Host Monitoring: Osiris Build for Windows

Perhaps you want a host integrity monitoring solution for Windows? Here is a simple recipe to compile the free Osiris agent on Windows, for Windows (so "make test" will work).

Ingredients:

  1. NSIS
  2. ActiveState Perl
  3. MinGW
  4. MSYS
  5. OpenSSL

You can get these all from shmoo as a single convenient build kit, or download individually using the links above. The build kit is stable, but the individual items are likely to give you more recent releases.

Install all five in the order listed with the defaults, except for MSYS. Change the installation path of MSYS from the versioned directory to just "c:\msys". When MSYS asks for the MinGW installation path, enter "c:/mingw".

To compile/install OpenSSL, follow these steps:

  1. Unpack the tar file. It might be most convenient to put it below the c:\msys directory
  2. Open the "Configure" file (you can use vi in MSYS, but Wordpad may also work) and comment out or delete the following line: `$IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());`
  3. Type "perl Configure mingw" to run the Configure script
  4. If successful, you will see a "Configured for mingw" message, and you should have openssl.exe in the apps directory and two lib files (libssl.a and libcrypto.a) at the top level
  5. Type "make test" to verify the build (this will take a while)

To compile/install Osiris, follow these steps:

  1. Download and unpack the Osiris 4.2.3 source. It might be most convenient to put it below the c:\msys directory
  2. Start MSYS (use the shortcut or C:\msys\msys.bat -norxvt)
  3. Change into the c:\msys\osiris… directory
  4. Type ./configure with the following options:
     `--with-ssl-dir=/c/msys/openssl… --with-root-dir=/c/msys/osiris…`, where "…" is the full pathname, and `--with-osiris-user=osiris` (or whatever user it will run as)
  5. Once the configure is done, type "make"
  6. To reduce the size of the installer, use strip: "strip src/cli/osiris.exe", "strip src/osirisd/osirisd.exe" and "strip src/osirismd/osirismd.exe"
  7. Open Explorer, right-click on C:\msys\osiris-4.2.3\src\install\windows\osiris_install.nsi, and choose "Compile installer"

Tada! Your Osiris agent should be ready to deploy on Windows hosts. The installer will be in the osiris-4.2.3\src\install\windows directory.
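The two procedures above as one script, run from the MSYS shell. This is an added example, not a script from the original post or from the Osiris project; the OpenSSL and Osiris directories, the osiris user and the presence of makensis.exe on PATH are assumptions (override them with environment variables). The helper functions can be exercised without a toolchain; the actual builds only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSL and Osiris build steps
# as one script for an MSYS shell. Paths and the osiris user are assumptions;
# override them with environment variables.
set -e

OPENSSL_DIR="${OPENSSL_DIR:-/c/msys/openssl-0.9.8}"   # assumed: OpenSSL unpacked under c:\msys
OSIRIS_DIR="${OSIRIS_DIR:-/c/msys/osiris-4.2.3}"      # Osiris 4.2.3 unpacked under c:\msys
OSIRIS_USER="${OSIRIS_USER:-osiris}"                   # user the agent will run as

# OpenSSL step 2: comment out the line that forces the MK1MF (native Windows)
# build for the mingw target. Writes through a temp file so it also works
# with a sed that has no -i option.
comment_out_mk1mf() {
    sed '/IsMK1MF=1 if (\$target eq "mingw"/s/^/#/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# OpenSSL step 4: the artifacts a successful build leaves behind.
openssl_build_ok() {
    [ -f "$1/libssl.a" ] && [ -f "$1/libcrypto.a" ] && [ -f "$1/apps/openssl.exe" ]
}

# Osiris step 4: the configure options with the full pathnames filled in.
osiris_configure_args() {
    printf '%s' "--with-ssl-dir=$1 --with-root-dir=$2 --with-osiris-user=$3"
}

# Osiris step 6: the three binaries to strip before packaging.
osiris_binaries() {
    printf '%s\n' "$1/src/cli/osiris.exe" "$1/src/osirisd/osirisd.exe" "$1/src/osirismd/osirismd.exe"
}

build_openssl() (
    cd "$OPENSSL_DIR"
    comment_out_mk1mf Configure
    perl Configure mingw          # expect the "Configured for mingw" message
    make                          # assumed: the post lists the artifacts but not the make step
    make test                     # slow; verifies the build
    openssl_build_ok "$OPENSSL_DIR" || { echo "OpenSSL artifacts missing in $OPENSSL_DIR" >&2; exit 1; }
)

build_osiris() (
    cd "$OSIRIS_DIR"
    # word splitting of the option string is intended here
    ./configure $(osiris_configure_args "$OPENSSL_DIR" "$OSIRIS_DIR" "$OSIRIS_USER")
    make
    for exe in $(osiris_binaries "$OSIRIS_DIR"); do strip "$exe"; done
    # Step 7 from the shell instead of Explorer; assumes makensis.exe is on PATH.
    makensis src/install/windows/osiris_install.nsi
)

# Only run the builds when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then
    build_openssl
    build_osiris
    echo "Installer written under $OSIRIS_DIR/src/install/windows"
fi
```

Usage: `OPENSSL_DIR=/c/msys/openssl-x.y.z sh build-osiris.sh --run` from the MSYS prompt. The artifact check after the OpenSSL build is the same one the post describes by hand, and the configure options are built from the three values the post names so the full pathnames cannot be mistyped.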

SFO Carbon Offset

Air travel creates a huge amount of carbon dioxide, so San Francisco has installed an offset system for travelers in kiosks at SFO.

Climate Passport contributions fund the Garcia River Forest, a reforestation project in Mendocino County where redwood and Douglas fir trees are being added to a forest that had been heavily logged. They also go to the SFCarbon Fund, which is steering the money to Dogpatch Biofuels, a bio-diesel fueling station in southeastern San Francisco.

I would much prefer to buy them through the ticketing process so the offsets could be distributed, although there are certainly advantages to supporting local offsets.

ATM fraud advances

News from Prague, just weeks ahead of the Payment Card Industry (PCI) meetings there, reveals new levels of sophistication in ATM fraud. The Prague Monitor reports a foreign gang is thought to be behind the attacks.

The principle by which the gang withdraws money from the accounts resembles a mobile telephone – the gang is capable of producing a copy of the card within minutes after the user inserted it and entered his PIN.

They then can withdraw the money in other countries, for instance, in Bulgaria, Poland or Slovakia.

There are two key attributes to the attack. The first is that the attackers are following the same customer behavior as the banks. They attack only on Saturday nights, at locations highly likely to see cash withdrawals because of the banks' security marketing.

“So far, they have selected exclusively ATMs placed near the banks – either inside of them or directly outside. These ATMs seem more reliable and safe to users because most of them are monitored by cameras,” [police officer Michal] Ihnat said.

They seem safe, but in fact they are lying in wait. An obvious countermeasure here is for customers to alter their behavior and withdraw cash during the daytime on a weekday. Alternatively, the banks could shut down ATMs at high-risk times. This goes to a simple common-sense principle — the higher the convenience of an ATM, the lower the ability to protect it.

The second attribute is that the attack is wireless and hit-and-run, allowing the attackers to keep on the move. They do not return to the ATM to collect data, as their compromise is able to broadcast the cardholder information. A detective defense against this could be wireless monitoring to detect when an ATM is compromised, although picking out rogue signals has several problems: downtown Prague is littered with frequently changing wireless signals, and the attackers could easily encrypt and obfuscate their traffic. Another, more practical solution would be to keep ATMs within a cage that blocks wireless communication. Such a cage is more complicated than it sounds, as signals can easily leak, but it would defeat the attack most directly. It would also be an expensive change to the open-air ATM systems.

This is an attack on authentication, which Bruce Schneier likes to discuss. Bruce's theory of securing the transaction instead of the authentication brings forward another solution: send out-of-band confirmations for ATM withdrawals. A cell-phone call or text to confirm the amount would defeat these attackers. Again, however, it would be complicated to implement and would be a significant obstacle to convenience.