FTP pubstro

An increase in attacks meant to set up high-speed, public distribution networks (pubstro) seems to be spreading. In a nutshell, this means vulnerable servers are being used as hosts for hidden FTP servers with little impact on other data that might be exposed on the host. Nothing especially new here other than the amazing efficiency of the attacks, which leads to robust “networks” of compromised systems, as well as the fact that breach laws are now in effect. The odd situation with market forces in this scenario is that attackers seem better at writing code to remotely install agents to generate revenue than many of the companies that are actually supposed to be in charge of the servers themselves. If this rate of change goes unchecked, my guess is that developers may see a more lucrative future in stealing resources than in being tasked with trying to prevent them from being stolen. But who should bear the cost of the disincentives?

Some discussion on Educause suggests even fully-patched Windows 2000 systems are at risk.

Microsoft labels Sony DRM as spyware

Jason Garms finally stepped up to the plate on Saturday, November 12th, 2005 and announced that Microsoft’s internal Anti-Malware Engineering Team formally acknowledges Mark Russinovich’s October 31st, 2005 blog entry and will now add Sony’s DRM software into its anti-malware software. That’s right, twelve days after the news broke and two full days after exploits were documented in the wild, Microsoft has quietly announced on a blog that they are going to update their signatures.

Here are Microsoft’s criteria for determining what is spyware, and here are some comments I made earlier.

Quite frankly, we all know that people dumped Microsoft’s anti-spyware software once it was revealed that they cave to companies for odd reasons (which begs the question of what spyware company wouldn’t apply pressure if they know they can — hello, spyware is all about being annoying and persistent, no?).

But even so, I am really disappointed that Microsoft continues to show that they are not the kind of company that a user or company can bank on if they need security. Sony has had to eat so much publicity about this issue that just about everyone and their dog is aware of the issue (contrary to what Thomas Hesse, President of Sony BMG, suggested in an NPR interview, that people don’t know enough to care about root-kits). Just take a look at an anti-virus company that started addressing the issue the very day the news of the root-kit broke. F-Secure claims that they were even working on it prior to Mark’s announcement because they were fielding reports about the same suspicious behavior.

The Inquirer responded to Microsoft’s blog announcement on Sunday, November 13th, 2005, with an excellent write-up on why this giant company, yet again, seems to entirely miss the point on what it means to establish trust with users. In brief, one might summarize their point as something similar to the old adage “it’s not the crime, it’s the cover-up”:

So, what do we end the day with? Microsoft dipping a toe in the water and saying it will remove a solitary DRM infection. No future pledges, no strong stand. I was honestly hoping MS would stand up and plant a stake in the ground about things like this. A week later with a murmur in a blog is not the response of a market leader.

Mark has an excellent summary himself today, called “Sony: No More Rootkit – For Now”, regarding the Microsoft announcement as well as the Sony soundbite from NPR. Most importantly, he clarifies that the viruses are just a symptom of bad security:

The viruses simply take advantage of the Sony rootkit if it’s present, but could just as easily install their own rootkit to hide their presence on the system. If a user activating the virus, which is transmitted as an email attachment, is running with administrator privileges, the virus can install a kernel-mode rootkit just as powerful as Sony’s. But even if the virus is activated from a non-administrator account it can install a less powerful, though still effective, user-mode rootkit. The bottom line is that it’s not rootkits themselves that are the problem; it’s the inability to manage the objects that they hide that creates security, reliability and manageability problems.

His point that Sony owns the IP, not the computer, just reminds me of the story about people who “own” their cars and want the error codes under the Right to Repair Act. Transparency of technology and the ability to protect oneself from predatory corporations are gearing up to be tough issues for the next few years.

Davi

There’s something funny to me about seeing the name “Davi”. It’s unique enough that I rarely have the luxury of finding my name directed at some other person.

So, imagine my surprise when I was doing some research on poetry and came across a recent children’s book called A Boy No More, by Harry Mazer. The protagonist has a Japanese American friend who is named “Davi Mori”. I find it very odd to see the reviewers saying “Davi” this and that.

What does this have to do with security? I suspect many people who have common names use a number of other criteria to determine who is actually the subject of a phrase. Voice recognition, or even intonation, must be a big part, as well as context. In a reverse sense, when someone calls me on the phone and cannot pronounce my name correctly, I can immediately identify them as a stranger.

Oh, and speaking of strangers, I only just discovered that Davi Walders is a famous poet. It’s not clear how she pronounces her name, though, or if it is an abbreviation/nickname.

Password Cracking Stats

Well, I was wandering around with an 80% dictionary attack number stuck in my head (too many l0phtcrack reports, perhaps), when I decided to see if I could actually find some published data.

There are a few minor articles that say a 30% dictionary attack is typical, with 5-10% username attack, but they never produce a breakdown to make their numbers compelling, let alone convincing.

Then I happened to find a paper by Daniel Klein originally for the United Kingdom Unix User’s Group in 1990 called “Foiling the Cracker: A Survey of, and Improvements to, Password Security”:

13,797 accounts were tested from around the world. Pages seven and eight give a breakdown on length and type of passwords:

“The results are quite disheartening. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000 word dictionary postulated at the beginning of this paper, yet armed even with this small dictionary, nearly 25% of the passwords were cracked!”

User name 2.7%
Common name 4.0%
Female names 1.2%
Phrases and patterns 1.8%
Dictionary words 7.4%

And so on…

Length       Count  Share
6 characters 1160   34.7%
7 characters  813   24.4%
8 characters  780   23.4%

I find the numbers on character length surprising since they seem very similar to what I encounter today. Best practices have struggled to get beyond the six-character mark for years (partly due to system limitations, but mostly due to user resistance to an eight-character minimum).

Thus, before we can draw too many conclusions about length we have to consider the relationship between the age of the systems, the experience of the administrators, and the skill of the users.

An excellent paper. I highly recommend it, especially since it underscores the extant body of knowledge regarding password cracking. And yes, I am serious about the 80% number I mentioned, but my data is much more recent than 1990. People are usually so embarrassed/scared by their own data that I will have to be extremely careful with how/where/when I present detailed findings, but I also feel that someone has to step up and try to establish a new baseline. What should be considered “reasonable”?
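To make Klein’s kind of breakdown concrete, here is an added example (my own illustration, not code from the post or from Klein’s paper) of a small password audit that reports the same categories and a length distribution for the cracked passwords. The account list, dictionary, name list and pattern list are constructed sample data; a real audit would use real word lists and a far larger permutation set.

```python
# Added example: a Klein-style breakdown of weak passwords. All inputs below
# are constructed sample data, not real accounts or real word lists.
from collections import Counter

SAMPLE_ACCOUNTS = {  # constructed: username -> plaintext password
    "alice": "alice", "bob": "Bob1", "carol": "secret", "dave": "monkey",
    "erin": "jennifer", "frank": "qwerty", "grace": "Xk9#pL2v",
    "heidi": "abc123", "ivan": "password!", "judy": "T7$wq!Zr",
}
DICTIONARY = {"secret", "monkey", "password", "letmein"}   # constructed
FEMALE_NAMES = {"jennifer", "susan", "mary"}               # constructed
PATTERNS = {"qwerty", "abc123", "123456", "asdfgh"}        # constructed

def variants(word):
    """Cheap permutations in the spirit of Klein's paper: case folding,
    reversal, and dropping one trailing digit or punctuation mark."""
    w = word.lower()
    out = {w, w[::-1]}
    if len(w) > 1 and not w[-1].isalpha():
        out.add(w[:-1])
    return out

def classify(username, password):
    """Return the first Klein-style category the password falls into,
    or None when none of the cheap guesses would hit it."""
    vs = variants(password)
    if username.lower() in vs:
        return "user name"
    for v in vs:
        if v in FEMALE_NAMES:
            return "female names"
        if v in PATTERNS:
            return "phrases and patterns"
        if v in DICTIONARY:
            return "dictionary words"
    return None

def audit(accounts):
    """Breakdown by category (percent of all accounts) and by length of
    the cracked passwords (percent of cracked), as in the tables above."""
    total = len(accounts)
    cats, lengths = Counter(), Counter()
    for user, pw in accounts.items():
        cat = classify(user, pw)
        if cat:
            cats[cat] += 1
            lengths[len(pw)] += 1
    cracked = sum(cats.values())
    by_cat = {c: (n, round(100 * n / total, 1)) for c, n in cats.items()}
    by_len = {l: (n, round(100 * n / cracked, 1)) for l, n in lengths.items()}
    return cracked, by_cat, by_len
```

Running audit(SAMPLE_ACCOUNTS) on the constructed list cracks 8 of 10 accounts, which is the kind of baseline the post is asking for, measured rather than assumed.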

Hidden Spyware Removal

Just a quick note to say that during a recent incident I found spyware that seemed to repeatedly re-infect a Windows XP SP2 system with all the latest, greatest antivirus and antispyware utilities. It would reappear a few seconds after I had removed it with the Spybot S&D utility. I ran Mark’s RootkitRevealer and it reported that the Firefox cache contained numerous hidden items, as well as discrepancies in the cookie.txt file itself. That was all I needed to realize that clearing the Firefox cache would prevent the re-infection, but it raises the issue of how the browser cache/cookies are set to reinfect a system with malware, yet the anti-spyware doesn’t pick them up in the scan(s). My objective was to get the system to a stable/clean state, but if I have more time and see another case I will dissect the code and see if I can get the spyware utilities to clean more thoroughly.

The 419 Attack

It always bothered me that the 419 scams in Nigeria seem to be linked to people who say that they are just playing the game of open markets. In other words, attackers ask why they should be blamed if they simply prey on others’ greed.

A new story appeared last Thursday in the Guardian that reinforces much of what was reported a few years ago:

The email scammers here prefer hitting Americans, whom they see as rich and easy to fool: maghas [slang from a Yoruba word meaning fool] are avaricious and complicit. To them, the scams – known as 419 after the Nigerian criminal statute against fraud – are a game.

A “game” that has victims rather than players can hardly be called a game at all. Instead, it is an example of carefully crafted social engineering that allows attackers to transfer value (from victims to themselves) without proper authorization. The interesting thing about the attack, in this case, is how it uses political or even cultural prejudice to establish credibility.

I presented a report on this with Harriet Ottenheimer at the Central States Anthropological Society’s meetings in 2004. It was called “Urgent/Confidential — An Appeal for your Serious and Religious Assistance” and provided details on the attack taxonomy and social engineering methodologies.

Might be time to publish the paper to help clarify how people remain susceptible and what can be done to reduce the risk.

Fashion before justice

The Register reports that a teenage girl in England apparently convinced a judge that an ankle-tag would look odd with her choice of clothing, and she therefore was able to easily circumvent the curfew conditions of her bail. One must wonder whether the judge also called for a more effective/discreet tag (is their purpose to be obvious to others?) or just did not really think the teen would recidivate for “grievous bodily harm against another woman”.

The BBC report mentions that the girl said she did not answer the door during her curfew because “she was asleep at the time”, which presents an interesting value map for security:

Fashion > IDTag > Sleep

Motor Vehicle Owners’ Right to Repair Act

I posted portions of the following comment on Schneier’s blog today. Thought it deserved a place here as well.

This is an excellent quote, discovered in a Wired story called “Drivers Want Code to their Cars“:

“‘There is really no time in my schedule for sitting around a car dealership listening to some fat guy in a clip-on tie tell me that the problem is my fault,’ [a 2002 car owner] said. ‘Instead of explaining anything to me they just pull out a warranty sheet with a highlighted portion indicating that they don’t cover Check Engine light problems.’

A bill floating through Congress could help people like Seymour by forcing automakers to share diagnostic codes with car buyers and independent mechanics. The Motor Vehicle Owners’ Right to Repair Act would give Seymour the means to determine whether the Check Engine light signaled another gas cap vagary or a major oil leak. The legislation would also allow Seymour to choose an independent — and possibly cheaper — repair shop instead of being forced to go to the dealership.

The legislation argues that consumers own their vehicles in their entirety and should be able to access their onboard computers.”

I think that’s “own” as in “beer”, not speech…

I know it’s a stretch, but imagine personal computer users making the same kind of demand (ok, forget the clip-on tie part). You would have a legal precedent for a “right to repair”, which could be extended to a need for source, no? How does IP get protected when you give away the details needed to make repairs, or should IP rights be placed above the right to prevent harm or even just maintain value for a buyer? More research required.

Ariane 5 flight 501

Wired picked up some of the details of the Prius software bug that I mentioned this past Sunday. It looks like several major news outlets carried a story on this as far back as May 2005. Wired mentioned the Prius troubles in an article called “History’s Worst Software Bugs”. I am disappointed that they didn’t bring up the fact that dealers are still selling the buggy version of the car.

One of Wired’s “worst” is the Ariane 5 flight 501 disaster. Since I am personally familiar with the event (from work at UIowa Dept of Physics and Astronomy) I might be biased, but I must say that while I’m not sure it was one of history’s worst, it certainly makes a great case study. I use it regularly in presentations on risk management. For example, the backup code was the exact same rev as the primary, and thus the bug (floating point error) that caused a failure in the primary…yup, you guessed it…oops.

Wired suggests a Wikipedia version of events, but their second link points to the original European Space Agency (ESA) report “ane5rep.html” (also found hosted at MIT). The ESA provided a very clear analysis of the source of the problem:

“The reason why the active SRI 2 did not send correct attitude data was that the unit had declared a failure due to a software exception. The OBC could not switch to the back-up SRI 1 because that unit had already ceased to function during the previous data cycle (72 milliseconds period) for the same reason as SRI 2.”

But even more interesting is that the floating point error itself could have been handled many ways, or the trajectory tested more accurately, but “It was the decision to cease the processor operation which finally proved fatal. […] The reason behind this drastic action lies in the culture within the Ariane programme of only addressing random hardware failures.”

Dare I say, the risk of software bugs was mis-managed?
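As an added illustration (my own toy model, not code from the post or from the ESA report) of the two points above: an unchecked numeric conversion whose exception handler shuts the unit down, and a backup running identical code that therefore fails for the same reason. The ESA report linked above identifies the fault as a 64-bit floating point value being converted to a 16-bit signed integer without a range check; the variable names, thresholds and bias trace below are assumptions.

```python
# Added example: toy model of the Ariane 5 flight 501 failure mode.
# INT16 limits are real; the trace and function names are constructed.
INT16_MIN, INT16_MAX = -32768, 32767

def convert_unprotected(value):
    """Ada-style conversion: out of range raises. In the real software the
    handler then ceased processor operation, so the unit stopped reporting."""
    i = int(value)
    if not INT16_MIN <= i <= INT16_MAX:
        raise OverflowError(f"bias {value} does not fit in 16 bits")
    return i

def convert_protected(value):
    """Saturating conversion plus a flag: one of the 'many ways' the error
    could have been handled without losing the unit."""
    i = int(value)
    if i > INT16_MAX:
        return INT16_MAX, True
    if i < INT16_MIN:
        return INT16_MIN, True
    return i, False

def sri_cycle(convert, bias):
    """One data cycle of an inertial reference unit (SRI)."""
    try:
        convert(bias)
        return "ok"
    except OverflowError:
        return "failed"

def flight(convert, bias_trace):
    """SRI 1 (backup) and SRI 2 (active) run identical code on the same
    input, so a data-dependent fault hits both; the on-board computer is
    left without attitude data once neither unit is functioning."""
    for cycle, bias in enumerate(bias_trace):
        backup = sri_cycle(convert, bias)
        active = sri_cycle(convert, bias)
        if backup == "failed" and active == "failed":
            return f"no attitude data at cycle {cycle}"
    return "nominal"

# Constructed trace: the value climbs past the 16-bit range, standing in for
# the larger horizontal velocity of Ariane 5 compared with Ariane 4.
BIAS_TRACE = [1200.0, 8500.0, 24000.0, 40000.0, 52000.0]
```

Redundancy only helps against the random hardware failures the programme planned for; with the same input and the same code, the protected conversion keeps both units alive where the unprotected one loses both in the same cycle.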

Sony gets a memo

The Inquirer reports today that Sony is getting sued by the ALCEI (Electronic Frontiers Italy):

“According to the press release here, and the complaint here, the Italian group ALCEI is suing Sony over the rootkitting DRM infection.”

This is a response to Mark Russinovich’s rather thorough and powerful complaint about his discovery of a Sony root-kit on his Windows PC after installing a player from one of their music CDs.

No luck with the trackback yet, so I’ve cross-posted some of this on Schneier’s blog as well.
