Information that we reveal

Bruce Schneier blogs on the possibility of a public tweet leading to a burglary. This got me to write down some thoughts that I have had for quite some time regarding home Wi-Fi networks:

While a simple curtain can keep the nosy neighbor in the dark, Wi-Fi cannot be “curtained”. If our access point is not on all the time, the neighbor knows when we are on the Net. It is easy to know this even when the AP is always on, since it is the activity that matters. Hell, they can even be patient enough to crack our keys and look around. And it is quite possible that a burglar knows when we are at home or on vacation simply by observing whether the AP is on or active, based on the usage pattern that we create.

[ Update: The post’s point is that wireless devices inside the house reveal habits of ours to the neighborhood that we *think* are not since we have drawn the curtains. Plus, stuff like WPA protects us from the passer-by and not from the nosy neighbor. ]

Oh well, I guess I cannot be paranoid enough, right?

pf tricks

OpenBSD Journal reports that pf is enabled by default on OpenBSD from now on (with the exception of incoming X11 traffic). I take the opportunity to share some minor tricks that I use with pf on my BSD systems (servers mostly):

Regardless of the default policy, which may or may not vary across the BSD operating systems that support pf, I always keep a pf.conf.block and a pf.conf.pass handy, just in case I need to switch to one of the two defaults for debugging:

* pf.conf.block:

block all

* pf.conf.pass:

pass all

On machines that run OpenVPN it happens that pf is enabled and its rules are loaded before OpenVPN is started (and its virtual interface created). So if your pf.conf has rules for a non-existent interface, loading it fails, leaving your machine’s pf in a state that you clearly do not want. In those cases I boot the machine with a very simple policy and load the intended policy (written in /etc/pf.conf.local) later from /etc/rc.local by issuing the command:

pfctl -Fall -f /etc/pf.conf.local

And the simple policy contents of /etc/pf.conf are:

# boot-time /etc/pf.conf: the machine itself may talk, nothing is forwarded
table <machine> const { self }
block all
# in pf grammar "all" and "from"/"to" are mutually exclusive, so the host
# rules use "to"/"from" alone; the last matching rule wins, so these two
# override "block all" for traffic to and from the machine's own addresses
pass to <machine>
pass from <machine>

The above policy allows any kind of traffic to and from the machine itself, but forwards no traffic between interfaces. It can be modified depending on the services the machine starts (if any), and it is used only at boot time. YMMV.
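The rc.local step above has a failure mode worth guarding against: pfctl processes -F before -f, so “pfctl -Fall -f /etc/pf.conf.local” first empties the ruleset and, if the file then fails to parse, leaves pf with no rules at all, and pf with no rules passes everything. The script below is an added example, not the author’s rc.local: it waits for the OpenVPN interface to appear, dry-runs the parse with “pfctl -n”, and only then replaces the ruleset (a plain “pfctl -f” swaps rulesets atomically and keeps the boot-time policy on error). The interface name tun0, the retry count and the PF_CONF_LOCAL variable are assumptions.

```shell
#!/bin/sh
# Added example (not the author's rc.local): load the real pf policy from
# rc.local only once the OpenVPN interface exists and only if the ruleset
# parses. Interface name, retry count and PF_CONF_LOCAL are assumptions.

PF_CONF_LOCAL=${PF_CONF_LOCAL:-/etc/pf.conf.local}

# wait_for_iface NAME [TRIES]: poll once per second until ifconfig(8)
# can see the interface; return 1 if it never appears.
wait_for_iface() {
    iface=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        if ifconfig "$iface" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# load_policy FILE: parse first with "pfctl -n" (nothing is changed), then
# replace the ruleset. "pfctl -f" swaps rulesets atomically, so a file that
# fails to parse leaves the boot-time policy in place, unlike "-Fall -f",
# which flushes first and on a parse error leaves pf with no rules.
# State is flushed afterwards so connections admitted under the boot-time
# policy are re-evaluated against the real one.
load_policy() {
    file=$1
    if ! pfctl -nf "$file" >/dev/null 2>&1; then
        echo "pf: $file does not parse, keeping boot-time policy" >&2
        return 1
    fi
    pfctl -f "$file" && pfctl -F states
}

# pf_rc_local [IFACE] [TRIES]: the single call /etc/rc.local would make.
# Returns 0 on success, 2 if the interface never came up, 1 on parse error.
pf_rc_local() {
    if ! wait_for_iface "${1:-tun0}" "${2:-30}"; then
        echo "pf: ${1:-tun0} never came up, keeping boot-time policy" >&2
        return 2
    fi
    load_policy "$PF_CONF_LOCAL"
}
```

In rc.local the whole thing reduces to “pf_rc_local tun0”; whichever branch fails, the machine stays under the boot-time policy rather than under no policy.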

Bureaucracies and information flow

Interesting quote from a security presentation that I attended recently:

“Bureaucracies depend on information flow to maintain function. Change the information flow and you can predict function”

I miss the days when hacking/cracking was about ownage and defacement. It has now evolved into a strategic capability, which makes things far more difficult for the defenders.

wash your hands

Bear with me, this is actually a computer security post. In Parentonomics, Joshua Gans cites an Australian study according to which doctors believed they washed their hands after going to the toilet 73% of the time. Close monitoring, however, revealed that this happened only 9% of the time. This in a pediatric intensive care unit!

This is a simple requirement: Wash your hands when leaving the toilet! One would expect that medical professionals, of all people, would follow it and not believe that they follow it.

So if the most simple measure, and one instructed to them from a very young age, cannot be followed through, how on earth are we supposed to make people read, understand and actually follow any security policy? How much simpler than wash your hands does it have to be?

Recently I heard the argument that “I do not mind using cracks and pirated software*, since I trust the source”. Oh really? I am sure they [the source] wash their hands every time too…

In the case of hospitals the problem was solved using a kind of public embarrassment (screen savers with the names of doctors with no clean hands). Or, as Gans puts it, “Data plus shame equals trust”. However, I am sure that no legal framework can allow for the public embarrassment of any computer user. Nor does any administrator wish to make more enemies among their users than they already have.


[*] – Using cracked versions of software when the price is not right is not the way to go. If you want to punish the vendor quit using their product and stop advertising it by using it.

Your name?

Question:

– How exactly does registering prepaid mobile phones under their owners’ names enhance the security of the citizen?

Answer: It does not. Those who propose it may think it does, but that is not what happens. In reality such a measure is simply a cheap publicity stunt. For how else can one describe something that makes a medium harder to use for the law-abiding citizen and not for the criminal? The kind of criminal that such a measure targets has a (relatively) unlimited budget and in the end is not constrained; they simply evolve their methods.

And to continue the argument of Ntropalos (Ντροπαλός) on the hypothetical question “Would you mind giving your name if you had a prepaid mobile?”, the answer is:

Of course I mind:

“As governments widen their definitions of just who is a potential threat it makes increasing sense for citizens engaged in previous innocuous activities (especially political and financial privacy) to protect their data from being useful if seized.” (Steve Shear)

I also mind anything that causes a waste of time, money, infrastructure and manpower.

Do your homework. Even looking at it realistically, setting aside the spectacular side of the matter, two professional escape artists left the prison; the whole prison did not empty out. Decisions that affect the general population are not made on account of two people.

“Patch! Patch! Patch!”

In 2001, as part of the IT Security Conference (which later evolved into Cyprus InfoSec), Richard Cross gave the best presentation.

I do not remember the title or the content, but anyone who saw it will surely tell you the same: it was the best presentation, because it had one message and everyone, absolutely everyone, remembers it well:

Remember people; Patch! Patch! Patch!

I do not remember how many times he said it. He said it often enough, and vividly enough, that right afterwards anyone who went to talk to him did not say “Hi!”; they said “Patch! Patch! Patch!”.

Later he told me:

I have realised that if you want something you say to stick, you have to say it three times.

One word; two lessons.

(Continuing from the previous post)

nmap book

This landed today at nmap-hackers: Fyodor finished “Nmap network scanning” and it is shipping. From the book’s abstract:

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap’s original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

16 – game over

Someone once decided that a man is fit to carry a gun in order to do his job.

Now a child is dead.

Tomorrow it will be our own children.

Babakis (Μπαμπάκης) asks why we still stay here. We will not leave our city. We will not leave our country. They will leave.

Night.

The New School of Information Security

I just finished reading “The New School of Information Security”, written by Adam Shostack and Andrew Stewart. Reader of this blog thanasisk and I disagree on the value of the book. He considers it overrated, while I say that it is simply different.

I read this book on the bus (while going to work and returning from it). First of all, it is not a book. I would call it a long paper (160 pages). Second, every two or three pages the message of the book repeats itself: we need objective data. If one wants to summarize “The New School” in two bullets, these would be:

  • We need objective data, so let’s start sharing data and not wait for others to share first.
  • Amateurs study Cryptography; Professionals study Economics.

Actually the second bullet is the title of chapter 6. People forget that cryptographers study cryptography. We apply it!

So does this book bring any new knowledge to the table? It depends on who you are. For me, having passed through a variety of information security outposts (from security-oriented system administration, to running an emergency response team, to passing the CISA exam, among others), the book does not offer any new knowledge. It clearly points out the “generalist versus specialist” debate (if you read sage-members, such threads occur sometimes) and pushes the reader to think outside of his domain of expertise.

Information Security is always a lot more than what you deal with. So what did I get by reading the book?

So is this book overrated? Well, if you have the experience that thanasisk carries, you can live without reading it. Is it different? Since it is a 160-page paper (manifesto, if you like), of course. Is it readable? Yes! Should you read it? If you are an eager mind dealing with system administration or information security (at any level, from junior to senior), definitely yes! It will always remind you that Information Security is a whole lot more than what you think it is, deal with or are interested in. For it certainly is not only writing policies, running a vulnerability scanner or finding that next buffer overflow that will give you root access.

For me the most powerful statement of the book remains the title of chapter 6:

Amateurs study Cryptography; Professionals study Economics.

PS: Adam Shostack blogs interesting stuff over at Emergent Chaos.