Sunday Jul 24, 2011

CVSS Worksheet

The Common Vulnerability Scoring System (CVSS) is commonly used to rate security vulnerabilities. It helps system administrators prioritize their response to security holes. Oracle provides CVSS ratings and base scores for most vulnerability fix announcements. You can calculate the score for a vulnerability using the NIST CVSSv2 calculator, but to use the calculator one must be familiar with the CVSS v2.0 guide.

Here is an attempt to provide a simple, intuitive and illustrated worksheet to calculate the CVSS v2 base score:

You can access the standalone CVSSv2 Worksheet here.

Wednesday Mar 23, 2011

Everything you need to know about cryptography in 1 hour

A good talk by Colin Percival about cryptography, with an introduction and the common mistakes made when using cryptography in applications. Recommended for anyone who does anything with cryptographic algorithms and software.

Wednesday Jul 30, 2008

Secure your Wi-Fi networks now!

The last time I visited an Internet cafe in Bangalore to scan a few documents, I was in for a surprise. They asked for a photo ID before they offered me any service, even if it was just to scan a couple of documents to my USB stick. That is a good thing - it makes it difficult for terrorists to operate and communicate.

This person apparently had his WiFi network wide open for anyone to access and abuse it. It is suspected that terrorists used his network or mail account to send a warning email hours before the blasts in Ahmadabad where about 54 people were killed.

He says "I'm not an IT professional. I have no idea how all that works". It is as good an excuse as saying "I am not a locksmith. I have no idea how to lock my doors". Search Google or ask a friend.

Some of the blame rests with the folks who make these Wi-Fi devices for not making them easy to operate in a secure-by-default mode.

Monday Jul 28, 2008

Notes from the 20th FIRST conference in Vancouver

I was at the 20th FIRST Conference in Vancouver last month. The Forum of Incident Response and Security Teams is a community of folks who work behind the scenes to keep the world running - from people securing your banks to people protecting your national infrastructure. Here are pointers to some of the interesting topics from the conference:

  • Fast Flux networks - Fast Flux nets are where compromised computers are used to temporarily host malware.

  • A talk on "Applied Security Visualization" demoed the state of the art of network visualizations and tools. There is a live CD project called DAVIX which aggregates the tools.

  • An interesting demo was of "RFID hacking" - where Adam Laurie demonstrated duplicating company badges and electronic passports with gadgets that cost less than $100. He could take his scanner near a passport with RFID (aka E-passport) and display the holder's information, including the passport photo.

  • A keynote presentation from the former security chief of OLPC (One Laptop per Child) talked about the features of OLPC as a great advancement in security - for example, the ability that only an open dialog box can open files! (BTW, that sounds very similar to what we call setuid in UNIX - that only the password command can change passwords.)

  • A presentation about the Mozilla development process talked about how testing is done: they are always running an enormous number of test suites against the latest tree. They don't rely on the developers to do the testing for changes.

  • Honey spiders - crawlers that visit spam and phishing sites in search of malware and execute or analyze it.

  • Atanai Sousa showed how phishing malware operated in Brazil, giving insight into how spyware and malware have the upper hand in capturing your bank passwords, whether you type them or use any of the other practically useless mechanisms invented to circumvent keyboard spies.

Overall it was good listening to stories directly from people on the battleground, to get an understanding of the real-world problems and threats they face. It also gave a good opportunity to meet product security folks from other companies and CERT folks from around the world - many of whom we communicate with over email daily.

Tuesday Nov 27, 2007

Bank Robbery

8:30 pm at a deserted Bank of America ATM: as I drove into the parking lot, what I saw made my hair stand up. An old windowless car was the only one in the parking lot. Two people were dragging sacks of something hurriedly into that car. That made it look like a text book bank robbery, except they weren't wearing any masks, nor holding guns up in the air. Looking at the volume of the bag it looked like they would have emptied millions of dollars. Our robbers then accelerated past me, innocently smiling at me. They looked like senior citizens burgling banks for fun!

I got out of the car and went towards an ATM, and there was no sign of breakage or forced entry; all lights were on inside the bank and the scene looked perfectly normal.

What our thieves looted wasn't the bank but the trash container!! It was completely empty, as if the trash had been cleaned up.
Either they were from a garbage pickup company which used cars instead of garbage trucks, or they were identity thieves trying to piece together account details from ATM receipts, or merely garbage thieves hoping to make money at the recycling unit. One thing is for sure: I'll go get a good paper shredder tomorrow!

Wednesday Jul 05, 2006

Installing err Recovering Windows XP

The factory Ferrari 4000 came with two partitions: one of about 3G of unknown junk and another of about 40G with Windows XP installed. One of the first things I did on my Ferrari 4000 was to blow away its Windows partition and reuse its space attached to a ZFS pool. Adding or removing partitions to a file system is not only possible, but also easy with ZFS - the last word in filesystems!

Everything was fine, until I had to fill in a form on a US Government site, which had a page with a big button titled "Continue" and above it these words written in red, font size X-Large: "CLICK THE CONTINUE BUTTON ONLY ONCE. DO NOT CLICK IT AGAIN AFTER YOU CLICK ONCE. PLEASE WAIT FOR THE NEXT PAGE WHICH MAY TAKE SOME TIME TO LOAD.." I faithfully clicked the button once, the mouse pointer showed the busy signal and the page was waiting to load ... 1 min ... 2 min ... 15 min ... it is still waiting! I have no idea what would happen if I clicked it again. Well, after some investigation, it seemed that brainless site either used ActiveX or some other critically insecure technology (or No-tech-logy) that refused to work on Firefox, not even on the latest Opera 9 (it is available for Solaris x86 right on their download page!)

At any cost I had to submit a form in the national interest of the United States, and thus had no option but to re-install Windows. I hadn't thrown away the recovery CDs, because like everything else that came with the laptop, they happen to be Company property. I backed up all data on the Solaris partitions just in case the Windows recovery program happened to erase them. I inserted the recovery CD and rebooted. It started restoring Windows. It took about 45 minutes, changing three CDs in the process, before it said "Recovery complete". (Ah, a Solaris install from a single DVD is so painless and faster.)

I rebooted and was delighted to see that GRUB was still there and showed an option to boot Windows. On booting Windows, it said "Preparing to start windows for the first time.." ... BEEP ... A black screen and a small dialog "Setup was not complete", with a single 'OK' button. I clicked the OK button and it rebooted. Maybe I had inserted the CDs in the wrong order when it asked for disk 1 of 2... maybe it rebooted before installing everything ...

So I restarted the recovery process all over again. After another 45 min to 1 hour of listening to the Recovery CDs whirl inside the drive, I encountered the same dreaded black screen with a short dialog box that said "Setup was not complete".

Third attempt; meanwhile a few friends knocked on the door, and to get them directions somewhere, I had to reboot into Solaris to use Google Maps.

Fourth attempt, 45 mins.. big black screen with a small dialog box that is laughing at me: "Ha Ha Ho.. Set up is not complete. Hu Hu Ha Ha". Here I am sacrificing the comfort of the Firefox browser on the Solaris desktop environment, in the interest of the safety and security of the people of this country, to submit an online form of utmost National importance to the United States, more critical than the war in Iraq or the rhetoric in Iran; and this silly small evil dialog shows up from nowhere and throws up a meaningless OK button like a North Korean missile ... and laughs at me.

Not accepting defeat, I tried for the fifth time. Just like North Korean missiles do not carry the name or brand which supplied the underlying technology, nowhere in the recovery program can you see the brand name of Microsoft. While searching for the brand name I saw the vital clue which was the main reason for the failure to set up, even when the recovery program hailed it a success. This whole brainless recovery thingy was going onto the factory default 3G partition, too small to fit the recovery bits.

Then I picked up a Linux Rescue CD that had the QtParted tool and deleted the 3G partition and the old Windows 40G partition to create a new 20G FAT32 partition for the recovery tool to reinstate Windows XP to. It went fine this time, and when I saw the chiming XP animation, I knew victory wasn't near yet.

The most crucial part now is to get the latest updates from Microsoft headquarters, quickly, before the vanilla system gets infected with numerous worms launching deadly packets targeted at my Windows RPC ports. I quickly navigate to Start -> Control Panel -> Security -> Check for Windows Updates.. It connects to headquarters and the very first message from there is "Please try our Windows Genuine Advantage tool!" That is like a silly peppermint jingle advertisement to a soldier in distress, needing critical supplies. It took two reboots and about 60 minutes to completely reinforce the system with the latest updates. Much more time to upgrade than it took to set up.

Finally, bruised and hungry, when I clicked on that button which had the large red text above saying 'CLICK ONLY ONCE' I felt victorious!

Well, while not all software is perfect,
Imperfect software sold at hefty prices is cheating,
Charging for imperfect software bundled with a laptop is extortion,
Asking money for its security updates is blackmail,
It is also a greater threat to world peace and security than North Korean missiles.

Saturday Jul 01, 2006

Sun on FIRST Steering Committee/Board of Directors

In the Annual General Meeting of FIRST (held last week), where elections are held for half the members of its Steering Committee for a two-year term, Derrick Scholl of Sun was elected as a member of the Steering Committee and Board of Directors. Congratulations to Derrick! I see it as a recognition of Sun being an important and responsible member of the worldwide security community.
