Archive for August, 2007

Norton Internet Security 2007 Issues

Monday, August 13th, 2007

I’ve used the free ClamAV in the past, but was never convinced that it was doing much. There were some usability issues with notifying about updates but not automatically downloading and installing them also.

So this weekend I bought the Symantec Norton Internet Security 2007 3-pack at Fry’s. It was about $50 up front but should be free after rebates. I checked the PC Magazine reviews online at the store, and Norton was rated as more effective and polished than the CA product.

NAV has some issues too:

  1. if you use Thunderbird as your email program, backup your mail files before installing Norton Internet Security 2007. On the 2 machines where I installed Norton, the read count was reset to 1, causing Thunderbird to redownload all 4100 emails … causing duplicates. Even worse problems can occur if viruses are detected inside a mail file.
  2. without warning, the Norton installer kills outbound network connections. For example, file transfers and putty sessions will be killed.
  3. the registration screen has top and bottom parts. The top part is for previous registered users, and the bottom is a registration form for new users. If you fill in the bottom, then you click on the top, you lose all your completed form data. Very annoying.
  4. after completing the registration process for the first time, I received a confirmation email that:
    1. was flagged by my default install of SpamAssassin as spam with a score of 6.2
    2. contained a URL to their web site with my username and password in the URL! Not only is that a no-no for a security company, but the username and password aren’t even used to pre-fill the web login form. (And since those are GET parameters, they’re sitting in their webserver logs in plain text of course.)
  5. when scanning, the Stop button seems to mean “stop after finishing the current file.” That’s not cool if you’re ready to close your notebook and you happen to be a in a large zip archive for example. And Task Manager is not allowed to kill the Norton processes.
  6. the file virus scanner is slow – 24 hours to scan my desktop hard drives with 12 million files, mostly in tarballs, though the machine was still somewhat usable.
  7. the installer took 45 minutes to initialize on my notebook – then worked ok, but basically locked up my Compaq 1.6 GHz/2 GB RAM/80 GB notebook while scanning though. Need to look into that.

How good was it at scanning for viruses?

Well, it found what I expected, and the Export Results link creates a useful report file with all the data I wanted. However the program UI goes out of its way to separate results from the corresponding files until you dig around.

Note that their EULA mentions that you have no privacy when using their product. They can send back your files for any reason, and make them available to authorities. Something to think about if you work for a software company or do computer security research.

Update: Symantec 2nd level support recommends running chkdsk and downloading and installing 10.4 to fix many issues. The filename is NIS071040.exe (50,559,136 bytes)

People in the know recommend not using any Symantec software products. For anti-virus software, they recommend AVG as being effective without using obscene amounts of system resources.

Posted in Tech | 1 Comment »

Way to Identify an Emerging Technology

Thursday, August 9th, 2007

“The one way to identify an emerging technology is that there is more written about it than is known about it, there are more people selling it than using it, and the vendors are making more money from education than from selling the tools.” -

Kenn Orr, quoted from IBM Systems Journal, Vol.32, No.3, 1993. Article title, “The Impact of Object Orientation on Application Development.”

Posted in Business, Tech | No Comments »

Defcon 15, Las Vegas

Sunday, August 5th, 2007

I gave up on Defcon after Defcon 11 because of the venue overcrowding at the Alexis Hotel. But since I had no other plans this weekend and they moved to the larger Riviera hotel last year, I decided to give them another shot this year.

What an improvement! 7,000 attendees and 5 talk tracks, yet now fairly well-organized. I registered Thursday at 9:30 am for $100, but they had already run out of the awesome white animated SMT LED badges with a “HUMAN” cut-out conference badges, and programs.

They should have done a photocopy run of the schedules, but didn’t, which is bad since the schedules are not posted outside the lecture rooms.

Security staff in red shirts called “goons” vigilantly enforced access points and fire codes. I was told that lecture room exits had to be clear in case of sudden emergencies like a smoke bomb attack.

The hotel was big enough that the attendees didn’t swamp the hotel, and the rooms for Tracks 2, 3 and 4 were usually big enough. The Track 5 room and the closing ballroom were too small. Hotel security seemed happy and stayed in the background.

The hotel coffee shop was very busy but served ok food ($10 for a hamburger and fries.) The upstairs dinner buffet was a good deal at $16. Good variety of fresh food and desserts, including prime rib, mexican and asian food.

I didn’t bring a notebook computer this year because it would just get hacked if I turned it on, and I also left my Blackberry off. I understand that some people buy a computer at Fry’s and return it after the weekend to get re-imaged, or use it as a honeypot. Some people did use their work Blackberrys with bluetooth disabled. One guy had a Nokia 770 wifi PDA that he planned to re-image after going home. Nice screen with scalable fonts.

The talks that I attended on Thursday and Friday were very strong, usually presented by the original researchers or somebody deeply involved in the topic. Defcon talks are unusual in that most audience questions are held until after the talk in a separate Q&A room. Not my preference, since expert attendees often get more out of the questions that the talk.

Thursday

Thomas Holt: The Market for Malware

Insight into mainly Russian malware industry:

- pincher programs for intercepting username and password data
- joiner programs to bind pincher program payloads with images or downloads
- like to be paid with e-gold, don’t like Western Union
- like ICQ, irc
- tools cheaper for other Russians to purchase than foreigners
- forums for promoting and rating developers and programs
- good authors provide good customer support, upgrades ($10), manuals and customization ($30)
- admin UI programs very polished and professional looking – some are even skinnable.

Pilgrim: How to be a WiFi Ninja

Pilgrim is the real deal – he knows how wifi works, owns a wifi accessories shop in Florida and is a perennial show vendor.

He gave tips on improving wifi transmission and reception:

- thinner cable is lossier, so keep under 10′
- cable is optimized for Channel 6
- wifi signals transmit better in drier air
- most omni AP transmitters can be made more directional by using a tin-foil reflector behind them, preferably parabolic shape
- used Dish satellite receiver antenna could be very useful
- made a wok dish antenna and recommends it
- recommends USB receivers over PC Cards because of external antenna
- recommends USB cable run to smart antenna instead of long runs of cable
- transmit power isn’t everything. try to balance transmitter, receiver, cable and geometry
- re-orient AP antennae to get better vertical or horizontal reception, especially in 2-storey buildings. same when war-driving.

Broward Horne: Click Fraud Detection with Practical Memetics

Broward gave a great talk.

He has the website RealMeme.com and does experiments in web site promotion and Internet mindshare. He left some blog comments on Casey Serins’ IAmFacingForeclosure.com website but received no traffic to his site initially. He posted a comment inquiring about that, got a bunch of traffic, and upon log analysis realized that it was bot traffic, implying that Casey was involved with bots for AdSense click fraud.

He showed some graphs of discussion activity before and after the Pope’s death, which expanded the bandwidth of discussion, and the SARS outbreak, which barely registered.

D.J.Capelis: Virtualization: Enough holes to work Vegas

Awesome talk on how pathetic x86 virtualization is from a security perspective.

He talked mainly about VMware Server and Xen, but problems generally applicable are:

- vulnerable to physical attacks and DoS at PCI level for shared hardware like video, network and drive controllers
- vulnerable to IP and MAC address changes
- vulnerable to practically undetectable covert channels between VMs
- vulnerable to timing attacks similar to the Intel HT ones
- all the image migration tools use plaintext, possibly across ethernet
- any rogue partition can violate all other partitions, subverting your firewall and network security
- bad default configurations, as documented.

The expensive VMware ESX product fixes a few but not all of the above problems.

He’s hoping IBM can leverage their 30 year virtualization experience on LPARs to do a good job.

He released a script to somewhat improve the default security configuration of VMware Server.

Dave Josephsen: Homeless Vikings, (short-lived BGP prefix hijacking and the spamwars)

He presented a history of spam and countermeasures timeline with commentary (he likes content filtering and thinks anything else is just a pointless technical arms race that can’t be won by the good guys).

Then he talked about how BGP can be used by spammers to spoof address blocks or commandeer unassigned IP space, likely the same techniques used by intelligence agencies now.

Gadi Evron: Webserver Botnets

Peter Gutmann: The Commercial Malware Industry

Some repetition of the talk at 10 am, but with more detail.

Daniel Peck & Ben Feinstein: CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript

They demonstrated some utilities for de-obfuscating javascript malware and presented some graphs that illustrated how malware and legitimate javascript profile very differently.

Also, they talked about spidering and analyzing some web sites and being surprised at how clean myspace is for example – no JavaScript malware found, probably a credit to their staff.

atlas: Remedial Heap Overflows: dlmalloc style

atlas did a Linux Buffer Overflow 101 class.

He used python to inject the shell code.

All the hotels surrounding the Rivera were full, so I stayed in the Hilton Vacation Getaway Hotel, a moderate walk from the Riviera. My $169 room was a very nice and new suite with a 30″ HDMI plasma TV, jacuzzi, shower, bedroom TV and laundry. The downstairs deli tuck shop is very complete and you can order custom sandwiches there. There is also an outside grill with $5 hamburgers and $4 hotdogs that’s open for lunch. The basement business center is 24 hours and has computer rentals and printing for $1/page. The hallway vending machines have $1 sodas.

Friday

Brendan O’Connor: Greater than 1: Defeating “strong” Authentication in Web Applications

Excellent talk reviewing US online banking so-called strong authentication, then attacking it.

- in-person banking is 2-factor authentication (something you have (card) and something you know (PIN)
- online banking is not 2-factor (you know a PIN but normally you don’t provide card, token or biometrics)
- browser fingerprinting is pointless because everybody buys the same configurations from Dell or HP
- browser fingerprinting is pointless because the implementations are bungled (commented source, little effort)
- banks should display all recent logins, not just the last one
- bank should not star out account numbers, then display the full check thumbnail!
- bolt-on auth systems from 3rd-party vendors weaken overall security and increase the attack surface
- SiteKey is worthless, since they have a limited image catalog indexed by alt tag
- knowledge base questions based on public databases as implemented now are worthless, but could be improved by displaying the same question until correctly answered and not randomizing choices

He finished by demonstrating a MITM attack by writing a newbie-level Perl program to relay the browser fingerprint, setting up Defcon Bank and doing a MITM attack on his personal bank which uses Sitekey.

David Byrne: Intranet Invasion With Anti-DNS Pinning

He discussed DNS pinning issues with IE and Firefox, pinning in Java and also how LiveConnect in Firefox and Opera reduce pinning. Also he showed how to use an exploited browser as a web or socks proxy and talked about using the socket capabilities in Flash 7 and above.

In his demo, he owned somebody’s browser, ran Nessus 3, and started a shell.

Billy Rios & Nathan McFeters: Biting tha Hand that Feeds You – Storing and Serving Malicious Content From Well Known Web Servers

Billy and Nathan are the reason for the recent Firefox 2.0.0.5 and 2.0.0.6 updates.

They talked about:

- XSRF
- serving warez from webmail hosts, in particular Yahoo! and gmail, because they’re free anonymous accounts, have a large storage capacity, good network bandwidth, high-reputation domain names, and plausibly deniable.
- domain substitution
- what can you trust on the Internet? only the domain name in your location bar
- Flash settings XML config file
- browser scheme and %00%00 filetype handlers
- IE 7 and Firefox URI hand-off exploits
- possibly KDE registry might also be vulnerable to filetype handler issues.

The award ceremonies went on 2 hours. It was interesting to learn about the whole Defcon community: security, logistics, press, events, speaker coordination, etc.

40 hardware kits were handed out to people wanting to hack the badge, but only 7 submissions resulted. The 2 winners built a graphical, gray-scale multimeter and a pong game. DT suggested it would be hard to top the badge next year, unless it was converted to a fibrillator or laser beams were added.

A 17 year-old won one of the lock-picking categories. The overall winner mentioned preferring home-made tools.

Some of the award winners received a Black Badge – good for free life-time show admittance. Some got a used notebook or Dish receiver.

The trivia show winning team was booed for their poor result – sometimes needed a dozen clues and still getting the wrong answer – but still got black badges. Next year there will be a pre-qualifying test.

I took one of the airport shuttle buses back to the airport. Depending on how you look at it, either I got a free ground tour of Las Vegas, or they wasted a half hour of my time trying to find a passenger who booked 24 hours in advance but didn’t show up on time. Eventually they found him … back at the Riviera.

theinquirer.ne: How to break forensics software
GData: An Online MD5 Hash Database

Posted in BSD, Business, Conferences, Linux, Open Source, Perl, Photography, Tech, Toys, Travel | No Comments »

SVLUG: Cricket Liu on Securing Internet Name Servers

Thursday, August 2nd, 2007

Cricket Liu, Vice-President of Architecture, Infoblox gave a good talk on “Securing Internet Name Servers” at the Silicon Valley Linux Users’ Group tonite.

Cricket is the author of the O’Reilly book DNS and BIND, and also the DNS & BIND Cookbook.

He discussed both general issues with securing DNS, as well as specific historical attacks such as unrelated record data cache poisoning and a couple of DNS DoS attacks.

The Microsoft 48-hour DNS failure overview was entertaining. One of their technicians misconfigured a router, cutting off their 4 DNS servers from the Internet. Then when they fixed the router, their Windows-based DNS servers fell over from the load. Then a DoS attack on the one router (single point of failure) cut them off again. Verisign noticed that their root server was getting a lot more traffic than normal, and that was mostly due to queries for microsoft.com and update.microsoft.com.

Also, BIND supports 64k zone transfers, which can crash some versions of Microsoft DSN servers, which only expect up to 16k.

He went over some basic configuration recommendations, like splitting authoritative and recursive nameservers onto separate hosts for easier secure configuration and performance, disabling BIND’s version response, and enabling zone transfers only for slaves.

Cricket described how root servers don’t use a single nameserver. Root servers use BGP anycast to do geographically distributed nameservers for nearest lookup, with load-balancing at individual colos across dozens of servers.

He commented that djbdns is remarkable in some ways, but outdated now if you want to use newer DNS features. Also, you may need to separate IP addresses if you want both authoritative and recursive queries, which is overkill for an intranet.

He also demonstrated the free Cricket Liu’s DNS Advisor tool while pointing it at a few public web sites. It does 50 checks on publicly-available nameservers.

Cricket recommends Rob Thomas’ secure bind template.

My understanding is that initially Cricket got heavily involved with DNS at HP.

Cricket and Matt Larsen joined Verisign when Verisign bought their small company, Acme Byte and Wire, several years ago. Cricket spent a year at Verisign, then joined Infoblox a few years ago. Infoblox is an east-coast company that got involved in creating and selling appliances for various purposes, now including DNS and DHCP. Matt is still at Verisign as a Principal Engineer.

The advantage of using an Infoblox DNS appliance is to use a convenient UI for advanced configuration like TSIG mgmt. and load balancing, and to gain the performance benefits of using an optimized appliance.

Posted in Open Source, Tech, User Groups | No Comments »