Relax Security

Still alive and kicking

2010-06-28T10:12:00.002+02:00

I will soon start to publish again some notes on security standards. Stay tuned

Another "Advanced Message Queuing Protocol" AMQP site

2009-04-21T11:34:00.001+02:00

www.amqp.org/

Interesting concept: Open reliable messasing in a Web 2.0 world

2009-04-21T11:24:00.001+02:00

See http://www.imatix.com/for more information

electronic Voting

2007-07-27T14:36:00.001+02:00

Electronic voting is currently deploying at very high speed into both european and US countries, please share your views on this and the possible problems/advantages this could have for democracy.

questions: should we leave our democratic controls to computers and the govs?

Viruses - not only for Windows

2006-11-09T10:40:00.000+01:00

Until now, most, if not all, only plagued the Windows world, leaving other systems' users, like MacOS X, with a warm, comfy feeling of security. They were wrong. Last week, a new proof-of-concept virus that infects MacOS X executables was published. For those who want to get a peek on the technical details, see here.

Of course, it's only a proof-of-concept, never to be seen outside the labs, but it proves that a Mac virus is possible. In other, seemingly unrelated news, the Month of Kernel Bugs project has started. The first bug, published with proof-of-concept exploit code, attacks the wireless drivers of Mac systems.

So there you have it: an attack vector, and infection techniques. It's only a matter of time before someone puts the two together. So take the initiative: keep your Mac updated, enable the firewall, and install anti-virus software as soon as possible. It's not too late yet, but it's time...

Additional resources

2006-08-22T22:21:00.000+02:00

Security Engineering

Threat Modeling

Security Guidance Index

Microsoft regulatory compliance planning guidance

2006-08-08T21:31:00.000+02:00

For all those that have to deal with it...

See

MS Regulatory guidance

C U

Freeman

Vista Security Blog did open this month

2006-08-08T21:20:00.000+02:00

Hi folks,

just short notice to mention that a new security blog on vista security just opened this month...nice place to ask questions to MS Vista product management team about the effects of IE7+/Vista virtualization, UAC and the like...

regards,

Why phishing works

2006-06-08T14:43:00.000+02:00

If you only have ten minutes of free time today, spend them reading "Why phishing works" by Rachna Dhamija, J.D. Tygar and Marti Hearst. These researchers (from Harvard and Berkeley) have conducted an experimental study of people's reactions when faced with potentially fraudulent sites. The test subjects were showed 19 web sites, some of which being legit, while others were taken from phishing sites archives, and they were asked to distinguish which sites were legit or fake. To say that the results are appalling is an understatement.

On average, 11.6 sites were correctly identified. The worst score was 6 correctly identified sites, and the best was 18. Nobody got full marks. Interviews with the test subjects showed that little to no attention is paid to the security icons and other visual clues given by the browser (padlock icons, color changes when viewing SSL sites, ...). Knowledge of X.509 certificates were of course nil, and unsurprisingly, dialog boxes warning that an SSL certificate did not match the web site (or was self-signed) were clicked through without being understood (when read). Another interesting fact is that two legitimate sites were incorrectly identified as fake in 50 percent of the cases or more.

The test subjects were not computer illiterate. Some of them spent over 80 hours per week using computers for work or at home. They were just normal computer users, like your aunt Irma or your neighbour. The bottom line is that the current security user interface of browsers is not good. And no amount of pop up dialogs will make things better. There is a real need for a new paradigm in this field, and nobody's got the answer yet. So if you have anything to do with security software development or user interface, send this paper to your UI specialists. This will give them something to chew on.

2006-05-25T11:21:00.000+02:00

The Dark Arts are many, varied, ever-changing and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible.

"Your defences must therefore be as flexible and inventive as the Arts you seek to undo."
- Severus Snape (HBP9)

New challenge for security components providers

2006-04-30T19:15:00.000+02:00

Hi all, it's been quite a while, got a lot of work to do just like Y'All folks.

I've come accross some of the papers of a quite good book: Security and Usability-Designing Secure Systems that people can use edited by Simson Garfinkel and Al..

Some of the papers are a little bit too academic to be really usable in real world, but at least they show the basic path to our new big challenge: how to make "security things" usable for mortal people while not annoying them with unwanted messages and avoiding them being tricked by "bad guys".

I think that unless you make your UI business area knowledgeable, this can difficulty be done: to make this understandable to mortal guys, you must make sure that it relates to semantics of the business service they are interacting with. If you don't have this kind of semantic inclusion in user interface, the security system will have to rely on syntaxic concepts that are difficulty "grasped" or can difficulty be verified by the users: URLs with cabalistic signs in it,....

Just as general purposes application were too tied to the underlying technical infrastructure and had to make huge efforts on usability (remember the editor of the early 90's or the command lines of the 80's ?), secure systems will have to do the same kind of efforts during the coming years.

Kernel Mode IRC Bots and of the futility to eradicate malware

2006-04-13T13:44:00.000+02:00

IRC Bots are a kind of malware that manage to
get installed on your system (installation
vectors range from exploiting browser
vulnerabilities to automatically install, to
ndocumented add-ons to those nifty screensavers
your kids love so much). Once installed, the
malware connects to an IRC channel (IRC is one
of the oldest forms of instant discussion forum),
and waits for orders. Depending on the orders,
the malware then tries to propagate, attack
other systems, relay SPAM, ...

Until now, these IRC bots runned in user space,
making their detection and eradication
possible. But a researcher has just published
the sources of a proof-of-concept IRC bot that
runs in kernel space [1] & [2]. What that means
is that, should that kind of bot become widespread,
detection and eradication will become impossible
once the malware is installed.

Is that news? Well, no. I strongly believe that,
once a system is compromised, the only safe
option is to nuke it from Moon high, and
re-install from a clean image. Even a Microsoft
security official admitted so in a recent interview.
Why is it so? Because there is no way to be
completely sure that your anti-virus has
identified the exact variant of the malware,
and that it has subsequently removed all
instances of infection, all registry entries
or hidden files. And this is not just for
Windows systems: once malware gets installed
on your system, it's not your system anymore.

This does not mean that anti-viruses are not
necessary: they are just limited in what they can do,
and are just one layer of protection that aims at
preventing malware from installing on your systems
in the first place. So d'ont get rid of them, but
keep them well-updated!

German Postbank Uses e-Signatures to Curb Phishing

2006-04-10T02:22:00.000+02:00

The Register reported that the German bank Postbank is going to introduce electronic signatures to all email correspondence with its customers in an attempt to curb phishing.

Related posts and articles:
Security as a legal obligation. Sarbanes Oxley in the European Union
Dutch Consumer Organisation Wants Embedded Security in Internet Products and Services
European ISPs, Microsoft and Interpol Will Cooperate

Dutch Army Captain Not Prosecuted for Losing USB-Stick

2006-04-10T02:19:00.000+02:00

A Dutch army captain will not be prosecuted for leaving his USB-stick in a rental car.
More on Rechtennieuws.nl

Police password database exposed

2006-04-06T10:26:00.000+02:00

The database of people who had signed up to receive
New South Wales (Australia) Police media releases
has been unwittingly exposed on the internet this week.
This database contained among others the names,
addresses, and passwords of subscribers. This incident
highlights a lot of points that need to be taken care of
when writing and deploying web applications:

1. The passwords were stored in plain text. This shouldn't
ever, ever happen. Passwords are secrets, and must
remain so! If your application needs passwords, don't
store them, but salted hashes.

2. The passwords were mostly poorly chose: passwords
like "enforcer" or "diaryy" or just the same as the
username were common. Your application should
prevent users to choose poor passwords. Libraries like
cracklib can be used to detect weak passwords and
eliminate the "low hanging fruits".

3. The application was probably not meant to be
accessible by everybody. It was found just by following
links present in other pages. This is yet another failed
attempt at security by obscurity. This kind of "protection"
does not work well, and can only be used as one layer,
after all the other protection layers are in place.

4. Google indexed it all. The original web page has been
pulled off, but all the information is still available (at the
time of this writing) by putting the right query in
Google, and asking to view the cached pages. Google and
other search engines happily follow any link they can
find, including from directory indexes if they can get
access to them. First, directory listing should not be
allowed. Second, maybe a robots.txt file will prevent
Google and other "well-behaving" web spiders from
accessing your data. But it will above all tell
"mischievous" web spiders where the juicy data is. If some
information should not be accessible by everybody, protect
it with adequate access control means, like a .htaccess file.

5. Should you get hit with such problems, Google's
procedures to remove content from its caches can be found
here.

New Internet Explorer Vulnerability

2006-03-30T10:33:00.000+02:00

Late last week, a vulnerability in Internet Explorer
was disclosed: when an html tag contains a great number
of JavaScript event handlers (like 'onClick') Internet
Explorer crashed. It was at first thought that the
result was only a denial of service, but a code
execution exploit appeared after a few days. It looks
like history is hiccupping, because this scenario is
exactly the same as with the Graphics Rendering Engine
vulnerability at the beginning of the year.

Just like in January, it looks like the vulnerabilty was
know by the underground for a while, and that it was
(and is still) exploited, by planting malicious pages on
hacked web sites. And again just like in January, third
parties have provided patches for the vulnerability, that
you can install while waiting for Microsoft's official
update (here and here). The difference is that now there
are two independant patches, instead of just one.

Now the 100€ question is: should you roll-up those third-
party patches? The short answer is obviously "It depends".
The long answer is of course more convoluted, because
there are a lot of factors to take into account. First,
there is the severity of the vulnerability. Contrary to
the January vulnerability, exploiting this bug doesn't
allow the attacker to execute code with SYSTEM privileges,
but with the privileges of the current user. What are the
privileges of your users? A lot of them are always logged
in with administrator privileges, which gives full
control over the system. So you have to know what are the
commonly used privileges of your users.

The next factor is: do you trust the people who have
produced the patches? Won't they use the gullibility of
people to make them install their own kind of malware? One
of the patches was developped and published by eEye, which
is a rather well-known security services company, that
employs some very competent people. The other patch was
published by another security services company, though not
as famous. eEye provides source code for their patch,
but how can you be sure that the executable is the product
of the source code you have downloaded? All in all, just
this factor is an interesting dilemma, and your security
policies should give you a good hint for an answer.

Finally, there is the question of your environment. These
third-party patches have probably been tested as
thoroughly as possible. But do these companies have access
to all the vulnerable versions of Internet Explorer on all
Windows platforms? Probably. In all languages? Maybe. Did
they test them all? Probably not, because that's exactly
what takes the most time to Microsoft: testing the patch
on all combinations of their software. And also in your
environment comes the question of the number of systems to
patch (and from which the patch will have to be
uninstalled when Microsoft publishes an official update),
and the interaction with specific software you may be using.

So, let's wrap it all up: should you roll-up these third-
party patches? It depends. But should you decide to do it,
first make sure you test the patch of your choosing on
production-like systems before, and test them thoroughly.
And maybe when your tests are done, Microsoft will have
published their own, official and QA-tested patch...

No comments

2006-03-30T08:51:00.000+02:00

Prometheus was not a fool...he is right

2006-03-29T23:17:00.000+02:00

More information click on the "prometheus link".

Prometheus stole fire from Zeus and gave it to the primitive mortals on the earth. Zeus did not punish Prometheus alone, he punished the entire world for the effrontery of this rebel god.

[...]

Zeus had many plans for the reshaping of creation. Zeus said that knowledge and divine gifts would only bring misery to the mortals and he insisted that Prometheus not interfere with his plans.

Dispite Zeus’ warning, Prometheus took pity on the primitive mortals and again, he deceived Zeus.

Prometheus gave the mortals all sorts of gifts: brickwork, woodworking, telling the seasons by the stars, numbers, the alphabet (for remembering things), yoked oxen, carriages, saddles, ships and sails. He also gave other gifts: healing drugs, seercraft, signs in the sky, the mining of precious metals, animal sacrifice and all art.

The gift of divine fire unleashed a flood of inventiveness, productivity and, most of all, respect for the immortal gods in the rapidly developing mortals. Within no time (by Immortal standards), culture, art, and literacy permeated the land around Mount Olympos (Olympus).

When Zeus realized the deception that Prometheus had fostered, he was furious.

He had Hephaistos (Hephaestus) shackle Prometheus to the side of a crag, high in the Caucasus mountains. There Prometheus would hang until the fury of Zeus subsided.

prometheus steal fire to bring it to men

2006-03-29T22:46:00.000+02:00

The Blacksun

2006-03-29T22:44:00.000+02:00

European ISPs, Microsoft and Interpol Will Cooperate

2006-03-25T01:45:00.000+01:00

On line fraud is increasing and the public authorities can't always cope with it. Interpol and the European ISPs (press release in pdf) and Microsoft (Microsoft EMEA press release) announced cooperation in order to combat on line fraud. Their first goal is to reduce phishing.

Skype reverse-engineered

2006-03-23T11:26:00.000+01:00

Researchers have presented a very interesting paper
during the last BlackHat Europe, about reverse
engineering Skype. For those who have lived in a
rocky place far from any network connection during
the last two years, Skype is a Voice over IP application
that can be used for free to communicate between
users of the application. Paid services exist, that allow
people to make calls towards non IP telphone networks.

Skype works using peer-to-peer technology, using
people's systems and network connections to route calls
within the Skype network, and make a lot of effort to
work through almost any firewall. For systems and
network security administrators, this is worrying. First,
because it turns your networks and systems in call
routers and telephone lines, which may create bandwidth
problems, software instability issues, and everything that
goes in turning an ordinary station into a server.
Two, because telephone calls originating from your
network, maybe holding confidential information, pass
through systems you don't control, and that you can't have
any guarantee on - unlike a phone company's network,
with whom you have a contract. Finally, those same calls
are passed using closed software, over undisclosed,
proprietary protocols.

That's the reason some people have started to try and
reverse-engineer the program and the protocols it uses, in
order to understand whether call privacy can be ensured,
and provide information on how to block Skype traffic
when it's against your corporate policies. That effort has
been surprisingly difficult. Not only are the protocols
encrypted and proprietary - that was already known - but
the program itself goes to great lengths to prevent reverse-
engineering. The researchers have had to peel layers upon
layers of protection, some very elaborate. During the
process, they also found some pretty serious
vulnerabilities, which could be exploited tu turn the Skype
network in 'the biggest botnet ever' (sic).

What do your policies say about Skype usage?

Biometrics Are Not Reliable, Says EU Data Protection Expert

2006-03-18T02:39:00.000+01:00

Biometrics are not reliable, says EU data protecton expert (source: EUobserver)

An EU data protection supervisor, Peter Hustinx, has criticised the use of biometrics as unique identifiers for European citizens, saying fingerprint or DNA identifications can be inaccurate. He leads an independent body that monitors EU data protection. He says that recent proposals to interconnect important EU data bases - notably to identify suspects in the fight against terrorism - raises a number of questions in relation to data protection.

IBM B2B Security Survey: German Companies Take Cybercrime Very Seriously

2006-03-16T02:19:00.000+01:00

According to a recent IBM B2B Security Survey, 63 percent of IT managers in German companies think that cybercrime is a bigger threat to their company as other crimes. On an international level this percentage is estimated at 40 percent of all companies.

Some background reading on cybercrime:

European Network and Information Security Agency, ENISA

Cybercrime file of EurActiv

Cybercrime section of the US Department of Justice

New RFID (Radio Frequency Identification Devices) Policy for Europe

2006-03-16T02:17:00.000+01:00

The EU has a new RFID (Radio Frequency Identification Devices) Policy for Europe.

Some background reading about RFID:

For a critical comment see: RFID: Europe Wants to Tag You.

Hartmut Pohl, Professor für Informationssicherheit an der Fachhochschule Bonn-Rhein-Sieg is not against RFID points at some privacy issues: "Keine Anonymität mehr mit RFID-Chips" (in German in the newspaper Die Welt).

RFID Journal Wikipedia on RFID, with RFID Legislation, Regulation and standardization

Legal Implications of Using RFID Highlighted

Legal fears hold back RFID adoption

RFID tags can be infected with a virus

MS ACE team

2006-03-14T21:16:00.000+01:00

Microsoft ACE team did make available their new threat modelling tools allowing development team to enhance the global security of their application.

More information on http://blogs.msdn.com/threatmodeling/

a very good tool in my opinion worthwile taking a serious look at it.

The Future of Privacy

2006-03-07T00:17:00.000+01:00

Bruce Schneier published a very interesting essay on his blog "The Future of Privacy" where he also refers to privacy legislation in the European Union:

"(...) We're never going to stop the march of technology, but we can enact legislation to protect our privacy: comprehensive laws regulating what can be done with personal information about us, and more privacy protection from the police. Today, personal information about you is not yours; it's owned by the collector. There are laws protecting specific pieces of personal data -- videotape rental records, health care information -- but nothing like the broad privacy protection laws you find in European countries. That's really the only solution; leaving the market to sort this out will result in even more invasive wholesale surveillance. (...)"

Read the whole thing here.

Dutch Consumer Organisation Wants Embedded Security in Internet Products and Services

2006-03-02T22:02:00.000+01:00

The Dutch consumer organisation (Consumentenbond) started a petition on its website demanding that computer suppliers, Internet providers and companies providing services on the internet must offer secure products and services. They advocate that such suppliers and providers offer embedded security into their products and services, just like car manufacturers offer safe cars and microwave manufacturers sell safe ovens.

The Dutch consumer organisation argues that consumers increasingly make use of their computer and the Internet for e-banking, e-mail, and e-commerce. However, it seems that their personal data are relatively easy to abuse. Security software (virus scanner, spywarefilter, firewall) is often too complicated for an average consumer. A security software that is “ok” one year isn’t “ok” anymore the next year. According to the consumer organisation this means that the consumer would constantly have to change his security software. They agree that consumers still need to take care of safe behaviour on the Internet and maintenance of their security software.

I think that the discussion about what can be “reasonably expected” from service providers as "good housefather" (“bonus pater familias”), but equally also from customers, is becoming increasingly important. Security is not a new legal obligation: it’s already a legal issue for all EU companies since the early nineties; of course a lot depends on the applicable legislation.

On the one hand the knowledge of the average consumer about computers and the Internet is increasing. Therefore one can also reasonably expect an increased knowledge of the security issues involved, such as spam, hacking, phishing, pharming, virus etc. Private companies such as banks, e-banking and e-business providers are constantly warning their customers for security issues. Governments are also publicly warning for Internet related security issues. Just like the average consumer knows he has to fasten his seat belt when driving his car and knows the “don’t try this at home” stuff, I can imagine that almost every “average consumer” receives spam and phishing e-mails in his mailbox but knows by now that he shouldn’t click on every pop-up, hyperlink or attachment he receives.

On the other hand the security attacks become more and more sophisticated and are - as far as I can understand it - sometimes even difficult to spot for professional IT and security people, and the average user is not an IT or security expert. There is also an increase in politically motivated attacks.

So the question is: where is the balance between the “reasonable obligations” of the service/product provider on the one hand and “reasonable obligations” of the user on the other hand?

I believe we can expect from an average user that he knows the difference between leaded and unleaded gasoline, but can we expect that he really grasps the impact on his engine of the difference between 95 octane and 98 octane? The average user, consumer or professional user, does not want to think about security or technology: what really counts is what the technology does for him. However, this average user can’t be regarded as a totally security ignorant user either. The “reasonable security awareness” of the average user is increasing, and it should by now. He should understand that he needs a regular update of his security software, just like he goes to his garage to have his car serviced, and he should take care of safe behaviour on the Internet, just like he tries to avoid traffic accidents.

When there is a breach of security and this breach is the cause of damage for a user, the matter shall be decided on a case-by-case basis. Generally speaking and making abstraction from certain country or sector specific legislation, both service provider and user (consumer and professional user) can then be judged with the concept of “bonus pater familias” in mind. The case doesn’t necessarily have to be tried in court but can also be solved by mediation or other alternative dispute resolution methods.

I am not an IT-security expert but I am confident that the private sector will do a good job of finding a way to reduce security issues. I prefer this instead of more government regulation.

AOL Sues Over Identity Thefts, Uses New Law

2006-03-02T21:50:00.000+01:00

Reuters : AOL sues over identity thefts, uses new law.
Related: America On Line Safety and Security Center

US Federal Trade Commission Settles with CardSystems over Data Breach

2006-02-27T14:01:00.000+01:00

In September last year a California judge ruled that Visa and MasterCard did not have to notify individual consumers whose account data was stolen by a hacker in a mass cybertheft disclosed by MasterCard in June last year.

Now the payment processor CardSystems Solutions, that exposed 40 million credit cards to the risk of fraud when a hacker took advantages of security failures, has agreed to settle US Federal Trade Commission charges. The Register reports that independent security audits will now be required every other year for 20 years. CardSystems Solutions and its successor Solidus Networks (which does business as Pay By Touch) are also obliged to implement a comprehensive information security programme.

May common sense avoid us to enable worlds like these

2006-02-26T19:02:00.000+01:00

If you have some time to spend...take a look at these films, very interesting how the "security needs" of people can be re-targeted at other aims:

Gattaca
Equilibrium
Minority Report

Lots of important things not to forget about when being a security professional, isn't it ?

What is very interesting in Gattaca and equilibrium is the capability for human to put interpersonal relations above the society system the're living in and to obtain some limited, unknown but important victory against the "disfunctions".

Emotions can be the drivers of drastic changes in society... money is not everything after all, despites all what is said today around the benefits of some "rigid" society plans draw by a few for all of us....and our children

Too Many New Gadgets, Too Much Information at Risk

2006-02-24T01:21:00.000+01:00

New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of PDA's and pocket PCs increases. Preemptive security options are available however, as this article describes. (Via BeSpacific)

Related: Risks of Losing Portable Devices (Bruce Schneier), PDA Security Tips (Networks and Security).

Standard security... A pandora box (second take)

2006-02-23T21:28:00.000+01:00

Remember my post on the inherent weaknesses of standard horizontal security providers vs a proprietary systems that could include some standardized interface but focused on a specific vertical business area ?

Here is a new proof of it: horizontal cross-markets security doesn't work, because it doesn't use checks that are fine-tuned to the specific business you want to secure and the specific threats that must be addressed by that business to continue to "float".

Just take a look at: http://isc.sans.org/diary.php?storyid=1118

Security patterns are only basic security countermeasures.
- What is good in them is that it is low cost, because embedded in the toolkits your receives from you software editor and you don't have to hire very specialized people to obtain a decent security.

What is bad with them is that:
- business owners and developpers think it suffices to know what pattern to use and how to call the appropriate "SSL API" to secure a vertical market business system.
- generic attacks work on generic security systems and generic attacks have a better ROI for an attacker.

Question is : what worth/criticality is your business: A Ford-T or a Rolls-Royce....

Universities are you there?

2006-02-23T20:52:00.000+01:00

Hi again,

I was searching on the web for security educational programs that could be followed by young student eager to reinforce the handful of people trying to keep critical infrastructures safe in these troubled times of marketing, outsourcing deregulated and "hype & time to market-led" economy.

I must confess that what I found focused a lot on:
- Cryptography and the related associated mathematics (number theory, statistics, ...)
- in some case security protocols analysis.
- Basic abstract security models (Bell-Lapadula, ...)

At the industry educational side, I found a lot of whitepapers and courses around how to design a network and (less often) application firewall architecture,...I found a fair quantity of sites (OWASP, ...) talking of "secure coding rcommendations" and giving threat modelling "checklists"

but there were very few possibilities for people wishing to understand what are the underlying foundations (and practical limitations of them) of current operating systems and advanced programming languages security models and implementations.

There was very very few education possibilities for people working in companies whose goal is to conceive and develop "security code" whose goal is to enforce security "building blocks" to pass through all the security development lifecycle steps as described in

http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx

Maybe a good course to include in universities curriculum. My opinion is that this kind of subject should be part of a "Computer Science specialisation branch" into "operating systems" and "software engineering". It has been for too long neglected.

This is a wake up call to our beautiful Belgian Universities...Don't only talk of it during one hour, make security an "IT curriculum specialization" branch in itself, otherwise there won't be enough man to handle the current challenges.

Mac OS X ripe for picking

2006-02-23T09:45:00.000+01:00

First post from me on Prometheus! You'll see that my interests are
mostly in operational security, privacy, and other such light
subjects. This first post is about Mac OS security...

Lots of Mac OS X users believed that their platform was much more
secure than the rest, and that worms and vulnerabilities would not
reach them. Most security professionals had the intuition that,
while the Mac OS model is sounder than others, it was just a questio
of time and exposure before malicious hackers turn their attention
to the re-emerging platform. This week has proved them right.

First, a trojan - dubbed OSX/Leap - has been slowly spreading via
iChat. This was a proof-of-concept, and users almost had to be
willing to be infected for the worm to work.

The next day, another worm, OSX/Ingtana.A, showed that a Mac OS
Bluetooth worm was feasible. Once again, it was a proof-of-concept
that barely left the labs.

And three days ago, Heise published an article on what they
thought was a vulnerability in Apple's Safari web browser. Shortly,
it is possible for a malicious user to disguise a shell script as
any other file - image or movie, for example - and still have the
script executed when the link is followed. Exploitation requires
no user interaction. What was already bad became worse the next
day, when it was realised that the vulnerability was not in
Safari, but much deeper in OS X's Finder, allowing it to be exploited
through other channels, like email.

There is a workaround for Safari, but not for the rest, and Apple
hasn't published a fix yet. The bottom line is that Mac OS users
are now at the same place as Windows users a few years ago:
their favorite platform can be exploited without any user
interaction, with the root cause being the very user-friendliness
that makes them like their systems. It's very hard to make
ease-of-use and security go hand in hand, and this is one more proof.
Maybe systems should be a bit less user-friendly, and users better
trained?

Tired of security...drink wine..same headache ... but better taste

2006-02-15T22:12:00.000+01:00

Customer Care Depts be ready: IE 7 is coming at light speed

2006-02-15T22:01:00.000+01:00

Quite a day:It's been a bunch of Microsoft announcements around IE7 changes...impressive from a "I want to protect my PC viewpoint".

Question is: will the community and the users be capable to digest so radical evolutions ?

Customers had problems to understand what a certificate was all about.

Now there is yet another concept "higher assurance" website and other (low assurance ? ex high assurance) website certificates....

it becomes more and more complex to develop something coherent and understandable in a specific business context using a browser as "application container".Security warning messages are differents between each IE releases, infocards come in, etc => how will independent software vendors explain this to their customer base.I know some that could be tempted to say well maybe Fat clients were not so clunky after all and at least customer experience was stable, controlled by the application developper and uniform in a specific business context.

when using it, I saw strange differences between IE 7 beta 1 and IE 7 beta 2 when clicking on the "SSL lock" (the one just on the right of the URL bar).

In IE 7 beta 1: Displayed certificate information summary seem logical to me:

it indicate the CN of the certification authority that did issue the ssl website certificate.This is inline with the "issued by" display when you double click on a certificate in earlier versions of the "view certificate details" .

IE 7 beta 1 displayed text is
"SSL secure (128 bits) you should send confidential information only if you trust the organization listed what is a certificate ?

Certificate information followed by :

- the "O=" information of the website ssl cert
- the "C=" inforomation of the website ssl certWebsite certification

provided by : CN field of the X509 certificate of the issuing CA.

In IE 7 beta 2, everything seems to have changed, clicking on the "SSL lock" (the one just on the right of the URL bar), I have:

Secure connection

"O=" field of the issuing CA has identified this site as "CN of the website ssl "
cert Owner unverified
Location unverified.

Limited information about this website is available. You should send confidential information only if you trust this website.
What is a certificate.

It took a long time to educate customer/users to check the "issued by" field of the certificate details (= CN of the issuing CA cert), why now change the field identifying a Certification authority to the "O= " field ?

I think the IE 7 beta 1 "security message" is better because it relies on several years of education to customer and users for a lot of companies offering services on the internet and remains inline with past versions of windows and IE making easier the understanding for customer....simplicity in security communication to users is of primary importance here...

What is "owner" in this security message ?
What is "location" in this security message ?
to which X509 website and issuing certificate field does these "semantic notions" correspond ?
What is "security semantics and policies" around these items ?

Well ...if you have some ideas about how Ms implemented distinction between "higher assurance" ssl cert websites and "normal what we used until now" ssl cert websites...

pls enlighten me

EU Safer Internet Day and Filtering Software

2006-02-14T00:24:00.000+01:00

On 7th February 2006 the Safer Internet Day was celebrated by 95 organisations in 36 countries across the world, including 24 EU countries, Russia, Argentina, New Zealand and the USA. Organised under the patronage of the EU Information Society and Media Commissioner Viviane Reding, Safer Internet Day 2006, featured a blogathon or “blog-marathon” during which wide range of organisations and special guests promoted internet safety by making postings and inviting comments from visitors, children, schools and parents.

The European Commission’s safer Internet programme can be found here. Part of this programme is a study aiming at an independent assessment of the filtering software and services. By "filtering" is apparently meant "parental control and spam filtering products or services" and not something like this...

For more, see (already from October 2003 but some parts are still relevant) Documentation of Internet Filtering Worldwide by Jonathan Zittrain and Benjamin Edelman at the Berkman Center for Internet & Society - Harvard Law School. They provide country-specific studies and other studies like e.g. about IP addresses, Google.

For a more recent update and overview visit OpenNet Initiative with of course lots of case studies and also a small pdf on the legal implications of Internet filtering.

Lawyers: Beware Google's desktop search

2006-02-12T23:12:00.000+01:00

Robert J. Ambrogi writes that the version 3.0 of Google Desktop Search could be a significant headache for lawyers. Is client confidentiality threatened?

A new feature of the 3.0 version is that it allows to search across multiple computers provided they are all tied to a Google account. Google temporarily stores copies of the indexed files on its servers and the data is stored temporarily to allow the new index information to be sent to the other computer. Admittedly, after a period of time, Google automatically deletes the data.

Taking into account the recent attempts of the US government to obtain personal information stored by Google and other search companies, even temporary storage of a lawyer's files on Google's servers could threaten client confidentiality. Robert J. Ambrogi concludes: given this, go ahead and download the latest toolbar, but think twice before enabling its ability to search across multiple computers.

Security and Legal Issues

2006-02-12T22:35:00.000+01:00

On this blog you'll also find some posts about legal issues related to security. A first appetizer can be found here. It's about "Security as a legal obligation. About EU legislation related to security and Sarbanes Oxley in the European Union."
Don't worry. We will avoid the "legal mumbo jumbo" or keep it to a strict minimum ;-)

Is standardized security "a pandora box" ?

2006-02-12T22:00:00.000+01:00

Quite Tired today, so don't be too hard on me for my "hectic" way of writing.... I'll do better in future posts, promised :-)

I did read last week a very cool paper today that helps a lot understand windows access control.

http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf

It left me under the impression that current evolution of adding more and more access controls layers only adds to the difficulty to developpers to understand how to protect their application/services and their customer's PC and maybe benefits more to "security certification" provider than to application security enhancements.

Windows OS ACLs were complex, no problems folks...let's add .net CLR and managed code or JVM with administrator configurations, user account protections that make things even more complex... their security behaviours are driven by obcure registry settings....

Developpers created "service-focused fat clients" that they mastered quite well...Today "hype" push them to use "browser based applications" where they're forced to trust the browser with all the hidden registry settings, extensions and APIs.

These have huge consequences for the security of application or the services accessed via the browser.

Generic middleware in a specific business context doesn't know which security decision to take because it is too generic and not focused on the specific application security needs...

These middleware leave the "security decision" to:

- the unspecialised user using "generic messages" that don't allow the user to understand the real consequence of the warning message for the current business application he is working with (banking, health, ...)

- the "new mighty god" aka "the system administrator", that most of the time as only an "empirical knowledge" of his art and is not the one that really does understand what is to be protected because he doesn't own the business or did develop the application that directly serves a specific business.

The more your applications depends on third party middleware, the most you take the risk that this middleware options, security messages, ....can open your business application and services to new types of attacks...

Security is about control of what is happening in an application. When a lot of the application security rely more and more on external and complex systems, it can only be made weaker.

Example: Who still know what "BrowseNewProcess" registry settings means for the security of a cookie based system..any idea anyone ?

"Think Track": what do we protect when using OS vendors "security best practices" ? The customer PC, well maybe...

but, hey, it is realistic to think that a "generic security model" protecting the PC is valid and efficient whatever the service accessed by the PC? Isn't the standardisation now showing clearly its limits? How to secure something standard where all the details would be known by would be attackers?

Interesting background paper on this:
http://www.ccianet.org/papers/cyberinsecurity.pdf

What must the service provider (and service developper) really do ? protect the PC or protect his service from attacks that would be launched from the customer PC that would have been taken over ? Both ?

Threat modelling is some very powerful tool: by identifying first what the service provider (business owner) wants to protect, it can lead the security architect to the conclusion that maybe what is protected by OS vendors security best practices is not what does really matter for the service provider and that maybe the application security architect should strictly limit the trust he puts in the OS, browser and other middleware standard security.

Why ? simply because standardisation of the security in these elements allows also for would be attackers to standardise their attacks and have a bigger ROI because it can be launched at massive scale.

Must we come back to an age of proprietary security systems and protocols ? Is "security through obscurity buried or is it coming back very quickly simply because it would force the attacker to target a specific system (higher cost for him) and will limit the scale of attacks (limited only to that specifically targetted system)?

Worth thinking about it ..no ?

Two good books

2006-02-10T17:34:00.000+01:00

Started reading two books lately.... Real Digital Forensics from Keith T. Jones and "Core Security Patterns" from Christopher Steel and al. Both are quite interesting....anyone in mood of launching "books discussion here" ?

2006-02-09T21:35:00.000+01:00

Today, I completed the blog with very interesting links treating of software security architecture and engineering.

I also renamed it "Prometheus".

Prometheus was a rebel god; in defiance of Zeus, he gave fire and other comforts to the mortals on the earth.

Prometheus means also "thinking in advance" and "consideration for the future". This is one of the quality of any security architect.

On the difficulty of finding "real security architects"

2006-02-08T22:26:00.000+01:00

Wow... today was a security architect "hiring quest".

Finding someone with:
- real IT security architecture knowledge
- understanding of what is a security protocols and attacks on it
- having knowledge of what a smart card is
- understanding "system and middleware security"
- being capable of have a criticize look at standards.

without only relying on "prefab" assimilated information is becomes harder than ever...

IT Security industry has never had more certifications but has still less and less real secure systems conceptors....

Standard middleware security or not

2006-02-06T21:43:00.000+01:00

So...ok, first time to blog in my life...

just came accross some interesting papers on SAML 2.0 and the more I read, the more I think that when things become so difficult to grasp, their complexity make them inherently insecure and difficult to maintain...main problem is the fact that they attempts to covers a too large scope and are focusing on too many options.

Occam razor should drive security architect and engineers....