Monthly Archives: December 2011

Security

PuTTY fixes password leak

Leave a comment

An update just has been released: version 0.62

PuTTY 0.59 to 0.61 inclusive had a bug in which they failed to wipe from memory the replies typed by the user during keyboard-interactive authentication. Since most modern SSH-2 servers use the keyboard-interactive method for password logins (rather than SSH-2’s dedicated password method), this meant that those versions of PuTTY would store your login password in memory for as long as they were running.

PuTTY 0.62 fixes this bug. Keyboard-interactive responses, including passwords, are now correctly wiped from PuTTY’s memory again.

Security

Exploitability of MS11-083

Leave a comment

I noted the anonymous bug revealed by Microsoft called a Vulnerability in TCP/IP that could Allow Remote Code Execution has been given a couple caveats of perimeter controls and performance.

This month we released MS11-083 to address an externally found reference counter issue in TCP/IP stack.

[…]

…we believe it is difficult to achieve RCE using this vulnerability considering that the type of network packets required are normally filtered at the perimeter and the small timing window between the release and next access of the structure, and a large number of packets are required to pull off the attack. As a result, we assign an Exploitability Index of “2” for this vulnerability.

A claim of inconsistent results, which justifies a 2 rating, also begs questions of who found it and how.

Energy, Security

Funnel Triples Wind Turbine Output

Leave a comment

Wind LensIt has a fancy name and design but as you can tell from the photo it is a simple innovation based on a reverse funnel effect. Cleantechnica reports:

The Wind Lens works by creating an area of low pressure behind the turbine that essentially sucks the wind through the turbine, increasing effective wind speed. As wind power is proportional to the wind speed cubed, the wind lens changes the fluid dynamics around the turbine to increase its power.

Can we expect to see datacenters designed around tubines in the near future? Both new power and cooling solutions may be found by engineers trying to harness the wind. I envision a tunnel that flows through a datacenter to power turbines yet also pull heat out and away.

I’ve already written about the overproduction of power from wind turbines in Germany that has forced them to export energy to their neighbors.

Now the Japanese appear ready to take the issue even further by dropping the cost of wind energy below nuclear energy and forcing a giant shift in risk calculations.

Imagine: no more dirty coal power, no more mining deaths, no more nuclear disasters, no more polluted aquifers as a result of fracking.

Fair enough but don’t forget to imagine instead some new risks such as climbing up giant turbines to service them, the impact to weather and wildlife

History, Poetry, Sailing, Security

Chinese Attacks Raise Concerns

Leave a comment

Let’s just get out of the way that there are many examples of wrongdoing by Chinese nationals. Take today’s clash with South Korea, for example:

A South Korean coastguard commando has been stabbed to death and another injured by Chinese fishermen detained for illegal fishing in the Yellow Sea.

Some might look at this story and say it’s an isolated example. Maybe we even can agree that these few fishermen, a tiny fraction of the total number of Chinese on the Yellow Sea, are the ones who do most of the damage. I phrase it that way because of a story I noticed today by the Associated Press: “A Few Chinese Hacker Teams Do Most US Data Theft

As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts.

This should be good news, right? Only 12 groups in China? Does that equate to something like 0.0001 percent of all the different Chinese groups?

I guess you could say “largely backed or directed by the government” is supposed to add an element of legitimacy, but anyone familiar with China knows that everyone there still is largely backed or directed by the government.

Now here’s the bad news. Despite the tiny number of suspects, officials in the U.S. are not hopeful that they can prove anyone in China actually guilty.

It is largely impossible for the U.S. to prosecute hackers in China, since it requires reciprocal agreements between the two countries, and it is always difficult to provide ironclad proof that the hacking came from specific people.

Always difficult to provide “ironclad proof”? They say it like it is a bad thing. Even if we accept that China has a small number of suspects and that it is always difficult to prove someone guilty I don’t follow the logic to the next part of the article. Enter the U.S. military:

“Right now we have the worst of worlds,” said [James Cartwright, a retired Marine general and former vice chairman of the Joint Chiefs of Staff]. “If you want to attack me you can do it all you want, because I can’t do anything about it. It’s risk free, and you’re willing to take almost any risk to come after me.”

The U.S., he said, “needs to say, if you come after me, I’m going to find you, I’m going to do something about it. It will be proportional, but I’m going to do something … and if you’re hiding in a third country, I’m going to tell that country you’re there, if they don’t stop you from doing it, I’m going to come and get you.”

First of all, this is a deterrence model, which I covered in my Dr. Stuxlove presentation based on the Dr. Strangelove movie by Stanley Kubrick. Deterrence is known to be far from a slam-dunk security strategy. It can create risks of its own which are larger and even much worse than the original threat of attack.

Second, he lost me at the “I’m going to find you”. If it is impossible to prove guilt in the first place then who are they going to find and threaten, people who aren’t proven guilty? I know it’s frustrating to follow loose threads but saying “I’m going to come and get you” can actually create a game in itself, as anyone familiar with Smurf attacks will remember. Someone could purposefully stage attacks to kick-off a premature and misguided escalation (i.e. back to the plot of Dr. Strangelove). The fix to Smurf redirects, incidentally (pun not intended), was not to threaten everyone with massive retaliation but to reduce risk through immunization that prevented the forwarding/relaying of attacks.

Back to the article, I noticed another strange comment that might be driven by an unfamiliarity with Chinese culture.

One of the analysts said investigations show that the dozen or so Chinese teams appear to get “taskings”, or orders, to go after specific technologies or companies within a particular industry. At times, two or more of the teams appear to get the same shopping list, and compete to be the first to get it, or the one with the greatest haul.

Motivated by what? It is tempting to say a paradigm of competition is a universal hacking mantra; perhaps the Chinese are now emulating the American system of competition. Again, however, it sounds very unlike Chinese philosophies and writing, such as the vision of success through following orders and looking backwards, as expressed in The Way of Lao Tzu. 

I have three treasures. Guard and keep them.
     The first is deep love.
     The second is frugality,
     And the third is not to dare to be ahead of the world.
Because of deep love, one is courageous.
Because of frugality, one is generous.
Because of not daring to be ahead of the world,
One becomes the leader of the world.

I also am curious about who really believes it makes sense for China to hold a competition of only two groups out of twelve. If China has almost unlimited human resources, and can launch attacks “risk free”, why would they hold such tiny attack competitions? Why hold back? There must be some risk or there would be far more than twelve groups..if you add up all the arguments in the article, it really does not make much sense.

In any case, perhaps it helps some to compare the twelve groups in the AP article to the nine evil fishermen of the Yellow Sea. Always proceed with caution in building a response so as not to lose control of the situation. The risk of ruthless and underhanded attack has to be factored when investigating and responding to breaches; death of the South Korean commando is tragic. At the same time an opportunity to approach and win insider support from any/all remaining Chinese groups, the ones not attacking, should not be overlooked or underestimated.