Protecting your Data from being slurped up!

How to protect your data from what the The Guardian calls as ‘US border agents are doing ‘digital strip searches’?

The only way I think this is possible in a fool-proof way in the near future is that every has to absolutely implement a two-factor-DDA-authentication. There is not better #security today – period! There ain’t no stinking #AI, #RNN, #DNN, or Boltzmann machine in the world, or #Quantum computer worth its #quibits which can crack this – at least not in the near future.

And of course, when you have friends and family involved, the group authentication is a sure-fire way to stop anyone snooping in. #security

Advice from NSA on how to protect your data from NSA

No, there is no typo in the Subject, this advice is from NSA and should be good if you want to secure your data from NSA. The Register had this excellent write up on Guardian could have protected Snowden. I also like what The Register say:

Use an old-fashioned air gap. Be paranoid

You also could Steganography, using something like SteganPEG, but that is more obscurity, rather than security. The advice from The Register is sound and essentially is good if you are interested in protecting sensitive data. There are essentially four steps parts to this.

  1. Encryption – whilst it might seem hard to the non-geeky (I think we need to find a name similar to ‘Muggles’ – some reference for non-techy folks – of course in a good and constructive manner), it is not very hard. You should use something like GnuGP and create a asymmetric key pair (i.e. a pair of public and private keys). I would recommend you use a RSA based key pair which is 4K bits in length, using a SHA2 512 as the hash function. You should also consider the expiry date for this no more than a year, which will prevent some old keys lying around and being recycled or compromises.
  2. Use Clean Machines – You don’t know what is lying around on that OS and machine – could be some keyloggers for example. It is best to start with a brand new machine, which you re-install. You could either use the Security Enhanced Linux distro, or a harderned version of Windows or something else; NSA has a handy guide. You should also look to use something like BitLocker or TrueCrpyt and use that on a VM which you have built from scratch and is running on that clean machine.
  3. Moving the Data Securely – I think, this is the most difficult thing to do. The only way you can come close enough to do this is using Tor and a hidden service. Of course all the entry and exit points to Tor would be monitored and cannot be trusted. If you don’t know much of Tor, you can read up this guide.
  4. Using a Hidden Service – Use your clean machine only to interact with the absolute minimum to download data and then ensure it always remains disconnected from any network.

I also think the amount of data and information that Google and Facebook has one someone is scary. I like how The Registered ended their article with the quote from one of the UK government security staff:

You would not believe the hoops we have to jump through to access an email, all the legal paperwork that needs completing, when Google has everyone on file and no one blinks an eye

How not to handle exceptions!

Was trying to pay my Electricity bill online via a site called Bangalore One, which is the Governments, premier one-stop shop for Electronic Delivery of Citizen Services.

I could not pay because it seems like some backend services they need for credit card payment is down. How do I know this? Because the site is revealing too much detail! See the exception details pasted below.

This is a great example of what not to do! I have seen this often, and it is lazy developers and even lazier testers who approved this and get this into production. One would have thought that government managing the “Silicon Valley of India” would know better!

It is also interesting to see that they are on a very old version of .NET – running on v1.1.

Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Exception: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[Exception: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.]
   BangaloreOne.clsBESCOM.fnCheckTransCnt(String LocationRRNo, String StaffCode, Int32 intDeptCode) +381
   bOneWebPortal.BESCOMConfirm.Page_Load(Object sender, EventArgs e) +721
   System.Web.UI.Control.OnLoad(EventArgs e) +67
   System.Web.UI.Control.LoadRecursive() +35
   System.Web.UI.Page.ProcessRequestMain() +750

Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300

Facebook and Security again

Facebook and my views of it in the context of Privacy and Security are well known. This conversation with one of their (anonymous) employees detailing a few internal processes and tools is actually quite scary.

Now, I don’t know if this is true and how much of this is true; but if I was working for Facebook then all of this is quite logical and makes sense. And, technically all the things talked about is very feasible and not too challenging (of course am over simplifying here).

I do have to admit that the perf and scalability challenges are quite interesting and would love to sink my teeth in it – I guess I need to look at PHP first. 🙂

Is it time to relook at Facebook again?

I still don’t get Facebook – despite being on it. If I want to talk to someone I will call them, email them, text them, meet them, have dinner with them – get the picture?

I am quite worried about the security and privacy elements of it – or rather the lack of it. Those who know me well (anyone?) 🙂 know I was not always this paranoid but after attending a few Security courses – I cannot bury my head in the sand anymore.

The main issue I have is the commercialisation of the information and it will just get more as Facebook heads to compete with Google – it is my information after all and I don’t feel comfortable sharing so much of it – even after locking it down and setting the various privacy settings. It is very easy to exploit. Take the example where Facebook changed the settings where Google by default would be indexing a lot of this information. And it is you and I as users who had to login and explicitly change a setting to stop it from doing that. Furthermore, despite all the security measures that Facebook might have in place (and they don’t mention how internally within the company walls is the information protected) all it takes is one disgruntled employee (or soon-to-be-ex-employee) to take it all and walk out the door!

The secondary issue I have is the fact that more and more of the information, friends, contacts, etc is marketing and spam (a lot of what we see on Twitter as well). I personally am (thankfully) seeing much less spam on emails these days; but on the flip side I see a dramatic uptick of spam on social site. Not sure if this is because our email spam filters are finally smart enough to work, or perhaps the spammers found the social networking sites to be richer pickings?

It is good to know that there are others out there with the same concern and with some sites such as Suicide Machine allow you to “all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web2.0 alterego” [sic]. Of course, all has not been peachy for Suicide Machine at the same time. 🙂

If you are thinking like me and really giving it a go then suggest you seek some help as well to make it easier.

The irony of all of this however is that I will be posting this it to my Facebook wall and also tweeting it.

Implementing malware with VMs – Subvirt

Microsoft Research (MSR) along with University of Michigan have an interesting paper that showcases a new type of malware specifically for Virtual Machines and hosts running the VM’s (Hper-V, VMWare Server, etc). This malware installs a monitor underneath the host of the VMs as a Virtual Machine Monitor (VMM). All VMM’s run in Ring 0 (kernel mode).

Essentially this is similar to a rootkit and they call this a VM based rootkit (VMBR). A VMBR looks to get itself installed underneath the host and essentially runs the target OS as guest. It needs to manipulate the boot sequence to load it self before the ‘guest’ OS. This allows them to run silently with the ‘guest’ OS not even aware of their presence. Of course this makes their detection quite difficult (if not impossible) by the ‘guest’ OS.

They go on to implement a couple of prototypes which subvert both XP and Linux. The paper discusses ways to detect and prevent VMBR’s such as such as security software running even below the VMBR in an isolated layer which is not controlled by the VMBR. Another option is to boot up from a ‘safe’ medium like a ROM drive or a secure VMM which won’t stop a VMBR, but can at least help detect it.

New Worm (BlackAngel.B) spreading via MSN Messenger

Interesting new worm based on the likes of the movies such as the ring or feardotcom spreading via MSN. It is quite dangerous as it disables many security and antivirus software running such as antivirus, firewalls and even Windows programs like the Task Manager and RegEdit. It is easy to recognize, as you will get the following instant message – which downloads a avi (only that is an exe), when you run that your system is infected and all your contacts on MSN will be send the same instant message.

– jaja look a that http://galeon.<blocked>verti2/fantasma.zip
– mira este video http://galeon.<blocked>verti2/fantasma.zip jaja

So, be on the lookout and please do not click on that link!

More information can be found here.

Combating rootkit with rootkit

While I totally agree with the concept of combacting rootkit with rootkit when it comes to the new generation of spyware, etc. (remember Sony’s need for control fiasco), but my concern is there are many lazy programmers (yours truly included) out there and most companies are in a hurry to ship a product out the door without testing as thoroughly as one should, which means when dealing at the Kernel level for most end-users it could be a experience of more BSOD’s.

More DOS Pings

Here are a few more DOS pings from last night, I think these are poor souls who don’t know they have infected machines (or lets hope so). There is one (218.201.43.148) from China belonging to someone called Ming Chen in Chongqing, might have to drop his/her ISP an email.

inetnum: 218.201.40.1 – 218.201.43.254
netname: CQ-CHONGQINGYIDONG
country: CN
descr: Chong Qing Yi Dong IDC Yong HU
descr: 40-43 Duan Qi Yong

person: ming chen
nic-hdl: MC285-AP
e-mail: chenming@cq.chinamobile.com
address: NO.300, L building, 6th street, keyuan, high-tech, industrial zone, Chongqing,400041
phone: +86-13983247186
fax-no: +86-13594249044
country: cn
changed: weichenguang@chinamobile.com 20040625

Firewall log:
Tue Dec 20 05:27:18 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:27:18 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:27:18 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:33:39 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:33:59 2005 1 Blocked by DoS protection 66.235.167.62
Tue Dec 20 05:36:42 2005 1 Blocked by DoS protection 221.203.145.54
Tue Dec 20 05:40:00 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:46:22 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:46:22 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:46:22 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:46:22 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:47:07 2005 1 Blocked by DoS protection 221.1.204.251
Tue Dec 20 05:51:20 2005 1 Blocked by DoS protection 202.96.87.41
Tue Dec 20 05:52:44 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:52:44 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:52:44 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:52:44 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 05:59:05 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:04:25 2005 1 Blocked by DoS protection 58.18.64.162
Tue Dec 20 06:04:25 2005 1 Blocked by DoS protection 58.18.64.162
Tue Dec 20 06:05:28 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:05:28 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:09:37 2005 1 Blocked by DoS protection 221.203.145.54
Tue Dec 20 06:11:48 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:11:48 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:18:09 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:18:09 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:18:09 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:18:09 2005 1 Blocked by DoS protection 218.201.43.148
Tue Dec 20 06:19:15 2005 1 Blocked by DoS protection 82.49.110.167
Tue Dec 20 06:28:17 2005 1 Blocked by DoS protection 202.96.87.41
Tue Dec 20 06:30:40 2005 1 Blocked by DoS protection 213.142.181.48

Sony Rootkit DRM Saga Gets Messy

From PCMag, Sony’s incredible gaffe – creating a DRM applet that loads prior to the operating system – has caused an incredible furor. Sony agreed to suspend the program, but that’s not all. Now the rest of the world is piling on. Microsoft now says it will delete the rootkit directly with its anti-spyware program, and it’ll be included in the December version of the Malicious Software Removal Tool. And it looks like the Macintosh, which is also affected by the rootkit, might still be at risk.

I would be very careful of any of the new CD’s I buy – if they are from Sony/BMG then they might have this!

Exploit code chases two Firefox flaws

Two vulnerabilities in the popular Firefox browser have been rated “extremely critical” because exploit code is now available to take advantage of them. The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday. One flaw involves “IFRAME” JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list. A second vulnerability exists in the IconURL parameter in InstallTrigger.install(). Information passed to this parameter is not properly verified before it’s used, allowing an attacker to gain user privileges. This flaw could allow an attacker to gain and escalate user privileges on a system.

You can disable JavaScript as a workaround for now, but when a patch is released, I guess I would need to reinstall this all over again. *sigh*. And everyone says (including me) that this is more secure than IE. You can read the details here.

Update: You can more information about the bug and the work around from Mozilla here.

WEP Dead Again?

SecurityFocus has two part article that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers over the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one, compares the latest KoreK based tools that perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Part two, looks at active attack vectors, including a method to dramatically increase the rate of packet collection to make statistical attacks even more potent.

On August 8th, 2004, a hacker named KoreK posted new WEP statistical cryptanalysis attack code (soon to become a tool called chopper) to the NetStumbler forums. While chopper is functional, it is not currently maintained, and the attacks have since seen better implementations in aircrack and WepLab. However, the KoreK attacks change everything. No longer are millions of packets required to crack a WEP key; no longer does the number of obviously “weak” or “interesting” IVs matter. With the new attacks, the critical ingredient is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions.

One of the tools discussed is Aircrack, which implements KoreK’s attacks as well as improved FMS, aircrack provides the fastest and most effective statistical attacks available. To give aircrack a try, simply collect as many packets as possible from a WEP encrypted wireless network, save them as a pcap file, and then start aircrack from the command line.

More Information: