Jan 30

Sadly, the past few weeks have left me very little time to write about my rants. The first month has already passed by and I barely realised. In truth the next 5 months are a sort of marathon in that I have three exams coming up (one of them the CISM) and a thesis to finish off. On top of that, I have an ISACA presentation to give at the end of March (more details later on) and a full time job :-) I guess I shouldn't grumble -- and I won't. My replacement eTc-3850 thin client is still for sale, so if you're interested, drop me an email. It is still boxed and has never been used.

Ok, back to a good article I read on Securology: here's one that struck home on a number of points. It's a little lengthy so I won't be quoting a lot of it; however, the core of it revolves around the idea that a job in computer security is not as rosy as it might seem. Varied ideas tend to exist about the glory of CSI-like investigations and huge pay packets; however, the truth is much more down to earth. The reality according to Securology exposes the following:

1. Perfect Security is not possible.
2. Most security work is really about making sure everyone else does their job "correctly".
3. Security Response jobs suck.
4. Security Operations jobs suck more.
5. Security Planning jobs are set up to fail.
6. Security vendors have to sell out.
7. Pen Testers and Consultants have Commitment Issues.
8. Exploit writers perpetuate the problem.
9. Security Educators either are paranoid or should be.
10. Security Media don't really exist.
11. And Security Bloggers are the worst above all.


Each section is expanded and talked about and I encourage you to read the original article (see below for source). Being a security guy myself, I would say that they are somewhat true - and kinda got me frowning - however somewhat over-stated too. It's not all bad, though ... really!

A good point comes out of point 3 - Security Response jobs suck...

... It may seem like CSI or something, but jobs that deal with responding to incidents suck. Except in high profile cases, computer forensics and true chain of custody techniques are not followed -- and if you want a computer forensics job, you'll probably have to work for a large government/public sector bureaucracy (and all the fun that goes with spending taxpayers' dollars), which means you'll be primarily working on child pornography or drug trafficking cases and riding daily the fine line between public good and privacy infringements (warrantless wiretaps come to mind).


Others seem aimed at putting you off... and encouraging you to head for a farming job!

If you're already in a security career and find yourself disheartened by the lacking options around you (because you've realized that it isn't the glamorous field you once thought), but find that you have an amazing affinity towards learning all that you can, this might be a saving grace that will prevent you from leaving everything you've learned behind and taking up a job as a dairy farmer (or some other similar job that will not require you to touch a computer).


I work in an environment where our department is central to several other security departments. We interact with all the other departments, the idea being that there is a defined separation of duties. In such cases, one of the key skills of a security analyst has got to be communication. That essentially means that you must have both a varied technical background and be a people person capable of assessing not only your own needs but also those of others. The reason for this is obvious: you need to state your point from a security angle, balance your opinion vis-a-vis usability and be in a position to help implement/facilitate solutions that are security centric. Not an easy job -- but hey, then what are we paid for? ;-) ... and yes, it also means that to a certain point we have to be educators.

To close this article, here's Securology's ending... I sense that the writer must have been in one of his low moments -- nevertheless, heads up... it's not all grim.


If you hope to change the world with your career, may I suggest a rewarding opportunity teaching high school math or science in a public school system? The pay is for shite, and there will be harder days than being a security professional, but your pupils will be grateful for your job well done later in life-- even if they don't manage to get around to tell you. Besides, everyone knows Americans spend what they make-- just learn to make ends meet on a teacher's salary.


Source

Posted by Donald Tabone

Jan 28
Dear All,

A CISSP exam will be held on Saturday 18th April 2009 at Computer Domain's new building in Mosta, located in Constitution Street. Exam registrations close on the 13th of March 2009. We are advised that there is no need for you to have followed a course to take the exam.

Computer Domain address: Domain Building 102/104 Constitution Street, Mosta MST 9055, Malta Tel: (+356) 21-433 688, (+356) 27-433 688 Fax: (+356) 21-438 729 www.computerdomain.eu www.computerdomain.net

Posted by Donald Tabone

Jan 20
Onto another interesting piece of news I stumbled upon earlier today -- prick up your ears -- a recent study by Craig Wright, a forensic expert, shows that...
...after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.


They presented their paper at ICISS 2008 and it has been published by Springer AG in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).

The original article correctly talks about the implications from a security point of view. It's important to bear in mind that remnants of an edited document are still present in several places such as temporary files, swap files and who knows where else.

Really, to ensure that nothing more can be recovered from a hard disk, it has to be overwritten completely, sector by sector.


Free software out there that employs all sorts of wiping techniques, from simple algorithms to military-grade ones, like Darik's Boot and Nuke (DBAN) ISO, might no longer be necessary, as a simple tool like dd in Linux will do the job perfectly.
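As an added example (not part of the original post, nor the study's own code), here is a shell script that builds a constructed disk image with a planted document remnant, runs the single sector-by-sector dd pass the post recommends, and then verifies that nothing of the remnant survives; the image path, the sector geometry and the remnant text are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed 1 MiB "disk" image
# with a planted document remnant, wiped with one pass of dd and then verified.
IMG="${TMPDIR:-/tmp}/wipe-demo.img"   # a plain file standing in for a drive
SECTOR=512
SECTORS=2048
REMNANT='CONFIDENTIAL DRAFT - constructed remnant'

make_image() {
    # Random filler so the remnant is buried in noise, as on a used drive.
    dd if=/dev/urandom of="$IMG" bs="$SECTOR" count="$SECTORS" 2>/dev/null
    # Plant the fragment in sector 700, standing in for the temp-file or
    # swap remnants of an edited document that the post warns about.
    printf '%s' "$REMNANT" | dd of="$IMG" bs="$SECTOR" seek=700 conv=notrunc 2>/dev/null
}

# Forensic-style scan of the raw image: how many copies of the fragment exist?
remnant_count() {
    LC_ALL=C grep -a -F -o "$REMNANT" "$IMG" | wc -l | tr -d ' '
}

# The post's recommendation: one complete pass, sector by sector, with dd.
# conv=notrunc keeps the file size; on a real block device it is harmless.
single_pass_wipe() {
    dd if=/dev/zero of="$IMG" bs="$SECTOR" count="$SECTORS" conv=notrunc 2>/dev/null
}

# Verification: delete every NUL and count what is left. Anything but 0 means
# the pass did not cover the whole image (wrong count, size or sector size).
nonzero_bytes() {
    tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

demo() {
    make_image
    echo "remnants before wipe: $(remnant_count)"
    single_pass_wipe
    echo "remnants after wipe: $(remnant_count), non-zero bytes: $(nonzero_bytes)"
    rm -f "$IMG"
}

demo
```

The same two checks (no remnant found, no non-zero byte left) are what you would run against a real device after a wipe, with IMG pointing at the block device instead of a file.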

Echoing this post

Posted by Donald Tabone

Jan 14
Time to get certified!

Clear Dimension Ltd is organising a COMPTIA Security+ course on the 23rd of January 2009.
We are advised that there are the last few places remaining for this course.

For more information contact:
Clear Dimension Ltd.
Charmaine Buhagiar - charmaineb at cleardimension.net
Tel +356 27018611
www.cleardimension.net

Posted by Donald Tabone

Jan 7

So talk about strong authentication --- here comes an animated film from Dreamworks in March 2009 called Monsters Vs. Aliens. The trailer is hilarious and starts with an example of what could be called "very strong authentication" :-) :) :-) can't wait to see what more they come up with.

Echoing this post

Posted by Donald Tabone

Jan 6
It's been a while since I last posted something re. digital forensics, mostly due to the fact that I've been bogged down by studies and work. Nevertheless, I came across this document by Brett Shavers entitled Virtual Forensics - A Discussion of Virtual Machines Related to Forensics Analysis. A brief summary of the 35 page document is quoted below.

The time of virtual machines has come and will only become more commonplace. Although a virtual machine is nearly identical to an actual computer system, there are differences that examiners should be aware of. Given the capabilities that are inherent in booting forensic images into a virtual environment, this should be the first choice in the restoration of any forensic image as it not only saves time in the restoration process, but it can be repeated as many times as needed, quickly and easily.


Early in the PDF we get a primer on VMware files (such as .VMDK and .VMSD files), and it continues by describing the pros and cons of using virtual machines as a forensic OS. Later, he discusses topics like using VMs for anti-forensics, i.e. using a good tool for bad things, followed by a number of How-Tos.

I cannot help but say that this is a very good read, graphically supplemented and full of valuable information, whether you want to learn more about VMs or are analysing a VM for possible intrusion or compromise.

Download it here.

Posted by Donald Tabone

Jan 6


An article I initially read on Slashdot came as a bit of a shocker to me.

The Times of London reports that the United Kingdom's Home Office has quietly adopted a new plan to allow police across Britain to routinely hack into people's personal computers without a warrant. The move, which follows a decision by the European Union's council of ministers in Brussels, has angered civil liberties groups and opposition MPs.


Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.


“To be a valid authorisation, the officer giving it must believe that when it is given it is necessary to prevent or detect serious crime and [the] action is proportionate to what it seeks to achieve,” Acpo said.


Whilst the reasons behind all this may be good, I really don't endorse this 'rarely used power involving warrantless intrusive surveillance', for a variety of reasons that mostly run counter to a lot of the security premises individuals are usually told to adopt. Privacy is a fundamental right, even though The Association of Chief Police Officers (Acpo) said such intrusive surveillance was closely regulated under the Regulation of Investigatory Powers Act.

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”.

... the methods described are also questionable, and hardly seem legit...

Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state.


He [Richard Clayton] said the authorities could break into a suspect’s home or office and insert a “key-logging” device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. “It’s just like putting a secret camera in someone’s living room,” he said.

... so whilst this type of activity is known across the board to be illegal for mere mortals, we are now saying that the UK Police not only CAN carry this out, but also don't need a warrant... stinks to me.

As a commentator on Slashdot said:
I used to think V for Vendetta was fiction. It's starting to look like a documentary.... "But again, truth be told, if you're looking for the guilty you need only look into a mirror."

Continue reading "Legitimised 'remote searching'..."

Posted by Donald Tabone

Jan 2
Welcome to a New Year...

All I seem to read over the past few days are predictions for 2009.. what's going to be hot and what is not.. Of course I have a few ideas of my own and I think that one of the prevalent things for 2009 will be digital media streaming. Typical network media tanks like the Popcorn Hour box or the eGreat box will become more widespread as people opt to stream media over their local LAN to their full HD LCD TVs. Will Blu-ray catch on? Hmm.. I dunno. The idea of replacing my current library of DVDs with Blu-ray ones seems quite expensive. Moreover, I'd need a Blu-ray player. Personally I'd opt for video on demand, streamed in HD quality :-)

Some security news that caught my geek eye in the first few days of the year revolves around the elegant MD5 attack. Some people are considering it harmful today, especially once you see how they managed to create a web skeleton key with 200 PS3s that can perfectly impersonate any website on the internet. Ouch........

Our research team, consisting of 7 researchers from the United States, Switzerland and the Netherlands, was able to execute a practical MD5 collision attack and create a rogue Certification Authority trusted by all common web browsers. This allows us to perform transparent man-in-the-middle attacks against SSL connections and monitor or tamper with the traffic to secure websites or email servers.

The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.


So will this affect current forensic tools that rely on this cryptographic hash function? Surely yes. As processor speeds and general computing power increase, forensic software like EnCase must evolve if decisions in a court of law are based on such cryptographic functions used in official forensic packages. An interesting read is how NVIDIA GPUs crack WPA2 100 times faster than conventional CPUs -- and here we're talking WPA2!! Besides being a serious threat to online trust, the search for new hashing algorithms goes on as NIST publishes its first round of candidates... Schneier has a good article posted here on this. My guess is that we are to expect this area to evolve.

A second ouch hit me when I read about the DECT standard, adopted by everyday cordless phones and several other devices, having been hacked...
The standard is also used in baby monitors, emergency call and door opening systems, wireless debit card readers and even traffic management systems. In Germany alone, where 25C3 is held, there are an estimated 30 million active DECT devices. DECT uses standard cryptographic procedures for authenticating the base station and terminals and for encrypting data transfers.

More on this here.

So what's in store for security people in the coming year? ComputerWorld seems to think that professionals with SAP security experience are probably the hottest of the hot right now... and that interest in security professionals remains strong across the board. I would tend to agree...

When it comes to demand for certain types of security professionals, those with SAP security experience "are probably the hottest of the hot right now," says Herrin. But interest in security professionals remains strong across the board. "Companies can't ignore security requirements, even in tough economic times," says Stephen Pickett, CIO at Penske Corp. and past president of the Society for Information Management. There's also strong interest in people with network and wireless security skills, as well as those with Certified Information Systems Security Professional accreditation.

Source

So it's looking grim, but hopefully not for long... nevertheless, eyes open next time you check out online.. meanwhile, check out the Browser Security Handbook written by Google's Michal Zalewski -- to easily figure out what works where!

More details...

Posted by Donald Tabone
