<?xml version="1.0"?>
<rss version="2.0">
<channel>
  <title>Stephan Schwab - security tag</title>
  <link>http://www.stephan-schwab.com/tags/security/</link>
  <description>Software Technology Consultant</description>
  <language>en</language>
  <copyright>Stephan Schwab</copyright>
  <lastBuildDate>Sat, 24 May 2008 11:24:54 GMT</lastBuildDate>
  <generator>Pebble (http://pebble.sourceforge.net)</generator>
  <docs>http://backend.userland.com/rss</docs>
  
  
  <item>
    <title>FBI: Universities and colleges need to protect against espionage</title>
    <link>http://www.stephan-schwab.com/2007/06/27/1182970965337.html</link>
    
      
        <description>
&lt;p&gt;Usually I stay away from politics, but this &lt;a href=&#034;http://digg.com/politics/Is_the_FBI_using_Colleges_to_spy_too&#034;&gt;&lt;strong&gt;news&lt;/strong&gt;&lt;/a&gt; is a bit too creepy to me. I would never have thought that universities and schools would some day be seen as a target for espionage. The &lt;a href=&#034;http://www.fbi.gov/page2/april06/academicalliance040506.htm&#034;&gt;FBI believes&lt;/a&gt; they are.&lt;/p&gt;

&lt;p&gt;Scientists working at public universities publish the results of their work and everybody can read it. Those publications have always been available on the whole planet, and with the Internet the distribution of this material is even easier, which in itself is a good thing. Knowledge needs to be universally available, as that&#039;s the only way for mankind to keep developing. There is too much dumbness in this world. People who lack education don&#039;t know how to interpret things they see and hear and might eventually follow the wrong leaders.&lt;/p&gt;

&lt;p&gt;These days a growing number of people seem to think that dangerous technologies are better kept away. There is a lot of talk going on about protecting the security of X, Y, and Z. You can insert your favorite item you want to protect. Who determines what a dangerous technology is? Is it only stuff that allows for the development of more powerful weaponry, is it something that creates vast amounts of cheap electric power without burning oil, is it crypto stuff useful to protect privacy (your own, your trade secrets, the secrets of any government), or might it even be software to streamline manufacturing processes of any kind?&lt;/p&gt;

&lt;p&gt;I&#039;m not a scientist working on anything security related, but still I have been affected by crypto regulations and fear that trade secrets might be disclosed in a jurisdiction other than the one where my client is located.&lt;/p&gt;

&lt;p&gt;Since the very sad incident called 9/11, government agencies in a growing number of countries seem to be on a frenzy to protect everything and everybody from anything and anybody. What would it take to bring some rationality back and stop all that security hysteria? There is always a risk involved in anything one does. All that security talk on all channels apparently makes people believe more and more that everybody is under some kind of attack from &#034;the others&#034;.&lt;/p&gt;

&lt;p&gt;When will the development of Open Source software become outlawed? After all more and more important software that drives business and manufacturing processes, finance operations and more uses Open Source.&lt;/p&gt;

&lt;p&gt;Isn&#039;t publishing the source a means to avoid manipulation, a means to create trust? Source code contains knowledge the same way as a scientific paper does. And there is a lot of software that can be used to protect or attack other systems out there. What about virtual rootkits or the &lt;a href=&#034;http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html&#034;&gt;Blue Pill&lt;/a&gt; technology?&lt;/p&gt;

&lt;p&gt;Links:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#034;http://sanfrancisco.bizjournals.com/sanfrancisco/stories/2006/08/14/story1.html&#034;&gt;FBI seeks to enroll local universities&lt;/a&gt;&lt;/li&gt;

&lt;li&gt;&lt;a href=&#034;http://www.inteldaily.com/?c=167&amp;amp;a=2488&#034;&gt;FBI targets universities in new scheme to recruit informers&lt;/a&gt;&lt;/li&gt;

&lt;li&gt;&lt;a href=&#034;http://www.boston.com/news/education/higher/articles/2007/06/12/fbi_warns_colleges_of_terror_threat/&#034;&gt;FBI warns colleges of terror threat&lt;/a&gt;&lt;/li&gt;

&lt;li&gt;&lt;a href=&#034;http://www.heise.de/newsticker/meldung/91802/from/rss09&#034;&gt;FBI fordert US-Hochschulen zur Spionageabwehr auf&lt;/a&gt; (German, &lt;a href=&#034;http://translate.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2F91802%2Ffrom%2Frss09&amp;amp;langpair=de%7Cen&amp;amp;hl=en&amp;amp;safe=off&amp;amp;ie=UTF-8&amp;amp;oe=UTF-8&amp;amp;prev=%2Flanguage_tools&#034;&gt;English translation&lt;/a&gt;)&lt;/li&gt;&lt;/ul&gt;
&lt;!--
&lt;rdf:RDF xmlns:rdf=&#034;http://www.w3.org/1999/02/22-rdf-syntax-ns#&#034;
         xmlns:dc=&#034;http://purl.org/dc/elements/1.1/&#034;
         xmlns:trackback=&#034;http://madskills.com/public/xml/rss/module/trackback/&#034;&gt;
&lt;rdf:Description
    rdf:about=&#034;http://www.stephan-schwab.com/2007/06/27/1182970965337.html&#034;
    dc:identifier=&#034;http://www.stephan-schwab.com/2007/06/27/1182970965337.html&#034;
    dc:title=&#034;FBI: Universities and colleges need to protect against espionage&#034;
    trackback:ping=&#034;http://www.stephan-schwab.com/addTrackBack.action?entry=1182970965337&amp;token=5784360202107201704&#034; /&gt;
&lt;/rdf:RDF&gt;
--&gt;
        </description>
      
      
    
    
    
    <category>General</category>
    
    <category>Security</category>
    
    <comments>http://www.stephan-schwab.com/2007/06/27/1182970965337.html#comments</comments>
    <guid isPermaLink="true">http://www.stephan-schwab.com/2007/06/27/1182970965337.html</guid>
    <pubDate>Wed, 27 Jun 2007 19:02:45 GMT</pubDate>
  </item>
  
  <item>
    <title>Surveillance where you would never expect it</title>
    <link>http://www.stephan-schwab.com/2006/12/13/1166043387643.html</link>
    
      
        <description>
          &lt;blockquote&gt;&lt;a href=&#034;http://www.cs.washington.edu&#034;&gt;Researchers at Washington University&lt;/a&gt; in &lt;a href=&#034;http://www.cs.washington.edu/research/systems/privacy.html&#034;&gt;Devices That Tell On You: The Nike+iPod Sport Kit&lt;/a&gt;:&lt;br&gt;
As part of our research, we built a number of surveillance tools that malicious individuals could use to track Nike+iPod Sport Kit owners. Our tools can track Nike+iPod Sport Kit owners while they are working out, as well as when they are just casually walking around town, a parking lot, or a college campus. The tracked individuals don&#039;t even need to have their iPods with them.&lt;/blockquote&gt;

&lt;p&gt;And Bruce Schneier comments:&lt;/p&gt;

&lt;blockquote&gt;&lt;a href=&#034;http://www.schneier.com&#034;&gt;Schneier on Security&lt;/a&gt; in &lt;a href=&#034;http://www.schneier.com/blog/archives/2006/12/tracking_people.html&#034;&gt;Tracking People by their Sneakers&lt;/a&gt;:&lt;br&gt;
Unless we enact some sort of broad law requiring companies to add security into these sorts of systems, companies will continue to produce devices that erode our privacy through new technologies. Not on purpose, not because they&#039;re evil -- just because it&#039;s easier to ignore the externality than to worry about it.
&lt;/blockquote&gt;

&lt;p&gt;That&#039;s exactly the point. Many times people do stupid and dangerous things because they don&#039;t know any better. Unfortunately, when it comes to technology, sloppiness and the pressure to get the product out the door easily create that kind of side-effect. From technologists one should expect a bit more thought. Unfortunately, in almost all cases business people define when something is ready, and it&#039;s hard to hold something back even though there are still issues that have not been addressed.&lt;/p&gt;
&lt;!--
&lt;rdf:RDF xmlns:rdf=&#034;http://www.w3.org/1999/02/22-rdf-syntax-ns#&#034;
         xmlns:dc=&#034;http://purl.org/dc/elements/1.1/&#034;
         xmlns:trackback=&#034;http://madskills.com/public/xml/rss/module/trackback/&#034;&gt;
&lt;rdf:Description
    rdf:about=&#034;http://www.stephan-schwab.com/2006/12/13/1166043387643.html&#034;
    dc:identifier=&#034;http://www.stephan-schwab.com/2006/12/13/1166043387643.html&#034;
    dc:title=&#034;Surveillance where you would never expect it&#034;
    trackback:ping=&#034;http://www.stephan-schwab.com/addTrackBack.action?entry=1166043387643&amp;token=-3528915127116989058&#034; /&gt;
&lt;/rdf:RDF&gt;
--&gt;
        </description>
      
      
    
    
    
    <category>Security</category>
    
    <comments>http://www.stephan-schwab.com/2006/12/13/1166043387643.html#comments</comments>
    <guid isPermaLink="true">http://www.stephan-schwab.com/2006/12/13/1166043387643.html</guid>
    <pubDate>Wed, 13 Dec 2006 20:56:27 GMT</pubDate>
  </item>
  
  <item>
    <title>ID required to be seated in a pancake restaurant</title>
    <link>http://www.stephan-schwab.com/2006/12/03/1165177308465.html</link>
    
      
        <description>
&lt;p&gt;I&#039;m just speechless at what kind of security measures some people come up with:&lt;/p&gt;

&lt;blockquote&gt;John Russo has been a victim of identity theft. So when he was asked to fork over a photo ID just to be seated at an IHOP pancake restaurant, he flipped. &#034;&#039;You want my license? I&#039;m going for pancakes, I&#039;m not buying the Hope diamond,&#039; and they refused to seat us,&#034; Russo said, recounting his experience this week at the Quincy IHOP.&lt;br&gt;
(from &lt;a href=&#034;http://customwire.ap.org/dynamic/stories/I/IHOP_IDS?SITE=NYPOU&amp;SECTION=HOME&amp;TEMPLATE=DEFAULT&#034;&gt;The Associated Press&lt;/a&gt;)&lt;/blockquote&gt;


&lt;!--
&lt;rdf:RDF xmlns:rdf=&#034;http://www.w3.org/1999/02/22-rdf-syntax-ns#&#034;
         xmlns:dc=&#034;http://purl.org/dc/elements/1.1/&#034;
         xmlns:trackback=&#034;http://madskills.com/public/xml/rss/module/trackback/&#034;&gt;
&lt;rdf:Description
    rdf:about=&#034;http://www.stephan-schwab.com/2006/12/03/1165177308465.html&#034;
    dc:identifier=&#034;http://www.stephan-schwab.com/2006/12/03/1165177308465.html&#034;
    dc:title=&#034;ID required to be seated in a pancake restaurant&#034;
    trackback:ping=&#034;http://www.stephan-schwab.com/addTrackBack.action?entry=1165177308465&amp;token=2066156429001590449&#034; /&gt;
&lt;/rdf:RDF&gt;
--&gt;
        </description>
      
      
    
    
    
    <category>Security</category>
    
    <comments>http://www.stephan-schwab.com/2006/12/03/1165177308465.html#comments</comments>
    <guid isPermaLink="true">http://www.stephan-schwab.com/2006/12/03/1165177308465.html</guid>
    <pubDate>Sun, 03 Dec 2006 20:21:48 GMT</pubDate>
  </item>
  
  <item>
    <title>Hackers Zero In on Online Stock Accounts</title>
    <link>http://www.stephan-schwab.com/2006/11/19/1163996392370.html</link>
    
      
        <description>
          &lt;p&gt;It&#039;s been only a question of time:&lt;/p&gt;

&lt;blockquote&gt;Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities.&lt;br&gt;
(&lt;a href=&#034;http://www.washingtonpost.com&#034;&gt;washingtonpost.com&lt;/a&gt; in &lt;a href=&#034;http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257.html&#034;&gt;Hackers Zero In on Online Stock Accounts&lt;/a&gt;)&lt;/blockquote&gt;

&lt;p&gt;Maybe using proprietary client software for that kind of application is not a bad idea after all. It will need to communicate with the server over some kind of remoting protocol, but that communication can be encrypted.&lt;/p&gt;

&lt;p&gt;There is another problem:&lt;/p&gt;

&lt;blockquote&gt;One way is by placing keystroke-monitoring software on any public computer in a library, hotel business center or airport.&lt;/blockquote&gt;

&lt;p&gt;Probably the login for such a critical application should require an external device into which the user enters a PIN or a key of some kind. German banks have been offering such a solution for home banking, but unfortunately not a lot of people were willing to buy the devices. Another drawback is that the user won&#039;t have access to his account on the road unless he carries a laptop and the device. But a little inconvenience is better than losing a large amount of money.&lt;/p&gt;

&lt;!--
&lt;rdf:RDF xmlns:rdf=&#034;http://www.w3.org/1999/02/22-rdf-syntax-ns#&#034;
         xmlns:dc=&#034;http://purl.org/dc/elements/1.1/&#034;
         xmlns:trackback=&#034;http://madskills.com/public/xml/rss/module/trackback/&#034;&gt;
&lt;rdf:Description
    rdf:about=&#034;http://www.stephan-schwab.com/2006/11/19/1163996392370.html&#034;
    dc:identifier=&#034;http://www.stephan-schwab.com/2006/11/19/1163996392370.html&#034;
    dc:title=&#034;Hackers Zero In on Online Stock Accounts&#034;
    trackback:ping=&#034;http://www.stephan-schwab.com/addTrackBack.action?entry=1163996392370&amp;token=3031918967448561776&#034; /&gt;
&lt;/rdf:RDF&gt;
--&gt;
        </description>
      
      
    
    
    
    <category>Security</category>
    
    <comments>http://www.stephan-schwab.com/2006/11/19/1163996392370.html#comments</comments>
    <guid isPermaLink="true">http://www.stephan-schwab.com/2006/11/19/1163996392370.html</guid>
    <pubDate>Mon, 20 Nov 2006 04:19:52 GMT</pubDate>
  </item>
  
  <item>
    <title>Who Owns Your Computer?</title>
    <link>http://www.stephan-schwab.com/2006/09/24/1159156040651.html</link>
    
      
        <description>
          &lt;p class=&#034;quote&#034;&gt;If left to grow, these external control systems will fundamentally change your relationship with your computer. They will make your computer much less useful by letting corporations limit what you can do with it. They will make your computer much less reliable because you will no longer have control of what is running on your machine, what it does, and how the various software components interact. (By &lt;a href=&#034;http://www.schneier.com/blog/archives/2006/05/who_owns_your_c.html&#034;&gt;Bruce Schneier&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This will probably be true for hardware and software aimed at the consumer market which is very much dominated by the entertainment industry in all its variations. That entertainment industry not only consists of Hollywood film studios or music labels. It includes ventures like &lt;a href=&#034;http://www.flickr.com/&#034;&gt;MySpace.com&lt;/a&gt;, &lt;a href=&#034;http://www.flickr.com/&#034;&gt;Flickr&lt;/a&gt;, &lt;a href=&#034;www.youtube.com/&#034;&gt;YouTube&lt;/a&gt; and other large scale web services that are not clearly aimed at paying professionals.&lt;/p&gt;

&lt;p&gt;A consumer PC will probably no longer be the same grey box as those used in offices. There will be a distinction. The consumer PC will be a device to entertain the consumer and allow the use of certain services to create user-generated content. And maybe it will be the consumer PC that will not have a local copy of MS Office installed, but use a web-based office suite instead. Maybe all those Web 2.0 companies already got it and are just waiting for the locked-down devices to appear. Who knows?&lt;/p&gt;

&lt;p&gt;Large corporations will most certainly be interested in buying trusted computers for their employees as well. As experience over the years has shown, PCs with a multi-purpose operating system that gives the user too much freedom can create a lot of trouble. Locked-down workstations, with exactly the set of tools the employee needs, might be seen as a blessing from the point of view of management and the IT department.&lt;/p&gt;

&lt;p&gt;What is left are those devices used by developers and &lt;em&gt;others&lt;/em&gt;. Open source software, free software, etc. won&#039;t go away. But it might well be that certain services on the web won&#039;t trust requests coming from such untrusted devices.&lt;/p&gt;

&lt;!--
&lt;rdf:RDF xmlns:rdf=&#034;http://www.w3.org/1999/02/22-rdf-syntax-ns#&#034;
         xmlns:dc=&#034;http://purl.org/dc/elements/1.1/&#034;
         xmlns:trackback=&#034;http://madskills.com/public/xml/rss/module/trackback/&#034;&gt;
&lt;rdf:Description
    rdf:about=&#034;http://www.stephan-schwab.com/2006/09/24/1159156040651.html&#034;
    dc:identifier=&#034;http://www.stephan-schwab.com/2006/09/24/1159156040651.html&#034;
    dc:title=&#034;Who Owns Your Computer?&#034;
    trackback:ping=&#034;http://www.stephan-schwab.com/addTrackBack.action?entry=1159156040651&amp;token=-6852583909729906049&#034; /&gt;
&lt;/rdf:RDF&gt;
--&gt;
        </description>
      
      
    
    
    
    <category>Security</category>
    
    <comments>http://www.stephan-schwab.com/2006/09/24/1159156040651.html#comments</comments>
    <guid isPermaLink="true">http://www.stephan-schwab.com/2006/09/24/1159156040651.html</guid>
    <pubDate>Mon, 25 Sep 2006 03:47:20 GMT</pubDate>
  </item>
  
  <item>
    <title>Virtual machines as crash test dummies to detect infections</title>
    <link>http://www.stephan-schwab.com/2006/09/24/1159155926689.html</link>
    
      
        <description>
          &lt;p&gt;This could be the most important milestone in the history of intrusion detection systems ever. &lt;a href=&#034;http://www.fireeye.com/&#034;&gt;FireEye&lt;/a&gt; announced a new appliance that uses &lt;a href=&#034;http://www.fireeye.com/technology/virtualization/index.html&#034;&gt;virtual machines as crash test dummies&lt;/a&gt; to detect infected devices on a network:&lt;/p&gt;

&lt;p class=&#034;quote&#034;&gt;FireEye technology uses virtual machines as a sort of crash test dummy for network security. Potentially damaging network traffic is sent into the virtual machines where the impact can be analyzed. If suspicious traffic is revealed, a responsible course of action can be taken to stop the network infection. No actual machines are harmed in this process and the damaged virtual machine is fully restored for reuse.&lt;/p&gt;

&lt;p&gt;Although FireEye&#039;s website doesn&#039;t tell much yet about how it works, &lt;a href=&#034;http://www.darkreading.com/document.asp?doc_id=93643&#034;&gt;Dark Reading&lt;/a&gt;, a &lt;a href=&#034;http://blogs.zdnet.com/threatchaos/?p=323&#034;&gt;ZD Net blog&lt;/a&gt; and &lt;a href=&#034;http://esgblogs.typepad.com/erics_blog/2006/04/rly_vibe_fireey.html&#034;&gt;Security Vibes&lt;/a&gt; provide some more information.&lt;/p&gt;

&lt;p&gt;Apparently the appliance executes several virtual machines (VM) with instances of the Windows operating system and Windows applications used in the enterprise. Those VMs are then used as targets for the potentially harmful traffic. If a VM gets infected it should reveal suspicious network traffic and then the appliance takes action.&lt;/p&gt;

&lt;p&gt;According to the information currently available the appliance is not in-band, but connected to a monitoring port on a switch to be able to see all packets passing through the switch. If harmful traffic is found the switch port it originated from is turned off.&lt;/p&gt;

&lt;p&gt;Furthermore, the VMs mirror the different operating system releases the enterprise uses. That means one VM for each combination of Windows version (NT, Win 2000, XP) and service pack. That&#039;s quite a lot of VMs.&lt;/p&gt;

&lt;p&gt;This sounds almost too good to be true. I can think of a lot of questions about how this really works and how it will scale. The idea by itself is brilliant. There is no doubt about that.&lt;/p&gt;

&lt;p&gt;Some of my first thoughts about the implementation challenges were:&lt;/p&gt;

&lt;p&gt;A 100 mbps link, if fully used, transmits about 750 MB per minute. That&#039;s slightly more than the content of a CD-ROM. On a typical DSL link with 256 kbps utilization it would still be 1.9 MB per minute.&lt;/p&gt;

&lt;p&gt;The appliance has to send this amount of traffic simultaneously to all the VMs and check whether any of them shows strange outgoing traffic shortly after. If there are 10 VMs we are talking about 19 MB per minute that have to be processed in the case of the tiny DSL link. For the fully utilized 100 mbps link it would be 7.3 GB per minute.&lt;/p&gt;

&lt;p&gt;Further the appliance needs to remember where the data came from. Without that knowledge it can&#039;t shut down the switch port of the infected device. Not every virus or worm starts sending packets right away. What if it waits an hour or a day?&lt;/p&gt;


&lt;p&gt;As the appliance needs to wait for VMs to become infected, it has to clean up and restart each infected VM in a clean state. That takes a moment. What will happen if there are already several viruses or worms active in the network, or new infections happen shortly one after another? The load of the appliance and its memory requirements will increase. For every infected VM a fresh copy needs to be available in the background. I guess there will be a limit on how many infections can be detected or handled.&lt;/p&gt;

&lt;p&gt;I&#039;m not saying it&#039;s impossible to create such a device. But it is definitely a big challenge. And if &lt;a href=&#034;http://www.fireeye.com/&#034;&gt;FireEye&lt;/a&gt; has made it, then it will be a big success.&lt;/p&gt;


&lt;!--
&lt;rdf:RDF xmlns:rdf=&#034;http://www.w3.org/1999/02/22-rdf-syntax-ns#&#034;
         xmlns:dc=&#034;http://purl.org/dc/elements/1.1/&#034;
         xmlns:trackback=&#034;http://madskills.com/public/xml/rss/module/trackback/&#034;&gt;
&lt;rdf:Description
    rdf:about=&#034;http://www.stephan-schwab.com/2006/09/24/1159155926689.html&#034;
    dc:identifier=&#034;http://www.stephan-schwab.com/2006/09/24/1159155926689.html&#034;
    dc:title=&#034;Virtual machines as crash test dummies to detect infections&#034;
    trackback:ping=&#034;http://www.stephan-schwab.com/addTrackBack.action?entry=1159155926689&amp;token=-7574288437546228796&#034; /&gt;
&lt;/rdf:RDF&gt;
--&gt;
        </description>
      
      
    
    
    
    <category>Networking</category>
    
    <category>Virtualization</category>
    
    <category>Security</category>
    
    <comments>http://www.stephan-schwab.com/2006/09/24/1159155926689.html#comments</comments>
    <guid isPermaLink="true">http://www.stephan-schwab.com/2006/09/24/1159155926689.html</guid>
    <pubDate>Mon, 25 Sep 2006 03:45:26 GMT</pubDate>
  </item>
  
  </channel>
</rss>
