Category Archives: Security

Big Critical Patches for Java, Flash and QT

I have been spending a lot of time working on video and voice streaming vulnerabilities.

You would be surprised how at risk companies are today simply by nature of their voice systems, if not properly secured, especially those that try to maintain a globally coherent communications fabric.

What do you get if you mix the dream of a 1980s phreaker with the fantasy of a 1990s blackhat? Today’s multimedia business platforms.

It therefore seems oddly appropriate to read about several personal computer-based multimedia formats that have just been flagged for critical vulnerabilities.

Patch now.

Flash — https://www.adobe.com/support/security/bulletins/apsb07-12.html

Java — https://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102934-1

QuickTime — https://docs.info.apple.com/article.html?artnum=305947

And the next time you sit in a conference room laden with the latest technology, ask yourself how you really know who is listening.

Fluke

by Dana Goodyear, in Dream of Safety

Don’t go—let me explain.
There’s no one else.
Just this hanger-on,
eating in the dark and fearing
for its life. For the life of me
I can’t get rid of it.
It’s feeding at the heartmeat,
making scrimshaw of the bone.

For some reason I wish she had said gnawing….

Graffiti Analysis and Law Enforcement

Working on a global intrusion detection system today, four years after Gartner incorrectly predicted they would no longer be relevant , presents a number of challenges. Most notably, creating an accurate signature for an attack, let alone an attacker, can be a very sophisticated and delicate process that requires non-trivial amounts of intelligent (i.e. human) intervention.

I recently spent the better part of a day discussing this with Marty Roesch of Sourcefire/Snort fame. He really gets it.

However, rather than bring up the individual vendors and their issues directly (IDS mud-slinging is so 2003), I would like to put forward an example of a similar practice — tracking graffiti by signature analysis:

“In addition to having a dramatic impact on graffiti, it will have an impact on tracking gangs. I’m excited about it.”
– Los Angeles County Supervisor, Don Knabe

“It’s a way to focus in on those vandals who really are creating a big problem through multiple acts over long periods of time that we haven’t been able to get at, because at best, we only get him on one count.”
– City of Paramount, City Manager Linda Benedetti-Leal

“We are able to track all of the graffiti and specifically the individual taggers, and identify where they were putting up their graffiti”
– Capt. Todd Rogers of the Los Angeles County Sheriff’s Office, Carson Station

Yes, all of those graffiti-crazed taggers are to be identified by their signatures. Clever approach. Who would have thought you could use painted signatures, or “tags”, to identify people? Yes, I’m being sarcastic.

Eye

Now they can be charged with many more incidents than just the one where they are caught in the act. Or in other words, now police can read tags and identify the source, just like the people who write them. Or are the police hoping to prove (e.g. nonrepudiation) the source of a tag? Technology always has that mystical charm, no?

Notable problems with this, let alone the controversy over fingerprint analysis, can be found in the history of other signature analysis:

An example of a paradigm shift in the handwriting world occurred when the writing instrument of choice changed from a nibbed pen (such as a fountain pen) to the ballpoint pen in 1945. Because the ballpoint pen uses highly viscous ink and a non-flexing tip, it produces a writing line with little or no shading (stress) . Forensic document examiners in the late 1940’s had to adapt their analysis techniques in order to account for the loss of this traditionally important data.

Do different paint cans make an impact on the tag comparison? What about a switch between paint and marker? What about someone tagging over another person’s tag — layers of graffiti or defaced signatures?

More interesting, perhaps, is the case of forgeries. How will a graffiti tracker handle one gang trying to frame another gang? Will individuals forge others’ tags to get them taken off the street, and then simply use randomness (e.g. enlist a group to each paint the same message with their own style) to avoid capture?

The more traditional signature analysis experts raise another issue:

Because of the pattern of fluctuations found in a normal signature, any digital signature that is fraudulently captured or stolen can only be used once. The second usage of a “stolen” signature would prove it is non-genuine since it would be an exact (or near-exact) match to a signature used for an earlier transaction. This is in direct contrast to a stolen fingerprint file which would be expected to be exactly the same on each transaction.

What then with a graffiti perpetrator using a template? If a spray-paint tag is actually exactly the same because it is based on a fixed image, what will the graffiti tracker do to detect the source of the image?

Attack detection is not just about picking a stereotype, or a simple image of a “bad” actor and going on in life. Detection continues as a security practice, far more than prevention, because it is based on intelligent and adaptive practices that tries to make sense of constantly changing patterns to provide measurable results. The testimonials above are hopeful about the future because they have an optimists’ view of detection — the new silver bullet — leading to prevention. In reality, the detection will be complex and require ongoing intelligence for oversight.

The technology available for signature analysis is still only as capable as the people who manage it. None of these detection systems make any sense as prevention investments without humans, or until artificial intelligence is relevant.

Gartner was foolish to confuse the technology so badly — the skills needed by a cop to arrest a felon are entirely different than those for an investigator who needs to solve a crime. On the other hand, it is important to acknowledge the fact that the author of the Gartner report (Rich Stiennon) now works for a company that sells all-in-one (e.g. confused, complex, and master-of-none, or silver-bullet) security boxes.

Zen Sarcasm

Not sure where these came from, but I found them amusing:

1. The journey of a thousand miles begins with a broken fan belt.

2. It’s always darkest before dawn. So if you’re going to read your neighbor’s newspaper, that’s the time to do it.

3. Don’t be irreplaceable. If you can’t be replaced, you can’t be promoted

4. Always remember that you’re unique. Just like everyone else.

5. Never test the depth of the water with both feet.

7. Before you criticize someone, you should walk a mile in their shoes. That way, when you criticize them, you’re a mile away and you have their shoes.

8. If at first you don’t succeed, skydiving is not for you.

9. Give a man a fish and he will eat for a day. Teach him how to fish, and he will sit in a boat and drink beer all day.

10. If you lend someone $20 and never see that person again, it may have been worth it.

11. If you tell the truth, you don’t have to remember why or when.

12. Some days you’re the bug; some days you’re the windshield.

13. A closed mouth gathers no foot.

14. There are two theories to arguing. Neither wins.

15. Experience is something you don’t get until just after you need it.

There could be more about the importance of nothingness, or the lessons from passive versus active involvement, but at least it is funny.

Number 13, for example, could be taken to mean that a closed mouth is best because there is less risk. However, this seems counter to many Zen sayings that laud open spaces for their utility, and do not try to fight against the risks of utility.

Tao Te Ching #11, as translated by Charles Muller, gives a fine example:

Thirty spokes join together in the hub.
It is because of what is not there that the cart is useful.
Clay is formed into a vessel.
It is because of its emptiness that the vessel is useful.
Cut doors and windows to make a room.
It is because of its emptiness that the room is useful.
Therefore, what is present is used for profit.

But it is in absence that there is usefulness.

An absence of speech versus a closed mouth. Very different images to me. Both could lead to less interference and therefore an opening of the mind. So a closed mouth might make sense, but it is not the best representation for openness. I guess that is what makes the above a Zen Sarcasm list.