Domain: rsaconference.com
Stories and comments across the archive that link to rsaconference.com.
Stories · 13
Hacking a Professional Drone
New submitter ricardinho writes: Research done at the University of Twente, in the Netherlands, shows that paying thousands of dollars for a professional drone does not guarantee that the device will be hack-proof. These professional drones are commonly used across various industries to perform daily critical operations, such as surveillance and recon missions by law enforcement authorities. During his research, student Nils Rodday discovered that a professional drone could be compromised in multiple ways (PDF). One of the attack vectors investigated by the student is much more sophisticated than those used to compromise recreational drones that cost a few hundred dollars and are not expected to be strongly secured. By reverse engineering the drone's operation and firmware, the student found ways to obtain key information that is used to validate the communication on the telemetry link between the drone and its remote controllers. This allowed for a Man-in-the-Middle attack in which the hacker could take full control of the attacked drone from a distance of up to 2 km. Manufacturers of professional drones are blindly trusting XBee chips for the communication between devices. These chips, however, are not meant to be used in sensitive devices, and this flaw can compromise any sort of operation that the drones are deployed for. In addition, the solution is not simple, since a firmware update patch cannot simply be released; manufacturers have to actually recall the devices for in-house upgrades. Perhaps even more surprising is the cost of the described attack: 40 dollars is enough for an attacker to take full control of a $30,000 drone. Nils will explain and demonstrate his hacking of a professional drone during talks at the RSA Conference in San Francisco and Black Hat Asia in Singapore.
Pwnie Express Rides Again at RSA 2014 (Video)
The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March, 2013. Now they're working with Kali Linux, a distro built especially for penetration testing (and formerly known as BackTrack). In this video we have Tim Lord chatting with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.)
RSA: From Apple Keys to Biometric Security Devices (Video)
30 years ago there was a company that made molded plastic push buttons and keyboard keys, including those used on early Apples, Ataris, and Texas Instruments computers. Said company, Key Source International, has morphed over the years into a supplier of secure keyboards and other biometric security devices. Some of what they make is trivial, and some is interesting. In this video (and the accompanying transcript), made by Tim Lord at the 2013 RSA conference, Key Source International marketing VP Philip Bruno tells us about the company and its products.
RSA: An Unusual Approach to User Authentication: Behavioral Biometrics (Video)
In the North of Sweden, in Lappland, there is a university spinoff company named BehavioSec that decides you are you (or that a person using your computer is not you) by the way you type. Not the speed, but rhythm and style quirks, are what they detect and use for authentication. BehavioSec CEO/CTO Neil Costigan obviously knows far more about this than we do, which is why Tim Lord met with him at the 2013 RSA Conference and had him tell us exactly how BehavioSec's system works. As usual, we've provided both a video and a transcript (there's a small "Show/Hide Transcript" link immediately below the video) so you can either watch or read, whichever you prefer.
RSA: The Pwn Pad is an Android Tablet-Based Penetration Tester (Video)
Last year Pwnie Express showed us their Stealthy Pen Test Unit that plugged directly into a 115 VAC wall outlet. This year at RSA they're proudly displaying their Pwn Pad, which is a highly-modified (and rooted) Nexus 7 tablet "which provides professionals an unprecedented ease of use in evaluating wired and wireless networks." They list its core features as Android OS 4.2 and Ubuntu 12.04; large screen, powerful battery; OSS-based pentester toolkit; and long range wireless packet injection. If you can't see the video (or want to read along) the transcript is below.
RSA: Self-Encrypting USB Hard Drives for all Operating Systems (Video)
Tim Lord met Jay Kim at the RSA Conference in San Francisco. Kim's background is in manufacturing, but he's got an interest in security that has manifested itself in hardware with an emphasis on ease of use. His company, DataLocker, has come up with a fully cross-platform, driver-independent portable system that mates a touch-pad input device with an AES-encrypted drive. It doesn't look much different from typical external USB drives, except for being a little beefier and bulkier than the current average, to account for both a touchpad and the additional electronics for performing encryption and decryption in hardware. Because authentication is done on the face of the drive itself, it can be used with any USB-equipped computer available to the user, and works fine as a bootable device, so you can -- for instance -- run a complete Linux system from it. (For that, though, you might want one of the smaller-capacity, solid-state versions of this drive, for speed.) Kim talked about the drive, and painted a rosy picture of what it's like to be a high-tech entrepreneur in Kansas.
Video Captchas are Hard for Computers to Understand but Easy for Humans (Video)
A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas, but lots easier for humans to figure out. While at the 2012 RSA conference, Timothy Lord pointed his camcorder at NuCaptcha CTO Christopher Bailey, and had him explain how video captchas work and how the company makes money. The video includes demos of the video captchas so you can see what they look like (and the company's website has lots more video captcha examples).
Why is the EFF at the RSA Security Conference? (Video)
Timothy asked Electronic Frontier Foundation (EFF) International Outreach Coordinator Maira Sutton that very question. Watch the video for her answer. It turns out that the EFF has lots of friends among RSA ("the most comprehensive forum in information security") attendees, and has some very good reasons to be there, in the midst of companies and government agencies that Timothy thinks might not only violate your privacy once in a while, but (gasp!) might even enjoy it.
Book Review: Defense Against the Black Arts
brothke writes "If there ever was a book that should not be judged by its title, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, is that book. Even if one uses the definition in The New Hacker's Dictionary of 'a collection of arcane, unpublished, and (by implication) mostly ad-hoc techniques developed for a particular application or systems area', that really does not describe this book. The truth is that hacking is none of the above. If anything, it is a process that is far from mysterious, but rather aether to describe. With that, the book does a good job of providing the reader with the information needed to run a large set of hacking tools." Read below for the rest of Ben's review.
Title: Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It
Author: Jesse Varsalone, Matthew Mcfadden, Michael Schearer, Sean Morrissey
Pages: 412
Publisher: CRC Press
Rating: 7/10
Reviewer: Ben Rothke
ISBN: 1439821194
Summary: Good reference for someone experienced in the topic who wants to improve their skills
Defense against the Black Arts is another in the line of hacking overview books that started with the first edition of Hacking Exposed. Like Hacking Exposed, the book walks the reader through the process of how to use hacking tools and how to make sense of their output.
Defense against the Black Arts is written for the reader with a good technical background who is looking for a nuts and bolts approach to ethical hacking. Its 14 chapters provide a comprehensive overview of the topic, with an emphasis on Windows.
But for those looking for an introductory text, this is not the best choice out there. The book is written for the reader that needs little hand-holding. This is in part due to its somewhat rough-around-the-edges text and the use of more advanced hacking tools and techniques.
By page 4, the author has the reader downloading BackTrack Linux. BackTrack is an Ubuntu distro which has a focus on digital forensics and penetration testing. BackTrack is currently in a 5 R1 release, based on Ubuntu 10.04 LTS and Linux kernel 2.6.39.4. BackTrack comes with a significant amount of security and hacking tools preloaded, which the authors reference throughout the book.
After showing how to install BackTrack, chapter 1 shows how to log into Windows without knowing the password. Much of that is around the Kon-Boot tool, which allows you to change the contents of the Windows kernel in order to bypass the administrator password. Tools like Kon-Boot though will only work when you have physical access to the machine.
Chapter 3 gets into the details of digital forensics and highlights a number of popular tools for forensic imaging. While the book provides a good overview of the topic, those looking for the definitive text on the topic should read Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.
Chapter 5 deals with web application penetration testing. The authors describe a number of tools that can be used to assess the security of web sites, and offer ways to attempt to manipulate data from a web page or web application.
One is likely hard pressed to find a large web site that will be vulnerable to such web attacks, given that most of them have already checked for those errors via validation control testing. Smaller vendors may not be so proactive, and find out that those $99 items are being sold for 99 cents. With that, the chapter details a number of tools developers can use to test for SQL injection, XSS and other types of web vulnerabilities.
Chapter 8 is about capturing network traffic. There are two perspectives on collecting traffic. For the attacker, it is about identifying holes and avenues for attack. For those trying to secure a network, collecting network traffic is an exercise in identifying, thwarting and defending the network against attacks.
Chapter 10 provides a brief overview of Metasploit. For those looking for a comprehensive overview of Metasploit, Metasploit: The Penetration Tester's Guide is an excellent resource. This chapter, like many of the others, provides the reader with detailed step-by-step instructions, including screen prints, on how to use the specific tool at hand.
Chapter 11 provides a long list of attack and defense tools that can be used as a larger part of a penetration tester's toolkit.
Chapter 12 is interesting in that it details how social engineering can be used. The authors show how public domain tools like Google Maps can be used to mount an attack.
Chapter 13 – Hack the Macs – is one of the shorter chapters in the book and should really be longer. One of the reasons pen testers are increasingly using Macs is that the newer Macs run on the Intel platform, and can run and emulate Windows and Linux. The increasing number of tools for the Mac, and significant Mac vulnerabilities, mean that the Mac will increasingly be used and abused in the future.
Just last week, Dr. Mich Kabay wrote in Macintosh Malware Erupts that malware specifically designed for the Mac is on the rise. This is based on progressively more serious malware for the Mac since 2009, given that Apple products have been increasing their market share for laptops and workstations, but especially for tablets and phones.
The article notes that one of the reasons Mac OS X is perceived as superior to Windows is because of its appearance of having integrated security. But although the design may be sound, the operating system does not prevent people from being swayed into thinking that the malicious software they are downloading is safe. With that, Apple will have to concentrate more on security and vulnerability within their operating system.
The book ends with about 30 pages on wireless hacking. The chapter provides an overview of some of the weaknesses in Wi-Fi technology and how they can be exploited. The chapter focuses on the airmon tool, part of BackTrack, which you can use to set your wireless adapter into monitor mode to see all of the traffic traversing the wireless network.
Overall, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It is a really good reference for someone experienced in the topic who wants to improve their expertise.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Book Review: The CERT Oracle Secure Coding Standard For Java
brothke writes "It has been a decade since Oracle started their unbreakable campaign touting the security robustness of their products. Aside from the fact that unbreakable only refers to the enterprise kernel, Oracle still can have significant security flaws. Even though Java supports very strong security controls including JAAS (Java Authentication and Authorization Services), it still requires a significant effort to code Java securely. With that, The CERT Oracle Secure Coding Standard for Java is an invaluable guide that provides the reader with the strong coding guidelines and practices needed to reduce coding vulnerabilities that can lead to Java and Oracle exploits." Read on for the rest of Ben's review.
Title: The CERT Oracle Secure Coding Standard for Java
Author: Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda
Pages: 744
Publisher: Addison-Wesley Professional
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 0321803957
Summary: Definitive guide on the topic
The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.
The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.
This book provides a set of guidelines for secure programming in Java SE 6 and 7 environments. It is primarily targeted at software developers and computer security practitioners. While Java is inherently designed to be relatively secure as compared with other languages, it requires the developer to understand the security controls and language features thoroughly before he can implement them correctly. The book illustrates insecure coding practices and suggests corresponding safe alternatives to enable a developer to have an optimal blueprint.
Software developers are constantly under pressure to accommodate feature requests and have to strike a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines. At the same time they routinely tackle technical challenges and often document their experience for the benefit of others. This book is one such effort, in that several programmers and reviewers have contributed the contents. It encourages a developer to think beyond programming logic and enables him to produce clear, concise, maintainable and secure code – a mandatory requirement for today's dynamic software industry, which is plagued by a spectrum of security threats and attrition.
This book isn't for a Java beginner. The introductory chapter expects an intermediate or seasoned Java professional to identify the gamut of security vulnerabilities that frequently manifest in code and design. The chapter briefly explains injection attacks, unintended information disclosure, denial of service and issues involving concurrency and class loaders. Summary tables have been provided to assist the reader to easily locate representative secure coding rules for each category.
The examples presented primarily encompass the lang and util libraries of Java SE and also cover collections, concurrency, logging, management, reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP libraries. No particular Java platform or technology has been favored; the set of rules is generic and independent of whether a mobile, enterprise, desktop or web application is being developed.
Notably, the layout enables the practitioner to pick up any chapter or rule at random without requiring him to read the preceding pages. Each rule has a short description of a unique problem and one or more non-compliant and compliant code examples. Risk assessment and references to other coding standards along with bibliography are also provided.
Unfortunately, the suggested tips for automatic detection of described problems aren't very practical because no automated bug detection tools have been vetted. Some rules also have a related vulnerabilities section that preys on weaknesses in commonplace software in context of the described problem.
Chapter 2 focuses on input validation and data sanitization. It highlights attacks such as SQL, XML, and OS injection and XML External Entity (XXE) and suggests corresponding mitigation techniques. It mentions but doesn't elaborate on web-based attacks such as cross-site scripting and CSRF, to avoid being too domain specific. The chapter advises developers to normalize strings, canonicalize and validate path names, refrain from logging unsanitized input, use appropriate internationalization and globalization APIs, avoid string encoding misgivings and other issues.
Chapters 3, 4 and 5 deal with declarations and class initialization, expressions, and numeric operations respectively. Dangers of auto-boxing, side-effects in assertions, integer overflow, and vagaries of floating point arithmetic are discussed at length.
The examples are short, to the point and intellectually challenging for the advanced reader. For example, one rule – don't use denormalized numbers – dissects a vulnerability in Java 1.6 and earlier that allows an attacker to perform a denial of service attack by sending a crafted input to the JVM.
The book devotes a chapter to object-oriented programming and stresses limiting extensibility of classes, encapsulating data, ensuring that code refactoring doesn't result in broken class hierarchies, using generics for fun and profit and so on.
Another chapter discusses Java methods, for example, one rule suggests that subclasses mustn't increase the accessibility of an overridden method. There is some useful information about using methods of Object class properly. This information is standard advice that can also be found in other books. This book offers all that and more. For example, one rule documents a convincing and exhaustive list of reasons why you shouldn't use finalizers.
The book also highlights misconstrued exception handling practices through examples akin to the shortcuts programmers invent to save themselves from the trouble of having to handle exceptions. It explains why doing that can be insidious. Information disclosure arising from ill-conceived exception handling strategies is also discussed. Some may disagree with the advice on the pretext that exception handling, when done the right way, leads to unreadable code; however, the features presented from Java 7 convincingly offer a middle path. Further, when compliance with a certain rule is believed to be challenging and costly, the standard allows documented deviations and even lists valid exceptions for each rule.
Chapters 9, 10, 11, 12 and 13 are reserved for concurrency related issues. There are more than 30 rules in these chapters; the set could qualify as a handbook of concurrency issues and solutions. At a high level, the chapters cover visibility and atomicity, locking, thread class APIs, thread pools and thread safety in multi-threaded Java programs. The chapters don't assume that the reader has any familiarity with multi-threaded programming.
The next few chapters highlight input-output (I/O) risks such as working with shared directories, using files securely, closing resource handles properly, serialization and more. The book doesn't assume that the reader has a sophisticated background in serialization and builds from the basics. It cites examples of vulnerabilities that necessitate understanding the role of serialization.
A chapter on platform security follows, and is meant for advanced Java users. This chapter leads to another on runtime environment that cautions against signing code, granting permissions frivolously and permitting insecure deployment configurations. The final chapter captures miscellaneous rules that forbid hardcoding sensitive information, leaking memory, generating weak random numbers and writing insecure singletons among other topics.
Many other leading security standards delineate high-level measures that must be taken to ensure compliance but most fall short of prescribing the exact recipe to get there. This book fills that gap by approaching security from the ground-zero level upwards. However, it doesn't clearly specify to what extent the rules will help organizations meet the compliance goals proposed by other security standards. All the same, the eighteen crisp chapters of this book undeniably have the potential to help the software developer win the battle against software insecurity on his own terms.
For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Java is a very useful resource that no programmer should be without.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The CERT Oracle Secure Coding Standard for Java from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Keys Leaking Through the Air At RSA
NumberField writes "The RSA Conference is underway in San Francisco. A theme among the opening speakers is that the attackers are winning, and even well-funded organizations like NASDAQ can't secure their networks reliably. The show floor is lively, but dominated by the typical firewalls and 'compliance solutions.' One interesting exception is a scary side-channel analysis demo in the Cryptography Research booth using GNU Radio to capture secret keys from various smartphones from about 10 feet away. (The method is related to early computer music using AM radio interference.)"
Trick or Treatment
brothke writes "The recent collapse of financial companies occurred in part because their operations were run like a black box. For many years, alternative medicine has similarly operated in the shadows with its own set of black boxes. In Trick or Treatment: The Undeniable Facts about Alternative Medicine, Simon Singh and Edzard Ernst, MD, break open that box, and show with devastating clarity and accuracy that the box is for the most part empty." Keep reading for the rest of Ben's review.
Title: Trick or Treatment: The Undeniable Facts about Alternative Medicine
Author: Simon Singh and Edzard Ernst
Pages: 352
Publisher: W. W. Norton
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0393066616
Summary: Peels away the fallacies of acupuncture, homeopathy, chiropractic and herbal medicine
I first encountered co-author Simon Singh at the 2005 RSA Conference. In his presentation, he included a demonstration of the human brain's unique capability for pattern matching when specific patterns are expected, and used Led Zeppelin's Stairway to Heaven as an example. Stairway has long been rumored to have subliminal satanic messages. When played backwards, it is impossible to decipher any message. But when the message is known in advance, one can then hear the message imploring the listener to go to Satan's tool shed. Once Singh put the subliminal lyrics on the overhead, the subliminal message was now clear, not due to a subliminal message, but rather via pattern matching.
While no reasonable person can believe in Stairway's subliminal lyrics, far too many people do believe in equally implausible things in the realm of alternative medicine. In the book, the authors tackle four main areas: acupuncture, homeopathy, chiropractic and herbal medicine. The book's conclusion is that acupuncture, homeopathy and chiropractic are essentially worthless, while herbal medicine has limited value.
Chapter 1 starts with an overview of evidence-based medicine (EBM), of which the authors are staunch believers. EBM applies evidence gained via the scientific method and assesses the quality of the evidence relevant to the risks and benefits of the treatments. The foundation of EBM is the systematic review of evidence for particular treatments via mainly randomized controlled trials. In the chapter, the authors reiterate the concept that the plural of anecdote is not data. Acupuncture, homeopathy and chiropractic have plenty of first-person anecdotes, but a lack of controlled studies with real data to back up their spurious claims.
EBM shows that homeopathy and other bogus cures are of no value, yet the public is oblivious to those facts. In a piece I wrote on this topic, "New York News Radio: The voice of bad science", I show that cheap radio advertising (with its mishmash of pseudo-scientific claims) combined with a public that is ignorant of basic scientific facts creates a perfect storm for the continuation of homeopathy and other bogus cures.
A recurring theme the book stresses is that acupuncture, homeopathy, chiropractic and other alternative therapies are scientifically impossible, and often violate fundamental scientific principles. A perfect example of this implausibility is homeopathy. Contrary to common sense and basic science, in homeopathy a solution that is more diluted is considered stronger and as having a higher potency. The issue is that the end result is a product that is so diluted that its content, when in solid form, is pure sugar, and when in liquid form, 100% H2O. When a homeopathic liquid is in its most diluted state, there is not a single molecule of the active ingredient. Therein lies the scientific implausibility of homeopathy.
Chapter 1 also asks one of the book's fundamental questions: how do you determine the truth? The authors answer that it is via the scientific method. This is determined only after strict and careful analysis of a clinical study, of which the most effective is double-blind and randomized.
In chapter 3, the book jokingly notes that since homeopathic liquid remedies are so diluted that they contain only water, their only use would be for dehydration. And since homeopathy is based on the idea that the strength of a remedy is based on its dilution, one could conceivably overdose on a homeopathic remedy by forgetting to take a dose.
The chapter concludes with perhaps the strongest indictment against homeopathy, namely its content. If one looks at the content of oscillococcinum, a homeopathic alternative marketed to relieve influenza-like symptoms, the packaging states that each gram of medication contains 0.85 grams of sucrose and 0.15 grams of lactose. Sucrose and lactose are simply forms of sugar, so oscillococcinum is nothing more than an expensive sugar pill.
In chapter 4, the authors write that while homeopathy is nothing more than a placebo, the added danger with it is that patients will often forgo real medications to take a homeopathic one. It reports on a study in Britain which demonstrated that the most benign alternative medicine can become dangerous if the therapist who administers it advises a patient not to follow an effective conventional medical treatment. The study demonstrated that alternative medical practitioners often recommend homeopathic remedies for malaria, and ignore proven conventional medicines. Such an approach can often mean a death sentence for the person taking the homeopathic remedy.
Chapter 5 deals with herbal medicine. The chapter is somewhat different in that, while the previous chapters about acupuncture, homeopathy and chiropractic showed them to be useless, herbal medicine does have value. The book notes that herbal medicine has been embraced by science to a far greater extent than acupuncture, homeopathy and chiropractic. The chapter lists over 30 herbal medicines and their levels of efficacy. An irony of herbal medicine is that some exotic ones, such as those with tiger bone or rhino horn, are pushing the species to the brink of extinction, due to their level of popularity in certain parts of the world.
Chapter 5 concludes by asking why smart people believe such odd things. Alternative medicine has failed to deliver the health benefits that it claims, so why are millions of patients wasting their money and risking their lives by turning towards a snake-oil industry? The authors provide numerous reasons for this, from concepts such as natural, traditional and holistic, to attacks on the scientific method by the alternative medical community and more.
The appendix is a rapid guide to alternative therapies and lists over 30 new treatments with their benefits and potential dangers. The appendix gives single-page summaries of the plethora of other alternative therapies, from ear candles, colonic irrigation and reiki to leech therapy and more. The authors write that most of these are bogus, many violate fundamental laws of science, and only a few have real, but limited, value.
Alternative medicine operates in the shadows, blithely touting that their products have not been evaluated by the Food and Drug Administration, and that they are not intended to diagnose, treat, cure or prevent any disease. While these products are not intended to diagnose, treat, cure or prevent any disease, consumers nonetheless spend billions of dollars per year on unproven supplements. Consumers can be quite fickle. On one side they are furious at the SEC for their lack of oversight around Madoff Investments Securities. Yet when the FDA requires products to carry a disclaimer about how ineffective the item is, consumers will throw billions of dollars at ineffective products.
Trick or Treatment: The Undeniable Facts about Alternative Medicine is an incredibly important and eye-opening book. While Singh is a physicist and Ernst a medical doctor, the book is written in a clear and compelling style, avoids technical jargon, and sticks to the facts. In the spirit of the scientific method, the authors scrutinize alternative and complementary cures and the results show that the snake oil is still selling.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Trick or Treatment: The Undeniable Facts about Alternative Medicine from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Hackers in the Henhouse
strucker writes "A good story on SecurityFocus from the RSA Conference. Kevin Mitnick debated his former prosecutor, DOJ attorney Christopher Painter, on whether ex-hackers could be trusted as computer security professionals. Mitnick says hackers bring special skills to the job, while Painter says a criminal is a criminal."