Today, families gathered in one of America’s oldest, greatest cities to support their loved ones as they accomplished something incredible, something they’ve already had to work very hard to even attempt. For some, it was another run in the city. For others, it was a first.
A marathon is a celebration of life. The legend, of course, is that a Greek messenger ran from the battlefield at Marathon to Athens, roughly 25 miles, to announce victory over the invading Persians. He arrived in time to deliver his precious message, then collapsed dead. (The modern 26.2-mile distance was standardized centuries later, but the spirit is the same.) To run this kind of distance is no easy feat. To run it competitively is nothing short of amazing. But whether you finish in 2:15 or 5:21, it’s a feat that should be celebrated.
Some of these families will be going home without everyone. Literally unwhole. Their faith and their support have been repaid with senseless bloodshed.
I can’t pretend like today’s events in Boston haven’t affected me pretty deeply, much more so than these things usually do. I can’t help but be incredibly angry about this, because it’s not just people like me who were being targeted. It’s the people whom I love and who support me that were targeted.
Not in Boston, but I’ve been there… Four hours into the race with family waiting by the finish line. Yes, in a very real sense, that could have been me and mine. And that makes me very, very angry.
As I write this, we’ve reached the “know-nothing” phase of news coverage. We aren’t learning anything new, but the incessant review of the carnage and the footage and the footage of the carnage must carry on.
It’s not that I don’t care anymore, it’s that I’m already exhausted. I’d like to know why, but I wish we could continue learning about this horrible affair without giving the perpetrators the attention they do not deserve.
I work in network and application security, so you’d think I’d have my home in order. And when it comes to my digital presence, you’d be right. But my home? Well, let’s just say that’s been a lesson learned…
A couple of weeks ago, my wife and I left work at the end of the day and arrived home to find our garage door opener wasn’t responding to the remote. While that was puzzling, there are plenty of plausible explanations for that. Maybe the power was out, or the battery in the remote died… So, we walked up to the front door to let ourselves in the old fashioned way.
The front door had been pried open but left propped mostly closed behind the storm door. It was immediately obvious that we’d been robbed.
As we looked around the house and assessed what had happened, a few things became clear:
- The thieves had gone into the garage, pulled the emergency release on the door opener, and used that to get a vehicle in and out to buy themselves more time.
- The thieves had a set list of items they were looking for: TVs, computers, guns, gemstones, watches - things they could fence easily. Items not in their list they left alone.
- They avoided things with extensive cords or wires. They took a laptop and its power brick, but left a superior desktop sitting immediately beside it. They took the audio receiver and DVD player, but left the speakers.
As we worked with the county sheriff’s office, we learned that the crew that had hit us had also hit at least three other houses in the general area that day — all during broad daylight.
And despite the obvious pain points, we were lucky. All of the stuff taken was just that — stuff. Thanks to the thieves’ selectiveness we didn’t lose anything of sentimental value, nothing that couldn’t be replaced by insurance.
So, I’ve learned an important lesson about home security. I wouldn’t be a good Samaritan if I didn’t share a few tidbits of knowledge…
DINKs are an Easy Target
Dual Income, No Kids. It means you’re pulling in the bank, but you’re not investing it into a mini-you. It also means your house is probably conspicuously vacant during the weekday.
We heard neighbors mention that, prior to the break-in, some folks were going door-to-door to solicit a new lawn care business, but they didn’t have a brochure, a flyer, or a business card. This was probably the casing job, and it would have been easy to identify that no one was at home during regular business hours.
Your Neighbors Aren’t a Theft Deterrent
You can’t count on your neighbors to provide an ambient deterrent. There are way too many situations where they just won’t be there to see something happening at your house. My most reliably nosy neighbor was away on errands (though, to hear her tell it, she is terrified for her personal safety because she’s at home all day). Besides, it’s not as though you can expect them to be glued to their windows, watching your house. Even if they do, will they realize there’s a theft in progress? Will they react in a timely fashion?
Get A Monitored Security System
You aren’t home, your neighbors aren’t watching your house… so do something! Get yourself a monitored security system.
First place I looked was the ever-ubiquitous ADT, but after quite a lot of research, I settled on SimpliSafe. For just $25/month, I get the top tier of their monitoring service. That gets me all the remote access I want, a smartphone app, and a number of other really nice features. That’s $10 cheaper than ADT’s least expensive and least featured option. True, I didn’t get a $100 install deal. It was quite a bit more up front and it was self-install. Personally, I prefer that to yet another stranger sussing out the soft spots in my home’s security.
The install price pays for itself in time anyway. Having a monitored system gets me a $28/month discount on my homeowner’s insurance, and I haven’t even added fire sensors yet. Once I do, that discount increases. At that rate, the installation will be paid for inside of two years’ time.
Once you’ve got it installed, train yourself to use it. I’ve got a reminder on my iPhone to arm the system set to trigger whenever I leave.
Deadbolts Really Are A Must
I’d always wondered a little bit how much of a difference deadbolts would make. Turns out, they make all the difference. The thieves went through our front door in seconds with a crowbar because there was no real reinforcement there that would stand up to that kind of force.
The seeds of theft, both digital and physical, are usually the identification of weak points. At work, I’ll call it low hanging fruit. Unless there’s strong motivation to target a specific someone, thieves don’t want to have to work hard. If a target is difficult to rob, they won’t.
Having a deadbolt in each of your entryways makes your house high-hanging fruit.
Act 1 of 5 is now out for Windows and Mac. I’m intrigued by this, but I’ll be holding out for the Linux version (promised “soon”) before I move on this. If you’re bold enough to give this point-and-click a spin, be sure to share your impressions with me!
Notice: This post contains mild spoilers, but it’s nothing you can’t gather from the trailer.
The fact that Skyfall is in theatres right now is pretty impressive, considering that MGM died and came back to life just to bring us more Craig-Bond. Still, it’s a pretty good movie. Except for how it deals with technology.
Given the day and age we live in, it’s hard to ignore technology in modern movie plots. This makes it all the more bewildering that so few writers manage to do it well. Much, much more commonly they do a terrible job with it. Skyfall is a perfect example.
Here’s a rundown of the top ten things that went wrong with technology in Skyfall’s script.
1.) IP Tracing Backwards
At one point early on, the folks at MI6 have the opportunity to trace a computer attack in progress. They run through it like a phone trace. The attack is coming from the UK, specifically London. Gasp! The attack is coming from inside MI6!
Here’s the problem: that fact would have been immediately obvious. There are only three ranges of IP address space reserved for private networks (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), whether it’s your home wifi or a first-world intelligence agency. If the attack had originated from inside the private network, the source address alone would have said so, and they would have been able to identify the asset it came from instantly.
Egregiousness factor: Minimal. They arrived at the same conclusion with a bit more pizzazz. Something happens on-screen that precludes the next phase of the investigation (who’s connected to that asset as a relay point?), but in the real world this investigation would have continued into containment and then prevention.
2.) Don’t Click Shit!
Later, M receives another fun little message from the hacker-sauce villain. The theme of the message follows on the one that punctuates the scene I described above, which was a personalized multimedia presentation designed to incite a response from her. This time, the message includes a link.
Naturally, M clicks it.
Oh, it’s only a link to an online video; that’s lucky! Granted, the attacker already has enough control over M’s system to steal focus on an active console session. It’s unlikely he would actually need human interaction to do further harm on that system (or, following on the previous scene, that network). Still…
Egregiousness factor: Irritating, but plausible. As the head of an organization that certainly traffics independently in information and security, this kind of thick-headed ignorance to information security is shocking. Has she neither the training nor the sense that clicking on an obvious hacker payload is a terrible idea? Why was the IT department not her first phone call after clicking it?
3.) Let’s Plug It In, I’m Sure It’s Safe!
At one point, the villain is captured and brought to MI6’s headquarters. They do the sensible thing with his meatworks: they put him into a holding cell where his captors have access to him to interrogate, but he does not have access to anything outside of the cell. That’s how holding cells work, generally.
Meanwhile, they are far less sensible about his laptop. They plug it into the network to explore its contents. Not an isolated DMZ for untrusted or possibly malicious assets. A trusted network! With access to important subsystems, like the controls to the physical holding cell.
Predictably, things do not go well for MI6.
Egregiousness factor: Idiotic. Q is not a genius.
4.) It Takes Two
The aforementioned laptop has not one, but two ethernet interfaces. It’s a really, really beefy machine. I bet one is for all the packets in and the other is for the packets out. Computers work like that, right?
Egregiousness factor: No. Computers do not work like that. Not without an unnecessarily convoluted, environment-specific configuration, and even then it does not convey that the machine is any more super. It just makes #3 twice as dumb.
5.) A Frantic Hacking Scene
On the heels of the scene I described in #3, there’s a frantic hacking scene. The good guys are trying to unravel the loot from the villain’s laptop. Technical terms are flying back and forth, regardless of whether they fit or not. The screen is a mess of nonsense visualization, mostly just to try (and mostly fail) to represent how hard this is.
I’ll dig into some of the finer points of awfulness, but this scene is a classic example of throwing as much jargon as the writers could find at the script and hoping beyond hope that something sticks.
Egregiousness factor: This is slightly less bad than the horrifying programming/hacking sequence of Swordfish.
6.) Polymorphic Encryption
One of the more irritating examples of nonsense jargon to come out of #5 was the following utterance from Q: “He’s using a polymorphic encryption algorithm. It keeps changing!”
Let me be clear. This is not a thing. This doesn’t even make sense.
Whether you’re using symmetric or asymmetric encryption, the point is that a key decrypts the ciphertext, and that key doesn’t spontaneously change. If some process on the machine is continually re-encrypting the data, the new ciphertext still comes from a key that machine has to hold somewhere, so in the end the same material unlocks it all and the attacker’s job hasn’t changed. And if your scheme only holds up so long as the ciphertext keeps changing, your algorithm wasn’t very good in the first place. Re-encrypting with a derived key doesn’t rescue it.
Egregiousness factor: High. This is entirely unnecessary. If I start talking about ACTUAL ENCRYPTION THAT REALLY EXISTS, I will make most people zone out within minutes. You don’t have to invent bullshit to tech-impress the audience.
7.) Gibberish != Hexadecimal
During the same hacking sequence I described in #5, Bond’s contribution is to identify non-hexadecimal pairs of characters in a block that is otherwise clearly hexadecimal. This isn’t a great observation; these couplets are literally in a different color on screen.
Egregiousness factor: This is utter nonsense. The stuff you’re putting on screen, it’s either hexadecimal or it’s not. Anything that isn’t 0-9 or A-F is not hexadecimal. Make up your mind. This was not a clue, it was stupid.
8.) An Ultimately Weak Lock
Those non-hexadecimal characters I mentioned in #7 quickly anagram out to form a word, a name. “Try that as a password,” Bond suggests. It works. The tangled knot of nodes and edges quickly unscrambles into the protected data.
Egregiousness factor: My brain is exploding because of the bullshit.
Given how they pointed out in #6 that the bad guy is using mythical encryption functions to protect his data, you would expect the key to rival the effort he’s put into protecting his data.
No; that might make sense. Instead he’s using a password. A case-insensitive password of a single character class and about 10 characters. A password that is barely better than “password”. A password he left lying around in his data on the device.
The more believable setup to this whole moronic scenario would be if he’d written the password on a post-it on the bottom of the laptop. Oh, I forgot; he’s a spy. Maybe put the post-it in a secret compartment.
9.) Radio is Awesome Technology
Skyfall has no hesitation expressing its love for radio. This might be touching, if they spent any amount of time thinking about how radio works (or at least how it doesn’t work).
First is the tracking transmitter Bond is given by Q early on in the film. It’s one of the only two “gadgets,” if you can indeed call them that, that he’s given. It’s not a GPS tracker; that point is made amply clear through dialog from multiple characters.
The thing is the size of a keychain, which means it’s powered by a watch battery. Let’s go nuts and assume it’s powered by two watch batteries. That’s not enough power to transmit a signal from a remote area of China to even one listening station where MI6 could receive it, let alone the three it would take to triangulate a signal.
Later on, Bond finds himself chasing our super villain through Underground tunnels. Meanwhile, back at MI6, a little icon labeled “Bond” zips through a 3D map of the tunnels. How is he being tracked? Presumably it’s the same radio transmitter. But it turns out radio waves don’t travel all that effectively through rock — there are physical limits to how radio travels through dense material like rock and concrete. So, apparently I was wrong before: that transmitter is powered by magic.
Egregiousness factor: Forgivable. If this were the worst of the movie’s offenses against science, it would hardly be worth mentioning. I bring it up largely because the script goes out of its way to applaud low tech, even while abusing it as thoroughly as it does high tech.
10.) “There’s only 6 people in the world who could code this.”
No. You’re wrong, Q. This statement is foolish and you’re an egotistical ass.
It might be true (though a stretch) that only a handful of people in the world could originally come up with a programming trick, but once it’s been done it can be replicated. Despite everything Hollywood has tried to convince you of, the world has no shortage of very smart people who are very good at expanding on good ideas, if not cooking them up on their own. In fact, there are entire sub-industries within IT made up of them.
Pro tip: almost none of the aforementioned very smart people work for governments during peace time because the pay is dirt.
Skyfall may be the least Bond-like Bond film I’ve seen. With Daniel Craig in the suit, MGM has been reaching for a grittier Bond. They’ve added a few dashes of John McClane to the mix. I would say this experiment has been a mixed bag but is mostly successful. It’s with disappointment (and a fair amount of catharsis) that I write this post, because I want to see Hollywood do tech well, and even when it’s doing other things right, so much goes awry with the wrong consultants on the job. So, Hollywood! Bubbe! Give me a call next time, alright?
I decided to give lock picking a spin at DerbyCon. I bought a basic set of picks from the Fraternal Order of Locksport (FOOLS) crew and sat down to begin my first attempts at picking a padlock.
It turns out the Master Lock No. 4 laminated locks are ridiculously easy to pick — I was able to tackle those as a complete novice in a matter of minutes. The Master Lock No. 3 proved more of a challenge. I was able to defeat the lock just once before the end of the conference, and only then after a half hour of trying and some pointers from a more experienced lock picker. When I got home, I bought a No. 3 to continue practicing.
As you can see from the video here, I’ve gotten pretty handy with it. I can now pop this padlock pretty reliably in a matter of seconds. I’m looking to progress onto some more difficult locks; perhaps a 5- or 6-pin cylinder before attempting something with security pins? Any suggestions on what locks to look for next?
Last night, NIST announced the winner of the SHA-3 competition that began back in 2007. The algorithm being standardized is Keccak (pronounced “catch-ack”). It was designed by a team of cryptographers from Belgium and Italy (Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche), most notably Daemen, who co-designed the Rijndael cipher we’ve come to know as AES. Keccak is not derived from SHA-2; it is built on an entirely different construction, a sponge function rather than the Merkle–Damgård structure shared by MD5, SHA-1 and SHA-2. The advantage is that a future attack on SHA-2, hypothetical or actual, does not automatically extend to SHA-3.
The thing to keep in mind when considering this news is that SHA-3 is neither replacing a broken algorithm nor providing a one-stop shop for protecting sensitive data. If we’ve learned just one thing since GPUs became cheap general-purpose number crunchers, it should be that hash functions are deterministic, one-way compression functions, not encryption. They are also fast by design, which is exactly the problem when one is used to protect a password: an attacker holding the hash simply hashes candidate passwords, billions per second on commodity graphics cards, until one produces a matching digest.
Why am I on a soap box about it? Two reasons.
First, I’m already seeing people eager about “upgrading” existing security functions that currently employ SHA-2 to SHA-3. This is nonsense; SHA-2 is unbroken, and SHA-3 is not quantifiably more secure than it. Please don’t do this. It’s a waste of your time and your employer’s money.
Second, and more troubling, I’ve seen some folks excited about “upgrading” from bcrypt to SHA-3. This isn’t nonsense, it’s absurd. An algorithm like bcrypt is valuable for salted password storage because it is a deliberately slow password hash with a tunable cost factor (scrypt adds memory-hardness on top of that). It is slow, and when it comes to storing passwords, slow is secure. To the person who already knows the password, an evaluation that takes a few hundred milliseconds is less than a hiccup. But it makes brute-forcing a stolen password hash wildly impractical, because the attacker pays that cost on every single guess. Keccak offers nothing of the kind; if you eschew something in the bcrypt/scrypt/PBKDF2 family for plain SHA-3, you’re regressing straight back into GPU-assailable territory.
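To make the difference concrete, here is an added example (mine, not anything from NIST or the Keccak team) that stores the same constructed user table two ways: unsalted SHA3-256, and salted PBKDF2-HMAC-SHA256, which stands in for bcrypt/scrypt because Python’s hashlib ships it. The wordlist, user names, passwords and the 100,000-iteration work factor are all assumptions for the demonstration. Run it and watch the unsalted table give up two users for the price of one guess, while every guess against the PBKDF2 records costs tens of thousands of HMAC computations.

```python
"""Added example, not part of the original post: why a fast hash such as
SHA-3 is the wrong tool for password storage, and what a slow, salted KDF
actually buys you. Standard library only; all data below is constructed."""
import hashlib
import hmac
import os
import time

# Constructed wordlist an attacker would try first. Real lists run to
# millions of entries, but the shape of the attack is identical.
WORDLIST = ["password", "letmein", "123456", "qwerty", "silva", "hunter2"]

# Assumption: a work factor in the range that was reasonable circa 2012.
PBKDF2_ITERATIONS = 100_000


def sha3_store(password: str) -> str:
    """The naive 'upgrade': unsalted SHA3-256. Deterministic and fast, so
    identical passwords give identical digests and one precomputed table
    cracks every user who picked the same password."""
    return hashlib.sha3_256(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated storage. Record format 'iterations$salt$digest'
    (hex) so the work factor can be raised later without breaking old
    records; each user gets a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time
    compare so the check itself leaks nothing about the digest."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(digests: set, wordlist=WORDLIST) -> dict:
    """Dictionary attack on unsalted SHA-3 digests: one hash per candidate
    word is tested against the whole stolen table at once."""
    found = {}
    for word in wordlist:
        d = sha3_store(word)
        if d in digests:
            found[d] = word
    return found


def crack_pbkdf2(records: list, wordlist=WORDLIST) -> dict:
    """Same attack on PBKDF2 records. The salt forces a separate attack per
    record and every guess costs `iterations` HMACs. Weak passwords still
    fall; the KDF multiplies the attacker's cost, it does not erase it."""
    found = {}
    for record in records:
        for word in wordlist:
            if pbkdf2_verify(word, record):
                found[record] = word
                break
    return found


def guess_cost_ratio(samples: int = 20) -> float:
    """Per-guess cost of PBKDF2 relative to a single SHA3-256 call.
    Wall-clock timing, so only the order of magnitude is meaningful."""
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha3_256(b"hunter2").hexdigest()
    fast = (time.perf_counter() - t0) / samples
    salt = b"\x00" * 16  # fixed salt is fine for a timing measurement only
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"hunter2", salt, PBKDF2_ITERATIONS)
    slow = (time.perf_counter() - t0) / samples
    return slow / fast


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "silva"}
    naive = {u: sha3_store(p) for u, p in users.items()}
    print("alice and bob share a digest:", naive["alice"] == naive["bob"])
    print("cracked from unsalted table:", crack_unsalted(set(naive.values())))
    safe = {u: pbkdf2_store(p) for u, p in users.items()}
    print("alice and bob share a record:", safe["alice"] == safe["bob"])
    print("cracked from PBKDF2 records:", len(crack_pbkdf2(list(safe.values()))))
    print("per-guess cost ratio, roughly:", round(guess_cost_ratio(5)))
```

Note the caveat the last function makes visible: the KDF does not turn “hunter2” into a good password. What it does is charge the attacker the full work factor on every guess, which is the difference between a weekend and a geological era once the wordlist stops being six entries long.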
The roundabout point I’m making here is that the NIST announcement does not radically change the landscape. If this news already has you thinking about radical change in your software, you’ve probably not got your feet planted firmly on the ground. Best to consider SHA-3 an alternative to, but not a replacement for, SHA-2.
Postscript: Please tell me you’re not still using SHA-1. Please, please tell me you’re not still using SHA-0 or MD5.
A security conference is usually a pretty good time and place to drop some new software (or the occasional 0-day) on the world and this year’s DerbyCon in Louisville, KY was no disappointment. Over the next few days, I’ll cover some of the new shinies that saw their first dawn at the conference as well as some of my general take-aways and talking points.
First up is a nifty piece of software called CookieCadger. Drawing its name from the verb to cadge - meaning to obtain by imposing on another’s generosity - CookieCadger is a spiritual successor to FireSheep.
FireSheep is a security toy released as a Firefox extension back in 2010 to demonstrate the need for SSL on the social networking sites that have become the backbone of our daily web consumption. It implemented a session impersonation attack by lifting session identifiers from cookies transmitted over unencrypted web traffic, then presenting the victim’s session for the click of a button. The project caught the attention of the intended parties, HTTPS was enabled for the big players, and FireSheep drifted into obscurity as an unmaintained project.
Two years later, enter CookieCadger. Started as an Iowa State graduate project by Matthew Sullivan, CookieCadger expands on the legacy of FireSheep and builds a considerably more robust toolkit from the same concept.
An attacker runs the software (written in Java, so it’s cross-platform from day one) on one or more network interfaces, presumably on older wireless or unswitched wired networks. For instance, let’s say he’s in the corner of Joe’s Coffee Shack, a local draw known for its free wifi and open mic nights. All around him people are happily conducting web traffic over port 80, blissfully unaware or unconcerned with the truth that their data is literally flying through the air. The attacker’s machine is sniffing this traffic and extracting vulnerable session data from the packet stream. He doesn’t even need to be sniffing traffic live; he can load a pcap file captured anywhere along the path, so don’t think you’re safe just because your own traffic runs through switched hardware.
As a blue team member, I’ve already started to come up with some practical applications for this application. The most obvious is to use it for your company’s web applications to verify whether you’re leaving yourselves vulnerable to this exact method of exploitation. I can also see this being used in layperson presentations to demonstrate what SSL encryption is, why it’s important, and what can happen if you believe it doesn’t matter to you.
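To show both halves of what the two paragraphs above describe, here is an added example of my own (not CookieCadger’s or FireSheep’s code). The first half is the attacker’s view: pull session identifiers out of plaintext HTTP requests and assemble the forged request that impersonates the victim. The second half is the blue-team check: audit your own Set-Cookie headers for the Secure flag, because without it the browser will send that cookie over port 80 no matter how carefully your login page uses HTTPS. The captured requests, hostnames, cookie values and the list of “session-looking” cookie names are all constructed for the demonstration.

```python
"""Added example, not part of the original post or of CookieCadger:
(1) harvest session cookies from plaintext HTTP requests the way a
sniffer on an open network would, and (2) audit Set-Cookie headers for
the flags that stop the browser from leaking them over port 80.
All traffic below is constructed sample data, not a real capture."""
from http.cookies import SimpleCookie

# Constructed plaintext requests as they would appear on the wire (no TLS).
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: sid=9f3a7c0e2b; theme=dark\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
    b"Cookie: JSESSIONID=ABC123; lang=en\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
]

# Assumption: names commonly used for session identifiers. Real tools keep
# per-site profiles; a name heuristic is enough for the demonstration.
SESSION_COOKIE_NAMES = {"sid", "sessionid", "session", "phpsessid",
                        "jsessionid", "asp.net_sessionid"}


def parse_request(raw: bytes):
    """Split one HTTP/1.x request into (host, path, {cookie: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return headers.get("host", ""), path, cookies


def harvest_sessions(captures):
    """What the sniffer collects: (host, cookie name, value) for every
    session-looking cookie sent in the clear."""
    hits = []
    for raw in captures:
        host, _path, cookies = parse_request(raw)
        for name, value in cookies.items():
            if name.lower() in SESSION_COOKIE_NAMES:
                hits.append((host, name, value))
    return hits


def forge_request(host: str, path: str, name: str, value: str) -> bytes:
    """Session impersonation is nothing cleverer than this: put the stolen
    cookie into your own request. The server cannot tell the difference."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {name}={value}\r\n\r\n").encode()


def audit_set_cookie(header_value: str):
    """Blue-team check on one Set-Cookie header value. Returns a list of
    findings; an empty list means the cookie has both flags."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plaintext HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    return findings


if __name__ == "__main__":
    for host, name, value in harvest_sessions(CAPTURED_REQUESTS):
        print("leaked:", host, name, value)
        print(forge_request(host, "/", name, value).decode().strip())
    # Constructed responses from two hypothetical applications.
    for hdr in ("sid=2b7f9e0c; Path=/; HttpOnly",
                "session=4d1e8a; Path=/; Secure; HttpOnly"):
        print(hdr, "->", audit_set_cookie(hdr) or "ok")
```

Two caveats worth stating plainly: HttpOnly does nothing against a sniffer (it only keeps page scripts away from the cookie), so the flag that matters for this attack is Secure; and Secure only helps if the whole application, not just the login form, is served over HTTPS, otherwise the browser simply never receives the flagged cookie on the pages that need it.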
CookieCadger is not free, but it’s a very modest $10 and that money goes direct to Hackers for Charity. I’ve already got my copy and I’ve been tinkering around with this at home. I recommend checking it out. The source code will be released in the near future (supposedly mid-October) after undergoing a post-hackfest code cleanup.
Check out Matthew Sullivan’s slides for the presentation here.