From Security Weekly Wiki
Jump to navigationJump to search

Episode Media


Technical Segment: Computer Physical Security, a real life story

AKA, Storytime with Larry...

Why is it that it is always the small details that trip people up with physical security - it is always thos small things that don't get though of that cause a problem...

For example, take a typical home office, where a security professional is concerned - like me. Even at home, you use good passwords, lock your machine, encrypt data, patch, use hardened system with AV and a good firewall (software and hardware). You don't surf on that machine, download pr0n, or music, and so on. This computer is your life blood. You don;t even let your mom or your wife use this computer. Ever. Not even under duress of withholding sex.

You have video surveillance, an alarm, good locks, and motion sensors. You watch too much "It Takes a Thief" for even more tips, like rosebushes planted under windows.

Your special PC has a redundant internet connection using diverse paths, and diverse technologies.. Separate paths for redunant netowrk cable. wire. You consider running fiber due to the difficulty, but realize that most of your "last mile solutions" are copper, and abandon the idea.

You provide a separate breaker for this equipment. You buy UPSes...and a spare, and plug all of the appropriate equipment into them. You wire the electrical panel in the basement so this separate circuit can be powered by generator, or DC powered inverter (even if it is manual failover).

You think you have all of the details covered. You make one small but potentially fatal mistake.

The UPS is placed on the floor.

The cat decides to whiz on your UPS.

You and the cat are shocked, albeit in different ways.

Although the impending doom is impressive, including the flying scared cat, neat sparks, awesome smoke, intriguing noises, and wonderful smell, it all could have been avoided:

By elevating the UPS off of the floor. Or providing appropriate security access to the office proper.

The devil is in the details.

Stories for Discussion

Can you really turn a cell phone into a Mic? - [Paul Asadoorian] - This story sure states that you can, in addition to tracking individuals.

A related story: Cell Phone h4x - [Larry] - Some stalker has apparently been harassing a family through their cell phones including turning them on remotely. I thought CDMA research, was illegal (not that illegality stops hackers), but some of the hacks seem quite interesting - turning on via timed setting on the phone perhaps...

nasl command line tutorial - [Paul Asadoorian] - Nessus gives you some neat results when scanning services for vulnerabilities, sometimes its hard to replicate with more specific tools. Nasl is a great way to get that info, such as the details on a cert or mDNS info from a Mac. It can be easily scripted too!

Vulnerability in WinHex - [Paul Asadoorian] - As a security professional, its important to practice what you preach. Monitor vulnerabilities in software that you use, especially ones you use often. For me, its Thunderbird, Firefox, Adium, Colloquy, Netnewswire, and Parallels. All of this software is critical to me, it holds my keys, email, personal information, and are the primary gateways into my computer. Of course, I must also keep tabs on updates from Apple, which are automated and something that I know about anyway. [Larry] - Paul, we covered the WinHex thing last week, but I think the rest of your comments have definate value.

Virus uses Bittorent to propogate - [Larry] - FRom my recollection this is a first. Impard-A uses AIM and Messenger to send spoofed messages that link to an exploit payload. Once exploited, the worm searches for bittorrent.exe and uses it to download more components, and then begins to seed the components. The components apparently include the IRC C&C connetcion tools... What a "neat" idea for virus propogation, even if it is a bit scary.

"0-Day Exploits", "Patch Tuesday", and "Exploit Wednesday" - [Paul Asadoorian] - WTF, I go on vacation and the security industry loses its mind, forgets what 0-Day really means and Mcafee goes crazy. Its simple, evil bad guys are finding vulnerabilities and exploiting them, well before we even can label it as a "0-day", release a patch for it on "Patch Tuesday", and notice people exploiting it on "Exploit Wednesday". If you don't practice defense in-depth, drop drawers and bend over. [Larry] - The security industry has officially gone insane.

Audit year round! - [Larry] - Some organizations have an audit schedule that allows 4 months "off" - My advice, and that of the NFL, os to use those 4 months to perform additional audits, and "pre audit work" to stem any issues form the next audit. The downtime is also a great time to meet with your auditors and set expectations, and talk about how they can even help more.

iPhone - The new security threat? - [Paul Asadoorian] - Its obvious that I cannot go on vacation anymore, because the security industry seems to get way out of line when I'm not around :) Question: How does the iPhone pose any more of a threat than Windows Mobile phones, Blackberries, mobile phones in general, and anything else mobile that has bluetooth and wifi? If you can, standardize on one, and lock it down, manage it, and monitor it. Thats your only chance.

Websites overtake E-mail for h4x - [Larry] - Some are arguing that compromised websites have over taken e-mail as the method of choice for distributing malware to unsuspecting users. Apparently this is due to increased e-mail security, and significant holes in protection for web delivered attacks.

Virtual Machine Detection - [Paul Asadoorian] - Awesome presentation/paper on VM detection, all the methods, red pill, vmdetect, etc... A MUST read.

MS Excel 2000-2003 Vulnerability - [Larry] - I'm putting out the call for more info on this, as there are NO details. It appears to be issues with the sheet name formatting, but what exactly? Te exploit contains a single spread sheet. When tested on a fully patched Office 2003 installation on a windows sandbox, it crashes. On an OSX sandbox with fully patched Office 2004, it crashes. Hmmm.

Breaking TPM BlackHat talk pulled - [Larry] I hope that this is not due to vendor pressure. It looks like the talk was going to release a tool that could attach the Trusted Platform Module chip itself, and fooling the system that it was trusted when it really wasn't. One of the demos involved accessing Vista Bitlocker, by pwnage of the TPM chip. Man, I wanted to see this.

Quicken Has a Backdoor - [Paul Asadoorian] - First, I am really liking the Heise Security News feed, good stuff. Second, don't put a backdoor in your program that is only known to the vendor, supposedly this was put in to help people recover their passwords. Yikes, once the key is cracked, game over.

Hacking truck shipments with RFID - [Larry] - A quote from the article "researchers from PacketFocus Security Solutions and Atlas RFID Solutions used standard tag readers and antennas to read the electronic product code (EPC) labels on boxes loaded into an 18-wheeler tractor-trailer...". Wow. Want to know what, and how many of a product that your competitor is shipping? How about knowing which trucks to rob? I think I need to invent an RFID shielded tractor trailer, or a retrofit.

Unofficial Ubuntu Torrents Trojaned - [Andy] - It appears that many unofficial torrents of Ubuntu 7.04 have been trojaned with keyloggers and ad loaders. In general when you're downloading a software package you should make sure you get it from the official source. Sometimes those can be compromised too though. Really the best solution is for the project to either sign hashes of their released files or produce signatures for the files themselves.

Vulnerability in Kerberos - kadmind - [Paul Asadoorian] - I can't stress enough that you need to secure your management applications, just as you would secure an Internet facing service (to a point anyhow). This includes using secure protocols, allowing access only from IP addresses that are allowed, monitoring logs for anomalies and un-authorized access, and keeping things patched. If someone jumps off another server an 0wns your Kerberos database, explain that to your boss, right before you clean your cube and go home, for good.

Intel C2D Bugs - [Andy] - It appears that Intel's Core2 Duo processors have some serious issues -- some in the MMU. Particularly some of these errata may cause the processor to ignore read-only and NX bits for memory pages.

Other Stories of Interest

Cellphone Virus writer nabbed - [Larry] - the author of Cabir, and other symbian viruses was nabbed in Spain...

AV Oops for a giggle - [Larry] - Symantec announces new product, and at the demo Kaspersy AV update notification pops up on the screen. Apparently Symantec trusts Kaspersky AV better than their own. Ouch.

Cocktail Condoms - [Paul Asadoorian] - I have an interesting story about this, of course if you leave your drink while you are in the bathroom, can't they just remove the condom? I may use this when fishing, to prevent bugs from getting in my beer :)

Apple Finally patches the IPv6 type 0 routing header issue - [Andy] - This was disclosed in early May and affected multiple OSes. Now Apple's finally fixed it!