By danx on Nov 14, 2005
In the great tradition of many Sun bloggers, here's my South Park Portrait:
Trusty assistant servicing prototype antenna
So, with dog leash and poop bag in one hand, and laptop running Kismet in the other, I gave it a try (hardware details below). However, as soon as I got outside, Kismet immediately found about 10. By the time I got done walking (10-15 minutes), Kismet found 60-some APs. 40 are displayed on the screen--that's all that would fit.
Security usage The main reason I did this is I was curious how many APs are in my neighborhood and how many are secured. Of the 40 or so APs, 10 (25%) were wide open, 24 (60%) were secured with WEP (which can be broken in a few minutes with downloadable software), and only 6 (15%) were secured with WPA (see column "W": "N" open, "Y" is WEP, and "O" os WPA).
Channel usage Looking at channel usage (column "Ch"), channel 6 was the most popular, the typical default, with channel 11 coming second. Channel 1 is the least popular, so that is usually the best to use. Note that if you or someone else has a 2.4GHz wireless phone, it's most likely to interfere with the upper channel,11, rather than 6 or 1. Other channels are used, such as 4, 6, 7, but those overlap with two out of channels 1, 6, and 11. Only channels 1, 6, and 11 should be used as the other's overlap (for example, channel 5 overlaps with channel 1 and 6).
Hardware Details For my wardogwalking, I used my IBM T40 Thinkpad. It has an IBM 11abg II wireless adapter and runs SuSE Linux 9.3 with Kismet (it also runs Win XP and Solaris 10). I used the built-in laptop antenna (instead of a "high-gain" antenna, which would have had better reception). I don't have a GPS, which real wardrivers use to plot where the APs are located.
Kismet output after dog walk
Toorcon 7 is the annual Computer Security Conference held in San Diego. I think of it as a smaller-scale version of Black Hat or Defcon in Vegas (more toned-down than Defcon and less-commercial than Black Hat). I like it because it's local and cheap (as I'm paying for it). Previously, I have notes for Toorcon 6 (2004) and Toorcon 5 (2003)
This year's conference moved from the Hyatt to the Convention Center, with views of San Diego Bay and Coronado Island.
The thoughts below are not my own and I don't necessarily endorse them. Also, my summaries of other people's thoughts may be inaccurate, so don't take anything for gospel here :-). Trademarks are the property of the respective owners.
Also, I didn't cover everything. There were two tracks and not everything was worth repeating.
Or: An Internet Legend is sick, and I get to rant instead
Current operational security focus: firewalls, IDS, & Antivirus
Potter's Pyramid of IT Security Needs, from top to bottom:
Next step: Network Security
OS Selection important: MS Windows vs. Linux.
Microsoft Windows A complete system and then some: flexible, productive, works. Tightly integrated applications: MS creates kernel and apps.
Linux - "Bazaar": community-created with loose coordination.
Future (two wild conjectures)
By Simple Nomad, Nomad Mobile Research Centre, www.nmrc.org and BindView.
The other keynote. Here's the major ways hackers are caught. Overall principle: "Laziness" == Jail time".
(Note: Sun has a tool for hardening and auditing Solaris systems (and that I work on) called Solaris Security Toolkit )
Bastille Linux is for Hardening and Assessing Linux. Hardening enabled HP-UX, Mac OS X, Linux (RedHat flavors, Mandrake, Debian, SuSE, and Gentoo), and soon Solaris. Assessment enabled for Redhat, Mandrake, and SuSE Linux, but not others.
Why harden? Hardening is setting system config settings to make it more resilient to attack. Hardening is not sexy (like firewalls). More people now know their system is a useful target for attack. Useful by the attacker for the next hop to the target, for distributing warez, botnet, phishing, fake websites, etc.
Patching not fast enough—still have windows of vulnerability. Average patching speed: Redhat increased from 7 to 30 days. Windows 30 days. Sun decreased from 90 to 30 days.
Proactive security decreases odds of attack, establishing policies in advance.
Hardening is "configuring a system for better security." Deactivating unnecessary programs, using file permissions and ACLs, and tweaking OS parameters to limit access to what's needed, Using Least Privilege: giving just what they need and a little bit more. Using Minimalism: turning stuff off you're not using. Hardening is easy with available tools. About 95% of Linux exploits mitigated with hardening (e.g., man or nmh exploits not stopped).
Kernel-level technologies (Trusted OSs, such as SELinux) are complementary to hardening and good to use.
By Foofus, Foofus Networking Services
This concerns a problem with vulnerability enumeration tools tend too give massive output that needs to be analyzed. This talk is about a framework to visualize the network data. This is by looking at trust relationships between hosts. Uses matrices and matrix inversion to compute trust networks. An example implementation is looking at password-based trusts between MS Windows hosts (OWNR). Graphically shows the likelihood if one host can be attacked from another. Can visually see (beneficial) effect of removing various accounts on graphs (usually admin accounts). Tools incomplete, not user-friendly. Written in J Software. Using AfterGlow to visualize graphs. Visual graphs very persuasive to non-technical people (PHBs).
Joe Grand of Grand Idea Studio. Talked about historical attacks, how to analyze new devices, and RFID technologies. Threat vectors are interception (eavesdropping), interruption (fault generation), modification, and fabrication/man-in-the-middle (counterfeit/spoofing).
Why attack? Rip off competitors (IP), steal services, forge ID to gain system access, and privilege escalation (feature unlocking) Can find out how to attack systems with trial and error and vendor docs.
Example attacks: Rainbow iKey 1000 (EEPROM dongle with weak key algorithm, xor with md5("rainbow")). Master admin password key is "rainbow". Epoxy not secure—can just scratch off.
Another authentication token: Dallas Semiconductor iButton. Java-based. DS1991 iButton has 3 48-byte keys. Used a lot in Europe for cashless transactions. Supposedly on password errors, return "random" data, but data was predictable (equals input + constant), not "random." Can use dictionary attack against it.
Biometrics: considered more secure than passwords, but physical characteristics hard to keep secret. Can lift fingerprint, face, or voice. Stealing finger or fingerprint gives new meaning to "hacking" and "digital theft!" Gelatin finger works 80%, can eat afterward.
Intel NetStructure 110 (crypto accelerator). Uses serial port management console that can be attacked. Opened box and used strings to find OS on EEPROM (BSD). Still had debug symbols. Found password based on mac address. Uses weak crypto (xor of constants).
MAC address cloning is easy. Usually stored in EEPROM. Sun SPARC: set in NVRAM with prom-monitor. Also NS, Ansel, Microdyne, Linksys, Genius, Winbond, and almost every NIC.
RFID uses radio waves (RF) to ID. Becoming popular just now. RFID chips has a unique serial # (tag). Active &mmp; passive (power or not). Four frequencies, most LF or HF (low, not UHF, uW). Tags are read-only, read/write, or crypto. Most tags have no security—just need to know frequency, so can easily "snoop". Tags come in capsules or thin and flat (for retail). Gillette® has 35% loss from plant to retail. Easy attacks: label switch, cover, or destroy. Reader attacks: read cell phones going by on a bridge. TI uses a weak 40-bit homemade key cipher (reversed engineered from a Powerpoint slide). Proximity Card Simulation by Jonathan Westhues. Other tools available. Can read/write with rf-dump (Java-based).
By Roger Dingleline, EFF, http://tor.eff.org/
Bad people doing great (viruses, botnets, phishing, spam). Criminals have anonymity (have motivation to get it), but normal people and government don't. Lots of legit needs of Anonymous communication (privacy, commerce). Used by EU PRIME project. Used by Navy group in Gulf. Could be useful for, say, DoD Net: hard to get on, but once there—you're home free.
_ / \\ /|oo \\ (_| /_) _`@/_ \\ _ | | \\ \\\\ | (\*) | \\ )) |__U__| / \\// _//|| _\\ / (_/(_|(____/ (jm)
Jason Scott (textfiles.com/) produced an 8-episode documentary on DVD about BBS (www.bbsdocumentary.com). The episode he screened was on Fidonet. On first thought it sounds as dry as dust (or neon-green ASCII chars). However, it's not about obsolete technology—it's about people behind it. FidoNet founder Tom Jennings. Scott interviewed people about the creation of Fidonet, to it's height in 1995 (30,000 nodes), and subsequent decline (15,000 nodes 2005). An interesting part was the great amount of conflict and flamewar it generated. Ken Kaplan was in charge of the master "SysOp List" that he had to push out to 30,000 or so nodes. It created tremendous phone bills. To defray this, he accepted donations. However, his accountant said he had to pay taxes on it. To avoid this in the future, he and other Fidonet founders created a non-profit IFNA ("if-naa"). Unfortunately, the paranoid thought this was a move to gain dictatorial control over Fidonet, or at least it had the future potential, along with commercializing Fidonet and possibly enriching a few. Even today people involved still are disgusted with the rabid politics of Fidonet.
In the end, IFNA was disbanded and Kaplan and many others, including Fidonet founders, quit in disgust. Fidonet still exists today in smaller form. Many Fidonet "nodes" can be accessed by telnet, not just a modem. One of Fidonet's growing uses is in third-world countries with low-bandwidth or high-censorship (e.g., Vietnam).
Next day, Sunday noon, Mark Grimes of SAIC talked about SCAIDA networks, which are private Control Systems networks. I missed most of this driving around the ballpark crowd barriers. His main point is the network conventions are private and not available to the security community. This is security by obscurity, and he feels that is a bad approach. This is not necessarily his employer's opinion. SCAIDA is suffering the same weaknesses that Internet used to have (or have more frequently). An example he gave was ARP spoofing. ARP is the main protocol used to ensure security—that the correct devices are connecting to the network. ARP, however, is easily defeated. An audience member gave another example about Nuclear power plants are going wireless. Wires are very expensive because it requires physical recertification of the plant. However, wireless (such as 802.11) is notorious for poor encryption protocols. He suggested a Ziggy war driver can easily break into a plant.
Christopher Abad of Cloudmark and The Math Club http://www.the-mathclub.com/
Showed using Adobe Photoshop to model data, such as password length. This makes it a lot easier to visualize problems. Read binary files as a .raw grayscale graphics files, then modify the file with histogram and color picker tools. Showed using Adobe Photoshop to even decrypt a file (although tedious).
By "bunnie" (Dr. Huang), bunnie studios LLC. Famous for hacking MS Xbox encrypted keys.
Lots of stuff going into one package or one chip now (Moore's Law). Discussed methods of opening packages (acid, brazing)—dangerous. X-ray lab often easiest and safest. Scopes, microprobes. No secrets in silicon—can't encrypt, and can remove shields. Silicon design is hard, so lots of debug and test resources in silicon. Design is modular and layered. Often locking in hardware uses weak encryption. Sometimes there's a bug and encryption or locking is not enabled at all.
This year's panel was Jim Blanco, Computer & Tech Crime High-tech Response Team (CATCH), Robert Morgester, Dept. of Justice, Dan Hubbard, Websense, and Simple Nomad (moderator) and Weasel, both of Nomad Mobile Research Centre (aka Simple Nomad). The panel's goal is to discuss the legal aspects of computer security with law enforcement and legal people.
Discussed disclosures of vulnerabilities. DOJ not interested in exploit writers (although Corporations harmed are very interested). DOJ interesed in those who use it and those who give it to them. DOJs problem is they are overwhelmed by an overwhelming number of cases.
ID theft (DOJ): everyone will be a victim. Problem is neglect by corporations--you have a right to sue them. Class action a possibility.
DOJ guy said sniffing packets over wireless networks (without permission) is wire tapping. He said problem is old laws written for a land-line culture. Also protects you from government wiretaps. Lots of heated discussion.
More discussion about spyware and ID theft. DOJ guy says to call him if you get a well-documented spyware case. He wants an example made of someone. ID theft a big problem because lots of small and big corporations do not encrypt their customer data.
Indian Life at Mirror Lake, 1878.
Watercolor by Constance Frederica Gordon-Cumming (29.5'x19.25').
[Click to enlarge and for more images]
The first art exhibit in Yosemite Valley was held in 1878 by Lady Constance Frederica Gordon-Cumming, a travel writer from a wealthy Scottish family. Lady Gordon-Cumming taught herself how to paint, and had help from prominent artists visiting her home. She traveled the world, mostly the Pacific and Asia, and often alone. Lady Gordon-Cumming was a prolific writer, and painted over a thousand watercolors of landscapes. She visited Yosemite in 1878, after arriving in San Francisco from a trip to Tahiti. She intended to visit for three days, but ended up staying three months. She says “I for one have wandered far enough over the wide world to know a unique glory when I am blessed by the sight of one . . .”
Of her art exhibit, Lady Gordon-Cumming says:
I have myself held rather an amusing Great Exhibition this afternoon. Latterly I have repeatedly been asked to “do portfolio” for the edification of various friends; but the people who took the keenest interest in all the sketches were just those who had not seen them, so I had promised them all to have a grand show before I leave the valley. That sad day, alas! is drawing near; so, having issued a general invitation to every man, woman, and child in the neighbourhood, I borrowed a lot of sheets from my landlady, who allowed me to nail them all round the outside of the wooden house. To these I fastened each sketch with small pins, so that the verandah became a famous picture gallery.
I certainly have got through a good deal of work in the last three months, having twenty-five finished drawings, and as many more very carefully drawn and half coloured. Most of these are large, for water-colour sketches—about thirty by twenty inches—as I find it far more troublesome to express such vast subjects on a smaller scale.
I was amused by the zeal with which one of the guides constituted himself showman, and went round and round the verandah descanting on every drawing. Hitherto he has always been so busy with tourists, that I had not previously discovered this kindred spirit. He did his work thoroughly; for when I returned from my walk, I found him still hard at it! I was much gratified by the enthusiasm of the Yō-semité-ites, as they recognised all their favourite points of view, and vouched for the rigid accuracy of each,—that being the one quality for which I have striven, feeling sorely aggrieved by the unscrupulous manner in which some celebrated artists have sacrificed faithfulness of outline to make grand Nature fit their ideal.
Technorati Tags: yosemite
The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more secure from malicious attack. This software may be installed during a unattended Solaris JumpStart install, or installed after Solaris is installed and booted. Solaris Security Toolkit supports Solaris 8, 9, and 10 on SPARC and x86 systems. Solaris 2.5.1, 2.6, and 7 can be used, but are not supported.
One size does not fit all. The degree of hardening depends on your site requirements. For that reason, pre-canned scripts provide various levels of hardening. The secure.driver closes all ports except for ssh. The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more configurations you established.
I won't go into all the details of use and customization of Solaris Security Toolkit, but I'll give enough details to get you started. I'm only covering interactive use in this example. For unattended JumpStart installs, see the Administration Guide.
# uncompress SUNWjass.pkg.Z # pkgadd -d SUNWjass.pkg
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
[SUMMARY] Results Summary for APPLY run of server-secure.driver [SUMMARY] The run completed with a total of 85 scripts run. [SUMMARY] There were Failures in 0 Scripts [SUMMARY] There were Errors in 0 Scripts [SUMMARY] There were Warnings in 2 Scripts [SUMMARY] There were Notes in 68 Scripts
# /opt/SUNWjass/bin/jass-execute -a server-secure.driver
[SUMMARY] Results Summary for AUDIT run of server-secure.driver [SUMMARY] The run completed with a total of 85 scripts run. [SUMMARY] There was a Failure in 1 Script [SUMMARY] There were Errors in 0 Scripts [SUMMARY] There was a Warning in 1 Script [SUMMARY] There were Notes in 20 Scripts [SUMMARY] Failure Scripts listed in: /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt
[FAIL] Template /root/.profile does not match target on system.
# svcs telnet STATE STIME FMRI online 9:06:31 svc:/network/telnet:default
# cd /opt/SUNWjass/Drivers # cp user.init.SAMPLE user.init # cat >>user.init JASS_SVCS_DISABLE="svc:/network/telnet:default" export JASS_SVCS_DISABLE \^D
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
# /opt/SUNWjass/bin/jass-execute -u
It's a good idea to periodically run jass-execute -a (Audit mode) to verify disabled services are still disabled. If a service becomes enabled (say, because of admin error, a patch, or installing other software), run jass-execute -d (Apply mode) again to lock down the service.
Sometimes you may want to apply the same customized changes you made with Solaris Security Toolkit to multiple systems, or you want to save the changes you made off the system. To do this, you create "customized" package JASScustm with the following command:
This creates this package, which may be installed in lieu of SUNWjass. Customized changes such as user.init are included in the package at /opt/SUNWjass/JASScustm.pkg
Solaris Security Toolkit downloads and documentation is available at http://www.sun.com/software/security/jass/ These documents are available:
Many Glacier has this great hotel the Park Service is renovating. I love those old turn-of-the-century hotels (previous century turn, of course). It has a great dining room with large picture window views. Also a nice diner with pasta and other stuff.
The first day we spent on the Going To The Sun Road. It's a dramatic road cut into the cliffs. Very scenic, but go early as it's prettier and more wildlife is about, and the road gets crowded later on. We saw lots of mountain goats and bighorn sheep. Later in the trip we say black bear and grizzly bear, but that was early in the morning. The rangers say "bear bells" are ineffective for scaring bears--you should just use normal conversation to keep them away. We spent other days hiking to waterfalls around western St. Mary Lake and Two Medicine.
The western part of the park is drier and not as pretty, I think. Apgar has a small country diner with good pancakes. Don't order their so-called "broiled chicken" though--it's just deep-fried chicken with lots of breading. I recommend the diner or hotel restaurant at MacDonald instead. The diner at Rising Sun on St. Mary Lake is not great either--just a burger joint, and real slow. Try St. Mary's outside the park.
We also spent some time across the border in Waterton National Park in Alberta, Canada. For one hike, a morning van shuttle takes you to Cameron Lake and you hike back to town (Waterton) one way. Beautiful alpine countryside. We also hiked to Crypt Lake on the US/Canadian border, taking a boat across Waterton.Lake. The town of Waterton has several restaurants. One to avoid is full of tobacco smoke, but the others are non-smoking. The prices seem higher in Canada, but don't forget the Canadian dollar is only 75-80 cents US.
Once again, I attended San Diego's annual hacker and Security Convention sponsored by a local hacker group. It's cheap ($60), tax-deductible, and convenient for me! (my time, my money).
Disclaimers: These are my notes, so it has typos and isn't highly polished.
I may have misinterpreted other people's words or ideas.
Opinions here are not mine nor my employer.
Here's the best of the sessions I attended:
History. Cryptography invented after the third person in the world could learn to read and write. Traditionally a arcane skill and done by a few clever people. Became common after WW II: Enigma machine worked and put Crypto people out of work. Computer invented specifically to break Enigma machine. Software cryptography came into play in mid-1970's with DES. Became a standard, a technology (not a secret, not a art). Public key cryptography took care of secret key management problem.
Present. Network everywhere. Encryption must be done with non-clever or non-computer people. Adoption and Human Interface Design is current focus.
Problems being ignored:
Digital signatures (DS): problem is in laws, not technology. DS not a signature (signature is an act, not a thing), but more like a seal or voice. Is a DS a commitment? Is it a tamper-evident seal? How do we know? DS pushes liability to signer. Credit card. Email. Agreement. Are users or servers certified? If everyone has a cert, why should they be trusted? Sysadmins more responsible than typical user. Same problem with universal DS as with universal ID cards to fight terrorism. Another example is using DS to fight spam (spammers can get DS also). What does "Non-repudiation (sp)" mean? Need to have accountability when using DS, otherwise not believable.
Blinded signatures. Chom Patent expiry Summer 2005—may be used more once this happens. Certifies something without revealing private information.
Group signatures. Someone in a known group signed, but don't know which one. Gives accountability while preserving privacy.
Reliability—always interwined with security. Security: protect against intelligent attacks. Reliability: protect against unintelligent attacks.
Mediated Locks: Can only put worthless things in a unpickable safe (only a mad person would put valuable stuff there). Must have access to protected keys or data.
Pervasive Encryption: Humans make wrong decisions in the heat of the moment. E.g., security vs. keeping job. Or email vs. IMs or hotmail or dialup modems. Policies need to be setup beforehand to be followed and automated.
End-to-End Security myth. Not possible. What's an "end"? What's important? Close ends lose reliability and usefulness (e.g., spam filter or archiving). Distant ends lose security. "Ends" need to be at appropriate location, depending on these trade-offs.
Digital Rights Management (DRM). Not solvable. Can always be broken. Works against polite or lazy hackers. Doesn't work in real world with cell phone cameras and recorders. Nobody wants it. Works only if everyone honest. Legal liabilities will stop DRM documents in corporations. DRM useful for niche markets though (e.g., government or financial).
The Accountable Net. Can provide privacy and security wht the right questions. Issue is accountability and reputation, not identity (e.g., do you pay your bills?) Authority-based authentication useful (e.g., ,are you a spammer).
Identity Management. Trendy words for single sign-on. Everyone wants it, but trades off security for management. Federated Identity—not useful for end users. Breaks privacy from tying together records.
Hash Functions Breaking. PGP 2 (not sacred because of Zimmerman; don't use—use PGP 5). SHA-1 still safe; can move to SHA-256 if needed. More advances coming. Secure hash functions easy, but fast hash functions are hard. E.g., MD5 half the speed of MD4. Details at www.pgp.com/resources/ctocorner/hashes.html
Advances with little impact. Fast ciphers (don't care which one is being used), public key systems, encryption_authentication. Quantum "Cryptography" interesting physics, but not cryptography. Pet peeve of his.
Sci-fi-like Technology. Unlikely but possible. Quantum computing. DNA computing. Faster-than-light (FTL) information transfer. Unexpected advances in math (factoring, discrete log, AES algebraic equation solution).
Summary. Cryptography pervasive, invisible, interoperable, invisible core technology, and more use in future.
Goal here is not to review USA PATRIOT Act—too complicated. But to review impact to you. There's a patchwork of several laws about privacy. Will talk about some of them 4th Amendment, Stored Communications Act, Electronic Communications Privacy Act, Wiretap Act, Computer Frad and Abuse Act of 1986, and USA PATRIOT Act.
Privacy: right to be left alone (autonomy) and right to control your information. Privacy enables other rights, such as speech, association, or voting.
US 4th Amendment is her favorite (even over 1st—speech). Protects against unreasonable search and seizure. Gives a reasonable expectation of privacy (e.g., in your house). Sometimes have gray areas. If there's a reasonable expectation of privacy, you need probable cause to get a warrant from a judge. With warrant, you must knock and announce. If these not followed, evidence is excluded. PATRIOT Act allows secret search ("sneak and peek").
Computer Frad and Abuse Act. Disallows damage or unauthorized access. E.g., court says this includes spam, DNS search robots, Internet auction or Travel agent spiders, and port scanning. This is if it especially true if it downs or DOSs the computer (must "cause harm"). Otherwise rulings not consistent. Law is vague and overly broad.
Interception of communications. Information more private than just fact there's some communication ("chatter"). Need warrant for information. Rules differ for intelligence agency, law enforcement, ISp, and employer. Wiretapping can't be done (excepts require a wiretap warrant). PATRIOT Act made wiretapping easier: giving support to terrorists. Nationwide/roving wiretaps now legal. Monitoring computer "trespasser" now ok (if no business relationship). ISPs may monitor.
At this time my laptop ran out of power. The two important remaining points. Most of the PATRIOT Act provisions "sunset" (expire) Summer 2005. A nation has the right to defend itself. However, it's important to make sure that, when it's renewed next year they not be so broad as they are now.
Honeypot - a decoy, no production value. Purpose is gathering information. Separating production from malicious(sp) project.
Honeynet - system of Honeypots. Architecture, not a product.
Data Control - no restrictions incoming to Honeypot. Scrubbed/limited outgoing connections (keep honeypot compromises from spreading to Internet). Uses Snort.
Data Capture - Network-based uses tcpdump or Snort. host-based uses Sebek (module that captures all sys_read kernel calls). Attacker can't sniff for monitoring traffic with Sebek (not network based).
Issues - Takes a lot of resources to properly maintain (ton of data). Anti-honeynet technologies available (such as anti-Sebek). Honeynets can attack other Honeynets. Privacy a possible issue.
Honeywall - "control center" of a honeynet. Goals are data capture and control, then altering attacks. Tools used: IPTables, snort, swatch, gr-security, tcpdump, and (soon) ntop. Available on the "Honeywall CD" (a bootable CDROM with a UI).
Future - distributed analysis among different physical locations with a central database.
Profile - used to assess and predict someone's behavior: behavior and appearance. Most things too complex to profile automatically.
Behavioral analysis - used to create a profile, then can preduct future behavior based on a "fingerprint" of known profiles.
Stochastic process - non-deterministic (random or complex) behavior. E. g., traffic, gambling. Can be modeled with statistical models. Static stochastic processes - games of chance or quantum dynamics. Can't predict--can only use statistics.
Dynamic stochastic processes - don't understand underlying model.
Context-sensitive state and changing probabilities.
E.g., "i before e except after c" only true 80% of the time.
Less return with more refinements to rule.
Still 170 words after this grep:
grep -v '\\([rc]ei\\)\\|\\(ei[sdlnkrtzg]\\)'
Primes are deterministic, but sufficiently complex to defy prediction and appears to be stochastic.
Can use frequency distributions to distinguish random data from meaningful data (e.g., DNA sequences, English text, or (poorly encrypted) XOR-ed text is meaningful, PRNG or DES encrypted data appears random).
Markov Process - predicts stochastic processes.
Can use Sequitur (Nevill-Manning Algorithm) to analyze non-context-free (CFG) grammars with a n-gram model to reveal common structures (useful for compression).
E.g., several repetitive patterns in "In the beginning God created the heaven and the earth."
Can use this to identify authors from anonymous text (or author gender or text language or dog bread DNA)
PRNG: Linux good, \*BSD good for 2 high bytes, 2 low bytes not good (predictable). Found by pumping random stream in Gzip and looking at byte distribution. Anyone can do this.
Pkzip was used to classify European language similarities (by how well they compress). Sequitur (dictionary builder) can also be used instead of pkzip, by comparing number of rules generated by Sequitur.
Can use this to identify hackers who break into a system:
sort ~/.bash_history|uniq -c |sort -nr > frequency.dat
Compare output using Stereotype.
"Most Likely Path First" (similar to OSPF routing) tree built of adjacent word comparisons. Can use to identify spam, for example. Can also use to prioritize hosts that are probably vulnerable (looking at activity or open ports).
PGP released over 10 years ago. Other security software developed: SSL/TLS, S/MIME, PEM, MOSS, disk encryption, ecash (wiped out with patents and Paypal), Anonymizer, Mixmaster.
Problem is consumers don't demand privacy (want it, but won't take steps tp protect themselves—it's inconvenient).
"Privacy policies are the opiate of the Internet." A feel-good measure. Some companies violate own policies (e.g., Jet Blue giving out travel info.). Criminals certainly don't obey privacy policies.
Most crypto software "cool projects" but not usable. Political problems also. Often designed by committee and is often bloated with options and details. People often in the know explain encryption software by how it's implemented not by what it does (e.g., "PGP is a public key . . ." not "encrypts and signs files") PGP's "web of trust" is shallow. Too easy to misuse.
SSL is worse than PGP. Has top-down trust model, but easy to get a certificate. Excessive SSL warnings give click-fatigue. Users click through certificate warnings. Verisign says need a trusted third party to use SSL/TLS.
Crypto is a success where it's mandated (e.g., military, banking).
True user-empowering encryption should have: Friendly UI, simplified concepts, 1-click. User goal is not encryption, but to keep email from being observed. No reading, no extra skill required.
Antispam tools work because spammers don't write their own tools—they buy spamware (currently most popular are Dark Mailer and Send Safe). Spammers target AOL, since they are relatively clueless (and buy the junk advertised in spam). Spammers like HTML as you can hide text and malicious script in it.
Early days, spammers identified themselves with X-Mailer headers. Now spam is disguised as being from MS Outlook Express. However, can parse Message-ID to tell spam from real MS OE email.
Hashing Systems. E.g., Razor (open source) Pyzor, DCC, or AOL internal filters. If same message body sent to say 500 people, its spam. Also user-reported spam (but sometimes users report non-spam as spam).
Hashbusting. Spammers adding random gibberish to email body. But, "random" not really random—patterns observable in gibberish. Length of "random" string character range, or location were static. E.g., time(NULL)/4444 used as random email address: email@example.com.
Spammers top priority is avoiding abuse reports to their ISPs (expensive for them). They "list wash" reporters off their list so the ISP doesn't get reports. They encode recipients email address with rot13 in body. Spammers like ROT13, even though it's a trivial "spy decoder ring" algorithm.
Spam software then added templates to specify where randomness and parameters are placed. But it also makes it easy for anti-spam ware. Spamware also hides behind proxies (legit bulk mail and mailing lists do not).
Bayes-Busters. Bayesian filtering popular recently.
Random word sequences used to defeat filter.
However word sequences are the wrong length. Easy to detect.
Look for a high number of HTML tags that don't exist:
li<modem>ke recei<benzedrine>ved th<false>is ema<downey>il Easy to detect gibberish and chaff with long word detection, bad tag detection, or a lot of invalid html. Look for 18th century words (much gibberish is text taken from Project Guttenberg etext).
Many strange email headers in spam, rarely or never seen in normal email. Spam software also has special MIME boundary patterns.
CAN SPAM: Pretty crappy, of course—spammer friendly. One loophole. Only "ISPs" can now bring action. If you host a few other people's email, for example, you can qualify as a ISP and sue spammers.
Complaint system: SpamCop and AOL are good (AOL only for AOL customers). Hard to do by hand (examing headers time-consuming and non-trivial).
Future: download and reverse-engineer spamware (DMCA an issue). Can learn a lot from just spamware docs. Currently SpamAssassin is overloaded writing rules. Spam Assassin has always tried for high-accuracy at the expense of high system load. In future, will have a plug-in system to choose the set of filters to use.
Security systems require knowledge of their environment to operate effectively. I.e., net topology, host, user, local policies. Can't be hard-coded.
Even large companies rarely have their network topology sketched out well. Efforts to write tools (active discovery or passive discovery). But these tools suck.
Active Network Discovery System (ANDS). Usually take an old map and update it. This sucks. Slow, labor intensive, human error, not detailed, snapshot only, obtrusive (triggers security sensors), misses hardened assets and dark nodes, doesn't work through proxies and firewalls.
Passive Network Discovery System (PNDS). PNDS listens to a network to gather info on host OS, general topology, apps and patch levels, peers.
PNDS vs. ADNS: Not static. Deeper information (than just probing). Dark spots: active hosts visible even if scanning hardened (but may still miss a quiet host).
PNDS problems: A large number of sensors, scalability problems for large networks, lots of app knowledge required (so high dev costs). Security.
PNDS Security issues. Can poison PNDS with lots of noise: just plug a laptop in. Can use tcpreplay 2.x to do this. Can flood out old (correct) results. DOS not a problem. Easy to detect.
PNDS Countermeasures. Should be suspicious of changes (non-trivial; easier when DHCP networks segmented). Need to be robust
Summary: Use both ANDS and PNDS for best results. Hard to compromise from outside network. Need inside knowledge. Don't build your own NDS—tricky.
Do you dislike spam? Then vote against Spam King Bill Jones for the U.S. Senate.
Your choice :-)
Technorati Tag: spam
My work at Sun is not on Solaris x86, but software for the high-end UltraSparc systems, Starcat (Sun Fire 15K and friends). Currently, I'm working on Fault Management Software for Starcat.
Technorati Tag: solaris
San Diego, CA, http://www.toorcon.org/
Dan Anderson, September 2003
These notes are on a conference I attended last weekend (on my dime, or actually 500 dimes and tax-deductible). This is an annual conference for people interested in computer security. This includes the whole range of hackers, computer hobbyists, professionals, security consultants, press, law enforcement, prosecutors, FBI, etc. I'm told by someone who also goes to Defcon in Las Vegas that it's like Defcon but without the rowdyness. Toorcon had an open bar party until 3 am, which is way past my bedtime. I've only summarized what I felt were the best of the talks I've attended.
The "con" was held at the Hyatt downtown. Nice place on the bay and the largest coastal hotel in Southern California. Next to us, a local Iranian group was having a banquet. Since I can't read Arabic, I couldn't tell what it was about, but I wish they had a few extra meals :-).
SAIC setup a "root wars" contest where they had various systems, including Solaris, set up with vulnerabilities open. It took the contestents several hours to own the systems, but I think all were had. They gave points for owning systems and took points away for excessive bandwidth used.
The following are not necessarily my views nor of my employer.
I have not verified anything below.
I could have easily misquoted or misparaphrased also.
These are my notes, so it has typos and isn't highly polished.
I may have misinterpreted other people's words or ideas.
Keynote: Past, Present, & Future of Security, Robert X. Cringely
I've read many of his columns, but I've never heard him. He's a funny speaker with a long perspective in the computer industry.
Robert invented the Trashcan for the Lisa. This was motivated by accidentally deleting his book manuscript after it was 2/3's complete on an IBM word processing system that had broken backups.
The main point of his talk was that people worry too much about logical security but forget about physical security. For example, one software company they had a good firewall, but haven't even considered "screening"---capturing screen content from a van that may be parked outside. Social engineering is more common and a lot easier than breaking in through a network. At another company more leaks occurred at the bar across the street than through the network. At the Monterey Naval Postgraduate School, Robert was looking for an Internet connection for his email. No phone jacks, so he looked for a wireless connection. He found 4. The next day he asked the network people there about them, they knew about 1, which was a honeypot, but had no idea there were another 3 WAPs running.
An idealistic attitude among some people was that "information is power." Information will liberate people from oppressive governments and corporations. However, that's not true. Information is not power, but power is power. Lawsuits and court orders to reveal ISP customers is a reality. Another example is China. Robert asked ChinaNet how can you possibly firewall 1 billion Chinese? They said it will probably never work completely, but they will keep trying until it does work. Perfection is not a requirement.
Keynote: Security Has Little to do With Security, Bruce Schneier
The next keynote speaker (How can you have more than one keynote?) was by Bruce Schneier, of Counterpane, on why security has so little to do with (technical) security. His main points was there was to much immediate emotional reactive solutions to security and too much focus on logical security over good planning and also worrying about physical security. There are also tradeoffs--is the solution worth it? Also, security is not always in your control or your decision. For planning, some good questions to ask are: 1) What assets do you need to protect, 2) what are the risks to the assets, 3) how will these risks be mitigated, 4) what is the impact of proposed solutions, and 5) what are the costs and tradeoffs. In any case, risks can never be reduced to zero--there's always some inherent threat.
Bruce was asked about Cyber warfare. He said there's much more concern about physical warfare. That's because cyber warfare (or actually cyber inconvenience) brings unpredictable results. You never know the impact of the disruption in advance, and it's really a inconvenience--and not anything like real terrorism.
Encryption and the DMCA law is being used to lock people into proprietary software. For example, MS is encoding Word documents for it's next version, making attempts by 3rd-party software to read Word documents, such as StarOffice illegal, just like playing DVD movies with open software is illegal now.
He was also asked about his colleague Daniel Geer who was fired from @stake for saying what everyone knows--a monoculture of MS software is a security risk, because security breaches impact almost everyone. He was fired, even though everyone should know what he said is his personal opinion and not any companies he works for. MS is a major client for he company he works for. But, he said, he will have no problem getting a job and the firing gave more attention to the report, especially to the mainstream media, than if the company would have just ignored it.
Top 75 Hacker Tools by Justin Lundy, www.tegatai.com.
Cavaet: some tools sometimes give warnings which require analysis--not blind acceptance.
Vulnerability Reporting and Legal Liability
By Jennifer Granick, director of Stanford's Center for Internet & Society. http://cyberlaw.stanford.edu/security/ Remember, IANAL and I may be mis-paraphrasing. Jennifer reviewed various legal issues, such as full disclosure and DMCA. It was a unique experience to hear a lawyer who's technically competent :-).
Full vulnerability disclosure. There's a dual nature of full disclosure--to exploit systems and protect systems. Disclosure can be protected by free speech rights because disclosure tools are software, which is considered a form of speech. However, it's also a tool that can be used for harm. One important question is is the vulnerability (and software) disclosed with an agreement or intention to be used for illegal acts. If so, it's considered conspiracy and therefore an illegal act.
DMCA goes beyond copyright in that it controls how you use copyrighted works, not just restricting you against making copies.
Security testing is OK and not a violation if in good faith and done with authorization and the results are not distributed to cause harm.
Spyware is illegal unless all parties consent (need a Federal warrant). This includes keyboard monitors, for example.
Reverse engineering is OK for enabling software interoperatability.
Jennifer made a general point that rights in the "real" world have been erroded in the "electronic" world. For example, you can take your car apart and add or modify parts. Do that to an XBox, for example, may get you in jail.
802.11 TGi Proposal by Laurent Butti & Franck Vieysset, France Telecom, sysinfo.com
802.11 has a infamously weak security protocol. Proposed workarounds break wi-fi interoperability.
802.11 TGi proposal authenticates with IETF EAP. WPA subset of IEEE 802.11 TGi. Intended for ratification Q2/2004. Goals are a new framework with high-flexibility authentication methods independent of protocol. EAP has multiple methods, e.g. TLS tunnel, and was originally for PPP. Avoid man-in-middle attacks with handshake protocol. WPA is an existing standard now. Avoids HW upgrades, backward compatible, and may be "good enough." They gave a live demo.
Electronic Freedom Foundation, http://eff.org/share/
Cory Doctorow talked about civil liberties, Internet, and copyright. He's a science fiction and technology writer.
EFF won ruling that email is like phone conversations--can't tap without a warrant. Lost that with recent Homeland Security Act, where any government employee with an excuse can look at your email.
EFF lost copyright ruling, where the Supreme Court said copyright is renewable forever, as long as it's for incrementally limited times.
Previous fears against new technology reducing income to artists unfounded. Piano music rolls, radio, VCRs, and cable TV all had new micro-payment models that resulted in more income to artists than before.
RIAA lawsuits will only result in tools with better anonymity and encryption and higher use of these technologies. Russian State Dept. is telling scientists not to come to America because they put people in jail for talking about the wrong thing.
/dev/erandom -- Provably Secure PRNG
Seth Hardy, tsumega.com
Improves Linux /dev/random and /dev/urandom, including removing unneeded operations.
Discussed random, pseudorandom, quasirandom, uniform distribution, entropy measurement, extractors. Entrophy gathering currently lacks in Linux--keyboard/mouse oriented and not good for servers--but that's another area. /dev/random blocks, urandom doesn't.
Extractor takes "bad" distribution and "smooths" distribution to a "good" one. This is hard, and part of Seth's academic work. Warning: "Provable" does not mean the implementation is unbreakable or bug free.
Solaris cryptography and optimization.