Wednesday, July 19, 2006

McKeay Quote - GREAT

I was browsing Martin McKeay's blog when I found some stuff he wrote. I have a special interest in talking about security to non-technical people, and I found on his site a document with some tips for them. The last one is so good that I immediately put it on my quote list:

"Use common sense. Anything that sounds too good to be true probably is. Don't follow the link from an anonymous email promising quick riches or cheap products. Most of those are just attempts to get your money, and some are going to try and install software on your computer or get information from your computer."

Tuesday, July 18, 2006

HD Moore and responsible disclosure

Vulnerability researchers have the right weapon in their hands to push vendors toward faster response times for security issues. I think the best example of how this should be done is David Litchfield. He practices responsible disclosure, and gradually uses public advisories to push vendors (in his case, Oracle) toward a more responsible attitude. HD Moore is being a bit selfish in this IE case, IMHO.

Instant disclosure brings too few benefits to victims (in most cases there are no usable workarounds) and huge benefits to a very broad black hat community. I think the fact that some people may already be exploiting the undisclosed vulnerability doesn't mean the rest of the bad guys should know it too.

A mixed approach, with an instant announcement of an open issue without further details (only the product affected and the date the vendor was informed), is the best option. Full public disclosure can be used later if the vendor refuses to fix the hole.

Winternals and Sysinternals acquired by MS

Another great step by MS in its quest for more secure products. Winternals and Sysinternals have just been bought by Microsoft. I hope to see things like the excellent PsTools package as part of Windows now. And it's not only about products, but about people too. Mark Russinovich is the guy who discovered that famous Sony rootkit.

To the MS guys, congratulations again! Enjoy the acquisition (especially the great product called "Protection Manager") and integrate everything those guys have made into Windows; it will add great value to your product.

Wednesday, July 12, 2006

Schneier and two-factor authentication

Schneier posted on his blog a report about phishers being able to defeat two-factor authentication by using a man-in-the-middle attack. They are basically proxying the user's credentials to the original site.

What really impresses me is that almost everybody who is suggesting solutions for this is thinking about the problem as "how can the original site identify that the request is not coming directly from the real user?". THIS IS NOT THE RIGHT APPROACH!

Last year I presented proof-of-concept code at a security conference. That code was written as a Browser Helper Object, but the main concept can be implemented by other means. The code was written to target a specific web application, an Internet banking site that uses two-factor authentication. It doesn't try to steal authentication credentials; instead it uses a valid, established and authenticated session. In my PoC, whenever the user executes a wire transfer, the destination account number is replaced by another account. The confirmation sent by the server is also modified to show the original destination account. The user can't notice anything wrong in his experience, but his money has just been sent to another destination.

Why bother stealing credentials when you can use the session established by the user to perform what you need to do? If you choose not to steal credentials, you have the additional benefit of not having to find a way to send them to yourself. No need to disable personal firewalls, deal with NAT issues, etc.

The real problem (technically speaking) is the user's actions (visiting bogus websites) and his environment (backdoors, trojans, DNS poisoning). Two-factor authentication will not solve any of them.

Monday, July 10, 2006

Base Rate Fallacy and NSA

I usually stay out of US internal matters, like the VA lost-laptop and NSA spying stories. But Bruce Schneier today posted on his blog a very good argument about why the NSA's plans to identify terrorists are flawed. The base rate fallacy is a very interesting problem that applies to a lot of detection-based security technology, especially anomaly-based systems. Perhaps this is why we still haven't applied this approach to IDSes and antiviruses.
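The base rate argument in numbers, as an added example (not from the post or from Schneier's article): two constructed scenarios, a near-perfect population screen and an anomaly-based IDS, showing how a tiny base rate turns almost every alert into a false positive even when the detector's accuracy looks excellent.

```python
from fractions import Fraction

def expected_alert_counts(population, base_rate, sensitivity, false_positive_rate):
    """Expected true and false alerts when screening `population` items.

    base_rate:           fraction of items that really are positive
    sensitivity:         P(alert | positive), the detector's true-positive rate
    false_positive_rate: P(alert | negative)
    Returns (true_positives, false_positives) as exact fractions.
    """
    positives = Fraction(population) * Fraction(base_rate)
    negatives = Fraction(population) - positives
    true_positives = positives * Fraction(sensitivity)
    false_positives = negatives * Fraction(false_positive_rate)
    return true_positives, false_positives

def positive_predictive_value(base_rate, sensitivity, false_positive_rate):
    """P(positive | alert) via Bayes' theorem: the share of alerts that are real."""
    p = Fraction(base_rate)
    tp = p * Fraction(sensitivity)
    fp = (1 - p) * Fraction(false_positive_rate)
    return tp / (tp + fp)

# Constructed scenario 1: a screen that catches 99% of real positives and
# wrongly flags only 1% of innocents, over a population where 1 in 1,000,000
# is a real positive.
SCREEN = dict(base_rate=Fraction(1, 1_000_000), sensitivity=Fraction(99, 100),
              false_positive_rate=Fraction(1, 100))

# Constructed scenario 2: an anomaly-based IDS that catches 95% of attacks and
# flags 2% of benign events, on a network where 1 in 10,000 events is an attack.
IDS = dict(base_rate=Fraction(1, 10_000), sensitivity=Fraction(95, 100),
           false_positive_rate=Fraction(2, 100))

def ppv_percent(scenario):
    """Positive predictive value of a scenario as a float percentage."""
    return float(positive_predictive_value(**scenario) * 100)

if __name__ == "__main__":
    for name, s in (("screen", SCREEN), ("ids", IDS)):
        tp, fp = expected_alert_counts(1_000_000, **s)
        print(f"{name}: {float(tp):.1f} true alerts, {float(fp):.0f} false alerts, "
              f"PPV = {ppv_percent(s):.4f}%")
```

In the IDS scenario an analyst would see roughly 210 false alerts for every real one, which is the practical cost the post alludes to.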

Thursday, July 6, 2006

The draft of the new British Standard BS25999 on Business Continuity Management has been published. It's important to take a look (and provide comments), as we know this is the kind of document that tends to become an ISO standard in a few years. It's available for download here.