Category Archives: Security

SSLstrip counter-measures

SSLstrip is a very easy tool to use that sits in between a victim and a legitimate website and switches their traffic from HTTPS to HTTP. If they continue to use the website in HTTP, the tool steals their passwords.

The author presented an example data set in 2009 that showed in 24 hours he was able to find a little over 100 passwords by setting up an attack in front of a single TOR router. He further boasted that not a single user stopped using the websites when his tool switched them to a non-SSL page.

The tool has to be on a network such as an open wireless to gather victim traffic. Many have also speculated about compromise of a host internal to an organization. Once a host inside a company has been compromised, then the tool can be installed to redirect local traffic by spoofing ARP tables. The stolen passwords, or other sensitive information, then can be sent back outside the organization.

A paper from George Mason University called “Prototype System to Protect against SSL-Stripping Attacks” suggests SSLstrip attacks can be defeated by forcing secure HTTP traffic through a special proxy. It sits between users and a website to prevent their network traffic from being redirected and intercepted by a rogue proxy such as SSLstrip.

The client-side tool needs to be installed on all hosts to be secured on a business’ or organization’s LAN, and the client’s browser will be configured to route all HTTP traffic through our system. As mentioned above, the routing of HTTPS traffic is not modified. Whenever the client host starts up, the client and server use public key encryption to establish a shared secret key.

When the user makes an HTTP request, the client tool generates a random number to prevent replay attacks, encrypts it along with the HTTP request using the shared secret key, and forwards them to the proxy server (1). The proxy server stores the random number and forwards the HTTP request to the appropriate web server (2). When a response is received (3), the proxy server computes a Hash-based Message Authentication Code (HMAC) of the response, using the HMAC-MD5 algorithm (4). The server then appends the HMAC and the original random number to the HTTP response, encrypts it all and sends it back to the client (5). The client verifies both the HMAC and the random number (6). If both match, the message was not modified in transit. If they do not match, the tool alerts the user to possible tampering.
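The six-step exchange above, as an added Python example (constructed here, not the paper's prototype code): the client wraps each request with a fresh random number, the proxy returns the response with its HMAC and that random number, and the client refuses anything where either check fails. It assumes a shared key already established at start-up (SHARED_KEY), a toy HMAC-SHA256 keystream standing in for the paper's unspecified cipher, and keeps the paper's HMAC-MD5 in MAC_ALGO, which can be switched to sha256.

```python
import hmac
import hashlib
import secrets

# Constructed demo values, not from the paper: SHARED_KEY stands in for the
# key the client and proxy derive with public-key encryption at start-up;
# MAC_ALGO follows the paper (HMAC-MD5) but "sha256" is a drop-in stronger choice.
SHARED_KEY = b"demo-shared-secret-from-startup-key-exchange"
MAC_ALGO = "md5"
NONCE_LEN = 16

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC-SHA256 in counter mode used as a keystream.
    On its own it is malleable, which is exactly why the protocol also MACs."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def client_send(request: bytes, key: bytes = SHARED_KEY):
    """Step 1: fresh random number + request, encrypted under the shared key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    iv = secrets.token_bytes(16)
    return nonce, iv + keystream_xor(key, iv, nonce + request)

def proxy_handle(blob: bytes, fetch, key: bytes = SHARED_KEY) -> bytes:
    """Steps 2-5: recover nonce and request, fetch from the web server (here an
    injected function), MAC the response, return nonce + HMAC + response encrypted."""
    iv, body = blob[:16], blob[16:]
    plain = keystream_xor(key, iv, body)
    nonce, request = plain[:NONCE_LEN], plain[NONCE_LEN:]
    response = fetch(request)
    tag = hmac.new(key, response, MAC_ALGO).digest()
    iv2 = secrets.token_bytes(16)
    return iv2 + keystream_xor(key, iv2, nonce + tag + response)

def client_verify(nonce: bytes, blob: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Step 6: both the random number and the HMAC must match, otherwise alert."""
    iv, body = blob[:16], blob[16:]
    plain = keystream_xor(key, iv, body)
    tag_len = hashlib.new(MAC_ALGO).digest_size
    got_nonce = plain[:NONCE_LEN]
    tag = plain[NONCE_LEN:NONCE_LEN + tag_len]
    response = plain[NONCE_LEN + tag_len:]
    if not hmac.compare_digest(got_nonce, nonce):
        raise ValueError("random number mismatch: replayed or foreign response")
    if not hmac.compare_digest(tag, hmac.new(key, response, MAC_ALGO).digest()):
        raise ValueError("HMAC mismatch: response modified in transit")
    return response
```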

UK snowfall uncovers marijuana growers

The heat generated by growing plants indoors, combined with poor insulation, led police to a “cannabis factory” in northern England

Members of the community reported suspicions about what was happening at a rented house in Montrose Road, Leicester.

When officers began checking out the information, they noticed the house was one of the few in the area without snow on the roof. Cannabis factories tend to be very warm due to the high number of industrial-strength lights used to encourage plant growth.

Officers obtained a search warrant, and yesterday (Thursday December 16) they raided the house. They discovered around 300 plants worth tens of thousands of pounds, and a sophisticated growing system.

[…]

“By closing this drugs factory we have disrupted a significant criminal enterprise, and stopped a large amount of drugs from reaching the streets of Leicester.”

Marijuana raids always mention a number of plants and 300 seems to be fairly common, as reported in California, Connecticut, Kansas, Florida, Idaho, Pennsylvania….

At first I was curious how 300 compares with other amounts reported for “significant” indoor finds so I searched by incrementing 100s (400, 500, etc.); I gave up when I reached 6400 (more than a ton, estimated at $9 million). That could melt a lot of snow.

The Leicestershire Constabulary concluded their report with this quick guide to “cannabis factory” spotting:

* Windows obscured at all times
* Heavy condensation on windows
* The distinctive smell of cannabis
* Lights being used at odd times
* Deliveries of large items late at night

Republicans abandon 9/11 first responders

Al Jazeera scoops America’s news networks on the latest 9/11 story and Republicans abandon first responders, as explained by Jon Stewart:

The Daily Show with Jon Stewart, “Worst Responders” (www.thedailyshow.com)

The Republican position can be found summarized in a NY Daily News story about Senator Susan Collins (Republican from Maine), who called Capitol security for protection when first responders told her they would visit to lobby for the bill. That is a strange story on its own, but here is the Republican position in brief:

Republicans oppose the bill’s plan to raise funds by closing tax loopholes on foreign companies that funnel profits through third parties.

That point of opposition makes little sense alone since there also were other methods of funding on the table.

Gillibrand and Sen. Chuck Schumer, both N.Y. Democrats, have offered at least five other ways to pay for the measure, suggesting a deal could get done.

Republicans also could have presented their own solutions for funding.

Rather than move ahead with suggestions, work on the bill themselves, or just let it go to a vote, the Republicans in the Senate did nothing but block and ignore the bill. Even after all demands had been met by the President, the Republican Senators continued to delay and walk away.

Sen. John Ensign (R-Nev.) said he voted against the first responders bill because Republicans had threatened to vote against everything until tax cuts for the rich were extended and a measure to fund the government was passed.

Despite the fact that President Barack Obama had met the GOP demands, Senate Republicans continued to block action in the upper chamber until everything was complete and signed into law.

[…]

Sen. Sam Brownback (R-Kan.) also said he opposed moving forward on the bill because he wanted to get to tax cuts and the budget first. “I wanted to get to other items,” he said. He then added, upon further reflection, that he had actually been out of town and wasn’t around to vote to filibuster the bill. Brownback will become Kansas governor next and, he said, he was busy back home crafting the budget. He is recorded as not having voted.

They do not mince words. They were entirely focused on tax cuts for the rich. It not only was their number-one priority, they actually refused to accept anything other than that or their own budget needs as a priority. The health and safety of first responders, many of whom are in need for help this very minute, were ignored entirely.

Wow. Republican Senators feel they can openly say they have taken a stand (to protect tax cuts for the wealthiest few) with complete disregard for impact to the lives of men and women who now suffer as a result of service and dedication to their country.

The personal stories found on NY Daily News drive home why this has become a truly shocking and sad moment in American history.

[Disabled Ground Zero worker T. J. Gilmartin] hasn’t been able to work since 2008 and the youngest of his daughters is 15. Without the Zadroga bill passing, he will have very little money.

“I have three daughters to worry about,” he said, his voice cracking. “If this doesn’t happen, I don’t know how I’m going to do it. My daughters just lost their mother.”

Media Matters, like The Daily Show, says the story is that there has been no story.

…the larger point here is that Republicans are now practicing an unprecedented brand of obstructionism and they’re doing without having to pay much of a political price. Why? Because the press is giving them a pass. The press is pretending what Republicans are doing is normal and everyday. It’s not. It’s radical.

I see it slightly differently. The story was ignored, which is terrible, but the story still may be heard. It at least has been reported online.

What is truly disturbing is the shallow and short-sighted ethics expressed by Republicans; a simple question now may be raised that could significantly harm American volunteerism, patriotism and national security. JFK famously told young Americans “Ask not what your country can do for you — ask what you can do for your country.”

The Republicans in the Senate, with their odd agenda, have just reformulated that question:

“Ask not what your country can do to protect your health and safety – ask what you can do to help us extend more tax breaks to the wealthy”.

Stop. Look. Listen in America

The BBC has a hilarious guide to American culture by Kevin Connolly.

He points out that America may be rife with religious and violent zealots:

To Europeans, for example, a gun is a weapon, pure and simple.

To many, but not all Americans, it is a badge of independence, and self-reliance – the tool of the engaged citizen who does not think that either the criminal, or the forces of the state, should have a monopoly on deadly force.

There is a great deal of irony in his dichotomy. Americans portray their terrorist enemy as a religious and violent zealot; the irony really comes out in the next paragraph.

Show [Europeans] a gun, and we picture a muscular ne’er-do-well in a balaclava menacing an elderly sub-postmistress.

An American is more likely to visualise a plucky homesteader crouching between an overturned sofa in a burning ranch house, preparing to defend his family to the death.

…unless you ask an American to describe a terrorist who must be disarmed, and then they will visualize a plucky homesteader crouching between an overturned sofa in a burning ranch house, wearing a balaclava, like this guy:

In terms of religion, this section is spot-on:

If anything, over time, it is getting more religious rather than less. The motto In God We Trust was not added to American banknotes until the 1950s, for example.

Americans tied themselves in knots two years ago agonising over whether a black man, or a white woman could yet be elected president.

But here is a safe prediction. It will be a very long time before an atheist or agnostic gets anywhere near the White House.

A stark contrast with Europe where the opposite is increasingly the case.

A comedian recently pointed out that India has only been a democracy for about fifty years, and yet it has elected multiple religions, races and several women to their highest office without controversy. America’s democracy is past 200 years old but still struggles with acceptance of leaders from different races, religion and gender.

The report is not all critical, however. I also enjoyed his commentary on American security language.

…the daily American way with language is touched with brilliance, taut and crackling with life.

My favourite example is the simplest, the old railroad crossing sign that simply says: Stop. Look. Listen.

Impossible to shorten or clarify, it was written by an engineer for a country of new immigrants with limited English. It is not long, but it is still in use today, a rare example of perfect writing.

I look forward to the day America updates its 50s McCarthy-ist propaganda text of “In God We Trust”, which has been wildly successful, with something less ironic. It sounds like “Stop. Look. Listen” would be an excellent candidate.