Category Archives: Security

Security

Exploit Intelligence

Leave a comment

Dan Guido’s SOURCE Boston presentation is called Exploit Intelligence.

He suggests that the over-emphasis on vulnerabilities and a failure to assess threats will result in poor risk management. With so many vulnerabilities, it is best to prioritize based on threats — focus on the most likely exploits. Or you could say spend your defensive resources on making the known attacks less likely to work. That might mean using controls other than just patching.

This is an old song but still a good one. PCI DSS has tried to push the same message for a couple years now. But Dan has put some nice data together to illustrate his point and he seems very adamant about change. I particularly liked the part when he said

This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.

They should have started a long time ago. But we also should be careful what we demand from vendors.

If we leave service definitions fairly open to interpretation and then force AV vendors to offer attacker capability evaluation (e.g. threat analysis or “kill chain models” if you must call it that) it will probably show up as a new $30/year premium subscription upgrade option with not much else changed.

Oh, wait, he included a “data should be…used effectively” clause. That always works.

History, Poetry, Security

UK Surveillance of WWII German POWs Reveals Private Beliefs

Leave a comment

There is a fascinating new twist for historians interested in German culture during the Second World War.

When German historian Sönke Neitzel ran across a bundle of documents in Britain’s National Archives in 2001, he could hardly believe his eyes: He had found transcripts of conversations between German soldiers secretly recorded while they were being held as prisoners of war during World War II. These were private conversations between soldiers who didn’t know that a third party was listening to and transcribing their every word.

Their British and American captors had hoped these conversations would provide them with militarily useful information. But they learned little about weapons depots or secret weapons. Most of what the transcripts reveal is what everyday life is like for the foot soldiers in a war, as they fight, kill, and die.

“I’ve developed the need to throw bombs,” reads one passage. “It sends tingles up your spine, it’s an awesome feeling. It’s just as good as shooting someone.”

I am curious if any poetry was found in these transcripts. So far I have not found any mention of it.

The real twist in this story comes when the historian and a psychoanalyst try to portray all war as equally criminal due to the requirement to kill.

According to Neitel and Welzer, there were without a doubt some committed Nazis among German soldiers during World War II, whose convictions told them that killing Jews was the right thing to do. But these, they say, were in the minority.

They also argue that the acts of violence committed under the Nazi regime were no more violent than those committed anywhere else. They believe that an ideology, such as Nazism is not the biggest factor that leads to atrocities. Instead, they say, it is a military values system that turns men into murderers.

It sounds like an anti-war argument. Regardless of motive, it fails a simple philosophy sniff test.

First of all, they use the term “minority” to call out “committed Nazis” so they obviously use some sort of criteria to distinguish their values from other soldiers. This alone proves that not all soldiers are equal-minded in war. From there it is just a matter of finding the right test pattern to identify exceptions to the rule.

Second, they say an ideology is separate and distinct from a military values system. They equate the latter to a job. While it is tempting to accept this analogy, and think of soldiers simply as professional killers, that would be an overly simplistic view of management ethics.

Take butchers, for example. Kosher butchers, Halal butchers…they too are professional killers but their ideology and their value system are not so easily separated. They use concepts and definitions of humane killing. Remove the religious foundation and replace it with health codes or even family traditions and you still will find ideology mixed with values and regulated by management.

Third, military values systems are not all historically equal. Historic comparisons often bring up stark differences in treatment of prisoners, to name one obvious example. The British definitely did not have the most humane military value system in their conflicts but the fact that we can differentiate them at all proves the point.

So Neitel and Welzer can claim that all killing in war is equally criminal, but that seems to me to be a hypothesis built upon their own views and personal definition(s) of atrocity. Others may approach the topic with the philosophy of finding the differences in self-defense versus aggression, for example.

And I suspect that German soldiers serving in Afghanistan today probably resent being linked to the military values system under Nazi rule. Military values across different eras have some things in common but that does not make them equal.

Security

iPhone keeps a database of all your movements

4 Comments

I recently wrote about a German politician who successfully fought to get location data from his mobile provider.

A commenter said mobile devices have to be in constant contact with the provider, so there is bound to be location data. Fair enough, but my hope was to focus on why data is stored and why users are not made aware so they can opt-in or out.

Perhaps the following example will be more clear, as it removes the network and service-model entirely. Last year it was publicly disclosed that the Apple iPhone keeps a record of movement in a local database.

iPhoneTracker is an application that can read the database of locations stored on your iPhone as well as the backups made with iTunes.

You should see something like this:

-rw-r–r– 00000000 00000000 28082176 1297319654 1297319654 1282888290 (4096c9ec676f2847dc283405900e284a7c815836)RootDomain::Library/Caches/locationd/consolidated.db

That text in brackets just before ‘RootDomain::’ is the name of the actual file on disk that holds the location data. Since it’s an SQLite database file, you can use any standard SQLite browser, I’m using this Firefox plugin:

https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/

Open up the file, choose the ‘CellLocation’ table, and you can browse the tens of thousands of points that it has collected. The most interesting data is the latitude, longitude location and the timestamp. The timestamp shows the time in seconds since January 1st 2001.

Apple is not a provider, and there is no (yet) known use of this information. Yet their mobile devices by default store a detailed database of your locations. They even back it up, so you can monitor any Apple iPhone user’s movements just by reviewing their iTunes sync data.

Why is Apple collecting this information?

It’s unclear. One guess might be that they have new features in mind that require a history of your location, but that’s pure speculation. The fact that it’s transferred across devices when you restore or migrate is evidence the data-gathering isn’t accidental.

[…]

By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.

I guess the advantage over the German politician is that you don’t have to sue Apple to see your data. The disadvantage is that the privacy laws directed at providers do not apply. You have been tracking yourself, but just didn’t know it.

Apple conveniently left it in plain-text format for anyone (e.g. a provider) to read and sell. Some of it might be askew because it is using tower triangulation instead of GPS but I would wager they could easily upgrade the accuracy.

I recommend anyone with an iPhone (or iPad) download the application and create their own “What six months of your life looks like to Apple” web page. Even more fun could be to write an application that pollutes the database with exotic location data to show an iPhone going on virtual vacations.

Updated to add: Apple’s name for the location tracking file is “consolidated.db”, the same name as a radical anti-fascist industrial band from the late 1980s. Hat tip to Jeremy Allaire for mentioning them to me. Ha, how far Apple has come since then, when we used to consider ourselves so alternative and secure on a Mac. I’m sure it’s total coincidence; that and the fact that disposableheroesofhiphoprisy.db was far too obvious.

Security

Pwn2Own Exploit Breaches Top-Secret US Lab

Leave a comment

Dan Goodin points out the correlation in The Reg

The security breach at the Oak Ridge National Laboratory is at least the second time since 2007 that computers have been hacked when employees were duped by phishing emails. The most recent compromise was initiated by messages that were manipulated so that they appeared to come from the lab’s Human Resource Department, The Knoxville News Sentinel reported.

According to a follow-up post, a link included in the fraudulent email, which first entered the lab’s systems on April 7, exploited a critical vulnerability in IE that Microsoft fixed last Tuesday. It was the same bug that fetched a security researcher a $15,000 prize in the recent Pwn2Own hacking contest.

The Pwn2Own exploit was announced March 10, 2011.

Microsoft has fortified IE with a security sandbox that isolates it from more sensitive parts of the operating system, so Fewer had to exploit a design flaw in to break out.

“The (sandbox) escape I found was pretty easy, to be honest,” he said. “Surprisingly so.”

In all, he said it took him about six weeks of full-time research to find the bugs and write working exploits for them.

So, six weeks to write a working “use-after-free bug” exploit from scratch and then less than three weeks from release to breach of a “top-secret” facility.

There definitely is some need for analysis of the social engineering aspects of the attack, but another really interesting angle is related to how Microsoft left customers exposed for a month before it released the patch for the Pwn2Own vulnerability — Security Bulletin MS11-018, April 12, 2011.