Wednesday, July 25, 2007

Class Critique

Bart Perkins was a guest speaker for our CECS 566 class, and he talked about Privacy and Security in the Corporation. He started the discussion by giving some background history about hacking. He told us that the first hack was done in 1982 and was done through the phone lines. A very good article with some history about hacking is here:

http://www.symantec.com/enterprise/security_response/weblog/2007/07/the_80s_scene.html

This article discusses some of the earlier hacking groups, such as the 414s, as well as early worms and viruses.

After giving a brief history of hacking he began to talk about costs. Everything costs money, but he specifically talked about how much IT costs in the business world. Direct and indirect costs affect businesses in different ways, and how secure information needs to be depends largely on the nature of the information. One interesting issue Bart Perkins discussed was how to make your boss understand why they need to spend money on technology. After a few minutes of the class offering various techniques for making their bosses understand, he boiled it down to the need to make a business plan.

He also gave interesting statistics about the percentage of the IT budget that actually gets spent on security. Sadly, that number was a mean of 7.8%. That being said, he then said that the number one cost in IT was anti-virus and anti-spyware software. The one aspect of this that I didn't quite understand was: isn't anti-virus and anti-spyware software a security cost? Is it not the goal of anti-virus software to prevent hackers from destroying and manipulating your data? I am not really sure where he got the 7.8%, and I would have liked to ask where that number came from and exactly what "security cost" means.

Next, Bart talked about what the biggest IT threat to the company was. Sadly, and truly enough, he said that the answer was the employees. This, I can believe. Employees are the biggest threat, mostly due to their lack of knowledge. From an employee's perspective, sure, they are going to open that email with the really catchy subject line from a random sender. And yes, they are going to take home laptops which contain the personal data of all the employees. The human problem in IT is a very expensive problem.

Lastly, he talked about ways to reduce costs and various metrics for monitoring a company. He suggested reducing costs by outsourcing. Although terrible for the employees, it does save money for the company.

Overall, I thought that Bart had very interesting things to say about IT and security in the corporate world. One thing that I didn't enjoy very much was that he seemed to be all about the company. He was somewhat of a company man, if you get my gist. Good for the company, not always so good for the employee.

Class Critique

The last day of class we discussed a type of hacking called "Google hacking". Wikipedia defines Google hacking as "the art of creating complex search engine queries in order to filter through large amounts of search results for information related to computer security." The full article can be found here:
http://en.wikipedia.org/wiki/Google_hacking
The idea of Google hacking is that, since Google does its best to find and index everything that is available on the Internet, you can use Google to find passwords and other sensitive data. From the results seen in class, with the proper technique, Google hacking can be very effective. The professor recommended a website, http://www.Johnny.ihackstuff.com, and said that this website contained a wealth of various Google hacks.
One technique that was demonstrated in class was to search for online web cameras. The search command in Google is: "Active Web Page" inurl:8080. This command brings up a list of active web cameras and allows a random person to view various places through other people's web cameras. A live demonstration of being able to use and see a random person's web camera on the Internet was very inspiring.
I decided to test some additional commands from the Johnny.ihackstuff.com website. The command that I used this time was !Host=*.* intext:enc_UserPassword=* ext:pcf . This query tries to go out and find VPN passwords. With this command I managed to find some group passwords. One example that I found was this: the Penn State group name is "pennstate" and the group password happens to also be "pennstate". Another example that I found using this command provided the password "sushisushi". I thought that one was hilarious.

Another command that I tried was filetype:log inurl:"password.log". This search returned 18 results, and the content of these files was unbelievable. These files contained the names and passwords of multiple users. But, as with anything, the question is how useful the information is. When I started trying to use these usernames and passwords, none of them seemed to work. Then, when I tried to do the same for the VPN connections, none of them worked either. So, although Google might be the best at finding and indexing these files, sometimes they aren't worth very much. And if you're looking to hack something specific, it will be much harder to do with Google.
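The flip side of the two dorks above is checking your own web root for the same files before Google indexes them. The script below is an added example and is not code from the class, from Johnny.ihackstuff.com or from the Google Hacking Database: it walks a document root and applies the same file-name and content tests the two queries encode (a .log file named with "password"; a Cisco VPN client profile, ext:pcf, whose enc_UserPassword, enc_GroupPwd, UserPassword or GroupPwd key is non-empty). The field names are what the Cisco VPN client writes into .pcf profiles; the sample files it builds in a temporary directory are constructed for the demonstration, and the host name and group name in them are placeholders, not data from the search results described above.

```python
"""
Local audit for the kinds of files the two dorks above surface:
  filetype:log inurl:"password.log"
  !Host=*.* intext:enc_UserPassword=* ext:pcf
Walks a web document root and reports files that match the same file-name
and content patterns, so they can be removed before a search engine indexes
them. Added example; not from the class, the GHDB or johnny.ihackstuff.com.
"""
import os
import re
import tempfile

# Cisco VPN client profile (.pcf) keys that carry credentials. Assumption: the
# dork targets enc_UserPassword, but the group-password keys are the ones the
# text says were found, so all four are checked. The value must be non-empty;
# an "enc_GroupPwd=" line with nothing after it is a template, not a leak.
PCF_SECRET_RE = re.compile(
    r"^[ \t]*(enc_GroupPwd|GroupPwd|enc_UserPassword|UserPassword)[ \t]*=[ \t]*\S",
    re.IGNORECASE | re.MULTILINE,
)

# (label, file-name test, optional content test): one rule per dork.
RULES = [
    ("password.log",
     lambda name: name.lower().endswith(".log") and "password" in name.lower(),
     None),
    ("vpn-profile",
     lambda name: name.lower().endswith(".pcf"),
     PCF_SECRET_RE),
]


def audit_webroot(root):
    """Return sorted (label, path relative to root) pairs a dork would expose."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            for label, name_ok, content_re in RULES:
                if not name_ok(name):
                    continue
                if content_re is not None:
                    try:
                        with open(path, "r", encoding="utf-8", errors="replace") as fh:
                            text = fh.read()
                    except OSError:
                        continue
                    if not content_re.search(text):
                        continue
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((label, rel))
    return sorted(findings)


# Constructed sample web root (placeholder data): two leaks, three benign files.
SAMPLE_FILES = {
    "logs/password.log": "alice:s3cret\nbob:hunter2\n",
    "logs/access.log": '10.0.0.1 - - [25/Jul/2007] "GET / HTTP/1.1" 200\n',
    "vpn/campus.pcf": (
        "[main]\nHost=vpn.example.edu\nGroupName=campus\n"
        "enc_GroupPwd=0123ABCD\nenc_UserPassword=\n"
    ),
    "vpn/template.pcf": "[main]\nHost=vpn.example.edu\nGroupName=students\nenc_GroupPwd=\n",
    "index.html": "<html><body>hello</body></html>\n",
}


def build_sample_tree(files=SAMPLE_FILES):
    """Write the constructed files into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for label, rel in audit_webroot(build_sample_tree()):
        print(f"{label:13} {rel}")
```

Run against a real document root by calling audit_webroot("/var/www/html") instead of the sample tree; a match means the file is reachable by URL and only needs a crawler to find it, so the fix is to move it out of the web root, not to rely on it being hard to guess.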

Security Tool Critique

The tool that I am going to critique is called PasswordNT_XPCrack.ZIP. As the name suggests, this program can crack and reset Windows NT/XP passwords. My experience with this tool was very pleasant. Finding the tool, on the other hand, was much more difficult. Going to Google and searching for a Windows password crack is probably one of the better ways to get some type of spyware and adware installed on your computer. Secondly, finding software that actually works and does what it says is an entirely different story. When I finally found this tool I was very surprised. It is a small file, only 1.31 MB in total.

The setup for the machine I was trying to crack was a laptop running Windows NT. The old laptop's user had changed jobs, and their password was still on the computer.

To perform the crack I needed a 1.44 MB floppy disk. Surprisingly, in today's age, they are not as easy to find as they once were. After I had unzipped the file, I ran a batch program that writes an image to the 1.44 MB floppy. The floppy disk is then bootable and contains an extremely small OS. After a restart with the floppy disk in the drive, that OS boots up. A menu appears and asks the user what actions they want to perform. After navigating to the location of the SAM file (the Windows password database; for more information see http://en.wikipedia.org/wiki/Security_Account_Manager), it asks which user account you wish to modify. After selecting the user, it asks whether you would like to reset or crack their password. For my use I only needed to reset a forgotten password, so I chose reset. In a few seconds the change was made. After I restarted the computer and loaded Windows, I could access the user's account without any problems. The reason this works is that the account database lives in a file on the unencrypted local disk, which any operating system booted from removable media can rewrite; a Windows logon password by itself does not protect a machine an attacker can boot, and only full-disk encryption closes that gap.

There are two aspects of the program that I would have loved to have tried out: whether the tool would work on an XP system, and whether it could actually crack the passwords rather than just reset them.

Using the program, I was very pleased. The actual use took about 5-10 minutes, and that was mainly due to distractions and unfamiliarity with the program. There were not any parts of the program that were confusing or difficult to perform. As mentioned earlier, it took much longer to find the program than it actually did to run it. I was very happy with the program and would use it again if needed.

Security Website Critique

The security website that I am going to critique is cgisecurity.net. Oddly enough, the actual website for cgisecurity is www.cgisecurity.com; upon further investigation, www.cgisecurity.com and www.cgisecurity.net turn out to be the same website.

The website's layout is similar to a forum, but only one person is allowed to post security items. Typically it seems that one item is posted per day. The cgisecurity website has been around since 2000 and, to quote the site, is "...the oldest application security website on the net pre dating OWASP and other well known organizations."

The website is divided into main tabs that run across the top of the page, in these categories:

  • News
  • Web Server Security
  • Phishing
  • Database Security
  • Application Server Security
  • Library
  • Vulnerability Archive
  • Secure Development
  • Web Services
  • Pen Test
  • AJAX
  • Application Firewalls

Then on the right- and left-hand sides of the webpage, additional topics and subjects are broken down. On the right-hand side are popular links by subject; these cover specific applications or software and information about how to secure them individually. On the left-hand side are topics that contain further information about the website, contact information, various downloads, links, etc.

Advertising on the webpage is minimal. There are Google ads located on the lower right- and left-hand sides of the screen. There are also ads for the web hosting company. But these ads are not flashy or obtrusive in any manner. They don't flash, blink, or make noise, and they are all small in proportion to the rest of the website. From reading a couple of pages on the website, if you have a banner and want to advertise on this site you can, but you need to contact the administrator. So I am not sure if the lack of ads is because the administrators are thoughtful or simply because they lack the sponsorship.

There is also a search feature on the website that lets you search for various keywords. There are no advanced search options, and it appears to be a simple Google search restricted to the website.

The website also features the ability to translate the entire page into Spanish, English, French, German, and Italian. Additionally, there are mailing lists and RSS subscriptions available.

Current News Item

I was on the New York Times website and I came across an interesting article about the iPhone. The article is called "iPhone Flaw Lets Hackers Take Over, Security Firm Says" and was written by John Schwartz. The article was published July 23, 2007. The link to the site is:

http://www.nytimes.com/2007/07/23/technology/23iphone.html?_r=1&adxnnl=1&adxnnlx=1185163364-1OTsRJvbylLamj17FY2wnw&oref=slogin

The iPhone is a cellular phone created by Apple with many features that make it unique. The iPhone has a fully interactive touch screen, an mp3 player, an integrated web browser, Wi-Fi, and much more. For further details about the iPhone go here:

http://www.apple.com/iphone/

Its popularity, however, could also be the reason many security specialists are taking an extra long look at the security of the iPhone. One analyst, Charles Miller, according to the article, has found a hole in its security. Charles demonstrated the vulnerability by visiting his website with the iPhone. Once connected, the website was able to pull virtually anything it wanted from the phone as well as perform various tasks. A more detailed explanation of the vulnerability can be found here:

www.exploitingiphone.com

The article also informed the reader that the vulnerability had already been reported to Apple. Apple's response seemed very gracious: "We're looking into the report submitted by I.S.E. and always welcome feedback on how to improve our security." Apple handled the situation very well. I enjoy the part "...and always welcome feedback on how to improve our security." It seems that Apple is willing to accept that its product is not perfect and is trying to do its very best to deliver the best product it can to its customers.

What I liked about this article is how, at the end, it compared what is happening with Apple products to what has already happened with Microsoft products. Because Microsoft has 95% of the OS market, according to the article, it is targeted much more than Apple. Another idea in the article was that cell phones are basically computers: the type of security needed for phones is similar to the type of security needed for desktop OSes. I enjoyed this article because I was informed of the iPhone vulnerability and it also put in perspective the reality of the situation when comparing Apple with Microsoft.

Wednesday, June 13, 2007

Current News item

I recently read an article about the XO laptop and how security is going to be implemented on these machines. The operating system of the laptop is based on Linux, but the security aspects and the functionality are different. The article is from Wired News, is called "High security for $100 Laptop", and was written by Ryan Singel. The article discusses the functionality of the XO laptop and its security. The security system of the laptop is controlled by Bitfrost, developed by Ivan Krstic. The UI, or user interface, is controlled by Sugar and is explained in more detail here.

First, the goal of the $100 laptop is to be able to supply a computer to everyone, all over the world, at a price that everyone can afford. With this being said, security is tough because the variety of operators is tremendous. Children and adults alike from all over the world, without much or any previous computer experience, will be the operators of these machines.

What Bitfrost is trying to do is design the system so that there are no initial flaws that will plague it from the beginning. Hopefully, when the XO laptop is shipped and then opened, the laptop is ready for use without needing to install a bunch of updates and patches.

Another feature of Bitfrost is that it avoids prompting the user with pop-up security questions. The security rules for the operating system are pre-set, so the user does not have any interaction in setting up the security of the system. If more security is needed, the user can go into the system and manually set the needed permissions. Another aspect of Bitfrost is that each program runs independently, somewhat like in its own VM. This is another layer of security that tries to contain breaches.

Bitfrost will also distribute public keys that require activation through the internet. If the internet is not available, dongles will be used to keep the laptop operational. This might sound good in theory, but what is there to prevent the mass creation of illegal dongles? If someone steals an XO laptop, they are going to know that without the activation maintenance the laptop is useless. I give thieves a little more credit in finding a way to get around the periodic public key maintenance.

Although I would like to believe that Bitfrost can provide adequate protection to the users, I find their optimism foolish. If the OLPC project goes to plan, and even half of the children receive laptops, hackers will find a way to manipulate the XO laptop.

Class Critique

The first class critique I am going to write is about my first day of class. The topics of discussion were components of information security, threats (and vulnerabilities), policy, mechanisms (controls), security goals, trust and assumptions, assurance, and operational issues.

The first topic, components of information security, deals with the idea of a three-legged approach to security. This CIA model, for Confidentiality, Integrity, and Availability, covers the main concepts of how best to secure a system. The idea of confidentiality is to keep sensitive information secure and away from unintended parties. The medical field is particularly interested in the confidentiality of its files because patient records contain sensitive information. The idea of integrity is to maintain the correctness of the information. If the integrity of bank files were in question, this would cause a massive uprising, because how would you know that the amount of money in your account is correct? Availability is the last leg, and it is just as it sounds: a system has to be available for people to use, or what good is it? All of these ideas mesh together to make one secure system, and if any one of them is missing, the system is not secure.

Threats to a computer are a broad category and can be broken down into smaller, more definable components: disclosure (snooping), modification or alteration, spoofing, repudiation of origin, denial of receipt, delay, and denial of service. A more in-depth description of all of these topics can be found here.

The threats to a computer are targeted at specific vulnerabilities. These vulnerabilities include, but are not limited to, hardware, software, data, networks, and people. As long as there is new technology, there will always be new vulnerabilities and threats. Attackers are the people who exploit these vulnerabilities. As with every attacker, computer or non-computer, they need motivation, opportunity, and a method of attack. Although an everyday burglar might use a firearm as their method, a computer attacker might use a virus or worm as theirs.

In general, the class started out well, and the first lecture was a nice introduction to information security. As specific and technical as information security can be, this lecture provided a nice overview of the topic.