Having someone chop off my finger so they can fake an ATM into thinking it's me is a Bad Idea (tm)
Actually something similar has happened in a prison that used biometrics for their new high-tech electronic locks. During the riot the prisoners attempted to remove the guard's hand or fingers, so they could open the lock.
See the RISKS digest archive for the story.
32 Kbytes of EEPROM storage
EEPROM -- Electronically Erasable Programmable Read Only Memory
This means that the smarter slashdot geeks can sell $2 worth of parts to let people update their passport photos.
Excellent.
The 9/11 attackers had real US passports, some obtained legally, others obtained via out-of-band means such as murder and bribery.
So these lovely smartcard-based passports will only provide better tracking of lawful citizens, while criminals and terrorists are still free to walk amongst us.
It is a secure way of verifying a person's identity.
Wrong. Security professionals have thousands of years of experience auditing and detecting false / fake / modified documents, and less than 20 years of serious computer forensics.
Please name one digital security system that has not been hacked / bypassed / cracked or otherwise just plain abused?
PGP? The FBI installed a keyboard logger under a search warrant.
RSA and DES? They are algorithms, not security systems. Never mind Deep Crack circa 1997 (DES key recovery via a single multiprocessor machine), and various public key factoring attempts since about 1995 (of RSA keys).
XBOX? See Hacking the Xbox by bunnie.
PS2? Look at the mod chips available online.
Verisign CA? Remember the fake Microsoft cert that was issued by a human screw-up at Verisign.
Thawte CA? Other abuses in that regard.
Windows 2003 Server, the first of MSFT's Trusted Computing influenced OSes? It had its first security flaw announced recently.
It is really hard to condemn a case like this, where a man has been brought to justice as a result.
Unfortunately law enforcement agencies are under increasing pressure to close cases, rather than prevent future crimes and enforce justice by bringing criminals to court.
This is why we have seen massive abuse of illegal wiretaps, to the point that there were likely as many illegal wiretaps in the USA as legal ones in some years.
Have you not seen the abuse and tampering of evidence to help "prove" cases where evidence is lacking? DNA is excellent for this, and has been suggested in numerous fictional stories. I am not certain how many actual cases of DNA evidence tampering have been found, but I suspect it happens.
Granted, you can use the readers with "glitching" circuitry to program normal legal cards, but it's hard to argue that a device with special circuitry to bypass tamper resistance is for any other purpose than the illegal one, when for much cheaper you can get a normal writer that will achieve the legal results.
Other than actually testing vendor claims that their smartcard products are not vulnerable to glitching and other well known attacks (see Cryptography Research).
I own a smartcard reader/programmer (most devices are both readers and programmers; it's just a serial interface to a "chip card" aka smartcard) made by Schlumberger, and the SmartCard Developer's Kit from Amazon, which I bought to play with smartcard support for Linux.
So am I going to get a letter from DirectTV?
My development life was heavily influenced by my first job, as an in-house IS programmer, where we had deadlines but no money value attached to these deadlines, although some were legal reporting requirements (i.e. taxes, census). Much of the work I did was to modify or update old code written by some anonymous previous employee. By dealing with the maintenance of code that ranged from a year old to older than me, I learnt the importance of maintainable code and started to take a longer term view of the software development process. Software doesn't stop at version 1.0; it is only really getting started.
Since then I have had to untangle and update or maintain evil old code, from things like "never more than 1000 freshman students entering", to "nobody will sniff the network", and hundreds of similar assumptions that were no longer valid. I am leery of "Quick and Dirty" because these hacks can often outlive their expected life and will need maintenance, yet these programs are expensive to maintain because of numerous bad assumptions, numerous bugs, and lack of documentation and structure.
I feel sorry for the submitter; he (or she) looks to be in a lose-lose situation. Either he produces bad code, which has bad assumptions and causes grief in the future, perhaps not to himself but to whoever is responsible for support, or he writes the software correctly, misses the deadline and risks his job. It seems that if Quick and Dirty isn't "successful" you also risk your job, and if "Correct and Proper" isn't successful you risk your job. Solution? Perhaps find a more reasonable place to work. If you cannot make your current job a more reasonable place, with more honest and realistic expectations, look elsewhere. Working in that sort of lose-lose environment will not do your mental health any good in the long term, and the company or department will likely suffer in the long term anyhow when it repeatedly fails to meet basic expectations of their customers, like producing a working product.
uses a proprietary encryption scheme
translated:
Some crappy, broken scheme baked up by programmers not professional cryptographers.
I'm glad it is not my venture capital money backing this broken puppy.
Sigh. The Snake Oil FAQ or the Crypto mini FAQ and various Crypto-Gram issues will remind you: proprietary encryption is very bad.
I am tired of the debate of whether to hassle Gorman.
Why isn't anyone stepping up to complain about the lies and misinformation of building and being sold a resilient internet? I mean, that was a goal of the original ARPAnet; we know how to do it. I've been told by all the big name backbones that they offer high reliability, resilient networking, which appears to be a lie about their product.
I want the real problem fixed: fix the networking! Build a truly resilient network backbone.
Yes, it's probably a security threat.
The disclosure that a threat exists is not in itself a threat, it is the first step in reducing the vulnerability.
Why do people want to attack the messenger, and not the companies and government departments who built an unreliable critical national infrastructure? An infrastructure that uses technologies that make it fairly easy, albeit more expensive, to build highly redundant internetworking.
Why not stop pretending there is no problem, and start to fix the problem? Perhaps there are too many lies from the telecom "boom" that would be exposed.
the killer feature that hasn't emerged is a single, high speed, world-wide data standard.
You mean 3G aka 3GPP or UMTS.
Except it has been subverted by business interests and stakes such as W-CDMA and CDMA2000, and patents held by Qualcomm.
Cell phones use licensed spectrum, controlled by companies.
Spectrum is controlled and licensed by government agencies: in the US, the Wireless Telecommunications Bureau of the FCC; in Canada, Industry Canada; and in the UK, the Radiocommunications Agency of the Department of Trade and Industry.
The licensing comes from a tradition of making spectrum organized to prevent interference.
Anyone who tries to use WiFi in a densely populated area, especially over a large area (e.g. linking various sites in the same city), can tell you interference can be a problem within the license-free (aka license-exempt) frequency ranges.
You are too critical of the Linux end, I think. You belittle its capabilities.
I did not mean to belittle Linux or X11 / XFree86. I was trying to explain why Win4Lnx is not as fast as native Windows running 3D applications (aka high graphic bandwidth apps like games).
"network aware"
Grumble, I regret mentioning that now, but I was trying to stress that X11 is not focused on 3D display, nor is it simply fast access to the video card's framebuffers. X11 is a rich and complex display protocol, including support for things like networking, which you don't find in DirectX, Direct3D, or OpenGL for Windows.
X uses shared memory for local work, and has done so for years and years.
Shared memory or UNIX sockets (as in not tcp/ip sockets)?
I assume you mean SysV IPC or similar by shared memory.
get some 3D going, which is why I _really_ want Windows at this point. What's stopping them from doing this?
Direct access to the hardware via highly optimized video drivers and specific graphics libraries is very hard to virtualize with a level of performance that matches "native" Windows running directly on the hardware.
First we have the simple fact that by running via Win4Lnx you have an additional layer that does message parsing and translation (from various Windows APIs, including the DirectX graphics API) to a native XFree86/Linux function call, which then has to go through a network-aware display system, and gets painted on your display using a video card driver not written in-house by the card manufacturer, but by a 3rd-party free software developer, who likely had less than full, to possibly no, vendor documentation about the card and how to make full and optimized use of its capabilities.
So I doubt you will ever see a solution that provides full performance supporting the then-current gaming graphics capabilities via a virtualizer (which creates an additional virtual machine using special CPU instructions, rather than an emulator that emulates everything in software), because they are always playing catch-up, and they add unavoidable additional layers of translation that negatively impact execution speed compared to a natively running OS.
Ross Anderson, professor at Cambridge University, has some work on this, including Programming Satan's Computer (PDF), which looks at cryptographic protocols being attacked by being deployed on a hostile system, such as satellite TV decoders, which rely on smartcards that are in the possession of the attacker / customer.
The Tamper Lab is pretty impressive too.
Making your system reliable in the presence of a hostile attacker or on a hostile system is very hard, well, nearly impossible.
Thanks for more specific details on frequencies. I didn't get into VHF television on purpose, and I think it would be a real fight to reallocate that portion of the spectrum.
You wouldn't be dealing with "little guys" (in TV broadcast terms) like FOX and CHUM (both started on UHF AFAIK) but the powerhouse stations like ABC, NBC, and CBC....
UHF broadcast is "effectively limited" to line of sight, but you are right, for interference planning, licenses need to consider additional propagation. I mean mass-media broadcast, not hit-or-miss TV DX'ing.
Digital TV (as in DTV right?) does not go from "picture perfect" to nothing at all. You can get nice blocking effects from the FFT processing of bad data. Yeah, my video processing knowledge is very limited...
Cheers.
Grumble, here is a graphical chart (in PDF) from Industry Canada.
My point was so people can see the many users of various frequency allocations, and to compare the bandwidth available.
I believe a single broadcast TV channel is about 4 MHz wide, whereas the entire broadcast AM allocation is 1.5 MHz wide.
Look at this chart from the FCC Radio Spectrum page.
UHF would be great for wireless internet, especially in rural areas. The "wave" would be able to travel farther than it does using 2.4 GHz or 5.8 GHz technology.
Off-hand I know that UHF TV (approx. 440MHz I believe) is usually city wide in coverage, but remember analog TV is far more accepting of data errors (no error correction, no retransmissions) than digital data needs to be.
Also UHF TV still follows the one-directional broadcast methodology. That means one powerful transmitter (~10-100 kW I think) and an antenna at one high location, e.g. a hilltop.
For wireless networking, you need bidirectional transmission, longer antennas (17 cm versus 3 mm if I have my math right), and because the signals transmit further you need frequency coordination (i.e. licensing) from the FCC to prevent interference if you also want a higher power station, over 100 milliwatts.
IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.
Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is not a very technical book, written at a level suitable for an IT manager. This is also useful to help explain risks, vulnerabilities, and failures to IT Management.
The ever-so-ugly-covered Hacking Exposed explains the basics of what criminals (or attackers) commonly do to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques used to gain illicit access.
For online resources, RISKS digest (not focused on malicious activities, but on how systems fail; very insightful and low volume), and Bugtraq, a full disclosure mailing list, will show you recent exploits and vuln notices, but it is fairly lacking in actual educational content, and there are several other mailing lists at SecurityFocus that could also be useful for developing professional paranoia.
Next you need the language and basics of information/computer security. For this, try textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.
For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.
From these basics (the right mindset, the common language of infosec, and procedures and policy) you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).
For networking basics, a Cisco certification like CCNA could be useful in providing knowledge about internetworking and Cisco routers' IOS. For the gory details of TCP/IP, either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles, Protocols, and Architecture, 4th edition by Douglas Comer.
For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.
I am not sure what to recommend for VPNs, other than you need to know about IPsec.
I suspect the most common use of this is not attempts at bypassing poorly thought out security. I hope MSFT programmers are not hiding passwords in .NET classes. The most common usage will be "tweaks" and such that will be dependent on a specific .NET framework version/release.
By delving into the private classes, you might be able to get speedups on a specific (or common) platform, say MSFT's .NET framework version 1.0 for Windows 2000/XP, but come the next release these tweaks are likely to break. That's why private members of classes are private: they are not part of the documented API.
Not unlike the time they were warned by the courts against marketing vapourware. From the pre-Slashdot era.
Competitors found MSFT spending nearly as much on advertising not-yet-ready products as when they were released (pre-Win95 actual release hype).
In the UK, where publicly and privately owned CCTV cameras are everywhere already, reports into how well they work indicate that camera operators are likely to target just young males of visible minorities and engage in voyeurism of attractive women.
I don't have the link, but there was a good article in the NY Times I think about this, around 2001.
Some Camera to Watch Over You is a related Wired article.