Terrorism Snake Oil

February 22, 2011

Dennis Montgomery, a programmer from California, was the principal software engineer for at least two companies who appear to have defrauded the US government. His software, originally designed for colorizing movies, failed to generate any interest. At least, until he started claiming that its image-processing capabilities could find secret terrorist messages in Al Jazeera broadcasts and isolate images of evildoers in Predator drone videos.

Security is, unfortunately, a hot item these days – there’s a lot of money being thrown around, and that means a lot of snake oil salesmen trying to get their hands on a bit of it. Millions of dollars later, I’m sure that the feds wish they had done their due diligence. Their response has been to lock down the story in the interests of “national security” – more likely, they’re just hoping the story quietly dies and spares them some embarrassment.

Definition Monday: SIEM

February 21, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: SIEM Systems.

A SIEM, or Security Incident and Event Manager, is a relatively new concept in information security. The concept was pioneered about a decade ago, and has been evolving rapidly ever since.

A SIEM performs two major functions:

Log Centralization

The first, and original, purpose of a SIEM is to serve as a single point of collection for activity logs from disparate systems on an enterprise network. Nearly everything is capable of producing logs in some standardized format: Windows servers, VPN concentrators, network firewalls, managed Ethernet switches, Unix hosts, IDS systems, even individual workstations. In a SIEM deployment, each of these network devices sends its generated logs to a single collection point so that they can be analyzed in one place.

The benefit to this is obvious, if only for troubleshooting purposes. Imagine a mid-sized network that has half a dozen DNS servers, four Active Directory domain controllers, two DHCP servers, redundant border routers, and two hundred wireless access points. Finding a particular wireless host and tracking its Internet activity would take hours or days if each of these devices had to be queried and analyzed separately. With the centralized logging of a SIEM, on the other hand, all the information is in one place and easily searchable, usually with an intuitive web interface. You can track the laptop from the time it is issued an address by the DHCP server to the moment it vanishes from the last access point.

Correlation Analysis

Additionally, a modern SIEM deployment will include a correlation software engine to mine through these disparate logs and alert the administrative staff to potential problems.

Imagine this example: your enterprise network has an LDAP-based single sign-on environment. This means that the same account credentials can be used to log in to any system on the network. Now imagine that someone is trying to gain access to an account with the username “admin”, assuming (perhaps rightly) that this account has elevated privileges and so it is a particularly tempting target. Your computers are set up with account lockout rules – logging in with the wrong password five times will lock the account.

The attacker knows this, so he tries four passwords for the “admin” account on a random assortment of hosts on your network. In an environment of any size, four incorrect logins are not going to raise red flags. But if the logs from these different hosts are all flowing into a SIEM system, the administrators should be quickly alerted by the correlation engine that someone is definitely trying to compromise the “admin” account.
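Both of the scenarios above (tracing a laptop from its DHCP lease through the access points it touched, and spotting a password-guessing run spread across hosts so that no single host reaches its lockout threshold) come down to parsing centralized logs and grouping events by a key other than the host that produced them. The following is an added example, not code from the original post or from any SIEM product. The log lines, hostnames, MAC address, addresses and usernames are constructed for the example, and the simplified syslog-like line format and the "hostapd"-style association messages are assumptions; a real collector would normalize each vendor's format first.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of what a central collector might hold: DHCP leases, access
# point associations and SSH authentication failures from several hosts.
SAMPLE_LOGS = """\
2011-02-21T08:01:10 dhcp1 dhcpd: DHCPACK on 10.20.5.77 to 00:1c:b3:aa:bb:cc via eth0
2011-02-21T08:01:15 ap-lib-2 hostapd: STA 00:1c:b3:aa:bb:cc associated
2011-02-21T08:02:00 fileserv sshd: Failed password for admin from 10.20.5.77 port 51022 ssh2
2011-02-21T08:02:03 fileserv sshd: Failed password for admin from 10.20.5.77 port 51023 ssh2
2011-02-21T08:02:05 fileserv sshd: Failed password for admin from 10.20.5.77 port 51024 ssh2
2011-02-21T08:02:08 fileserv sshd: Failed password for admin from 10.20.5.77 port 51025 ssh2
2011-02-21T08:02:30 mail sshd: Failed password for admin from 10.20.5.77 port 51030 ssh2
2011-02-21T08:02:33 mail sshd: Failed password for admin from 10.20.5.77 port 51031 ssh2
2011-02-21T08:02:36 mail sshd: Failed password for admin from 10.20.5.77 port 51032 ssh2
2011-02-21T08:02:39 mail sshd: Failed password for admin from 10.20.5.77 port 51033 ssh2
2011-02-21T08:03:01 web1 sshd: Failed password for admin from 10.20.5.77 port 51040 ssh2
2011-02-21T08:03:04 web1 sshd: Failed password for admin from 10.20.5.77 port 51041 ssh2
2011-02-21T08:03:07 web1 sshd: Failed password for admin from 10.20.5.77 port 51042 ssh2
2011-02-21T08:05:00 fileserv sshd: Failed password for bob from 10.20.5.12 port 40001 ssh2
2011-02-21T08:05:10 fileserv sshd: Accepted password for bob from 10.20.5.12 port 40002 ssh2
2011-02-21T08:40:30 ap-lib-2 hostapd: STA 00:1c:b3:aa:bb:cc disassociated
2011-02-21T09:10:00 ap-cafe-1 hostapd: STA 00:1c:b3:aa:bb:cc associated
2011-02-21T12:30:00 ap-cafe-1 hostapd: STA 00:1c:b3:aa:bb:cc disassociated
"""

# Assumed line layout: "<ISO timestamp> <host> <program>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)")
AP_RE = re.compile(r"STA (?P<mac>\S+) (?P<action>associated|disassociated)")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse(text):
    """Turn raw lines into dicts with a real datetime; skip anything unparseable."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def trace_mac(events, mac):
    """Log centralization: the timeline of one MAC across DHCP and AP logs."""
    timeline = []
    for e in events:
        m = DHCP_RE.search(e["msg"])
        if m and m.group("mac") == mac:
            timeline.append((e["ts"], e["host"], "lease " + m.group("ip")))
            continue
        m = AP_RE.search(e["msg"])
        if m and m.group("mac") == mac:
            timeline.append((e["ts"], e["host"], m.group("action")))
    return sorted(timeline)


def last_seen(events, mac):
    """(access point, time) of the MAC's most recent AP event, or None."""
    ap_events = [t for t in trace_mac(events, mac) if t[2] != "lease"[:5] and not t[2].startswith("lease")]
    return (ap_events[-1][1], ap_events[-1][0]) if ap_events else None


def correlate_failed_logins(events, lockout_threshold=5, window=timedelta(minutes=10)):
    """Correlation: failures per username across hosts inside a sliding window.

    A single host only sees a handful of failures and never locks the account;
    summing over hosts is what exposes the campaign.
    """
    per_user = defaultdict(list)
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            per_user[m.group("user")].append((e["ts"], e["host"], m.group("src")))
    alerts = {}
    for user, attempts in per_user.items():
        attempts.sort()
        j = 0  # index of the oldest attempt still inside the window
        for i, (ts, _, _) in enumerate(attempts):
            while attempts[j][0] < ts - window:
                j += 1
            in_window = attempts[j:i + 1]
            per_host = Counter(h for _, h, _ in in_window)
            if len(in_window) >= lockout_threshold and len(per_host) > 1:
                if user not in alerts or len(in_window) > alerts[user]["attempts"]:
                    alerts[user] = {
                        "attempts": len(in_window),
                        "hosts": sorted(per_host),
                        "max_per_host": max(per_host.values()),
                        "sources": sorted({s for _, _, s in in_window}),
                    }
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for ts, host, what in trace_mac(evs, "00:1c:b3:aa:bb:cc"):
        print(ts, host, what)
    print("last seen:", last_seen(evs, "00:1c:b3:aa:bb:cc"))
    print("alerts:", correlate_failed_logins(evs))
```

On the sample data the "admin" account collects eleven failures across three hosts with at most four on any one of them, which is exactly the pattern the post describes, while "bob" with a single typo is not reported. Tuning the window and threshold is the part of SIEM deployment that the disadvantages section below is talking about.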

Advantages and Disadvantages

The advantage of a SIEM should be obvious – it allows administrative staff to view the current and past condition of a network with a stunning level of transparency and immediacy. Most popular SIEM products will interface with almost anything that speaks TCP/IP – and, generally speaking, writing new plugins to understand a foreign format is a straightforward task.

The main disadvantage of a SIEM is that it is a very complex product, and even a basic deployment can be a major project unto itself. Each host needs to be configured to speak to the central console. The correlation engine needs to be carefully tuned to minimize false positives and, more importantly, to minimize false negatives. In a complex network, multiple listening hosts (often known as “probes”) may need to be deployed in order to have a clear view of all network traffic. And the hardware to run a project like this needs to be pretty powerful; this isn’t something that will run in a VMware container with a dozen other machines. You need power, memory, and disk to do this right.

But if those disadvantages aren’t too daunting, a SIEM is a fantastic tool for anyone who needs to manage a network with more than a few dozen hosts.

Lojack for Students

February 19, 2011

The Anaheim Union High School District of California has come up with a new scheme for battling truancy: track students with GPS units.

Students with four or more unexcused absences are issued a GPS unit, which they must carry with them during the day. Their locations are checked five times a day – when they leave home for school, when they arrive, lunchtime, when they leave school, and eight PM. In addition to location tracking, students are assigned to a mentor for one-on-one planning sessions to avoid future truancy.

This is an interesting solution to a common problem – although I have to wonder how beneficial it really is to the other students to divert funds from education to technology, in the interests of filling the classroom with students who would rather not be there.

Android Trojan

February 18, 2011

Another trojan for the Android smartphone platform was discovered earlier this week. It is apparently being distributed inside repackaged wallpaper apps in the Chinese market. It essentially uses the phone’s data connection in the background to perform search engine queries and click on results; I imagine that click fraud revenue is a motivator.

Old Accounts

February 17, 2011

A recent survey conducted by Harris Interactive reveals that roughly 1 in 10 IT professionals still has access to accounts from a previous employer. And, considering that this was a survey of IT people, it’s pretty likely that these accounts are privileged in some way.

Are your employment termination procedures up to date?

(The survey has some other interesting conclusions as well, though I would take them with a grain of salt. Most of them concern account and identity management, and the survey was sponsored by a software company that just happens to have products in that space.)

Unsecured IP Cameras

February 17, 2011

Here is an interesting article over at Ars Technica about the prevalence of Internet-accessible cameras that you can find with a simple Google query. Some of them are intended for public consumption, like the aquarium cam he posts a picture from. Some of them are not, like the jewelry store security cam. But all of them are available to anyone who can find the URL in a search engine.

Why is this so?

Well, security cameras used to be a dedicated product with specialized cabling and deployment techniques. But like so many things (voice telephones, printers, POS terminals, etc.), someone had the innovative idea to just put cameras onto an IP network instead. This meant that the cameras no longer needed runs of special analog cabling back to a VCR or monitor – instead, you could just access the video feed with a web browser.

Well, this is an excellent advancement. But moving things into the IP world means that you now have to be familiar with how to secure things in that world. And clearly, many people are not. They don’t think to change default passwords, or close firewall holes, or whitelist allowable addresses. And their cameras show up in this article.

Cameras aren’t the only culprit. Here’s a list of common IP devices; are you sure that they’re all properly secured on your network?

  • Printers
  • Vending Machines
  • Cash Registers
  • Card Swipe Readers
  • Handheld Scanners
  • Smartphones
  • Tablets
  • Administration Interfaces (like HP’s iLO)

Securing an IP network means securing everything on that network, not just what we traditionally think of as “computers”. Because everything on that network is a potential target and a potential beachhead for an attacker.

Robotic Safe Cracking

February 16, 2011

So, what do you do when you get your hands on an old safe with an unknown combination?

Build a robotic safe cracker, of course! It’s either that or die of curiosity – the Magic Safe could contain anything!

Rivest Lecture

February 16, 2011

Ron Rivest, perhaps best known as the “R” in “RSA”, delivered a lecture yesterday at MIT on the past and future of cryptography. It touches on his invention of public-key crypto in the 1970s, as well as some possible applications — such as micropayments and electronic voting systems — in the future. Not a lot of new material for people who work in the field, but still interesting stuff.

Java Updates

February 15, 2011

It’s that time of month again – Oracle has released another patchset for Java, including fixes for 21 different security issues.

Write once, hack everywhere, I guess.

Cybersecurity Budget

February 15, 2011

In a fairly austere budget year, the Obama administration is pushing for a significant increase in cybersecurity research funding at the federal level. This is a clear response to the complete inability of some government agencies to control data exfiltration (see: Wikileaks) as well as the threat to SCADA and other systems represented by Stuxnet.