Archive for the 'Security' Category

Removing Adobe DRM from Books

Sunday, May 10th, 2020

Digital Restrictions Management is an abomination. I try to avoid it, but ever so often you stumble upon something, and you need it in readable, unrestricted form. Turns out, the mechanisms for removing DRM are just as an unholy mess of outdated software and scripts for proprietary systems as the DRM systems themselves.

The first thing you get when stumbling upon Adobe DRM is an .acsm (Adobe Content Server Message) file. It’s an XML that tells Adobe Digital Editions (and Apps that implement it) where to download the data.

Apparently, there’s several versions of Adobe DRM, and you can enforce an earlier one with a downgrade attack, by using Adobe Digital Editions 2.01 for Windows, apparently still available from Adobe, as it’s the last version to run on Windows Vista and Windows 7.

And yes, you need to create an account at Adobe to use these.

I actually tried ot the newest one (4.5.11) as well. Installation is straightforward:

WINEPREFIX=~/.wine.ade4 winetricks corefonts dotnet40; \
WINEPREFIX=~/.wine.ade4 wine ADE_4.5_Installer.exe

According to winehq.org this should work, but upon trying to download anything with it, it returned E_ADEPT_DOCUMENT_TOO_SHORT.

ADE 2.01 is a bit trickier, it needs a 32bit wine prefix, and dotnet 3.5, servicepack 1. As 4.5.11 it needs corefonts too.

WINEARCH=win32 WINEPREFIX=~/.wine.ade2 winetricks corefonts dotnet35sp1; \
WINEPREFIX=~/.wine.ade2 wine ADE_2.0_Installer.exe

Again according to winehq.org this should work as well, but also returned E_ADEPT_DOCUMENT_TOO_SHORT, which might point to some network-problem, winbind-error, crypto-library too new or somesuch. In any case, you can’t find anything useful by searching for the error.

So I’ve been looking for other apps, some open source on github or somesuch, that could use .acsm files for download. And I found at least one: Aldiko, on Android. It’s apparently also abandoned, but it still can be found on Google Play. I got myself Aldiko Classic 3.1.3.

Upon loading a .acsm File in Aldiko (from anywhere, basically, I copied some I downloaded with the Browser on my Workstation into /sdcard/Download), you get prompted to enter your Adobe acocunt; after that it downloads the books to /sdcard/eBooks. And you can copy over these to any device that has the keys for your adobe account. Like your wine-prefix.

I initially tried to get DeDRM working standalone or with my Calibre on Linux, but it turned out this thing is a collection of dozens of scripts, which all demand python 2.7. Which is EOL, and which no sane person should use aynmore. As you can see from the pull-requests and issues, there’s some efforts of making these work on contemporary python, but these went nowhere so far (“Python tests (2.7) failed” — duh!).

Also, as it turned out, after I fixed one of the scripts to run with python 3, these things rely on the existence of ADE on your system; and you either need to somehow convert registry-entries or get files from MacOS to get the device key and the licence key. Which then are pumped through some assembler(!) to get a useful .der file. All in all, too complicated,

What I did instead was to install python-2.7.msi, pycrypto-2.6.win32-py2.7.exe and calibre-3.48.0.msi into the wine-prefix and run from there:

WINEPREFIX=~/.wine.ade2 wine msiexec /i python-2.7.msi; \
WINEPREFIX=~/.wine.ade2 wine pycrypto-2.6.win32-py2.7.exe; \
WINEPREFIX=~/.wine.ade2 wine msiexec /i calibre-3.48.0.msi

Within calibre, finally, in “preferences -> Plug-ins -> Load Plugin from file” I installed DeDRM_Plugin.zip from DeDRM_tools_6.7.0.zip.

The books downloaded with Aldiko on Android and copied over can now be added to the collection in calibre, and have their DRM removed automatically.

The Biggest Threat to Cyber-Security is Surveillance

Thursday, September 8th, 2016

The biggest threat to cyber-security is surveillance. Or rather the will, ability and legal status of organisations who prioritise surveillance and active attack abilities above defence and security.

The point is, that surveillance does not mean passive wire-tapping. It means attacking infrastructure where the data you want is available unencrypted, or infrastructure through which the message or data travels. Infrastructure which might not be under control of the entity trying to gain these surveillance-capabilities. For instance it might target the sender or the recipient of an encrypted e-mail or instant-messenger message. Or an intermediary, in order to know who communicates with who in the first place. All these actions are not comparable with passive wire-tapping, in fact, these attacks are indistinguishable from hacker-attacks aimed towards any other goal, like the enactment of botnets; and they also enable the attacker not just to eavesdrop, but to do whatever else he pleases, from launching man-in-the-middle attacks to denial-of-service, ransomware, attacking somebody else and so on. So surveillance is an attack as any other.

The problem now stems from the fact, that in order to attack somebody, you need knowledge of insecure systems, vulnerabilities, on their part. Typically, what you use are exploits, and if they’re not published yet, they’re called zero-day-exploits. Now, as long as you don’t tell anyone, these vulnerabilities don’t get fixed. They might be found by somebody else, and published or not. As soon as they get published, they loose their value for attack. Now, during that period when you have a zero-day-exploit on your hands, you might mitigate that vulnerability on your systems. But you actually can’t mitigate them on all systems of your allies, because then the secret would go out. So you don’t. Which leads to one outfit having knowledge of vulnerabilities leaving every other outfit at risk.

In a practical example, 2013 a server was hacked, that was used by the NSA as staging system for attacks. The Shadow Brokers hack was made public only in 2016, and it turned out, the NSA had stashed a load of zero-day-exploits there, some of which were still zero-days in 2016, but the majority of them had already been made public. Now, not only illustrates this that independent researches will find these “secret” vulnerabilities eventually, but also something much more sinister: The NSA had actually put every other US-agency, including FBI and DOD, the government, critical infrastructure (including power plants, water supply and hospitals) and finally all its own citizens at risk.

With all the secret services world-wide, and often also police-units (For instance, the Zürich Police bought surveillance software from Hacking Team containing three zero-day-exploits) involved in ramping up their cyber-attack-capabilities, most often with the goal of surveillance, we can see an extreme effect on creating a market for zero-day-exploits. Where fifteen years ago no noticeable market existed at all, we now have one whose prices start at USD 40’000 and go up to USD 500’000 per exploit, as evidenced by the price-list published by Zerodium In other words, secret services and police are actively undermining the security of everyone on this planet, friend and foe alike.

The trouble is, highly technological societies are much more vulnerable to this. For guerillas, insurgents and terrorists the benefits of being able to exploit vulnerabilities is much greater, and they don’t really have to defend any friends from such attacks. So the ones that suffer the most, are the people and governments of exactly the same nations and states whose secret services and police are actively undermining their security. This is a grave situation, as most governments have not even realised what it is they have their secret services and police doing, and are actively trying to destroy their own security with initiatives that call for weakening of crypto or for government back doors. Or at least, trying to explicitly legalise these practices as seen with Switzerlands NDG, which of course will have a very much adverse effect of security.

The solution is surprisingly simple, the only impediment is, as usual, the widespread incomprehension of the problem itself. Since every vulnerability that is made public eliminates the exploitation of it for everyone, the only solution is to make every vulnerability public as soon as possible. The usual, and in fact “best practice” of the computer industry, is called “responsible disclosure”, where the manufacturer of a software or product is informed a few days or maximum weeks in advance, so he can fix the vulnerability, before the issue is made public. And in the end, it’s the only solution that will really make us more secure.

Die Überwachung und der Skandal

Thursday, January 30th, 2014

Spätestens seit den späten 80er Jahren ist bekannt dass die NSA alles überwachen möchte, namentlich wurden da Details über das ECHELON Projekt, welches Funksignale auch in Europa z.b. via den Abhörstationen in Menwith Hill (UK) oder Bad Aibling (DE) abhört bekannt. Der Spiegel berichtet 1989 darüber: NSA: Amerikas großes Ohr.

Nicht nur der Funk wurde abgehört, sondern schon damals war es ein offenes Geheimnis dass die NSA in Frankfurt “in unmittelbarer Nachbarschaft der Postzentrale” hunderte von Telefonleitungen betrieb. Und in den 90ern war bekannt dass die NSA im selben Gebäude wie der DE-CIX ein Büro unterhielt, später dann aber nach gegenüber umgezogen sei (Scheinbar ist das nicht ganz korrekt: Die NSA hatte offenbar ein Büro über dem Hauptpostamt, aber das war vor der DE-CIX Zeit. Was aber nichts daran ändert dass die NSA später in unmittelbarer Nähe vom DE-CIX Büros unterhielt).

Dass die NSA versucht im Ausland alles zu Überwachen war also schon in den 90ern klar, und wem sich dafür interessiert hat auch bewusst. Auch klar war dass da mindestens eine Billigung durch entsprechende Behörden in den UK, Deutschland und anderen Ländern vorhanden sein musste.

Was weder mir noch der Öffentlichkeit klar war, ist das Ausmass in dem die NSA, zumindest im 21. Jahrhundert, damit erfolgreich war.

Der Skandal in den USA

Der eigentliche Skandal ist aber ein anderer. Einerseits hat den die USA selber: Die Überwachung der eigenen Bevölkerung war weder Auftrag der NSA, noch legal. Die versuchte Rechtfertigung mit “National Security Letters” und esoterischer Gesetzesauslegung sind nicht mehr als ein Feigenblatt, um die Verfassungs- (und eigentlich auch Gesetzes-)widrigen Machenschaften der NSA und der Regierungen Bush Jr. und Obama zu decken. Aber das ist erstmal das Problem der US Bürger.

Der Skandal hier…

Andererseits haben wir auch einen Skandal. Nämlich wie die Taten der NSA durch lokale Geheimdienste und Regierungen gedeckt wurden. Ja, die USA dürfen nach ihren eigenen Gesetzen bei uns spionieren. Aber nicht nach unseren. Und während die meisten Europäischen Geheimdienste, im Gegensatz zu den US-Amerikanischen, auch die eigenen Einwohner bespitzeln dürfen, so dürfen sie eines nicht: Daten über die eigenen Bürger an fremde Mächte weitergeben. Und statt Spionage-Abwehr zu betreiben haben wohl einige europäische Geheimdienste, darunter ziemlich sicher der BND, wohl genau das Gegenteil getan und ihre eigenen Bürger verraten.

..und der Skandal wie damit umgegangen wird

Und der dritte Skandal an der ganzen Sache ist wie die betroffenen Regierungen damit umgehen. Statt sich sofort hinter die eigene Bevölkerung zu stellen und die Übeltäter im eigenen Land vor Gericht zu ziehen, der NSA die Dependencen zuzumachen und den Datenfluss abzuwürgen übt man sich in lahmen Verleugnungen (“es gibt keinen Skandal”), Relativierungen und Rechtfertigungen.

Klar, einige Leute in den Regierungen wussten vermutlich etwas zuviel, aber das ist weder ein Grund nicht sofort die Geheimdienste an die Leine zu nehmen oder zuzumachen, noch ein Grund die ganze Sache herunterzuspielen. Und für die Parlamente ist das schon gar kein Grund nicht sofort Gesetze zu erlassen die so eine Massenüberwachung in Zukunft verunmöglichen. Stattdessen gibt es immer noch Politiker die die Vorratsdatenspeicherung fordern, was schlussendlich nichts anderes ist als die Bereitstellung von Datensammlungen für fremde Geheimdienste und Kriminelle. Ebenfalls ist es unerklärlich weshalb nicht sofort die Staatsanwaltschaften gegen die Beteiligten zu ermitteln anfangen.

Und dann haben wir noch die Presse, welche sich vor allem in den USA als NSA-Apologet hervortut und statt die Missetäter anzugreifen den Überbringer der Botschaft mundtot machen will.
Aber auch in Europa ist die Reaktion noch moderat, und statt Köpfe rollen zu fordern wird abgewiegelt.

Ja, wir haben einen Skandal, aber der ist nicht dass die NSA alles abhört, sondern dass sie dabei von Kollaborateuren in unseren Ländern unterstützt wird, und dass unsere eigenen Regierungen nichts dagegen unternehmen.

(Der Grund warum der Artikel nicht mehr auf die Schweiz eingeht ist dass hier noch sehr viel offen ist, und eine mögliche Zusammenarbeit von Schweizer Geheimdiensten mit der NSA noch nicht wirklich untersucht, und auch nicht derart offensichtlich wie beim deutschen BND oder beim englischen GCHQ ist).

Unpack, Change and Repack Android Apps

Sunday, February 27th, 2011

Some time ago, I read Lock down your Android APK permissions by benn from Intrepidus Group.

I decided to automate the whole procedure, at least the unpacking, signing and repacking. Each app has to have it’s own key (lest the apps signed with the same key can access each others ressources!) which was the thing that most needed automation.

So I wrote some shell-scripts. The scripts are not only useful for changing the permissions of an app from any source (unpack, edit AndroidManifest.xml, resign), but also for android developers themselves. it’s much easier to manage keys and sign different apps with them.

So here they are:

  • android-unpack Stupid script to decode .apk-files, all of those in a directory, actually.
  • android-resign Script to pack .apk-files, and sign them. Each project with it’s own key.

Of course, if you re-sign foreign apps with your own key, they won’t be the same ones as on the Android Market, and thus not automatically upgradeable and will not use the same configuration.

Security as Service

Friday, March 5th, 2010

I’ve been sceptical about offerings of Security as Service. It’s sounds an awful lot like “Outsourcing Security”, and security is a process which involves every aspect of business or life.

However, I’m working now in a company which does just that, selling Security as Service. And I think it can work. As opposed to any other company which sells you a product, or some other services, if you’re selling security, you’ve got an interest in your customers security not being breached. Because you will loose that customer.

If you’re a Bank, you sell banking services. As long as the cost of one of your clients accounts being misused is not really your cost, the security of your clients is a total non-issue. The same goes for vendors of security-appliances. The client bought it, and already paid it, so if somebody hacks it, it’s not really your problem, unless you get bad publicity out of it.

And we’ve seen with the whole “full-disclosure”-debate, that bad publicity is a very weak instrument, and some companies can take hideous amounts of it before they improve security. Microsoft is the classical example; it took them aeons to do something about security, and the security of its products is still very weak.

On the other hand, if you get paid by subscription, you have a very real interest in keeping the customer. That means you have an interest of providing the services you are being paid for. If it’s not security the client pays for, this also means that security is probably not your concern (as seen with banks and credit card companies).

Of course, security embedded in you company will be much more capable and resilient. You can design every process with security in mind. You can choose specific products with a good security track-record. You can have system administrators with a very intimate knowledge of your network and IT-landscape, who can provide for a very fine-grained incident-response and emergency management.

But most smaller companies can’t have that. Because they don’t have the expertise, the money to hire specialists, and most of all, an IT-landscape that is not modeled by security-considerations but by habit. And habit is of course the biggest foe of security. It could be his friend too, but old habits die hard, and most people today grew up in a world where not everything was networked, and where systems of a company which gave a damn about networks and security were, and still are, prevalent. So the people in these companies don’t have the slightest clue about security, e-mail their passwords around, get their negotiations eavesdropped on mobile phones, infect their computers with viruses and get their e-banking accounts phished.

And this is where Security as Service can help. It can’t make you into a company where everything is secure. But it can mitigate some of the effects the security-unconscious acts of your employees cause. It can filter out malicious emails before someone can click on it, or some stupid mail client executes the malware-payload on its own. It can encrypt the emails at least between hosts. It can keep the botnets at bay that try to penetrate your servers. And it can provide incident-response if something goes wrong.

And finally, Security as Service is the fundamental better idea than Security as Product. Because Security is a Process, it never ends; and because with any product you bought, the sale is done, and the supplier is only interested in selling you another product, but not in making the already sold product better. Furthermore, if you lack the expertise, will you even be able to manage the product correctly?

There are those who can, with in-house security expertise, where it would be stupid to outsource it. But for the rest of us, there’s at least a certain measure of security available with Security as Service.

Credit Suisse: Security-Idioten im E-Banking

Sunday, February 28th, 2010

Die Credit Suisse will auf ein neues SMS-Sicherheitsverfahren umstellen. Benutzbar mit a) Einem Handy b) welches eine Schweizer Landesvorwahl hat c) eine Vorwahl von 076, 077, 078 oder 079 hat.

Sobald man auf der DirectNet-E-Banking-Seite einzuloggen versucht wird einem mitgeteilt dass die bisherige SecurID-Authentifikation noch 7 Tage lang gültig sei.

Was haben die Sicherheitspezialisten der Credit Suisse geraucht? Oder sind die aus einer Anstalt entflohen?

Wer auch nur die geringste Ahnung von “Sicherheit” hat, dem fallen sofort einige ganz gravierende Probleme (abgesehen von “Usability”-Problemen, für Leute im Ausland z.b.) mit diesem “SMS-Sicherheitsverfahren auf:

  • SMS sind abhörbar. In Real-Time. Das wurde am Chaos Computer Club Congress 2009 bewiesen (und sämtlicher SMS-Traffic auf dem Kongress gleich live auf einem Beamer angezeigt).
  • Smartphones werden immer mehr als Ziel für Malware interessant, je mehr sie Funktionen übernehmen für die früher ein ausgewachsener Computer benötigt wurde.
  • Das “Token” (das Mobiltelefon nämlich) an das die Authentifikation gebunden ist, ist DER Gegenstand weltweit der am meisten verloren und gestohlen wird.
  • Es ist eine enorme Datenschutzverletzung. Nun ist jedes Konto mit einer Telefonnummer gekoppelt. Gleichzeitig ist es auch noch möglich den Standort von Mobiltelefonen zu Triangulieren.

Und das ist nur das was mir sofort eingefallen ist.

Der einzige Vorteil der ersichtlich wäre, ist dass die Authentifizierung Out-Of-Band erfolgen könnte, was für Benutzer mit kompromittierten Windows-Kisten einen Vorteil darstellen kann. Der ist aber sofort wieder weg wenn man a) dasselbe Smartphone gleich fürs E-Banking benutzt b) sich Malware auf den Telefonen verbreitet. Aber vorallem c) muss der Code den man per SMS erhält so wie es jetzt implementiert ist trotzdem per Browser zurück übermittelt werden. Was die ganze Übung hinfällig macht.

Es gäbe schon ideen wie man sowas wirklich sicher machen könnte, aber die involvieren dann Karten mit Keypads und Methoden zur Out-Of-Band Übermittlung. Und nicht dasselbe wie vorher, bloss neu nun auf einem Gerät welches abgehört, gestohlen und verloren wird.

Es handelt sich hier um eine offensichtlich reine Geschäftsentscheidung. Für die CS ist die Frage einzig und allein die: Was kostet das System, was sind die zu erwarteten Aufwände für den Token-Verlust und schlussendlich, was sind die Aufwände wenn es von Dritten misbraucht wird. Mit dem SecurID-System bestehen die Aufwände in der Ausgabe der SecurID, und den Auswechseln derselben bei Verlust. Mit dem SMS-System ist es im Betrieb das senden der SMS, der Aufwand bei Verlust ist für die CS geringer da der Hauptaufwand da vom Benutzer getragen wird. Bei den Aufwänden durch Misbrauch seitens Dritten dürfte die CS erwarten dass die in etwa dieselben bleiben, da das neue System etwa die selben Schwachstellen hat wie das alte (respektive die Kosten für neue Schwachstellen nicht von der CS getragen werden müssen, z.b. in Form von Privatsphäreverlust) und Entwicklungen wie Smartphones die das ganz Ad-Absurdum führen könnten hat man vermutlich ignoriert, da bisher noch keine entsprechenden Misbrauchsfälle aufgetreten sind. Man hat sich wohl gegen eine wirkliche Out-Of-Band-Authentifizierung entschieden, da das vermutlich wesentlich teurer würde, und sich die momentanen Aufwände bei Misbrauch offenbar in Grenzen bewegen.

Die Sicherheit für den Endbenutzer war für die CS nie das Thema. Solange sich die Kosten der CS für misbrauchte Konten im Rahmen bewegen, und sie nicht übermässig schlechte Publicity wegen mangelnder Sicherheit bekommen, hat die CS nicht das geringste Interesse daran E-Banking sicherer zu machen. Nur billiger.

Ganz schlimm ist auch dass man den Kunden offensichtlich nicht die Wahl lassen will, die für sie meist sicherere SecurID weiterzubenutzen. Wenn die nicht von Fall zu Fall einlenken (in meinem nämlich ganz bestimmt), dann werde ich das tun was man in einer Marktwirtschaft in so einem Fall tut: Mit den Stiefeln wählen gehen.

Addendum: Ich habe angerufen, und scheinbar haben sie nun die Laufzeit für meine SecurID verlängert. Mir wurde aber mitgeteilt dass sobald eine andere Lösung für nicht-schweizer Mobiltelefone etc. exisitert, das SecurID-System abgeschaltet würde.

Addendum Zwei: Seit ich das im April 2010 geschrieben habe, haben endlich auch andere bemerkt dass das eine schleichte Idee ist: Telcos declare SMS ‘unsafe’ for bank transactions Selbstverständlich wird es auch schon misbraucht Präventionshinweis für Onlinebanking im mTAN-Verfahren

USA: enhanced stupidity at airports

Monday, January 4th, 2010

Stupidity and misunderstanding on how security works has reached new heights in the USA: TSA: Enhanced screening for people flying to U.S. from certain nations.

How bloody stupid must one be to react this way to a failed attack? Yes, failed means exactly that a security measure — in this case a terrorist attack that was thwarted by passengers(!) — works. But instead of relying more on what obviously works, the TSA (and of course, this one is backed by the government; proving that Bush and Obama really do the same bollocks) has decided to implement something else, something incredibly stupid which will actually lower security.

Security professionals worldwide don’t even know if they should laugh or cry at such a bold display of imbecility. I’ve not yet seen what Bruce Schneier has to say about this specific idiocy, but here’s an essay which essentially explains the issue: Screening People with Clearances. Just so you can see that I’m not the only security professional who thinks this way, and Bruce Schneier has rather more clout than me. ;)

Do you really think terrorists won’t be likely to fly NOT from those 14 countries? Or — gosh — use a false passport? Hell, they might even recruit people from a country deemed “safer”, the USA itself for instance. And of course, increased scrutiny of certain passengers will draw resources from scrutinizing other passengers.

Congratulations, you’ve just implemented a fast lane for terrorists while harassing other passengers coming from some 14 countries. Mindbogglingly stupid. According to Hanlon’s Razor I’m forced to conclude that the USA is run by drooling idiots.

Addendum: Bruce Schneier has now put it nicely: Christmas Bomber: Where Airport Security Worked. I can only add “and in whose aftermath common sense did not”.

Espionage in the free World

Tuesday, September 26th, 2000

Switzerland tries its take on a surveillance-system which could be used to
monitor all satellite-based communication, inlcuding mobil phones, some
internet traffic and more. Such a system already exists, operated by the
USA, Canada, New Zealand, Australia and Great Britain, called Echelon (see
the Statewatch Report from 1997 on Echelon). The Satos 3 project was slipped
half-covertly into the budget as “renovations for military buildings” and
is now built in the town of Zimmerwald and Heimenschwand. The following
are resources, mainly press coverage, on the subject of Satos 3.

References

Webpages

Related issues

Peter Keel,

2000-09-26

Network Security by Half-Wittedness

Monday, August 16th, 1999

How to base your network security on misinformation, overreaction, nervousness and lawyers

Security cautiousness is a good thing, in the vast and wild cyberspace. A lot of networks don’t even have somebody who cares. But there are some sites which are security cautious, and there are different kinds of these: Those who care, and those who fear.

Fear and Loathing in Cyberspace

There are a lot of companies out there who fear they could be attacked by some misfit and in turn create policies, buy firewalls and try to detect any behaviour which could be interpreted as attack. Particularly
a lot of those companies are in the consulting or even network security
business. And some of them quite internationally renowned. As soon some
possible sign of an attack is detected, hell breaks loose: sysadmins of
the originating site of the possible attack are emailed, upstream
providers informed, the CERT gets an email, even the police might be
called or a lawyer to write threatening letters. In the end it probably
turns out to be some user who tried to test it’s newest movie-streaming
software. Or the sysadmin of the ISP did a portscan “to see what that
machine does”. Maybe it even was intended maliciously, but it came
from somewhere in China. What had happened was in any case something
with no importance and no actual impact which is now turned into a
great spectacle.

A very nice case is the one of the Israeli “security”
company COMSEC
versus IOS++
, the Internet Operating Systems Counter. With great
incompetence COMSEC interpreted some weird packets which reached their
webservers as attack, didn’t even bother to contact IOS++ but informed
the press instead which promptly took up a story about widespread attacks
against the isreali part of the internet.

Another typical case is people who want their DNS Zone transfers
blocked. Why would one want that when you just can do a zone transfer
of in.addr-arpa and get the whole thing anyway? This is typical for
wrong understood network security. It’s called security by obscurity,
one tries to hide something, and it never works. There are certainly
things outsiders ought not know, but certainly not which hosts you’ve
got on your external network. If you’ve got no internal (private) and
external (for the public) network, you’ll be probably in trouble
anyway…

Of course, this is not the only case, I had at least three cases of
overreaction last year (one involving a user trying to stream some
movies and two portscans), and one demand of restriction of
zone-transfers from a big international consulting company which
really should know better.

What we have here is security cautiousness backed by a half-witted
knowledge about network security. People who know nothing about
network security don’t fear a security breach, neither do people
which really know what network security is all about. It’s those who
know a bit, but not enough, who fear and cry.

Why should a sysadmin start crying about some possible attack which
failed anyway, because the sysadmin keeps his systems updated and
knows that some 13 year-old script-kiddie will fail against his
walls anyway?

How-NotTo

Essentially, there are two forms of misbehavior when it comes to
security (not counting the case of being NOT security cautious):

  • Security By Obscurity
  • Overreaction

In the first case, we’ve got the idea of being secure just because
the enemy does not know you are not. Or where you are located. The
effect is badly designed programs which appear secure just because
nobody should be able to proof they’re not; IP-adresses which do
not resolve but which can be found by broadband-scanning anyway;
crypto-software which can cracked in seconds, and so on. A strong
lock is one where you can see how it works but are still unable to break
it. The international crypto-community has condemned obscurity long
ago, see the
Snake Oil FAQ
for details.

The second case is a bit more difficult to grasp. Is a portscan or weird
packets an attack or not? You can simply ignore it if you’re confident
enough of your security, or you can investigate, meaning taking a look
at the originating host, portscan it yourself, query whois-databases and
finally sending the sysadmin of the originating host a note. There are
a lot of sysadmins out there who portscan without any intention of
attacking you. And a sysadmin of a system into which was broken in
will be very glad if you tell him some portscan originated at his site.
The wrong answer is of course to panick and make a big fuss about it. If
you detect a portscan, chances are low the portscanning person will ever
break in, because you already updated your system — otherwise you’d be
a complete moron. On the other hand, if you’ve been already broken in,
you can investigate and collect evidence that there actually was a break-in
— then it’s time to make a fuss. So it either has nothing to say, or
it’s a failed attempt, in which case you’d better update your system, or
the breakin already occurred.

There are also several projects like the

Internet Security Auditing Project
, or the above mentionned
IOS++ which
might appear as “attackers”, but surely don’t have the intention to
break into your systems. So you better get informed before you
start crying out loud.

So if you detect something which could be a failed attack, what you
should do is to simply inform the sysadmin of the originating host
(the sysadmin of the provider, if it originated from a dialup-machine,
or the sysadmin of the company. You should be smart enough to know
who you should contact, otherwise you’d better stay away from network
security altogether). In the case of an actual break-in, the most
stupid thing you can do is also panicking. If you don’t feel experienced
enough to handle the incident, you probably get help at your internet
provider or from a specialized company. In the other case, you’ll have
to investigate what the attacker did, and most important, where it
came from. Then you mail the sysadmins of the originating hosts —
chances are it was a dialup-machine (so mail or call up the ISP) or
another compromised system, so be polite and don’t threaten him with
legal action or somesuch. Normally they’ll be very glad to hear one
of their machines was compromised (actually they’re not glad to hear
that, but glad that you tell them ;))

Prevention

So what do security cautious people do who actually know what
they’re doing? Simple. Updating. First, all security-relevant
mailinglist need to be read, and as soon as some vulnerability
is found, the systems need to be fixed. Either there is already
a fix, then it needs to be applied, or the services need to
be replaced or turned off until a fix comes. Sometimes even the
whole system needs to be either shut down or replaced, unless you want
to risk it; particularly the case with Windows NT since Microsoft
normally needs weeks to fix something. Another possibility is of
course to firewall such systems/services off.

And if someone seems portscan or to probe the network for
vulnerabilities or somesuch? Don’t panic. The Walls are strong
enough to whithstand a script-kiddie attack. Probably send an
email to the attacker or its sysadmin. It will either be harmless or a real attacker who will go away and seek something easier to penetrate; probably after he gets a new ISP. ;)

Peter Keel,

1999-08-16

Footnotes on Security

Friday, November 1st, 1996

happily, big brother is watching you, and he wears the mask of a clown

Security has its price, and
the price is user-friendlyness. To type a password each time you turn on
your machine is not very pleasant, but the benefit is big. So you have to
decide how much security you want. The following are some guidelines, most
of them are crucial.

  • Don’t use Microsoft Explorer. ActiveX-technology permits anyone to
    get any file on your computer and maybe even to turn the computer off.
  • Don’t use DOS nor Windows nor Windows95. These Operating Systems
    have completely zero security, and Microsoft is just so fucking
    stupid; they have no idea about security. Besides that, 99% of
    all virii grow and spread on these systems. Unix knows no virii.
  • Don’t use any Microsoft program which features a macro-language,
    such as Excel and Word. Unless you want virii.
  • Use a secure operating system such as Unix or VMS. Maybe Windows NT,
    But take care on your applications in case of Windows NT…
  • Netscape or any other browser does not need to transmit information
    from you to any other site.. link the cookies to /dev/null or remove
    the write-permission.
  • Use no words as password. Not even words from other languages. No
    permutations of your own name too. Use different password for
    different machines. If you want to make it perfect, use PGP to
    generate passwords.
  • If you don’t need it, turn it off. If you’re standalone, you presumably
    don’t need to run a finger or a telnet or an ftp server. Turn it off.
  • Watch you traffic. Which program transfers unwanted information from
    your machine to elsewhere? Take special care using software to which
    you haven’t the sourcecode – e.g. that Microsoft stuff.
  • Apropos sourcecode: Real security needs the sourcecode. If you don’t
    have the sourcecode to a crucial tool – an encryption routine, for
    instance – nobody can know if it is secure. If it is secure, knowing
    the sourcecode won’t help to decrypt it (take PGP as an example).
    Don’t trust an algorithm which is not released publicly. Never.
  • Encrypt confidential Mail. Use PGP. That may not be 100% secure,
    but you’ll need much much time. It’s presumably the most secure
    thing we’ve got.
  • If it’s really secret, you might use steganographic techniques as
    well. Hide your encrypted messages in unsuspicios-looking ones.
  • Make copies, backups, whatever. Most information most people got,
    is not as critical that other people do not have to have it, but
    you do not want to loose it. Au contraire the army, for
    instance: They don’t care if they loose information, as long as
    no one else gets it. So make backups – best encrypted.
  • For data-encryption, you can use low (crypt) middle (des) or high
    (pgp) security. These should all be available on a reasonable
    operating system by default.
  • After all, man is the biggest break in security.. people talk too
    much, give away their passwords too easily, write their passwords
    down, use stupid passwords, use no passwords, use operating systems
    with no passwords, and so on and so on and so on.

Okay. Now another thing… What are the threats?

  • Brother state might read your data (not very likely)
  • Big Brother Bill might use your data for marketing (likely)
  • A hacker might (ab)use your machine (unlikely)
  • You might get a Virus (likely your problem, get another OS)
  • You might loose data (very likely)
  • Your system might crash (likely(DOS/Windows95) to unlikely(linux))
  • A person you know might mess with you data (very likely)

So you see whats the most crucial point? Make backups. Second is, use
A system which permits the use of a password (NOT Windows95, this is
ridiculous). Third, do not let anyone snoop information from your machine.
The rest is hackers of any colour, including the state and corporations.
And that’s a pretty little threat, according to the probability to happen.

Ehm.. So have a nice night.

An make backups!

Peter Keel,

1996-11