday, December 7th, 2011 | Jim Cheetham | Comments Off on Privacy Monitor

The Information Security Office is dreaming of a White Christmas this year.

Especially now that we have a Privacy Monitor …

Following on from the post on Instructables.com that showed how to hack an old LCD monitor by removing the polarised film and re-inserting it into a pair of glasses (http://www.instructables.com/id/Privacy-monitor-made-from-an-old-LCD-Monitor/) we did pretty much the same thing to create our Christmas Decorations this year :-

Direct Link: https://blogs.otago.ac.nz/infosec/files/2011/12/ISOwhitescreen.flv


NoScript available for Android Firefox

Wednesday, October 19th, 2011 | Jim Cheetham | Comments Off on NoScript available for Android Firefox

The excellent & highly recommended NoScript addon for Firefox has been released on the Android platform (and Maemo, but I’m probably the only person here who has one of those). This addon blocks JavaScript, Java and Flash activity on webpages, giving you a simple way to selectively re-enable trusted providers and restore the full page functionality temporarily if you need it.

https://www.infoworld.com/d/mobile-technology/noscript-security-tool-released-android-maemo-176280 provides a nice writeup; NSA is the distribution point for the add-on itself.