1.27.2007

Wikipedia and Information Security

Interesting discussion on Slashdot about the online phenomenon Wikipedia. For those who don't know yet, Wikipedia is an online encyclopedia that allows anyone, even you...the Astute Reader...to edit its content.

Many students rely heavily on Wikipedia to pad their research papers until they reach the minimum number of pages. The question becomes: should an encyclopedia (Wikipedia, Britannica, etc.) be used as a cited source in a research paper?

I weigh in with my thoughts on the matter in Slashdot's comments section.

So...what does this have to do with information security? Well...despite the fact that Wikipedia may not be reliable enough to serve as a major source in a graded paper, it is still a remarkable and generally reliable resource for research on any subject you can imagine.

Personally, I often turn to it to get a general overview on many topics, including infosec. Once I have a baseline on a topic, it is often easy to research certain topics in greater depth from primary sources...

Knowledge is one of our greatest defenses against insecurity - familiarize yourself with the sources of data that are available to you - Wikipedia being one of them. See also my article about vulnerabilities and sources of info on them.

Chalmer

1.26.2007

What threats are out there?

As you begin to explore information security, you will quickly find that there are more problems than you can possibly keep track of. Luckily, others are diligently engaged in tracking these things for you.

The web-sites listed below all contain details about vulnerabilities or security flaws in popular software and operating systems. It should be noted:

  • Some are more detailed than others.
  • Some have duplicate information.
  • Some have clean user interfaces.
  • Some have more detail, or more reliable detail, on particular vulnerabilities; however, no one source will have all the info you might want or expect.
  • Pretty much all of them allow cross-referencing via the use of standardized vulnerability names (of the form CVE-YYYY-NNNN) as defined by the Common Vulnerabilities and Exposures (CVE) project.
Take a look at some of the problems that are out there, and compare how the different web-sites cover the same vulnerability.

Happy hunting.

X-Force Database (IBM Internet Security Systems)
National Vulnerability Database (National Institute of Standards and Technology)
SecurityFocus: Vulnerabilities
OSVDB (Open Source Vulnerability Database)
Vulnerability Notes Database (US-Computer Emergency Readiness Team)
Common Vulnerabilities and Exposures
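Since the CVE name is the thread that ties these sites together, here is an added example (mine, not something from this post or from any of the databases above): a small Python script that pulls CVE names out of a chunk of advisory text, normalises them, and builds the lookup link for two of the databases so the same flaw can be read in each and the write-ups compared. The sample bulletin is made up for the example, and the URL patterns are ones assumed here for NVD and the CVE site; check them against the sites themselves.

```python
import re

# Constructed sample bulletin for this example (not text from any real advisory
# database): one flaw named twice in different case, a second flaw, and a
# malformed string that must not be treated as a CVE name.
SAMPLE_BULLETIN = """
Vendor bulletin 2007-01: buffer overflow in the widget service.
Tracked as CVE-2006-1234; the vendor's notes also write it as cve-2006-1234.
Related issue: CVE-2005-0042. Typo in the original: CVE-99-1.
"""

# Lookup URL patterns assumed for this example for two of the databases listed
# above; verify against the sites themselves if the patterns have changed.
LOOKUP_TEMPLATES = {
    "NVD": "https://nvd.nist.gov/vuln/detail/{cve}",
    "CVE": "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}",
}

# A CVE name is "CVE-" + four-digit year + "-" + sequence number. The sequence
# number was exactly four digits when this post was written and has been
# allowed to grow longer since 2014, so accept four or more digits.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text, min_year=1999):
    """Return the distinct CVE names in text, normalised to upper case,
    in order of first appearance.

    The regex rejects malformed strings such as 'CVE-99-1'; min_year drops
    names with a year before the CVE list existed, which are usually typos.
    """
    found = []
    for match in CVE_PATTERN.finditer(text):
        year = int(match.group(1))
        if year < min_year:
            continue
        name = f"CVE-{year}-{match.group(2)}"
        if name not in found:
            found.append(name)
    return found


def cross_reference(cve_names):
    """Map each CVE name to the URL where each database should describe it,
    so the same flaw can be read in every source and the details compared."""
    return {
        name: {db: template.format(cve=name) for db, template in LOOKUP_TEMPLATES.items()}
        for name in cve_names
    }


if __name__ == "__main__":
    for name, links in cross_reference(extract_cves(SAMPLE_BULLETIN)).items():
        print(name)
        for db, url in links.items():
            print(f"  {db}: {url}")
```

Feed it a vendor bulletin, a mailing-list post or a scan report and you get one de-duplicated list of names to look up, which is the quickest way to notice that two sites describe the same flaw under different prose.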

Chalmer.

1.25.2007

Hash SHA-1 compromised...

This isn't really new news, but the SHA-1 hash function (Secure Hash Algorithm 1) has been significantly compromised: cryptographers have found ways to produce collisions (two different inputs with the same hash value) much faster than its design was supposed to allow. So...what does that mean to you?

A hash is a short, fixed-length value computed from the contents of a message or file and intended to stand in for those contents uniquely. Hashes are expected to have two important properties:

  • If I have a hash value, I can't come up with a message or file that produces it in a reasonable amount of time (preimage resistance)
  • I should not be able to find two different files that create the same hash value (collision resistance)
For example, take the word "HASH". If I use the following values for the letters in HASH

H=1.1
A=3.1
S=4.1

I can use a special formula to create a value that represents the word "HASH".

For example, my (totally fictitious) formula might be:
  • sum of the (locations X values)
Where I multiply a number that stands for the location of the letter within the word by the value of the letter and then take the sum of the results.
  • the first H is the first letter and has a value of 1.1 => 1 X 1.1 = 1.1
  • A is the second letter and has a value of 3.1 => 2 X 3.1 = 6.2
  • S is the third letter and has a value of 4.1 => 3 X 4.1 = 12.3
  • the last H is the fourth letter and has a value of 1.1 => 4 X 1.1 = 4.4
Adding all of these up gives me 24.0.

The letters SAHH would give me a value of
  • the first S is the first letter and has a value of 4.1 => 1 X 4.1 = 4.1
  • A is the second letter and has a value of 3.1 => 2 X 3.1 = 6.2
  • H is the third letter and has a value of 1.1 => 3 X 1.1 = 3.3
  • the last H is the fourth letter and has a value of 1.1 => 4 X 1.1 = 4.4
Adding all of these gives me...18.0, even though the letters in the word are the same. Because the hash values differ, the words must differ. (The reverse is not true for this toy formula: it is easy to find two different words that add up to the same value, which is exactly what a real hash function must make impractical.)
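To see how far the toy formula is from a real hash, here is an added example (mine, not from the post) that implements it in Python and then brute-forces both properties above over four-letter words made of H, A and S. It finds a collision within the first dozen words and recovers a word for any given value just as easily; the same searches against SHA-256 come up empty.

```python
import hashlib
from itertools import product

# The post's letter values, kept in tenths (1.1 -> 11) so every sum is exact
# integer arithmetic and equal hashes compare equal without floating-point fuzz.
LETTER_VALUES_TENTHS = {"H": 11, "A": 31, "S": 41}


def toy_hash(word):
    """The post's toy formula: sum over letters of (1-based position * letter value)."""
    total = sum(pos * LETTER_VALUES_TENTHS[ch] for pos, ch in enumerate(word, start=1))
    return total / 10  # "HASH" -> 24.0, "SAHH" -> 18.0


def find_collision(hash_fn, alphabet, length):
    """Brute force: return the first two distinct words of the given length with
    the same hash, or None if every word in the space hashes differently."""
    seen = {}
    for letters in product(alphabet, repeat=length):
        word = "".join(letters)
        digest = hash_fn(word)
        if digest in seen:
            return seen[digest], word
        seen[digest] = word
    return None


def find_preimage(hash_fn, target, alphabet, length):
    """Brute force: return a word of the given length whose hash equals target, or None."""
    for letters in product(alphabet, repeat=length):
        word = "".join(letters)
        if hash_fn(word) == target:
            return word
    return None


def sha256_hex(word):
    """A real cryptographic hash of the same word, for contrast."""
    return hashlib.sha256(word.encode("ascii")).hexdigest()


if __name__ == "__main__":
    alphabet = "HAS"
    print("HASH ->", toy_hash("HASH"), " SAHH ->", toy_hash("SAHH"))
    # Property 2 fails for the toy hash almost immediately...
    print("toy collision:", find_collision(toy_hash, alphabet, 4))
    # ...and so does property 1: a matching input turns up within 81 tries.
    print("toy preimage of 24.0:", find_preimage(toy_hash, 24.0, alphabet, 4))
    # The same searches against SHA-256 find nothing in this space, and would not
    # find anything in any space you could afford to enumerate.
    print("sha256 collision among 3^6 words:", find_collision(sha256_hex, alphabet, 6))
```

The toy fails both properties because its output carries very little information and the formula is linear. A real hash function is designed so that the only known way to satisfy either search is to keep trying inputs until an astronomically large space is exhausted; SHA-1's problem is precisely that researchers found a shortcut for the second search.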

Why is this important? A workable hashing algorithm can help prove that something has not changed since it was created. For example:
  • You send a contract to a client and they alter it slightly...something subtle that you wouldn't notice right away...compare the hash value you recorded when you sent the file with the hash value of the copy they return and you can show they altered it.
  • Many popular files are hosted on multiple sites (called mirrors), but those sites may not be controlled by the author of the file. Once you download the file, you can compute its hash value and compare it to the hash value posted by the author - if they don't match, you can tell you have a file that was corrupted during the download or, worse yet, has been tampered with by the bad guys.
  • Monitoring software on your computer can use hashes to tell that a virus or trojan has altered your files or programs, by periodically checking your current files against baseline values it keeps in a database. Any change to your program results in a different hash and your monitoring software can alert you to the change.
Now that SHA-1 has been compromised, there is the threat (albeit very remote, for now) that someone can create two different files that have the same hash value. The computing power and time necessary to do this are outside the realm of normal folks, so no need to panic yet; but attacks only get better over time, never worse. The folks at the National Institute of Standards and Technology (NIST) are working on creating a new hashing algorithm and should have one in about 3 years.

The take home message:
  • don't panic yet
  • look for hash values when you download files (especially from mirror sites); if the author publishes more than one kind, prefer SHA-256 over SHA-1 or MD5
  • compare the hash value of the file to the author's hash value
  • keep your eyes out for future versions of hash algorithms
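Here is how the download check and the file-monitoring idea above look in practice, as an added Python example (mine, not the post's, and not tied to any particular download site). The "download" and its published digest are created on the spot so the script runs offline; in real use you would paste the digest from the author's page. It defaults to SHA-256 but accepts any algorithm name Python's hashlib knows, including sha1 for sites that still publish only SHA-1 values.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read big downloads a piece at a time instead of all at once


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, streamed so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest, algorithm="sha256"):
    """True only if the file's digest matches the value the author published.

    Published digests get pasted with odd case and stray whitespace, so normalise
    first. compare_digest is a constant-time comparison; it costs nothing here
    and is the right habit wherever the expected value might be secret.
    """
    expected = published_digest.strip().lower()
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def build_baseline(directory, algorithm="sha256"):
    """Digest of every file under directory, keyed by path relative to it.
    This is the 'database of baseline values' a file-integrity monitor keeps."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = file_digest(full, algorithm)
    return baseline


def detect_changes(directory, baseline, algorithm="sha256"):
    """Re-hash the directory and report what differs from the saved baseline."""
    current = build_baseline(directory, algorithm)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a clean 'download' with a published digest, then a tampered copy.
    Returns (verified before tampering, verified after tampering, monitor report)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "tool.bin")
        with open(path, "wb") as f:
            f.write(b"pretend this is an installer\n")
        published = file_digest(path)            # what the author would post on the site
        ok_before = verify_download(path, "  " + published.upper() + "\n")
        baseline = build_baseline(workdir)       # monitor records the known-good state
        with open(path, "ab") as f:              # a bad mirror (or a trojan) alters the file
            f.write(b"extra bytes\n")
        ok_after = verify_download(path, published)
        return ok_before, ok_after, detect_changes(workdir, baseline)


if __name__ == "__main__":
    print(demo())  # (True, False, {'modified': ['tool.bin'], 'added': [], 'removed': []})
```

One caveat that the hash alone cannot fix: the comparison is only as good as the digest you compare against. A digest posted on the same mirror as the file proves nothing, because whoever replaced the file could replace the digest too; take it from the author's own site.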
For more info on hashes, see these articles/sites:
  1. Software to calculate hashes: HashCalc
  2. Example of a site that lists hash values of their software (the SHA-1 values are listed before each of the "filenames" that end in .iso)
  3. More details on hashes by Bruce Schneier
  4. NIST's write-up on SHA-1
Chalmer

1.17.2007

Your computer, the Zombie

Even with sophisticated information security software installed, you can be at risk. Several products from Symantec, the computer security company, are vulnerable to variants of a worm called "Spybot". Spybot opens a back door into your computer and phones home to its owner so that the owner can take control of your computer. When your computer gets taken over, it is called a zombie and mindlessly does whatever the attacker wants. Spybot affects older versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. These are both used primarily in businesses. Spybot does not affect the Norton line of home computer security products.

A patch for this problem has been available for months.

What should the Astute Reader conclude from this? Even the professionals don't always get it right...and thus we need to rely on multiple means of defense:

  • antivirus software to find most of the viruses
  • firewall software to catch suspicious activity such as "phoning home"
  • anti-spam software to keep some virus infected email off your system, in the first place
  • anti-spyware software to pick up what the others might have missed

This principle of having a multilayer defense is called "defense-in-depth". It is similar to safety systems in your car: bumpers, crush zones, airbags, and seat belts all work together to absorb energy from a crash and minimize or prevent injury. Make sure YOU have all your protective gear in place.

For more details, see this article.

Chalmer

1.14.2007

Phishing. No pole required.

Phishing is a crime perpetrated against unsuspecting computer users to gather private information. Phishing uses technical means such as e-mail, instant messaging (IM) or phone calls to request information such as passwords or login names. Phishing has been around for years, but is becoming more prevalent. Early attempts at phishing were used to steal access to people's online computer accounts (e.g. web-based email), which were then used to send spam or send out copies of pirated software.

Modern phishing often focuses on more direct means to financial gain...namely getting access to your bank, credit card or other financial accounts (e.g. PayPal, eBay).

Victims of phishing will receive a message from the attacker that asks for specific personal or private information. For example:

  • Mr. Smith, due to problems with your PayPal account, we need to validate your username and password.
  • Ms. Wilson, we are upgrading our servers and need all account holders to provide additional important account information, such as date of birth and address.
Some of these messages can be extremely realistic looking, with authentic looking logos, etc. Many will include dire threats, like the PayPal example pictured with this post. The message will often provide a web-site to visit where the victim can input their data. Close examination of the web-site address (URL) will show that the web-site is not the real web-site. For example:
www.usabank.login.com might fool some people into believing they were really going to a login site associated with www.usabank.com. It is actually a page on login.com, which anyone could have registered; what counts is the registered domain just before the final .com, not the familiar words placed in front of it.
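The URL check above can be made mechanical. The following Python is an added example (mine, not from the post) that pulls a link apart the way a browser would and lists the tricks that make a phishing link look like the bank's: a different registered domain dressed up with familiar subdomains, an "@" that hides the real host, a bare IP address, an internationalised look-alike name, or a login page that is not HTTPS. The sample links and the expected domain usabank.com are made up for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# The site the user believes they are visiting (assumed for this example).
EXPECTED_DOMAIN = "usabank.com"

# Constructed sample links of the kinds seen in phishing mail; none are real sites.
SAMPLE_LINKS = [
    "https://www.usabank.com/login",                 # genuine
    "https://login.usabank.com/",                    # genuine: a subdomain of the bank
    "http://www.usabank.login.com/verify",           # the post's example: belongs to login.com
    "http://www.usabank.com@203.0.113.5/login",      # '@' trick: the real host is the IP
    "http://192.0.2.10/usabank/login",               # bare IP address
    "http://xn--usabnk-0ta.com/login",               # internationalised look-alike name
]


def registrable_domain(hostname):
    """The part of a hostname someone had to register: here, its last two labels.

    Simplification: real tools consult the Public Suffix List so that names such
    as 'bank.co.uk' are split correctly. Enough for the demonstration.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url, expected_domain=EXPECTED_DOMAIN):
    """Return the reasons this URL does not look like a link to expected_domain.
    An empty list means no red flag was found (not proof that the link is safe)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if not host:
        return ["no hostname in the link"]
    if parts.username is not None:
        warnings.append(f"text before '@' is ignored by the browser; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a bare IP address ({host}), not the bank's domain")
    except ValueError:
        if registrable_domain(host) != expected_domain:
            warnings.append(f"site is {registrable_domain(host)}, not {expected_domain}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) hostname: may imitate a familiar name")
    if parts.scheme != "https":
        warnings.append("not HTTPS: a real login page would be encrypted")
    return warnings


def triage(urls):
    """Map each link to its warnings, for a quick look at a suspicious message."""
    return {url: inspect_url(url) for url in urls}


if __name__ == "__main__":
    for url, warnings in triage(SAMPLE_LINKS).items():
        print(url)
        print("  " + ("\n  ".join(warnings) if warnings else "no red flags"))
```

An empty result means no known trick was spotted, not that the link is genuine, and the domain check is only as good as the expected domain you give it; which is the same lesson as typing the bank's address yourself.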

Defenses

Your Brain: Your best defense against phishing is to be constantly on guard. Companies have no need to ask you for your username or your password to revalidate your account, etc. If anyone asks you to provide additional information about yourself or your account after you have set up the account originally, then immediately contact the company directly using one of the following methods:
  • Use your browser and type in the real URL for the company you are dealing with and verify on their website whether they are changing their data gathering requirements (if they genuinely need more info from you, the request will be on their own site, not only in an unsolicited e-mail).
  • Find the phone number for the company (e.g. the number on the back of your credit card or on the company's true website) and give them a quick call.
Anti-phishing Technology: Other defenses include technologies that are being included with modern browsers such as Firefox 2 and Internet Explorer 7. As part of its anti-phishing technology, Firefox uses a list of known phishing sites. When you attempt to visit such a site, Firefox will notify you that the site is bogus. Firefox has a test site set up to allow you to see how their system works: http://www.mozilla.com/firefox/its-a-trap.html

As soon as you visit the site, Firefox will produce a warning notice that allows you to leave the site immediately or to ignore the warning.

Anti-spam Filters: Additionally, anti-spam filters for your email will help to keep most spam-based phishing messages out of your inbox in the first place.

Good luck and safe surfing.

Chalmer

Why ōKAMi?

Some of you may be asking...what does ōKAMi mean?

ōkami is Japanese for wolf. My Japanese friends chose this character (狼) to represent my name. Japanese characters often have multiple readings; for example, the character for wolf can be read:

  • ōkami
  • rō
rō is how my Japanese friends pronounced my last name of Lowe. Thus when they went looking for a meaningful symbol to represent my name, they chose Wolf.

The image accompanying this post shows one way of drawing the character for wolf.

Chalmer

1.07.2007

User Accounts at home and BIOS vs Windows logon

Many of my Astute Readers are familiar with the Windows logon process from their work computers. Some of you may not use a logon for your home computers. In addition, you may not know that there is a second, earlier logon step, the BIOS password, that you can use to slightly increase your level of protection (keyword: slightly).

Windows passwords and User Accounts

Why would you use a Windows password and separate User Accounts at home? Several reasons:
  • keep the kids from accessing, modifying or accidentally erasing your personal files.
  • keep out some of the less determined bad guys
  • keep out prying visitors (like the babysitter)
Windows allows you to set up user accounts on your computer. The user accounts come in several flavors: Administrator Accounts and Limited Accounts with certain restrictions. Administrators can install programs, change system settings, and read, modify or delete any file on the machine. Limited Accounts have significantly lower capabilities: they may not be able to read certain files or folders that you identify; they may not be able to delete files; they may not be able to install programs; etc. Any program you run, including a virus or trojan that tricks you into running it, gets the same powers as the account you are logged into. So if you are logged in as an administrator when a virus or trojan or the kids take control of your computer, the virus, trojan or little Billy can cause much greater damage.

Bottom line: for your everyday use (surfing the web, writing letters, playing music or games), you should have a Limited Account. For those rare times when you need more power (e.g. you need to install some software), you should use an Administrator Account. Both of these accounts should have strong passwords.
To set up User Accounts on your computer, try this Microsoft website.

BIOS passwords

The BIOS password is useful for providing a basic level of protection that can prevent passersby from booting your computer from their own CD or USB device and so bypassing the Windows logon process. This can provide you with some protection when you travel with your laptop and find yourself in situations where you leave your laptop unattended for short periods (e.g. at conferences, etc.).

It should be noted that this will not keep out a determined cracker, and is not a secure line of defense. TechRepublic and SearchWindowsSecurity have articles that explain multiple ways to get past BIOS passwords. Note also that a BIOS password protects the machine, not the data: anyone who can remove the hard drive can read it in another computer, so if the data on a laptop matters, it needs to be encrypted as well.

Chalmer

1.04.2007

Firewalls: the big picture

In fire protection, a firewall is a solid, fire-resistant barrier that keeps a fire burning on one side of the wall from reaching valuable material on the other side. In computing, a firewall serves a similar purpose: separating the bad guys from your valuable data. Firewalls come in two flavors: software (computer programs) or hardware (equipment or stand-alone boxes). There are benefits and disadvantages to both:

Software Firewalls:

  • Generally installed directly on your computer
  • Goes everywhere your computer goes (important if you use a laptop)
  • Often fairly inexpensive and/or free
  • Uses your computer's processor to do its work, which can sometimes bog down your computer slightly (Modern computers should not be tremendously affected.)
Hardware Firewalls:
  • Installed physically on the cable or network that connects you to the Internet
  • Generally NOT portable (important if you use a laptop)
  • Does not use any of your computer's processing power to do its job
  • Can be more expensive and takes up space on your desk
What do firewalls do:

Firewalls help separate two worlds: the world of the bad guys and your world. They filter traffic in both directions: keeping attacks out (inbound filtering) and keeping your private info in (outbound filtering).
  • Inbound filtering:
    • Probes and scans: bad guys often try to probe or scan your computer and your network to see what programs you have, what operating system you run, what ports you have open and what files or other information you have. With this info, they can decide which attacks would be most effective.
    • Flooding and Denial-of-Service: bad guys may try to prevent legitimate people from reaching your computer or network, by flooding your computer with traffic.
    • Bad or malformed traffic: some messages sent to your computer can cause it to lock up or crash, because the program that receives the message has a bug that the unexpected input triggers.
    • Storage: Some bad guys don't want anything off your computer, but they may want to put something on it. The bad guys will sometimes store pirated software or child porn images on other people's computers, so keeping the bad guys off your machine is critical.

  • Outbound filtering:
    • Phone home: Just like E.T. wanted to "phone home", sometimes you will get infected by viruses or other junk from the bad guys. Often, these programs will want to phone home to get more instructions, to send your private info to the bad guys or to open up gateways so that more powerful programs can be installed secretly on your computer.
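To make the two directions concrete, here is an added example (mine, not from the post or from any firewall product) of the decision a personal firewall makes for each packet, in Python. It applies a typical home policy, deny everything inbound except replies to connections the computer itself opened, and allow outbound only to web and DNS ports, to a handful of made-up packets: a normal web visit and its reply, a stranger probing three ports, and a program on the PC trying to reach an IRC server the way a bot does when it phones home.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One connection attempt or reply, as seen from this computer."""
    direction: str   # "in" (arriving from the Internet) or "out" (leaving this computer)
    proto: str       # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


class HostFirewall:
    """A minimal stateful host firewall: inbound is denied unless it answers a
    connection this computer opened or targets a service deliberately published;
    outbound is allowed only to an explicit list of services."""

    def __init__(self, allowed_outbound, allowed_inbound=()):
        self.allowed_outbound = set(allowed_outbound)   # {(proto, remote_port)}
        self.allowed_inbound = set(allowed_inbound)     # {(proto, local_port)}
        self.established = set()                        # connections this computer opened
        self.probed_ports = defaultdict(set)            # remote_ip -> local ports it was blocked on

    def filter(self, pkt):
        """Return (verdict, reason) for one packet and update connection state."""
        key = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            if (pkt.proto, pkt.remote_port) in self.allowed_outbound:
                self.established.add(key)
                return "allow", "outbound to a permitted service"
            return "block", "outbound to an unexpected service: possible phone-home"
        if key in self.established:
            return "allow", "reply on a connection this computer opened"
        if (pkt.proto, pkt.local_port) in self.allowed_inbound:
            return "allow", "inbound to a published service"
        self.probed_ports[pkt.remote_ip].add(pkt.local_port)
        return "block", "unsolicited inbound: probe, scan or attack"

    def suspected_scanners(self, min_ports=3):
        """Remote addresses blocked on at least min_ports different local ports."""
        return {ip for ip, ports in self.probed_ports.items() if len(ports) >= min_ports}


# Constructed traffic for the demonstration (documentation-range addresses, not real hosts).
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "93.184.216.34", 443, 51000),   # browser opens an HTTPS page
    Packet("in",  "tcp", "93.184.216.34", 443, 51000),   # the web server's reply
    Packet("in",  "tcp", "198.51.100.7", 40000, 22),     # a stranger probes SSH...
    Packet("in",  "tcp", "198.51.100.7", 40001, 135),    # ...Windows RPC...
    Packet("in",  "tcp", "198.51.100.7", 40002, 445),    # ...and file sharing
    Packet("out", "tcp", "203.0.113.9", 6667, 51001),    # a program on this PC tries IRC: a bot phoning home
]


def run_demo(packets=SAMPLE_TRAFFIC):
    """Filter the sample traffic with a home-PC policy: web and DNS out, nothing in."""
    fw = HostFirewall(allowed_outbound={("tcp", 80), ("tcp", 443), ("udp", 53)})
    verdicts = [fw.filter(pkt) for pkt in packets]
    return verdicts, fw.suspected_scanners()


if __name__ == "__main__":
    verdicts, scanners = run_demo()
    for pkt, (verdict, reason) in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{verdict:5} {pkt.direction:3} {pkt.proto} {pkt.remote_ip}:{pkt.remote_port}"
              f" <-> local {pkt.local_port}: {reason}")
    print("suspected scanners:", scanners)
```

The outbound allow-list is what catches the phone-home: the bot's connection is blocked not because anyone recognised the bot, but because nothing on a home PC has a reason to open that port. Real products add a pop-up asking whether to permit the program, which is the same decision with a human in the loop.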
If you don't have a firewall installed, get one. Options include firewalls from Norton, McAfee, Comodo, Sunbelt/Kerio, ZoneAlarm, etc. Most are available for download off the Internet. Some are free. Some will cost you. (The firewall built into Windows XP Service Pack 2 filters inbound traffic only, so on its own it will not catch a program phoning home.)

Chalmer

1.02.2007

Security changes coming to your bank!

Banks will be instituting a variety of new identification and authorization methods in 2007. This article by Sherry Slater covers many of the ways and means that banks will be beefing up their security, apparently in response to guidelines issued by the Federal Financial Institutions Examination Council. Some of the methods of choice include:

  • Pictures and phrases chosen by the user and displayed when they login - to prevent phishing attacks
  • Identifying the user's computer(s) based on unique identifiers - to prove the user's identity
  • Use of an expanded selection of questions - to prove the user's identity
  • Use of transaction tracking software - to red flag suspicious activity
  • One-time passwords - to authorize especially large transactions
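The article does not say which one-time-password scheme the banks will use; one widely used standard for hardware tokens is HOTP (RFC 4226), an HMAC-SHA1 over a counter that advances each time the button is pressed. As an added example (mine, not from the article or from any bank), here is HOTP in Python together with the server-side check a bank would need: a small look-ahead window so a customer who pressed the button a few extra times can still log in, and rejection of any code at or below the last accepted counter so that a code captured by a phisher cannot be replayed. The secret is the RFC's published test key, not a real one.

```python
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D, used here only so the output can be
# checked against the RFC's published test vectors. A real token has its own key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """The bank's side of one customer's token.

    Accepts the next `window` counters so that a customer who pressed the button a
    few times without logging in still gets in, then moves past whatever counter
    was accepted so that no code can be accepted twice (replay defence).
    """

    def __init__(self, secret, window=5):
        self.secret = secret
        self.window = window
        self.next_counter = 0  # first counter value the server has not yet consumed

    def verify(self, submitted):
        """True, and advance the counter, if `submitted` matches one of the next `window` codes."""
        for counter in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    codes = [hotp(RFC4226_SECRET, c) for c in range(10)]  # what the device would show
    print("first ten codes:", codes)                        # starts 755224, 287082, ...
    bank = TokenVerifier(RFC4226_SECRET)
    print("login with code 0:", bank.verify(codes[0]))      # True
    print("replay of code 0:", bank.verify(codes[0]))       # False: already consumed
    print("skipped to code 3:", bank.verify(codes[3]))      # True: within the window
    print("old code 1 now:", bank.verify(codes[1]))         # False: behind the counter
```

Two notes. HMAC-SHA1 here is unaffected by the collision attacks discussed in the 1.25.2007 post, because HMAC's security does not rest on collision resistance. And the window is the knob to watch: every extra counter the server will accept is one more code an attacker can try, so keep it small.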
The second to last paragraph was probably the most pertinent:
"No amount of security and software on the bank’s part can make up for carelessness on customers’ parts, however."

Chalmer
