Pencils Down

This weblog is about my experiences in software development

Browsing Posts tagged Security

A set of upperclassmen from Michigan accepted the challenge to break into the proposed Internet voting system that would be in use in Washington D.C.  Kind of a nice idea: there are so many residents that are living abroad.

You can read the report at Attacking the Washington D.C. Internet Voting System.

When I read the report I was at first amused at the bad practices in place.  Later it started to bother me.  Got shivers from bad memories of the plans for SOPA.  I really don’t understand though:  if you are doing something of a technical nature that you really don’t have any expertise in why not hire some people who know what they are doing?

So we have:

  • I am sure there was enough slushy funding available to get good people to develop a secure system.  They obviously did not do that.
  • Use really bad practices.  At this point I guess nobody was paying attention anymore?
  • Throw down the gauntlet to people who know better that they couldn’t possibly break in!
  • Not even pay attention to the process and notice that someone did break in.

Reminds me of some parents bragging about how great a <pick your sport> little Johnny is.  When you see him actually play you are saddened by their ignorance and embarrassed to watch anymore.

I don’t know about you but I get phishing attempts on a daily (seems like hourly at times) basis.  The phishing is in a couple of categories:

– Slick – these really look like the supposed company.  But then they fall on their face with a yahoo email address or oddball url for ‘click here’ to enter your info.

– Wordy – these are jam-packed emails from innocuous sounding senders with reasonable titles as well.  Maybe I do know a John Galway?  And he’s writing about the Patriots game (something I care about).  It’s only when you scroll down to the ‘stop email’ link that you can clearly see it’s phishing.

– Pathetic – English is definitely not the first language of the sender.  Typically not one complete, correctly spelled and grammatically correct sentence.  Worse is the Asian character set email – complete gibberish.

– Million dollars – any number of swindles – African, Libyan, Middle East, orphan, cripple – you name it

So, given the bunch of junk that streams in continuously – does it work?

I have to believe everyone knows better about the Million Dollars; will ignore the Pathetic; realize the Wordy is junk.  Even the Slick should sound alarms once you realize the kind of information being provided (of course, it’s too late – just clicking put you on a spam list).

Now, then, who is accepting the phishing attempt?  I am guessing close to zero.

Then why keep sending them out?

It takes time to build a phishing list (or money to buy one).  Takes money and time to develop an email program that won’t get you cut off from your ISP.  If someone actually responds you have to do something smart (money and time) with the information to take advantage of it.

I wonder if the key is ‘close to zero’ acceptance and the law of large numbers.  Assuming you got a 0.0001% response of any kind it would be just a matter of time before you had a quantity of information to work with.

Still feels like a complete waste of time (and money).  Why not spend that much (time and money) on developing a neato iPhone or Droid app?

Just read Ghost in the Wires, the autobiography of Kevin Mitnick, a celebrated phone phreak/hacker.

I don’t know what I expected.  I have read most things by Bruce Schneier for some time along the security vein, so I guess I expected something with a technical angle to it.  Mitnick provides that, but the overall impression is of an OCD person who can’t control his behavior:

  • In jail he uses the pay phone to break into phone systems.
  • While on parole he breaks into phone systems.
  • When on the run from a federal warrant he breaks into phone systems.
  • When he knows he is about to be arrested for breaking into phone systems he proceeds to break into more phone systems.

I wonder if most phreaks are obsessed.  I somehow had the impression it would be something of a lark, kind of an “I’m bored, it’s the weekend, I wonder how this works.”

I can see where illegal types would be attracted to doing this.  I know there are things out there that could be grabbed.  But I wonder if even a crook would be so completely obsessed.

After a while it became cumbersome to read on about some new exploit.  You know he’s going to get caught, pay a heftier fine, spend more time in jail and he just can’t help himself.  Feels like seeing anyone obsessed with some other aspect of life: just makes you want to walk on by as quick as possible.  You know they won’t listen to advice or seek help.

While reading through a CEH test guide I came across a set of articles on steganography. I think most people are familiar with encoding bits in a JPG. A more interesting example was using complete, in-the-clear text in an XML file. The trick is to place your special ‘hidden’ text in the XML, but outside of any tags. For example:

<root id='folders'>
This text is in the XML file but not visible using standard parsers since not part of any tag<tag1>blah</tag1>
<tag2 id='something'/>
</root>

I could imagine a larger XML file without pretty printing where you would have no idea there was something embedded even if you looked at it.
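To make the trick concrete, here is an added Python example (mine, not from the CEH guide) built around a constructed copy of the XML above. A tree parser like xml.etree does keep the stray sentence as a text node; it is only code that reads child elements by tag that never looks at it, so the second function walks the tree and reports any text sitting beside child elements (including text trailing a closing tag, which the post's example does not show), which is a simple check for documents that are supposed to be data-only.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post: the "hidden" sentences are text
# nodes directly under <root>, not inside any child element.  The second one
# trails </tag1> to show the same trick in a second position.
SAMPLE_XML = (
    "<root id='folders'>"
    "This text is in the XML file but not visible using standard parsers"
    "<tag1>blah</tag1>"
    "also hidden"
    "<tag2 id='something'/>"
    "</root>"
)


def child_values(xml_text):
    """What tag-oriented code usually reads: each child element's own text.

    The stray sentences never appear here, which is the effect the post
    describes.
    """
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


def find_stray_text(xml_text):
    """Return (parent_tag, text) for text that shares a parent with elements.

    In a data-only document, non-whitespace text should only live in leaf
    elements.  Text that leads a parent with children (.text) or follows a
    sibling element (.tail) is mixed content and worth flagging.
    """
    root = ET.fromstring(xml_text)
    stray = []
    for elem in root.iter():
        if len(elem) > 0 and elem.text and elem.text.strip():
            stray.append((elem.tag, elem.text.strip()))
        for child in elem:
            if child.tail and child.tail.strip():
                stray.append((elem.tag, child.tail.strip()))
    return stray


if __name__ == "__main__":
    print(child_values(SAMPLE_XML))
    print(find_stray_text(SAMPLE_XML))
```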

Recently was trying to get a service running.  In order for them to enter my information in their system they needed my birthdate and last four digits of SSN.  It was explained to me “this is a VMS system and the field is required in order to enter your information”.  Oh, in that case…

I thought about explaining that given my birthdate and current location there are algorithms that can guess at the rest of my SSN number to a 95% accuracy. 

I thought about telling the person that my birthdate was none of their business.  That age based marketing programs targeting my age bracket were rampant and I didn’t want to be subject to them.

I thought about asking the person what their security programs were in order to protect my information, really my identity.

I thought about asking why someone would design software that required these fields.  Are they just required or, even worse, keys to my record in a database?

I thought about asking why on earth someone is still using a VMS based system for their business.  Isn’t there something a little more modern available that does the same thing?

I thought about just using 1/1/1900 and 9999.  But I bet their system actually had checks in there to verify that the birthdate and SSN were in range.  Also, if you could put in junk like this someone else probably got there first.

There was some slight anguish as I really wanted this service to be set up.  It was a good deal.

In the end I just said, “Sorry, I can’t provide you with that information.  Thanks anyway”.  To which the phone caller had no idea how to respond.

I wonder if people are better off not knowing how computer systems are made and maintained.

Great article on highly voted programming errors – includes examples, workarounds, attacks.  Article is at http://cwe.mitre.org/top25/

 The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.  (click on link above for more)

I work at a large defense contractor.  There are two levels of shareware licensing that need to be addressed for any product that is used:

1) Will the product be used in the field, in a production environment?

2) Will the product be used on the corporate LAN?

Any new product has to go through a rigorous review by legal staff to review the exact license involved in a product.  They are looking for the clause that says “We own your company after 12 days of use”.  Surprisingly, there are some open licenses that have such clauses.  Pretty gutsy – just count on coders not actually reading the legalese.

Use on the LAN means the product must also be reviewed for security breaches.  While a defense contractor has real security levels that conform to government standards, I think this is a reasonable test for any corporate tool.  Again, some products fail the security test by either including silliness (such as Google toolbar poking back at google.com on a regular basis) or outright virus/spam.

Use in production means the software will reside on a defense product in the field.  Whole new levels of pain to evaluate the product for holes.  Not surprisingly, there is a lot of Not Invented Here coding that goes on just to avoid such a review.