Security, the Mac, Mac users – fanatical devotion != secure

Last week, the BBC wrote about security on the Mac and the attitude Mac users apparently take towards it. Highlighting the “Month of Apple Bugs” (MOAB) project web site, the BBC discusses the security reality of Mac computing. I suppose the brevity of the article leaves out a lot of the really good information on security I’d like to see, but the BBC basically showcases the reality the MOAB project revealed, while still pointing out that ultimately the Mac has yet to be hit by a big, nasty worm or virus the way Linux, Windows, Solaris and so many other operating systems have.

Apple Mac users are still too lax when it comes to security matters, an independent researcher has said.

Kevin Finisterre caused ripples in the Mac community when he started a website in January revealing a different bug in Apple systems each day of the month.

While some observers dismissed the survey, Apple recently issued a patch to plug holes outlined by Finisterre.

Apple owners’ attitude to security was “one of the main reasons we started the campaign,” he said.

Apple makes great play of the fact that its OSX operating system has yet to be attacked by a virus while Windows XP machines are plagued with problems.

In the end, real-life commitments prevent the MOAB project creator from continuing regular work on it. He does note, however, that he would be glad to continue working on it if someone could put up the capital required to keep it going.

[tags]Apple security, the Month of Apple Bugs (MOAB) project[/tags]

Next-gen video discs fully cracked

Not long ago, there was news of a successful crack of Blu-ray and HD DVD copy protection, but it wasn’t a general crack. That effort pulled the decryption keys for individual discs out of a software player’s memory, which took non-trivial work for each title. The new method builds on the same memory-dump approach to recover the Media Key and then a Processing Key, which decrypts any AACS protected disc, at least until the AACS licensing body revokes that key in a newer Media Key Block, which is the recovery mechanism AACS was designed with.

I understand some of you are interested in how I retrieved the Media and Processing Keys, so I will tell you what I did.

Most of the time I spent studying the AACS papers. A good understanding of how things worked has helped me greatly in knowing what to look for in the first place (and how to recognize something). I may write an explanation of (my understanding of) how AACS works, in particular the subset-difference technique (which is by far the hardest to understand), at a later date if you guys want.

But anyway. Since the moment I found the Volume ID (which was much simpler than I had thought), my thought was to try to find the Media Key. But after some discussion I thought it might be better to go directly for the Device Keys (bad mistake). After looking at files created and changed by the software player and trying to recognize Device Keys in memory dumps, I was starting to get worried a bit. I wasn’t making any progress.

So I went back to my original idea: do a bottom-up approach. So first I tried to find the Media Key. One of the logical things to do even before that was to search for the Verify Media Key Record in memory. But it wasn’t there. I then started to work on a little proggy that would scan a memdump and treat everything as a Media Key, trying to verify each one with the Verify Media Key Record. No luck.

This was frustrating: all kinds of information was in the memdump but not the Media Key (I sort of assumed/hoped it would be). I made several memdumps at different moments but nada, nothing. After throwing it all away I remembered I still had a “corrupt” memdump from WinHex (it failed to finish because WinHex said the memory had changed). It was really small compared to the others so I didn’t have much hope. But when running it through my proggy: voila! I found it. Which finally gave me hope I was going in the right direction.

There were just two major problems left: how do you detect the Processing Key, and if it’s not in memory how do you find it at all? Well, since I now knew how things worked I knew the Processing Key had to be combined with a C-value to produce the Media Key.

OK, I don’t get any of that.  But clearly others do, so I share this for their benefit.  (via boingboing)

[tags]AACS copy protection broken, Next-gen video disc format protections broken[/tags]

Beware unknown Excel spreadsheets

Microsoft has announced that there is, unfortunately, another unpatched vulnerability in Excel, and an exploit for it is already circulating.

In its security bulletin, Microsoft warned that “other Office applications are potentially vulnerable” to the zero-day flaw.

Zero-day refers to a flaw for which there is an exploit but no available fix. The Excel vulnerability is Microsoft’s fifth zero-day exploit since December, and part of an increasingly troubling trend.

The zero-day flaw affects Office versions 2000, XP, 2003 and 2004 for the Mac, but not 2007 or Works 2004, 2005 or 2006.

That means: if you are using any of the vulnerable versions, don’t open Excel spreadsheets unless you know and trust the source. In related news, if you aren’t already aware, there is a similarly troublesome exploit available for Microsoft Word. While it is fun to pick on Microsoft, note that this problem is a nearly unavoidable result of increasingly complex software. Even some of the best known security software and networking tools have had security vulnerabilities in the past.

[tags]Exploit out for Excel, Microsoft Word vulnerability, Secure software is tough – just ask Microsoft (and others)[/tags]

An easy way to steal identities online

Catching up with my online reading a bit tonight, I found a link to a site which will check whether your social security number is in their database of known stolen SSNs. I’ll not link to the site directly, because I want to save any of the less intelligent web users who accidentally find my site from doing something not-very-bright (I know both the regular readers of my site are of such astonishingly above-average intellect that not only would they not fall for this, they can actually read the minds of criminals attempting to steal their SSNs). All you have to do to see if you are in this stolen SSN database is enter your SSN into the handy-dandy search field. This news is a couple of days old already from the DownloadSquad folks, and thankfully there are a number of commenters there who have already pointed out the problem with this service.

So where did they get their data from? Well from the FAQ on their site, here is their response. “The information that powers StolenID Search is found online, by looking in places where fraudsters typically trade or store this kind of information. All information behind StolenID search is publicly available, but not in places where search engines such as Yahoo and Google would look. TrustedID abides by all state and federal laws in the collection and provision of this compromised information. The information behind StolenID Search comes from collection efforts led by TrustedID directly and also from other reputable companies that assist us in finding this information on our behalf. One of those companies is Cyvellience.”

Note that I am not saying StolenID Search is a web site operated by evil ub3r hackers. I am not saying you can’t trust the folks holding this information to protect the information you enter or the information they already have. I’m not even saying you will be exposed to any actual risk of identity theft if you use the site. I’m pointing this site out and warning against using it because giving out this information online just isn’t something you should ever do when you can avoid it. If you ever see something like this, please think carefully about what risk you are taking sending this information to people unknown. The site seems to have the recommendation of some seemingly trustworthy security and privacy resources. The site may be run by the most trustworthy people in the universe, and a chorus of angels may accompany everyone associated with the site to protect them from ever suffering ill. That still doesn’t make me feel I should send them my SSN.

[tags]Brilliant way to steal identities online, How to dupe trusting people[/tags]

Windows Vista – vulnerable already (permanent activation hack, too)

Well, normal consumers haven’t even received the product and we find industrious types working to show us security flaws in Windows Vista. This should surprise no one, but I guess it does, or news of it wouldn’t be such a big deal. “Complexity = insecurity” generally. Vista is an extremely complex system. There will be lots of security flaws discovered. It is unfortunate, but likely unavoidable in software the size of the latest Microsoft OS release. And yet, here I am posting about it.

Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month.

On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. And over the weekend a Silicon Valley computer security firm said it had notified Microsoft that it had also found that flaw, as well as five other vulnerabilities, including one serious error in the software code underlying the company’s new Internet Explorer 7 browser.

In a separate article, elsewhere on the gr3at int4rweb, we find that there is already a permanent activation hack for Windows Vista, too. This allows you to avoid the “must activate within 14 days or functionality will be reduced” problems.

Until now, Microsoft has had the upper hand, with no permanent or foolproof way to crack or bypass Windows Vista activation having emerged. Instead, various workarounds and tricks to bypass, skip, delay, disable or spoof Vista activation have been suggested, with varying degrees of success, such as extending the evaluation period, the rearm method, installing Vista in a future year, ‘frankenbuilding’ Vista by replacing RTM build WPA files with RC build files, activating against a spoofed KMS server, or running and activating Vista with your own local KMS server, etc. Now there is a new crack method that is able to permanently stop the countdown timer of time left to activate Windows Vista, effectively running the Vista OS in full-functionality evaluation mode forever.

[tags]Windows Vista security vulnerabilities, Windows Vista activation bypass[/tags]

Don’t open Microsoft Word documents

News of this vulnerability is available in many places. I’ll point to the Secunia posting about the latest announced security vulnerability in Microsoft Word. Opening Microsoft Word documents with Word can lead to your computer being taken over by hostile programs – almost assuredly without your knowledge. Until a patch is available from Microsoft, do not open documents unless you know and trust the document creator.

A vulnerability has been reported in Microsoft Word, which potentially can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error in the handling of Word documents and can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

I’m not even going to do my standard Microsoft rant here. Designing security into a program as complex as Word is hard. Going back and trying to add security to a finished application which wasn’t designed with security tenets in mind is almost impossible. I am almost certain Word was not designed with security as a key component, which means there will probably always be problems like this. And consumers are to blame, as they don’t demand secure applications by withholding money from vendors who don’t design for security. In other words, the buying public is largely to blame for this – Microsoft is just doing what the customers indicate they want with show of dollars.

Microsoft has additional details on MS TechNet and on TechNet blogs.

[tags]Don’t open MS Word documents, Latest big security vulnerability news – MS Word[/tags]

I am right – again – current airport security is garbage

Another day, another fine fine airport security idiocy to report. This time, the danger is a rubber-band ball – probably about the size of a soccer ball. The end result is jail time with no actual charges.

I was departing a small commuter airport in Southern California last week and I found myself in jail! Here’s the story with the facts, and without any “emotional hype.”

About two years ago I made a big, rubber band ball. It’s bigger than a softball, but not as big as a basketball. It’s made of 100% rubber bands, and the core is nothing but knotted rubber bands. It’s been in the trunk of a car that I own and keep down there for most of that time.

I decided to bring it home to Anchorage to work on more, and that proved to be a bad decision.

Continue reading “I am right – again – current airport security is garbage”

Shirt with small pink profile of gun is illegal on planes

Get a good look at this.

gunstripeshirt.jpg

This shirt is illegal according to a customs officer in Birmingham – a threat of arrest was made, in fact. Of course, I continue to be right that this fake security we put up with is bogus, but even with stupid incidents like this, people still disagree with me.

[tags]Pink gun profile on shirt illegal, Customs officer can’t tell the difference between a real gun and a 3 inch piece of pink fabric?[/tags]

Privacy enhanced computer display

If you work on anything where you really need to protect what is displayed from inadvertent viewing, perhaps you need one of Mitsubishi’s new privacy enhanced computer displays. The short explanation of how the display works is that it rapidly alternates between the intended image and the inverse of that image. You wear special glasses synced to the display that block the inverse frames, so you see the intended image; anyone without the glasses sees the two frames blended together into grey static.

private-view.png

Continue reading “Privacy enhanced computer display”

More fear based stupidity in the name of anti-terrorism

Sometimes, even I am amazed at how many stupid decisions the people charged with security make. And given how low an expectation I have of intelligence showing up in security procedures, it probably amazes people who know me that I can be amazed by these idiotic occurrences. Continue reading “More fear based stupidity in the name of anti-terrorism”

An old discussion on the good and bad of profiling

Is profiling such a bad thing? “Don’t judge a book by its cover,” and all that. Is it wrong to judge based on appearances?

In some cases, actually, it makes sense. Bruce Schneier wrote an article last year discussing some of the good and bad of profiling. It’s still a valuable read. In the end, if profiles are based on good indicators, they can be an effective security tool. Profiles based on bad indicators are not only ineffective as security tools, they can create new security problems through the resentment bad profiling provokes.

On 14 December 1999, Ahmed Ressam tried to enter the U.S. by ferryboat from Victoria Island, British Columbia. In the trunk of his car, he had a suitcase bomb. His plan was to drive to Los Angeles International Airport, put his suitcase on a luggage cart in the terminal, set the timer, and then leave. The plan would have worked had someone not been vigilant.

Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car’s trunk, even though he was wanted by the Canadian police. On the other side of the Strait of Juan de Fuca, at Port Angeles, Washington, Ressam was approached by U.S. customs agent Diana Dean, who asked some routine questions and then decided that he looked suspicious. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.”

. . .

There’s a dirty word for what Dean did that chilly afternoon in December, and it’s profiling. Everyone does it all the time. When you see someone lurking in a dark alley and change your direction to avoid him, you’re profiling. When a storeowner sees someone furtively looking around as she fiddles inside her jacket, that storeowner is profiling. People profile based on someone’s dress, mannerisms, tone of voice … and yes, also on their race and ethnicity. When you see someone running toward you on the street with a bloody ax, you don’t know for sure that he’s a crazed ax murderer. Perhaps he’s a butcher who’s actually running after the person next to you to give her the change she forgot. But you’re going to make a guess one way or another. That guess is an example of profiling.

Yes, “hinky” there is the indication of Ms. Dean’s profiling of the suspect. And it’s a case of good profiling – she didn’t pick this person because of his clothes or his accent or his skin tone, or any of hundreds of other little things I’m sure someone somewhere thinks would be a sure way to tell. She picked him out because he acted in an abnormal way. Killing all the Arabs won’t solve terrorism problems, as much as my brother and some folks I’ve worked with might think it will. Stopping all Arabs from boarding planes won’t prevent hijackings. That’s bad profiling based on bad indicators. And that doesn’t do anything but generate animosity between ethnic groups (which, by the way, is a good way to heighten hostilities, if that’s what you are going for).

Despite what many people think, terrorism is not confined to young Arab males. Shoe-bomber Richard Reid was British. Germaine Lindsay, one of the 7/7 London bombers, was Afro-Caribbean. Here are some more examples:

  • In 1986, a 32-year-old Irish woman, pregnant at the time, was about to board an El Al flight from London to Tel Aviv when El Al security agents discovered an explosive device hidden in the false bottom of her bag. The woman’s boyfriend–the father of her unborn child–had hidden the bomb.
  • In 1987, a 70-year-old man and a 25-year-old woman–neither of whom were Middle Eastern–posed as father and daughter and brought a bomb aboard a Korean Air flight from Baghdad to Thailand. En route to Bangkok, the bomb exploded, killing all on board.
  • In 1999, men dressed as businessmen (and one dressed as a Catholic priest) turned out to be terrorist hijackers, who forced an Avianca flight to divert to an airstrip in Colombia, where some passengers were held as hostages for more than a year-and-half.

The 2002 Bali terrorists were Indonesian. The Chechnyan terrorists who downed the Russian planes were women. Timothy McVeigh and the Unabomber were Americans. The Basque terrorists are Basque, and Irish terrorists are Irish. The Tamil Tigers are Sri Lankan.

And many Muslims are not Arabs. Even worse, almost everyone who is Arab is not a terrorist — many people who look Arab are not even Muslims. So not only are there a large number of false negatives — terrorists who don’t meet the profile — but there are an enormous number of false positives: innocents who do meet the profile.

Don’t give in to bad profiling. Look for more than just skin color or style of dress.

[tags]The good and bad of profiling, Bruce Schneier on profiling[/tags]

Diebold touch screens on e-voting machines make devices fail

So what can you do when you make a product for electronic voting that security experts have already shown to be insecure? Well, the last thing you’d want, I’d think, is for the touch screens on those devices to make them fail when touched. Yet that’s exactly what happens with the Diebold machines right now. Thankfully Diebold has a fix: don’t touch the touchscreen. The company will provide a mouse for every machine instead.

After a daylong test of the state’s retrofitted voter check-in computers, it remained unclear yesterday whether the $18 million system works well enough for the state’s elections chief to deploy it in the November general election.

. . .

One reason for the relatively smooth test was the addition of a computer mouse to each of the touch-screen terminals, bypassing a software flaw first identified during the Sept. 12 primary and which remained unsolved throughout the day yesterday.

. . .

The e-poll books are supposed to be operated by tapping a small plastic stylus against the computer screens. The terminals are linked together and are used to register, among other things, whether a voter has shown up at the polls.

But during last month’s primary election, on occasion, one machine in a precinct would show voters as having cast ballots, while another would say they had not come to the polls.

To fix the problem, Diebold officials said yesterday the units could be operated with computer mouses and that they could provide the state with 5,500 of them in time for the general election. Or they could install new software and allow election judges to touch the screens.

Yes, you are reading that right. These are touch-screen devices that have to be driven with a mouse, because touching the screen can make a unit lose sync with the other e-poll books in the precinct. Note what the article says these units are: electronic poll books that record who has checked in, not the machines that record the ballots themselves. Once the lists on the poll books disagree, a voter who has already checked in can check in again at another unit and the system won’t flag the double vote until sync is restored. Instant doubling of votes, just by touching the touchscreen!

Lamone’s deputy, Ross Goldstein, said yesterday that elections officials would hear from their quality-assurance consultants and Diebold about whether the underlying software flaw causing the machines to lose sync could be fixed before a mid-October deadline to return the improved units to local election boards.

. . .

When the e-poll books fail to communicate with each other, or “lose sync,” the lists of who has voted in that precinct, which are stored on the e-poll books, don’t match. Should someone try to vote again, an out-of-sync system wouldn’t flag the double vote until the system had been corrected.

A spokesman for Diebold said yesterday that likelihood of such fraud would be low. If the system requires mouses, poll workers would be instructed repeatedly not to touch the screens and to check whether the system is communicating properly.

They also said that yesterday’s test proved that the system works smoothly and that the mouses would not interrupt an election.

OK, I’ll grant – the mouse probably won’t interrupt the election. But I bet all the people touching the touchscreens will. I wonder if anyone else worries about that?

County elections directors, many of whom came to the event, heaped praise on the machines, saying that they eliminated days of work updating voter histories after the election.

“Your instinct is to touch the screens,” said Sandra M. Logan, elections director in Caroline County, as she checked in a voter. “But I think my judges are used to using mouses and would like them.”

Nope. Or at least the elections director isn’t. Because people trained to not use the systems the wrong way after 2 test runs have mostly learned how to not use the systems the wrong way. Which I’m sure will translate into 100% non-misuse in a real election.

The likelihood for fraud if this problem stays in is high. Anyone saying otherwise is flat out lying to anyone that listens. There are groups of people who will do anything to tamper with an election (and no, I’m not talking about liberals). Once they know about a flaw this easily exploitable, they will take advantage of it. Saying the likelihood of fraud is low is akin to saying you trust the criminals will not try to take advantage of a flaw once they are made aware of it. And that would be laughable if it weren’t such a serious issue.

[tags]Diebold voter machines work great as long as not used in manner designed for, Easily exploitable flaw in Diebold e-voting systems no cause for concern according to Diebold[/tags]