Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
ToorCon Seattle 2008 - Day 2 Review
April 19, 2008
I left the Last Supper Club (the venue in Seattle’s Pioneer Square area for today’s talks) a bit early, but not before catching some great talks. Two in particular were memorable today:
First, Dan Kaminsky discussed how some ISPs, such as Earthlink, are replacing DNS responses for non-existent sub-domains with pointers to ad hosts. For example, www.jwsecure.com exists. But evil.jwsecure.com doesn’t (at least, not yet …).
So what if someone is out there surfing the web, using Earthlink as their ISP, and they request evil.jwsecure.com? They should get an NXDOMAIN (no such host) response. But instead, they get pay-per-click ads.
Well, that’s a problem, because the ISP doesn’t own the parent domain, jwsecure.com. And its owner isn’t benefitting from those ads. And furthermore, isn’t the ISP misrepresenting the owner of the parent domain? It’s an aspect of net neutrality that I hadn’t been aware of.
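The check a practitioner would run against their own resolver, as an added example (not code from the original post): ask for a random label under a real parent domain and look at what comes back. A resolver that answers honestly returns RCODE 3 (NXDOMAIN); one that is rewriting returns NOERROR with an A record for the ad host. The message builder and parser follow RFC 1035. The resolver address, the parent domain, the constructed responses and the ad-host address 192.0.2.10 used in the demo are assumptions chosen for this example.

```python
"""Detect NXDOMAIN rewriting (added example, not from the original post).

Query a random label under a real parent domain. An honest resolver returns
RCODE 3 (NXDOMAIN); a rewriting one returns NOERROR plus an A record for its
ad host. Wire format per RFC 1035; the demo responses are built in-process.
"""
import random
import socket
import string
import struct

QTYPE_A, QCLASS_IN, RCODE_NXDOMAIN = 1, 1, 3


def encode_name(name):
    """'evil.jwsecure.com' -> b'\\x04evil\\x08jwsecure\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid):
    """Recursive A query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def skip_name(msg, pos):
    """Offset just past a domain name, plain or ending in a compression pointer."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n


def parse_response(msg):
    """(txid, rcode, [A-record addresses]) from a raw response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4            # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return txid, flags & 0x0F, addrs


def classify(query_txid, response):
    """Label the answer to a query for a name that should not exist."""
    txid, rcode, addrs = parse_response(response)
    if txid != query_txid:
        return "mismatched-txid"
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == 0 and addrs:
        return "rewritten:" + ",".join(addrs)
    return "rcode-%d" % rcode


def probe(resolver_ip, parent_domain, tries=3, timeout=2.0):
    """Live check against one resolver (uses the network; not part of the offline demo)."""
    rng = random.SystemRandom()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    results = []
    try:
        for _ in range(tries):
            txid = rng.randrange(1 << 16)
            label = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
            name = label + "." + parent_domain
            sock.sendto(build_query(name, txid), (resolver_ip, 53))
            data, _ = sock.recvfrom(512)
            results.append((name, classify(txid, data)))
    finally:
        sock.close()
    return results


def build_response(query, rcode, addrs, ttl=300):
    """Constructed reply for the demo: echoes the question and adds one A record
    per address, each naming its owner via a pointer (0xC00C) to the question."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                       + socket.inet_aton(ip) for ip in addrs)
    return header + query[12:] + answers
```

probe("192.0.2.53", "jwsecure.com") runs the live check (the resolver address is a placeholder). One caveat: a wildcard record in the parent zone also answers random labels with NOERROR, so compare the result against the zone's authoritative servers, or a resolver you trust, before concluding that the ISP is rewriting.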
The second cool talk this morning was given by a former colleague of mine, Dan Shumow, on the possibility of a backdoor in a published NIST elliptic-curve-based pseudo-random number generator (Dual_EC_DRBG, from NIST SP 800-90). The brouhaha is actually not new (see http://www.realtime-websecurity.com/articles_and_analysis/2007/11/backdoor_in_new_encryption_sta.html), although I certainly benefitted from a live explanation.
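The concern Shumow raised is the relationship between the generator's two published curve points, P and Q. The following toy re-implementation is an added example, not code from the talk or from the standard: the curve (y^2 = x^3 + x + 7 over GF(10007)), the points, the 12-bit output width and the trapdoor value are parameters chosen here so it runs in a second, and they are not the P-256 constants. It keeps the structure that matters: the state advances as s' = x(s*P), the output is x(s'*Q) with its top bits dropped, and anyone who knows e with P = e*Q can turn one output into the next internal state.

```python
"""Toy Dual EC DRBG with the Shumow/Ferguson trapdoor (added example).

Same structure as Dual_EC_DRBG: state s -> s' = x(s*P), output r = x(s'*Q)
with the top bits dropped. Curve, points, output width and the trapdoor
value are toy parameters chosen here, not the NIST P-256 constants.
"""
# y^2 = x^3 + a*x + b over GF(p); p is prime with p % 4 == 3, so square
# roots are rhs^((p+1)/4) and no Tonelli-Shanks is needed.
p, a, b = 10007, 1, 7
OUT_BITS = 12                  # p < 2**14, so the top 2 of 14 bits are dropped
MASK = (1 << OUT_BITS) - 1


def add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    if pt is None:
        raise ValueError("hit the point at infinity; choose another toy seed")
    return pt[0]


def lift_x(x):
    """Both curve points with this x-coordinate, or [] if there are none."""
    rhs = (x * x * x + a * x + b) % p
    if rhs == 0 or pow(rhs, (p - 1) // 2, p) != 1:
        return []
    y = pow(rhs, (p + 1) // 4, p)
    return [(x, y), (x, p - y)]


def find_point(x):
    while not lift_x(x):
        x += 1
    return lift_x(x)[0]


def step(s, P):
    return xcoord(mul(s, P))


def output(s, Q):
    return xcoord(mul(s, Q)) & MASK


class ToyDualEC:
    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed % p, P, Q

    def next_output(self):
        self.s = step(self.s, self.P)
        return output(self.s, self.Q)


def predict(s, P, Q, n):
    """The n outputs that follow from internal state s."""
    outs = []
    for _ in range(n):
        s = step(s, P)
        outs.append(output(s, Q))
    return outs


def recover_state(outputs, e, P, Q):
    """Trapdoor attack. From outputs[0] and e with P == e*Q, find the state
    that produced outputs[1]; outputs[2:] confirm the candidate."""
    for hi in range((p >> OUT_BITS) + 1):       # guess the dropped top bits
        x = (hi << OUT_BITS) | outputs[0]
        if x >= p:
            break
        for R in lift_x(x):                     # R = +/- s1*Q
            cand = mul(e, R)                    # e*R = s1*(e*Q) = s1*P, whose x is s2
            if cand is None:
                continue
            s2 = cand[0]
            if output(s2, Q) == outputs[1] and predict(s2, P, Q, len(outputs) - 2) == outputs[2:]:
                return s2
    return None


# The "standard" publishes P and Q; E_SECRET is the trapdoor used to build P.
Q = find_point(5)
E_SECRET = 7919
P = mul(E_SECRET, Q)
```

Calling ToyDualEC(4242, P, Q).next_output() three times and feeding those outputs to recover_state(outputs, E_SECRET, P, Q) returns the state behind the second output, and predict on that state reproduces the third output and everything the generator emits after it. In the real DRBG 16 bits are dropped from a 256-bit coordinate, so the attacker tries 2^16 candidates instead of three; the work is otherwise the same. Nothing here says that such an e exists for the published points; the point of the talk is that nobody outside the party that chose Q can rule it out.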
What was even more interesting about Shumow’s talk was the reaction among some of the ToorCon crowd when he raised the point mentioned toward the end of the article linked above. Namely, that there is suspicion among the academic community about why the NSA would, via NIST, publish an algorithm with such an obvious flaw. That point was amplified by Bruce Schneier (quoted in that article).
In effect, Shumow asked the ToorCon audience, “Is the NSA slipping?” I could not have been more surprised at the strongly voiced reply, which was, in effect, “No way, the NSA is always 10 steps ahead when it comes to cryptography.” In other words, the NSA is infallible when it comes to information security, so this must be a fully intentional part of their master plan.
I’m not sure why that response struck me so. It’s partly because the debate is essentially “malicious intent” versus “just plain incompetence”. Pretty silly, when you step back and think about it.
But it’s more than that. After all, man is fallible, and the cryptographers at the NSA put their pants on one leg at a time, just like the rest of us. Just because you have a giant budget doesn’t mean you’re never wrong.
On one hand, you should never underestimate an adversary. On the other hand, some members of the hacker underground have either decided that their adversary is unbeatable, or that it’s no longer an adversary. Equally shocking in either case.
The first day of ToorCon Seattle 2008 was held at the so-called “Public N3rd Area” on East Marginal Way in south Seattle. BFE, in other words. I was planning on taking a cab home, before I realized that that would have been hopeless. Thank goodness I found a ride.
It’s a cool venue, though, and the 5-minute lightning talks last night were very entertaining. Two were particularly memorable:
Travis Goodspeed, who also did a cool talk last Fall at ToorCon in San Diego, discussed reverse engineering a traffic-light control box. Excellent hacker con material. See http://seattle.toorcon.org/2008/conference.php?id=29, as well as http://travis.frob.us/projects/asc3/.
Dean Pierce presented a network visualization tool. It’s like if nmap could draw a pretty little graph for you. Very nice! See http://seattle.toorcon.org/2008/conference.php?id=39 and http://code.google.com/p/seedsofcontempt/.
Mainstreaming Tor
April 18, 2008
Calling all Windows and Visual Studio hackers, especially those who have privacy concerns about the web, and particularly those who think that citizens of repressive regimes should have unfiltered access to knowledge!
(More context can be found here - http://seattle.toorcon.org/2008/conference.php?id=20, and here - http://www.torproject.org/.)
The Tor project needs your help in creating a port based on the standard Windows build tools, such as Visual Studio, followed by an easy-to-use package for novice every-day Windows users. More:
- http://www.torproject.org/volunteer.html.en
- http://www.torproject.org/svn/trunk/doc/TODO
- http://www.torproject.org/svn/trunk/doc/HACKING
- http://www.torproject.org/svn/trunk/doc/design-paper/roadmap-future.pdf
Kudos to Dell tech support
April 16, 2008
Our Small Business Server machine crashed two nights ago. That’s the least fun I’ve had in several weeks.
There’s been so much activity after RSA that losing the server just about drove me to drink. So I wasn’t thinking clearly about the best way to recover from the crash. Finally, I figured that I should just call Dell, play sort of dumb, and ask them what to do.
Well, as painful as the overall experience of recovering a mission-critical server tends to be, calling Dell was definitely the right thing to do. First, I was connected to the tech support guy within a minute of dialing, which I consider to be amazing these days. Next, he quickly decoded the status lights on the front of the machine, determined it to be a memory failure, and walked me through checking all of the RAM. We identified one bad stick (for which Dell is sending me a replacement overnight at no cost).
Total time spent on the phone, including testing all four RAM sticks: less than 30 minutes, at which point the machine was back up and running again, since the bad RAM had been removed.
My only minor complaint? Before I was routed to the real tech support, some dispatcher guy came on to ask me about my service tag number. I asked if that’s the same as the serial number, which was the only thing I could find, and had written down. He didn’t know if that was sufficient, and he went quiet for a bit. Anyway, that guy could definitely be replaced with a touch-tone entry system, based on the model number, for example, which is what I ended up giving him. The call would have been even faster if I’d just gone straight to the real support guy.
One more comment: I’m 99% certain that this was not an offshore call center (although the first guy might have been offshore). I’m merely making an observation, but I was pleasantly surprised by it.
“Confessions of an Economic Hit Man” Confessions
April 12, 2008
This book - “Confessions of an Economic Hit Man” - written by a wealthy retired consultant, is notable in that it is decidedly anti-globalization, in contrast to most of the business-related bestseller fare of the past few years. I can’t decide whether the book actually goes so far as being anti-capitalist. Or maybe I’m just in denial about finishing a book that’s that hypocritical.
Anyway, having read it, quoting Usher, these are my confessions:
My first reaction was that I wanted to become an economic hit man. I mean, as the author himself observed, it’s a lot like being James Bond. Except much safer and you get paid more.
It should be obvious even to those who haven’t read the book that it’s not intended to have that effect. However, there’s a subtext throughout that, even though the author claims remorse now, he reveled in the power and prestige attached to many of his roles along the way, including those he filled even after having left his “hit man” job. And there’s little evidence that he misused that power. Nor did he intentionally mislead anyone. Rather, he regrets having helped put certain 3rd-world nations in debt to the World Bank and IMF. That’s like one of the current generation of executives at Ford Motor Company saying he regrets the effect he’s had on I-5 traffic through downtown Seattle. Get over yourself, right?
In any case, in the context of Hit Man, it all seems a little shallow coming from a rich guy, retired, living in Florida.
But then I realized that the book actually made me want to be Dick Cheney. I mean, the author singles him out repeatedly as one of the top-tier major powerbrokers. Duh. Much like the author himself, Cheney doesn’t seem to have done anything specifically wrong. He just accepted jobs that he should apparently now feel guilty about. We’re left to conclude that if Cheney were to take the opportunity of his impending political retirement to write “Confessions of an Influential and Powerful American Politician and Executive,” he would be forgiven.
But then it finally dawned on me that, rather than being an executive at a major contractor such as Halliburton or Bechtel, I actually want to be the founder of such an entity. Those companies are huge and have a combined age of 200 years. What a legacy it would be to start something that has that sort of impact, that employs that many people for that length of time!
(While it’s apparent that the book is written from the perspective of someone who dedicated many years of his life to climbing the Economic Hit Man professional ladder, it must be noted that the author is also an entrepreneur, having founded an energy company, and then having begrudgingly - yeah right - sold it to an oil company for a sizable profit.)
So if the author’s intent was to inspire me in this way, he could have picked a different title and cut the last couple of chapters (I read the paperback version). Otherwise, he missed the mark.
http://www.amazon.com/Confessions-Economic-Hit-John-Perkins/dp/0452287081/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1208051240&sr=1-1
http://www.halliburton.com/Default.aspx?navid=402&pageid=714
http://www.bechtel.com/history.html
Another note on code quality and security
April 9, 2008
A colleague sent me some welcome feedback on a recent post (http://www.jwsecure.com/dan/2008/04/02/on-recent-press-coverage-and-code-quality/).
Namely, that the effects of project and team dynamics can’t be ignored when it comes to creating an environment that encourages the production of high-quality, and highly secure, code. In other words, it’s not just training and it’s not just having the latest tools. For example, customer expectations and pressures, real or imagined, are transmitted by sales and marketing, sometimes in negative ways, to the technical team (PM/Dev/Test). Stress leads to mistakes, and aggressive timelines mean that shortcuts get taken. This adversely affects code quality. The feedback between external-facing and internal/technical teams must be continuous and bidirectional.
I decided to be low-budget at the RSA conference this year and just attend the Expo. So far, that’s definitely been the correct decision; I’m able to do all of the networking I need to do this way, and I avoid the back pain associated with sitting in those uncomfortable chairs for 90 minutes at a time. Plus my Expo pass was free. I do miss seeing the crypto panels, though. Maybe next year.
Big themes among this year’s exhibitors? Auditing and compliance, not surprisingly. As a colleague observed, nearly every product booth makes some claim to that effect. And there are more and more service firms doing technology auditing/testing/compliance.
Strong authentication is big, of course. Thankfully nobody seems to be claiming this is the Year of PKI or the Year of Smart Cards. It might be the Year of OTP, though: there’s a resurgence in that technology, consisting of some firms who have been slowly but surely eating away at RSA’s market share in that area, and others who will try. This is driven not only by demand for OTP in the context of RAS/VPN, but also as a solution for web sign-on, a beachhead first established among the European banking community.
Biometrics too, of course. Most demos are still fingerprint-based, the main difference this year being the sheer number of them and the fact that they’re better integrated into existing authentication systems, front-end and back-end.
And booth babes. Still plenty of those.
Last note for the day: I found my way to the IOActive party this evening, which was classy. It was there that I learned about the recent eWeek “15 most influential people in security today” list (link below) which had, naturally, become a subject of debate. Having now reviewed it, I think the list is insightful and thought-provoking, and thus the reporter accomplished his task. I will say that a substantial amount of influence within the security community trickles down from the hacker/researchers on the conference circuit, and while the list isn’t entirely representative of that, I’ll grant that it’s difficult to measure the impact of ideas that haven’t yet reached the mainstream.
http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/
On recent press coverage and code quality
April 2, 2008
Some recent articles (including one that I already pointed to in a previous blog post) about research I did, links below, all missed the point. The big picture is that, when it comes to software security, code quality is the most critical factor. The fact that it’s a complex factor means that many techniques must be brought to bear. The littler point is that one of those techniques - fuzz testing - remains under-utilized.
I must briefly digress to explain the first part. First, note that code quality is not the only factor in a secure deployment. But it is the most important one.
Second, observe that the production of software is a challenging endeavor. Obtaining and maintaining high code quality even more so. What is high-quality code? No needless abstractions, no unnecessary or undocumented features, well-commented and easy to read, smartly designed and written based on a reasonable analysis in choice of language and underlying technology. There are other factors. It’s a complicated concept even to just describe!
Now, to bridge the gap between code quality and code security. While, in my experience, low-quality code is more likely to be insecure, high-quality code isn’t necessarily without security flaws. For the software industry as a whole, the obstacles to consistently writing secure code are numerous. For example, the threat landscape is constantly changing: what was considered acceptable before may now represent a major risk. And secure coding is a difficult concept to teach, if an attempt is even made at all (for example, at the collegiate level or on the job).
Furthermore, and partly for reasons already cited above, software security is its own field. So, much as it may be attractive to expect experts in GUI design or network communication to also be experts in software security, it just isn’t realistic to do so. Yes, everyone should know the basics, but the basics are never enough.
Software tools vendors (referring mostly to compilers and commercial libraries) play an interesting role here, because they are both part of the solution and part of the problem. That is, all of the challenges above affect them as well: how to attract, retain, and continuously retrain developers who can consistently produce not only high-quality but also highly secure code? And everyone downstream is partly dependent upon the tools vendors to keep up with the moving target of security threats. I say ‘partly’ because the true responsibility for the security of a software application lies with the vendor of that software - that is, whatever brand name would be on the front if it came in a box. Attempts to blame the compiler vendor, or the vendor of a special library with which the program links, don’t cut the mustard.
It’s not my intent just to pound on developers here; testers play a critical role as well.
Indeed, testing is the current frontier in software security. I’m not saying the development/code-generation side is solved, just that the latest technologies (tools, libraries, platforms) are sufficiently more secure than what’s actually in wide deployment, and that testing methodology hasn’t kept up. When it comes to quality, the test team - Q/A as it’s frequently called - is the last line of defense. Time to improve that defense.
Fuzz testing is a technique that’s easy to understand and totally under-utilized. It is not a panacea. Deployed correctly and against the proper components (parsers, mostly, and there are probably more of those out there than you think), it is likely to find bugs, probably significant ones with security impact. That’s partly because of the randomness involved, and partly because it pounds on the kind of code that tends to be complex.
Once a fuzzer has been written, deployed, and the related bugs found and fixed, it becomes another piece of the automation to ensure that something previously fixed doesn’t become broken again. Just like your API test, just like your GUI test. Then it’s on to the next technique or the next component.
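A concrete instance of the two paragraphs above, as an added example that is not from the post: a mutation fuzzer driving a small length-prefixed record parser. The record format, the seed inputs and both parsers are constructed for this demo. The first parser trusts its count and length fields, which in Python surfaces as IndexError rather than the out-of-bounds read it would be in C; the hardened version checks every read and rejects bad input with the documented ValueError. The replay function re-runs saved crashers against the parser, which is the regression step the second paragraph describes.

```python
"""Mutation fuzzer for a small record parser (added example, not from the post).

Format (constructed for this demo): count:u8, then count records of
type:u8 len:u8 payload[len]; type 1 is a big-endian integer, type 2 an ASCII
name. The parser's documented failure is ValueError; anything else is a bug.
"""
import random

SEEDS = [
    b"\x02" b"\x01\x02\x01\x02" b"\x02\x03dan",   # two records: int 258, name "dan"
    b"\x01" b"\x02\x00",                          # one record: empty name
]


def parse_records_buggy(data):
    """Trusts the header and length fields (the kind of code fuzzing catches)."""
    if not data:
        raise ValueError("empty message")
    count, pos, out = data[0], 1, []
    for _ in range(count):
        rtype, rlen = data[pos], data[pos + 1]          # BUG: no bounds check
        payload = data[pos + 2:pos + 2 + rlen]           # BUG: silently short
        if rtype == 1:
            value = int.from_bytes(payload, "big")
        elif rtype == 2:
            value = payload.decode("ascii")
        else:
            raise ValueError("unknown record type %d" % rtype)
        out.append((rtype, value))
        pos += 2 + rlen
    return out


def parse_records(data):
    """Hardened version: every read is checked and bad input gets ValueError."""
    if not data:
        raise ValueError("empty message")
    count, pos, out = data[0], 1, []
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated record header")
        rtype, rlen = data[pos], data[pos + 1]
        if pos + 2 + rlen > len(data):
            raise ValueError("declared length exceeds message")
        payload = data[pos + 2:pos + 2 + rlen]
        if rtype == 1:
            value = int.from_bytes(payload, "big")
        elif rtype == 2:
            if not payload.isascii():
                raise ValueError("name is not ASCII")
            value = payload.decode("ascii")
        else:
            raise ValueError("unknown record type %d" % rtype)
        out.append((rtype, value))
        pos += 2 + rlen
    if pos != len(data):
        raise ValueError("trailing bytes")
    return out


def mutate(rng, data):
    """One random mutation: bit flip, boundary byte, truncation or insertion."""
    buf = bytearray(data)
    op = rng.randrange(4) if buf else 3
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.choice((0, 1, 0x7F, 0x80, 0xFF))
    elif op == 2:
        del buf[rng.randrange(len(buf)):]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(buf)


def fuzz(parser, seeds=SEEDS, iterations=2000, seed=1):
    """Return [(input, exception name)] for every undocumented failure."""
    rng = random.Random(seed)                 # fixed seed: reproducible runs
    crashes = []
    for _ in range(iterations):
        data = mutate(rng, rng.choice(seeds))
        try:
            parser(data)
        except ValueError:
            continue                          # documented rejection
        except Exception as exc:              # anything else is a bug to record
            crashes.append((data, type(exc).__name__))
    return crashes


def replay(parser, corpus):
    """Regression step: True if every saved crasher is now rejected cleanly."""
    for data in corpus:
        try:
            parser(data)
        except ValueError:
            continue
        except Exception:
            return False
    return True
```

fuzz(parse_records_buggy) returns crashing inputs within a few hundred iterations; fuzz(parse_records) returns none, and replay(parse_records, saved_crashers) is what goes into the build alongside the API tests.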
But few shops have reached that point, and the tools vendors haven’t caught on either. It’s time to invest in software security testing: better tools, better techniques, and more widespread use of the techniques we already know about.
http://www.jwsecure.com/dan/2008/03/14/look-mom-im-on-dark-reading/
http://www.darkreading.com/document.asp?doc_id=148438&WT.svl=news1_1
http://www.theregister.co.uk/2008/03/18/vista_smartcard_hack/
http://www.heise-online.co.uk/security/Vista-with-smart-card-hacked–/news/110330
http://msdn2.microsoft.com/en-us/magazine/cc163313.aspx
See you at Seattle ToorCon 2008
April 1, 2008
I’ve got a “lightning talk” on Friday, 4/18, meaning you’ll only get to hear me for 5 minutes or less - http://seattle.toorcon.org/2008/conference.php?id=20. But some things are best taken in small doses.