Erich sieht » IT

Cold boot attacks on steroids

Sven Türpe — Wed, 23 Dec 2009 05:15:54 +0000

BootJacker puts malware underneath the running operating system:

Force reboot
Boot malware
Resume OS session preserved in memory

(found here)

Posted in English, IT, Security, Trusted Computing Tagged: BootJacker, evil maid, physical access

Moderne Welt

Sven Türpe — Wed, 16 Dec 2009 23:26:51 +0000

Posted in Fundbüro, IT Tagged: Internetzeitalter

Sven vs. McAfee — 1:0

Sven Türpe — Sun, 13 Dec 2009 18:33:37 +0000

Wozu schleppe ich eigentlich seit Jahren zwangsweise ein Dreckstool von Virenscanner auf meinem PC mit mir herum, wenn er im − äußerst seltenen − Ernstfall nichts tut? Zugegeben, ich brauche keine Softwareunterstützung, um mich über eine unaufgefordert heruntergeladene PDF-Datei und die Fehlermeldung bei deren Interpretation zu wundern. Nur ist es dann, wenn ich etwas bemerke, für die Abwehr schon zu spät. Falls die PDF-Datei bösartig ist, wird sie nämlich versuchen, Fehler im PDF-Betrachter auszunutzen.

Na ja, immerhin liefert der Vorfall einen Datenpunkt für die empirische Forschung. McAfee hat mir auf diesem Rechner noch nie irgend etwas gemeldet und liegt damit klar im Rückstand.

P.S.: Heise meldet zwei Tage später das hier.

Posted in Geschäft, IT, Security, Zahlenspiele Tagged: Aberglaube, Antivirus, dreckstool, Drive-by-Download, McAfee, PDF

TR-Mail

Sven Türpe — Sat, 05 Dec 2009 10:14:47 +0000

E-Mail vom Staat, das löst hierzulande einiges Misstrauen aus. Woanders fragt man gar nicht erst:

»Ab nächstem Jahr bekommen alle türkischen Neugeborenen eine E-Mail-Adresse vom Staat. Diese Adresse wird von einer Behörde verwaltet und in den Pass gedruckt. Zugleich soll die Verwendung ausländischer Dienste wie Google und Yahoo verboten werden. Das Projekt dient der nationalen Sicherheit.«

(Welt Online: Nationale Sicherheit: Jeder Türke erhält eine E-Mail-Adresse vom Staat)

Posted in IT, Regierungsviertel, Security Tagged: De-Mail, nationale Sicherheit, Türkei

The Evil Jan Attack

Sven Türpe — Thu, 03 Dec 2009 19:40:22 +0000

[See only posts in English]

Microsoft’s BitLocker is, for all we know, a proper disk encryption software. It encrypts data at rest against attacks originating outside the running system. If you use BitLocker and your computer is stolen while turned off, there is essentially no way of reading data from the disk without having the proper key(s)—your BitLocker PIN, a key file on a USB stick, or both. If an attacker gets access to the machine while it is running, there may be ways of compromising it through Windows or in other ways, but such attacks are clearly outside the scope of disk encryption.

We know, however, another class of attacks against disk encryption: evil maid attacks. This term describes a general strategy rather than a particular implementation. If you leave your computer unattended, let’s say in a hotel room, an attacker, let’s say an evil maid, might manipulate it such that your data will be compromised as soon as you return and provide it with your encryption keys. There are various ways of doing so, for instance installing a hardware keylogger if your keys are based on passwords, or altering the unencrypted boot code to install a Trojan horse that will leak your keys later.

BitLocker is different from other software-based disk encryption products, such as TrueCrypt, in that it supports Trusted Computing technology for added security. If used with a Trusted Platform Module (TPM)—a small chip inside your computer—BitLocker needs not only your key(s) but also another key stored inside the TPM to decrypt your data. First and foremost this implies that stealing just your disk is futile if the target is your data, since without the TPM part of the key will be missing.

But this is not all the TPM does. It also watches the boot process to ensure your system hasn’t been tampered with before releasing its part of the encryption key. This won’t solve the hardware keylogger problem, but many people seem to believe that this would be sufficient to prevent software-based variants of evil maid attacks. After all, you can either boot the unaltered system and get your data encrypted or boot a system that has been tampered with, which will fail to obtain the key from the TPM, right?

Well, almost. BitLocker needs to interact with you, the user, to obtain its keys. As the TPM merely records properties of boot components, it will not prevent the software asking for your keys from being altered, or the altered software from being executed. This means that an attacker can alter code on your computer to obtain your PIN or USB key. The TPM only ensures that the cannot boot right into Windows in its altered state. But if the attacker can get away with a single forced reboot—think bluescreen—the malicious code may remove itself before and just leave your keys somewhere on the disk for later retrieval.

The TPM as it is and as it is being used by BitLocker is therefore not sufficient to fend off evil maid attacks, not even the software-based subset. We discussed such and similar attacks in a paper published earlier this year. Now we also demonstrate the BitLocker version of an evil maid attack in a short video starring two of my Fraunhofer colleagues, Jan and Jan. Hence we call this attack the evil Jan attack.

The evil Jan attack does not imply that the BitLocker is broken as a disk encryption scheme. It does not even imply that the TPM would be entirely useless. Our attack has a particular objective, getting unauthorized access to encrypted data in a targeted attack. We show that this remains quite feasible despite the use of the TPM. Attacks with different objectives and side conditions may still get considerably harder due to Trusted Computing. For instance it seems no longer possible for an attacker with physical access to the computer to install malicious software into the running operating system in a single pass.

Posted in English, Hackmeck, IT, Security, Testlabor, Trusted Computing Tagged: attack, BitLocker, evil maid, Fraunhofer, janitor, physical access, secure boot, SIT, Skimming, TPM, Video, Windows

Herr, schmeiß Hirn vom Himmel!

Sven Türpe — Thu, 03 Dec 2009 16:07:48 +0000

Nach der WAF nun also die Datenbank-Firewall. Weil dämliche PHP-Programmierer nicht in der Lage sind, sicher auf Datenbanken zuzugreifen, soll GreenSQL zwischen Anwendung und Datenbank heuristisch SQL Injection erkennen. Die Idee ist so blöd, dass ich nicht mal beim szenetypischen Herumalbern darauf gekommen wäre.

Kernproblem bei Injection-Lücken ist die ungenügende Trennung zwischen Daten und Code in Verbindung mit dem Impedance Mismatch zwischen Programmier- und Datenbanksprache. Die kanonische Lösung besteht darin, eben diese Trennung zuverlässig aufrechtzuerhalten. Das lässt sich recht einfach bewerkstelligen, indem man eine geeignete Programmierschnittstelle − Prepared Statements statt Stringverkettung zu SQL-Statements − verwendet. Das kann zwar auch noch schiefgehen, wenn die Bibliotheksfunktion Fehler hat, aber wenigstens kann man sich selbst nicht mehr in den Fuß schießen.

Ist die Grenze zwischen Code und Daten einmal verwischt, steht die Datenbankfirewall vor exakt demselben Problem wie die Datenbank selbst: sie kann diese Grenze nicht mehr zuverlässig bestimmen. Konzeptionell ist die Datenbankfirewall deswegen genauso machtlos wie die Zugriffskontrolle der Datenbank. Sie versucht es nur mit einer anderen Strategie. Klüger wäre es, den Entwicklern ausschließlich sichere Schnittstellen zur Verfügung zu stellen.

Als Security-Theater allerdings dürfte so eine Datenbankfirewall hervorragend funktionieren, spuckt sie doch am laufenden Band Meldungen aus, die MovieOS alle Ehre machen würden: Hilfe, wir werden angegriffen!

Posted in Begriffe, IT, Security Tagged: Datenbank, Firewall, GreenSQL, Rant, Security-Theater, SQL injection

In einem Wort

Sven Türpe — Thu, 26 Nov 2009 12:07:07 +0000

Panic Password

Posted in In einem Wort, IT, Security Tagged: Authentisierung, Nötigung

Gewagt

Sven Türpe — Fri, 13 Nov 2009 10:07:30 +0000

IT-Sicherheit auf einem Bierdeckel. Am schönsten finde ich Aufpassen. Dieser Empfehlung kann nun wirklich niemand widersprechen.

Posted in IT, Security

Epic Fail

Sven Türpe — Wed, 04 Nov 2009 14:47:42 +0000

Unter der Überschrift: Die Illusion von Safer-Shopping nimmt Heise gerade das Online-Gütesiegel eines bekannten Anbieters auseinander:

»Nach der Datenpanne im vom TÜV Süd zertifizierten Online-Shop-System von Libri.de fanden sich nun Sicherheitslücken auf weiteren Sites, die das Safer-Shopping-Siegel tragen – und sogar auf dessen eigener Homepage. Neben Safer-Shopping.de waren Audible.de, ReifenDirekt.de und weg.de betroffen.«

Über Zertifizierung, Gütesiegel und den TÜV gab es hier ja schon einiges zu lesen. Als Sekundärliteratur empfehle ich noch: 10 Things Your Auditor Isn’t Telling You.

Posted in Geschäft, IT, Security, Vertrauen Tagged: Gütesiegel, TÜV

The Cloud Computing Consultant

Sven Türpe — Sun, 18 Oct 2009 18:55:22 +0000

(video link)

Posted in English, Geschäft, IT Tagged: Cloud Computing, consultant, Video

White Hat Hacker Man

Sven Türpe — Wed, 14 Oct 2009 06:46:12 +0000

(video link, lyrics)

Posted in English, IT, Security, Testlabor Tagged: Paco Hope, song, Video

100 Dollar

Sven Türpe — Tue, 13 Oct 2009 10:22:49 +0000

Hundert Dollar lässt sich T-Mobile USA den Datenverlust durch Serverausfall pro Kunde kosten. Scheinbar zumindest, denn statt Bargeld gibt es einen Gutschein, einzulösen bei T-Mobile USA. Weiß jemand, wie man die realen Kosten so einer Gutscheinaktion kalkuliert?

Posted in Geschäft, IT, Preisschild, Unterwegs Tagged: BWL, Gutschein, Kalkulation

1 Cent

Sven Türpe — Mon, 12 Oct 2009 08:29:55 +0000

Für 90 Dollar bekommt man 10.000 geklaute E-Mail-Accounts, ein einzelner Account ist also ungefähr einen Cent wert:

»Unterdessen rückt Rik Ferguson von Trend Micro den Vorfall in die richtige Perspektive. 10.000 gestohlene Account-Daten seien nichts Ungewöhnliches. Die würden auf dem freien Markt etwa 90 Dollar kosten – wenn man die üblichen 10 Prozent Rabatt abzieht.«

(heise Security: Test für kompromittierte E-Mail-Accounts)

Weiß jemand, wie hoch im Vergleich dazu der Schaden pro Account ist?

Posted in Geschäft, IT, Preisschild, Security Tagged: account, E-Mail

Digital Cold Reading: The CSS History Hack

Sven Türpe — Sun, 20 Sep 2009 09:47:09 +0000

[See only posts in English]

Cold reading is a technique used by mentalists to simulate psychic powers and impress people. Essentially, the cold reader is supplying words and the other person supplies their meaning as well as hints for the reader.

The CSS history hack, which seems to impress quite a few people, is nothing more than the Web’s version of cold reading. Your impression is that any Web site can read your browser history. Now there is indeed an information leak and no Web site should get access to history information. But this leak is very small. It doesn’t reveal the history altogether to anyone daring to ask. The CSS history issue only gives us an oracle. We can ask the oracle whether a particular URL is in the history or not. So to find out that you’ve read this blog post we would have to ask the oracle about the precise URL of this post.

Nonetheless demonstrations of the history hack impress people. The trick is simple and similar to the cold reading technique. History hack demos use a set of URLs that leads to a hit for almost every Internet user on the world: Google, YouTube, Microsoft, Wikipedia, Flickr, Apple, Slashdot, Amazon, and so on. A mentalist would guess and suggest these until you start giving feedback on which to hook. The CSS history hack replaces this interaction with asking the oracle to avoid wrong guesses. The trick is really to use a set of Web sites that guarantees a hit, and use a minor information leak to remove the wrong guesses from the set that would spoil the effect. This works well with the top 20/top 50/top 1000 sites on the Web, but it won’t scale to arbitrary URLs.

Posted in English, IT, Phishing, Security, Wahrnehmung Tagged: cold reading, CSS history hack, don't worry

Häh?

Sven Türpe — Wed, 16 Sep 2009 18:02:55 +0000

Kann mir jemand sagen, ob ich das möchte? Oder weiß wenigstens jemand, unter welchen Umständen so eine Meldung typischerweise zustandekommt? Der Text klingt ein wenig schräg, und der Hilfe-Button ist nur Dekoration.

Posted in Freundlich zum Nutzer, IT, O-Ton, Security Tagged: Acrobat, Adobe, Dialogbox, update

Schnäppchenpreis

Sven Türpe — Wed, 16 Sep 2009 08:25:27 +0000

»Ein Botnetz, das zwischen 5000 und 10.000 Bots kontrolliert, kann laut Wüest für 10 US-Dollar pro Woche gemietet werden.«

(Heise online: Spam-Bots werten soziale Netze aus)

Posted in Geschäft, IT, Security, Zahlenspiele

Swiss Cheese Security

Sven Türpe — Tue, 08 Sep 2009 12:02:07 +0000

I’m off for the New Security Paradigms Workshop in Oxford, where I will present what I currently call the Swiss Cheese security policy model. My idea is to model security mechanisms as classifiers, and security problems in a separate world model as classification problems. In such a model we can (hopefully) analyze how well a mechanism or a combination of mechanisms solves the actual problem. NSPW is my first test-driving of the general idea. If it survives the workshop I’m going to work out the details. My paper isn’t available yet; final versions of NSPW papers are to be submitted a few weeks after the workshop.

Posted in English, Forschung, IT, Security, Unterwegs Tagged: 2009, NSPW, Oxford, paradigm, security policy, Swiss Cheese

In einem Wort

Sven Türpe — Tue, 08 Sep 2009 09:19:47 +0000

C-DLICE

Posted in In einem Wort, IT, Testlabor Tagged: software test

Production-safe Testing

Sven Türpe — Tue, 01 Sep 2009 17:58:48 +0000

[See only posts in English]

Software testers increasingly have to deal with production systems. Some tests make sense only with production systems, such as Nessus-style vulnerability scanning. And an increasing number of systems is hard to reproduce in a test bed as the system is really a mashup of services, sharing infrastructure with other systems on various levels of abstraction.

Testing production systems imposes an additional requirement upon the tester, production safety. Testing is production-safe if it does not cause undesired side-effects for the users of the tested or any other system. Potential side effects are manifold: denial of service, information disclosure, real-world effects caused by test inputs, or alteration of production data, to name just a few. Testers of production systems therefore must take precautions to limit the risks of their testing.

Unfortunately it is not yet very clear what this means in practice. Jeremiah Grossman unwittingly started a discussion when he made production-saftey a criterion in his comparison of Website vulnerability assessment vendors. Yesterday he followed up on this matter with a questionnaire, which is supposed to help vendors and their clients to discuss production-safety.

The time is just right to point to our own contribution to this discussion. We felt a lack of documented best practice for production-safe testing, so we documented what we learned over a few years of security testing. The result is a short paper, which my colleague and co-author Jörn is going to present this weekend at the TAIC PART 2009 conference: Testing Production Systems Safely: Common Precautions in Penetration Testing. In this paper we tried to generalize our solutions to the safety problems we encountered.

The issue is also being discussed in the cloud computing community, but their starting point is slightly different. Service providers might want to ban activities such as automated scanning, and deploy technical and legal measures to enforce such a ban. They have good reason to do so, but their users may have equally good reason to do security testing. One proposal being discussed is a ScanAuth API to separate legitimate from rogue scans. Such an API will, however, only solve the formal part of the problem. Legitimate testing still needs to be production-safe.

Posted in English, IT, Safety, Security, Testlabor Tagged: 2009, precautions, production, ScanAuth, Software, TAIC-PART, Test

Management ohne Metriken

Sven Türpe — Sun, 23 Aug 2009 11:07:44 +0000

Der eine oder andere dürfte es mitbekommen haben. Tom DeMarco, dem wir die Manager-Faustregel: “You can’t control what you can’t measure.” verdanken, macht einen Rückzieher. An Software Engineering will er nicht mehr so recht glauben, und an Metriken auch nicht. In seinem Artikel Software Engineering: An Idea Whose Time Has Come and Gone? erläutert er seinen Sinneswandel unter anderem an diesem Beispiel:

»Imagine you’re trying to control a teenager’s upbringing. The very idea of controlling your child ought to make you at least a little bit queasy. Yet the stakes for control couldn’t be higher.
(…)
Now apply “You can’t control what you can’t measure” to the teenager. Most things that really matter—honor, dignity, discipline, personality, grace under pressure, values, ethics, resourcefulness, loyalty, humor, kindness—aren’t measurable.«

Von der Vorstellung, wir könnten ausgerechnet in der IT-Sicherheit Risiken anhand von Metriken steuern, sollten wird uns schnell verabschieden. Zusätzliche Unbekannte und Rückkopplungen vereinfachen das Problem sicher nicht.

Ach ja, und hört nicht auf Gurus.

Posted in IT, O-Ton, Risiko Tagged: DeMarco, Guru, Management, Metrik, Risikomanagement

In einem Wort

Sven Türpe — Tue, 04 Aug 2009 18:54:50 +0000

cloudenfreude (via)

Posted in English, In einem Wort, IT, Risiko, Security Tagged: Cloud Computing

Internet helpdesk

Sven Türpe — Thu, 30 Jul 2009 22:00:40 +0000

(direct, via)

Posted in English, Freundlich zum Nutzer, IT Tagged: helpdesk, Internet, sysadmin, Video

50 Ways to Inject Your SQL

Sven Türpe — Sun, 05 Jul 2009 15:16:22 +0000

(direct link, found here)

Posted in English, Hackmeck, IT, Security Tagged: SQL injection, Video