Author Archives: Adam - Page 4

Access Your Virtualized Linux Box Anywhere

Have you ever wanted access to a Linux box on your mobile device? Sure, you could just SSH into secure shell but what if you wanted the entire experience on your portable computer or at a friend’s house? Virtualization + RAS = true OS freedom (or… well, for geeky fun anyway). The technique is used on a regular basis but there may be some out there that may not know how to take advantage of it.

In this blog article I’ll explain how to get access to your Linux box from any platform or device. Keep in mind that if your host is already Linux you can skip the virtualization section and head right down to configuring the remote access software.

This setup can be and should be used on a Windows host machine running a Linux Guest environment.

Remote Access on Your Mobile

There’s been a lot of advancements in the fields of virtualization and remote access software, but it never ceases to amaze me how few all-in-one packages there are for manipulating virtual environments via mobile devices. This is because writing mobile devices is often tricky and the few software options out there are kind of crappy. The software I’ll be using in this post are the iOS iPad versions of TeamViewer HD Free for iPad and VMware View (also free but the host-side software is a 60-day trial). But I’ll only be providing the in-depth setup for TeamViewer as to do both would be too exhaustive.

Downloading TV or VMware View on Your Mobile

TeamViewer For Remote Control (Android OS)

TeamViewer HD for iPad (iOS/iPad)

VMware View for Android (Android OS)

VMware View for iPad (iOS/iPad)

Your RAS software is the key to accessing your virtualized session so select RAS that is usable on the desired mobile device. The RAS determines manipulation to a “T” so select wisely or YMMV. Similarly you can opt for VNC variations and swap out the RAS selections I’ve used.

As such, you’ll probably need to review the release notes on your mobile RAS to ensure that it’ll function correctly on your specific mobile device. For example, I’ve used TeamViewer for Android on my Motorola Razor without any problems. But I wouldn’t expect speedy results on an older android without a dual-core processor.

Host Machine

Obviously it goes without saying (but I will) that your host needs to be on if you want to access your virtualized box. The critical components here are:

  • RAM
  • Bandwidth

I’ll be using ~1.5-2 gigs dedicated to the virtual sessions but keep in mind that this is the bare minimum needed for most X environments to work efficiently under pressure (and therefore in a virtual environment). Your success will be based on how much RAM you a lot the virtualization on the host machine: some operating systems X environments are resource hogs. Keeping that in mind, I’ll be using Bodhi Linux as it’s a lightweight E17 distribution. Minimalism is critical if you are tight on RAM.

(If you’re interested in Bodhi Linux you can pick up the distro here: http://www.bodhilinux.com/)

It goes without saying that 3D hardware acceleration needs to be enabled on the host but what you’ll see on the mobile client may also vary, this means having a fairly new GPU. But this is Linux we’re talking about… in all likelihood you’ll be fine so long as you aren’t doing anything too graphically intense. I’m using an XFX HD 6670 with 1 GB of DDR5 so you don’t need anything fancy (keep in mind everything on my system is bottlenecked due to an old Pentium D processor, so any modern system should be able to do well). If the virtual environment plays fine on your host you are set in that department.

Bandwidth is critical. I’m pulling 45/35 on a fiber line for the host. You don’t want your host machine to slow you down (use Wi-fi on the client-side as opposed to 3G or 4G if the network is fast enough). Let’s be honest. We’re using RAS (slow) and virtualization (potentially slow), you don’t want a bandwidth problem factored in. Nothing sucks more than remote access lag.

Host Software

This is broken up into two parts. 1) The virtual environment creator and player (can be the same in the case of VMware Workstation or VirtualBox), and 2) The RAS setup within the virtualized Linux session.

This post will be focusing on the latter. You should already know how to setup a virtual environment in VMware or Oracle VM VirtualBox. Read the documentation associated with either virtualizaton software package you decide to use (keeping in mind, of course, that VirtualBox and VMware Player are free while VMware Workstation is an expensive investment; the free former alternative is best for creating and playing environments without having to purchase VMware Workstation).

Oracle VM VirtualBox can be downloaded here: https://www.virtualbox.org/
VMware Workstation can be sampled for 30-days here: http://www.vmware.com/products/workstation/overview.html
VMware Player (not a v creator) can be downloaded here: http://www.vmware.com/products/player/

The last note here would be to use NAT as your network adapter preference to allow the host to share the IP address (my VPN configured through my host machine also worked well with this configuration).

Virtualization’s RAS

TeamViewer or VMware View 5.0 are ideal since they are well documented and exist on nearly any platform you need. You need to have created your virtual environment flawlessly for this to work which means installing and being able to use Linux as a whole.

As far as the virtualization’s RAS is concerned, if you did use Bodhi you can download the Debian archive for TeamViewer for Linux or use Synaptic to automate the process (using this method is the easiest with TeamViewer7).

Configuring Your RAS (TeamViewer Example)

Upon starting TeamViewer for the first time you’ll get a notice about software configuring Wine to run the remote desktop accordingly.

I would create an account on TeamViewer to be able to save frequently accessed computers.

Once it starts up you’ll want to copy down your 9-digit ID number. If you want to perform unattended sign in disregard the attended password on the main page (keeping in mind that your Linux guest box and TeamViewer software needs to be running).

To configure the unattended password head over to the Options/Security Tab and choose a complex password for logging in (the combination of your 9-digit ID and your unattended password will allow you remote access to your virtualized Linux session).

Then head over to your mobile TeamViewer app (or the program you are trying to connect from) and add the Linux guest’s ID and unattended password in the “Computers & Contacts” section of the client.

Then go ahead and connect resting assured the connection is secure (even if you’re connecting over an insecure wi-fi).

Closing Notes

Bodhi Linux Guest VMware / Bodhi on iPad 1

It’s highly unlikely that any RAS is going to offer stunning visuals but different software can provide different results (TeamViewer isn’t known for graphical prowess). Regardless, feel free to play around with the general concepts explored in this post to achieve a suitable result. In the end the goal was to create a decent remotely accessible Linux virtualization as opposed to accessing your Linux box through a CLI and, to that end, it worked.

LOIC DDoS & The Nature of Anonymous Attacks

One of the most impressive and dangerous Denial of Service tools is named, jokingly, as Low Orbit Ion Cannon (LOIC). The tool has gained public notice after being repeatedly used in successful attacks against high value web servers such as those belonging to the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), groups opposing MegaUpload and WikiLeaks as the mega-group’s enemies.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state:  I’m merely an individual interested in security for the sake of learning, if you have a vested interest in any of the ideologies either for or against the attacks check the links below for protections or ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has been since coded into an independent JavaScript program known as JS LOIC (hosted by HiveMind, linked below). As such there’s even a web version of the DoS tool!

When the project was first released I managed a DDoS (Distributed Denial of Service) attack against my own test box using a 5 PC networked LOIC attack triggered using UltraVNC (akin to a botnet), it worked extremely well. The method could even be used to trigger remotely using an iPad or any device running the appropriate RAS software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target server with TCP or UDP packets. The attack relies on the principles inherent to most forms of DoS attacks. As such it’s surprisingly easy to protect against. Many servers should have been well-protected against DoS attacks to begin but, as we know from real world IT, what’s best isn’t always what’s done.

Firewall rule-sets can be enacted which filter out the over abundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge ISPs on a larger scale can protect against DoS traffic by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

It should be common knowledge for server administrators to contact their ISPs to ensure measures are in place to protect them at that level. Then appropriate measures should be taken to draft appropriate network firewall rules.

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP Poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (or attacks against your network can be made by attackers who gain special accessing by spoofing their way into your network). Such attacks can be used to incite various man-in-the-middle (MITM) attacks and/or DoS/DDoS attacks. For more examples see this blog’s article on session hijacking.

A good intrusion detection system monitoring ARP tables can alert the network administrator of changes or additions and thus possibly thwarting spoofed MITM attacks before they occur. The article by Busschers cited below discusses spoofed/reflected attacks and how they can be conducted.

Sources

My blog isn’t funded by any corporations or governments and as such I’m fully willing to give all sides to an argument. So, I’ve constructed a list of  sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) Topic in regards to preventing LOIC DDoS posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology & Operation Payback attacks, those recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It’s also an excellent article for learning more about the type of attacks used and how such things as SYN packet flooding work. If the article ever goes off-line I’ll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Network Research Group (NRG)’s ARP Watch can be found here: http://www-nrg.ee.lbl.gov/

ASIS 2012 is coming!

The 58th Annual ASIS International Seminar will bring Philadelphia its countless vendor exhibits to learning sessions brought to you by top security companies from across the globe. The seminar and exhibits will be held from September 10th to the 13th.

Be sure to check the presentation on VIP security and protection to be given on the 11th by ARSEC co-founder, Mr. Oren Raz. I’ll also be in attendance providing technical assistance during the presentation. ARSEC is comprised of specialists at providing both government and private sector clients with in-depth security solutions and training. For more information on them, please visit their website here: http://www.arsec-corp.com/

Exhibition-only tickets are free to be sure to register soon, at the door they’re $75. Ticket costs for those wanting to attend the keynote speaker addresses and luncheons can be found on the ASIS homepage.

If you’d like to use the nifty mobile app for ASIS you can download one for your mobile device by clicking here. The mobile device will let you view photos & videos of the presentations, organize your contacts, check the schedule, access an interactive map of the event and more.

Check out the ASIS 2012 site here: http://www.asis2012.org

9/06 Edit: If you’re interested in Dignitaries Under Fire and its coverage of VIP protection, this is the schedule’s information:

Dignitaries Under Fire
Speaker: Mr. Oren Raz
ARSEC Co-Founder
Former Head of Security for Israeli Embassies
Tuesday, September 11, 2012 1:45 PM - 3:00 PM
Location: PCC 109-B

Links – PGP Security

If you use PGP, as I do, you’ll want to read an old but useful article on pgp.net: “Security Questions” @ pgp.net as it covers a whole slew of topics ranging from how secure asymmetric cryptography can be to possible security threats arising from using PGP. Essentially if you have a good passphrase you’re better off than folks without one.

Similarly, this article explains passphrase safety tips: http://www.wowarea.com/english/help/pwd.htm — similar to the previous article mentioned which mentions TEMPEST*, this discusses things like a hidden microphone, camera, stolen swap files, access to your hard disk or other medium where private keys are stored, not using drive wiping technologies, key loggers, recovery software and EM microscopes on junked hard drives, viruses, Trojans and more.

* Some useful sites dealing with information on the old TEMPEST attack can be found using these sites:

http://en.wikipedia.org/wiki/Tempest_(codename)
http://www.surasoft.com/articles/tempest.php

With modern technologies and, being a regular citizen as opposed to an enemy of the state, your probably safe!

While it wasn’t designed specifically for asymmetric key passphrases, the GRC’s Haystack Password checker can be used as a starting point for developing safe habits: https://www.grc.com/haystack.htm

Also, in GPG anyway, if you ever find yourself needing to explain what a particular encrypted message is you can always perform a session key override:

--show-session-key (file)

Followed by:

--override-session-key (session key hash) (file)

The former will reveal a unique encrypted session key string, which is derived from your public key but is different than your secret key. The latter will enable you to decrypt a single text/file without you having to give any sensitive information. This is very useful if you have a naggy wife (or husband)!

Lastly Schneier’s article regarding the flaws of public key infrastructure is a must read.

The sites above make for some good reading and could help you safeguard your data appropriately.

EDIT: If you are subscribed to the blog, sorry for the multiple emails for the same post. Seems to have been some sort of problem with the CSS but it seems to be fixed now.

Google Searching & Subversion

Google can be an extremely powerful tool to have at your disposal. You can use advanced operators appended to Google search strings to enhance your searching. Using this method you can find (almost) anything.

The fun thing about playing with Google operators is that there’s no limit to what you can do. The potential grows greater with time as different sites introduce different technologies which react differently to Google’s search spiders. Consider the ability to use Google to find images taken from security cameras! This is an extremely powerful exploit using a very legitimate method. Security professionals should take note. But right now we’re going to go over some basics for all the folks that don’t care about exploitation…

Operators and Symbol/Special Word Usage

If you’re not quite aware of Google’s power try using mathematical operators in your search string. Operators are:

^ + - * / are basic operators
% of - as in, "percent of."
in - as in, "340 lbs in kg."

As such these can be seen in the string:

(36+3) * 2

At which case the answer will calculate to 78, showing a neat on-screen calculator and adhering to the rules of PEMDAS (quite like your Python interpreter). By the way, if words are injected into the search, you’ll get a search for the words and numbers as opposed to getting a sum of the math (such as asking Google, “What is the sum of (36+3) * 2?”)

Symbols and Special Words with examples can include (text being modified is in blue for ease of reading):

- meaning  not the next word; exhaust -cars    
 + must include the next word; "cats" "dogs" "ducks"
 ~ find word references of all sorts; dishonest ~dictionary (or wherever you want to search)
" " search exact phrase on page together; example "cats" + "dogs"
... range search; Dan Brown 1990...2012
AND  such as "ducks" and "goats"
OR you probably get the point

Advanced Search Techniques/Operators

Okay cool, so we know how to say that we want to search for ducks and chickens but only if they occur on the same page so long as hens aren’t mentioned! But what else can you do?

Some advanced operators for use in the search bar can include:

book searches the content of an entire book on Google Books
define, what is, what are these are all types of definition queries
cache:* will give you the last recorded cached page for a specified URL; note there are cache archives out there as well.
id: or info: gives you information about a specified URL
related: will attempt to give you related web pages to the specified URL.
movie: 007; common sense.
site: can be used to search only on a specific domain
filetype: or ext: searches documents of a specific types such as PDFs.
link: searches pages that are linked to a specified URL (very cool feature)
stocks: looks up stock quotes
weather: (state, zip, etc) can result in giving you weather reports
allinanchor: specifies a word which, when found in the alt or anchor will trigger. Useful to find sites that refer to other sites by a certain name or word.
inanchor: specifies a word that must appear in an anchor otherwise it isn't listed in the search results.
allintext: or intext: does the same as the two above except the word can or must be within the text of the page.
allinurl: or inurl: term must be listed within the URL.
allintitle: or intitle: refers to the title line usually shown about the file menu bar in the browser.

For more cache sites please see a list of repositories.

Okay that’s enough for now… each of Google’s Services also have their own set of advanced searches but such goes beyond the scope of this blog entry.

So by now you realize you can mix and match results. But what else can we learn? First a word of warning…

Google’s Data Retention

Before you try and pull the wool over anybody’s eyes make sure you’re not logged into Google. Data typed into Google and with an account associated with such information will be kept indefinitely. Anonymous data collection – if you’re not logged in – will include your IP address, search string and time and date the search was made (as well as the results so that Google can monitor their search algorithms and generate statistics).

Within a certain amount of time the IP addresses are stripped from the search so that only the search words, date, time and results remain (I forgot how long, it was actually on an MSNBC documentary… what?? I don’t work for Google!).

If you’re worried about privacy use a proxy and/or VPN solution. Plain and simple.

Analyzing the Browser URL/Parameters and Google Hacking

On your browser you can get a lot of information by looking at your URL bar. You can tell where on the internet you’re going (duh)! So at its base Google may say: http://www.google.com/

Found a neat cheat sheet for reading the various parameters here: http://cdn.yoast.com/wp-content/uploads/2007/07/google-url-parameters.pdf — but what this means is essentially there’s a lot of code in there when you actually search that you probably don’t need to know.

But altering the URL line, or at least understanding it is a key to any successful “Google hack.” When we say “google hacking” we essentially mean directing or using Google search to perform tasks that we wish the search engine to accomplish. People call these “Google dorks.”

There are also exploits which can be triggered against a remote machine by using Google’s search engine. One such example is SQL Injection via Google which can be used by exploiting database code on a remote server in hopes of gaining useful information.

A great guide to Google SQL Injection can be found here @ breakthesecurity.com.

What Google hacking isn’t: Google hacks do not access restricted data on Google’s own servers. You aren’t “hacking into Google,” so if that’s what you’re looking for you should go seek psychiatric help. There’s nothing wrong with using Google dorks to accomplish tasks which would otherwise be difficult to do. However, exploiting any remote system to gain access which would otherwise be restricted to you is subject to federal and state laws. If in doubt, don’t do it.

Lastly you can also use Google searches to pull up completely benign but useful information. Such information can include a person’s entire background or even default router gateway UI login information (dlink + model # + default username and other such combines can be extremely useful at this form of recon).

Consider the fact that many popular cross-platform password managers save their username/password database files with the same .db extension. Some people actually upload their db files right to their web server for safe keeping. Proper awareness of these security concerns are needed.

Happy hunting. The sky’s the limit!

Google Dorks

There are Google dorks for everything from searching for specific types of photos to accessing content which would otherwise be restricted to you on a remote system. Google is a public search engine and as such provides access to everything that its spiders have access to. This can be used for positive and negative gain.

Offensive Security’s Exploit DB covers Google Hacks extensively here and can be located here: http://www.exploit-db.com/google-dorks/

One popular dork is:

"index of /etc/passwd"

Which will attempt to show you password files on systems that are also running active web servers. In this case you’d enter that text directly into the Google Search field. It’ll find pages with that content displayed chiefly on it.

Another is the ability to look up and remotely control TrackerCam security cameras using Google but by manipulating your search bar.

https://encrypted.google.com/search?num=100&hl=en&lr=&safe=off&q=intitle%3A%28%22TrackerCam+Live+Video%22%29|%28%22TrackerCam+Application+Login%22%29|%28%22Trackercam+Remote%22%29+-trackercam.com&btnG=Search

Similarly you can search using key words if you know which words a specific system uses. Consider the TrackerCam example. We know that such sites use Trackercam Live Video, TrackerCam Application Login, Trackercam Live Video in the page’s title. So utilize the intitle option to search such pages.

The operation can be best illustrated by asking Google to search for:

intitle:("TrackerCam Live Video")|("TrackerCam Application Login")|("Trackercam Remote") -trackercam.com

As you can see, the pipe can be used to separate multiple intitle search options, following similar rules as any computer command line or program interpreter. Using common sense you can master these techniques to give you a desired outcome.

For sake of exhausting this example you can also make up something along the lines of…

inurl:log.txt intext:"password" -com

Searching log files on web servers looking for the phrase “password” found within those text files but only displaying sites ending in the .com suffix. Using that and/or replacing “password” with “username,” you can typically find information stating when a specific user does things which are log worthy (such as a web server software upgrade).

Google dorks is about using your imagination and testing it. Keep in mind though all of your actions will be retained via Google in conjunction with your external IP address!

But the purpose of this post isn’t to show you how to “exploit” Google or any other web server. My goal is to help reinforce the need for companies worldwide to study their technologies and ensure that the loopholes such technologies present are within reason. A wise man once said, “knowing is half the battle.” For that reason I’ll let you, the reader, explore new Google dorks of your own.

cDc’s Goolag Dorks Scanner

One of the coolest tools I’ve ever had the chance to play with has got to be Cult of the Dead Cow‘s Goolag Scanner, or gS for short. Although the tool is rather dated, it allows you to scan for Google-related exploits on a designated domain of your choice. gS will run exploits ranging from data retention/cache tests to Google dork exploration.

To find the scanner you should search around the ‘net, again, it’s really old!

In Closing

Google is an amazing tool which puts all the services of the internet at your fingertips. But service providers and technology producers alike must routinely check for exploits to their own system. Part of this is to regularly “test” search engine accessibility. Not merely for efficient optimization techniques but to ensure their systems can’t be exploited.

I hope that you’ve also learned a thing or two about advanced Google searching. Whether you’re an investigator  or every-day-user, you can use the techniques discussed here to improve your search experience online.

Apple vs. Innovation

In the absence of Steve Jobs and any new innovative ideas, the tech giant Apple won their patent violation case against Samsung. Apple will be awarded $1 billion dollars and Samsung will be forced to cease production of smartphones which bear a resemblance to previously patented technologies found on Apple devices.

I suppose the jury of Samsung’s “peers” didn’t read the illusionary flier circling around the Earth since the 1800s stating that technology is innovated on the back of pre-existing technology. Instead the court decided that devices that contained features such as pinch-to-zoom were in violation of patents registered by Apple.

Of course all smartphones have those features (HTC included), but this is just Apple’s first step. In the case of pinch-to-zoom, it makes sense for a small device to enable zooming by pulling and pushing your fingers together and apart. Many other similar technologies can be found in the case. But the courts found that Apple’s patents were violated by introducing these features on Samsung Android-based devices. Apple hopes this will deter future smartphone makers from replicating the features in question in the future.

This is Apple’s first attempt to thwart android smartphone leader Google, a company that relies on hardware manufacturers to produce phones with their Android operating system (an open source Linux platform designed by Google to be run on mobile devices). Samsung is Google’s largest mobile hardware designer (makers of the notable Samsung Galaxy Tab and Samsung Galaxy S II). The New York Times article entitled, “Jury Gives Apple Decisive Victory In A Patents Case” by Nick Wingfield* released on 8/25 calls this a “proxy war against Google’s Android.”)

In actuality, this seems a lot like Apple is trying to stifle all forms of mobile competition so that the iPhone and other Apple mobile devices can trump the competition. This landmark decision proves that, in America today, suing is is better than innovating. Equally as unsettling, the integrity of the judicial system in the modern era is at stake as well.

By some sources, Google smartphones sold worldwide trump Apple smartphone sales considerably. As we’ve also seen, Apple has been reluctant to create any new products in recent history with the exception of the iPad 3 (which is an iPad 2 with a better screen, slimmer design and overheating problems). Apple will soon release their new iOS version as well as an a newly revamped Apple TV (much needed considering Roku sales have left the previous incarnation of Apple TV in the dust).

As an Apple customer, I’m appalled by Apple’s stance to innovation and, more specifically, Samsung. Apparently no one at Apple studied game theory and the need for innovative competition in High School economics. If you silence the competition with your complaints and fail to offer anything new you should should be ashamed of yourself. Don’t hide behind patent law as an excuse. Jobs claimed Google’s android OS is a “stolen product”* yet they seemed to have had the same complaint against Microsoft over a decade ago! I believe we’re seeing Apple’s ugly side when dealing with competition and can best be described as “blame it on the other guy.”

This case brings up a number of valid legal concerns technology producers have:

1) Is our current legal system and, specifically juries, effective when dealing with technological matters?

2) What if jurors can’t comprehend the matters at stake?

3) Is our current patent laws reasonable in an inherently innovative world?

4) What role should patent law play in technology today?

5) If you believe our legal system is incapable of dealing with new technological issues, should our legal system be fixed?

While I won’t get into those two “big picture” debates on the blog, people should be considering those questions when reading the news. As it stands, this ruling will disturb the very foundation of mobile innovation in America. Hopefully the appeals will be more successful at stopping Apple’s temper tantrums.

Sources Used Above

* Wingfield, Nick. “Jury Gives Apple Decisive Victory In A Patents Case.” The New York Times, August 25, 2012.

Python Common Exponent Mistake

I was just learning some Python when I ran across a problem. So I thought I’d share the solution to that problem here in case any amateur programmers are running across it during their studies:

print 8^3

Was giving me the answer 11 when in actuality I wanted 8 raised to the 3rd power (8*8*8), which should yield 512.

This is best accomplished by using the ** operator instead of the ^ typically common in math.

print 8**3

Stack Overflow forum members helped me realize that ^ in Python was used as a Bitwise XOR while ** was actually used for exponents. So don’t confuse the tw

print 8**3 <= 8*8*8 # TRUE - Both are equal.

Instead Bitwise XOR enable you to input actual math operations and receive an output in binary.

If you’d like to read Python’s complicated page in regards to Expressions, and in particular the exponent operator, feel free to click here. Similarly if you’d like to learn more about Python’s Bitwise XOR click here.

Sources:

Python doc on Powers Operators:

http://docs.python.org/reference/expressions.html#the-power-operator

Python doc on Bitwise XOR:

http://wiki.python.org/moin/BitwiseOperators

Apple’s Social Engineering Crisis

On 8/08 there was an interesting news article on Bloomberg’s website regarding the Apple password crisis surrounding journalist Mat Honan. Honan’s digital existence was ruined a few days ago when hackers used social engineering tactics against him (for those unfamiliar with the articles, I’ve linked them below).

Anyone who’s ever been to an Apple store knows that convenience is king.

You need help with something? There’s almost always some friendly hipster with a weird haircut to help you. You need your data migrated from one device to another? No problem for these blue shirt gurus! Want your password changed? Sure, answer just a few simple questions that anyone can get…

Wait… what?

Apple previously allowed users to change crucial account details such as one’s password over the phone. Typically most companies handle such changes online and merely talk the customer through a series of secure web pages after confirming their identity by a number of different means. (Recently I had to call Dell and was bumbarded by over 4 different identity-based questions.) Apple’s system allowed for sensitive account changes to be made with a few simple facts about a customer including the last 4 digits of the primary credit card and one’s address!

One with access to another user’s iTunes account, if cloud backups and syncs are enabled, could potentially delete data right out of the air or access important documents which could potentially allow an attacker to access other accounts the user owns.

Other security flaws included the ability to circumvent the AppleID associated with App and iTunes store purchases, compromise iCloud data and more.

That’s exactly what happened to Mat Honan of Wired Magazine. His dilemma is exactly what spawned Apple’s reaction regarding their security flaws: Honan’s entire life was ruined when a hacker – simply interested in taking his Twitter username and causing havoc – gained access to his AppleID, wiped his Apple devices remotely, accessed his other accounts on other services and more.

In response to this crisis, Apple has suspended the option of resetting one’s AppleID password over the telephone as stated in the Bloomberg article linked below. It’s unfortunate that lessons are learned on the backs of paying customers as Honan’s case also dealt with the security failings of Amazon as well as Apple (see links below for further details).

Hopefully these major tech players have learned that sometimes convenience cometh before the fall.

It really is a tragedy that these companies didn’t take security seriously. With more data being stored off-site, on cloud servers, Mat Honan’s story gives us a lot to think about going forward in the digital age.

Sources:
Satariano, Adam. Bloomberg Reporter
Giles, Tom. Bloomberg Editor
Article URL: http://www.bloomberg.com/news/2012-08-08/apple-to-beef-up-security-for-phone-password-resets-after-breach.html

Honan, Mat. Wired Magazine
Article: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Recap Notes on Infosec VC 2012

Recap: the Pros & Cons

Back in June we had an awesome segment of Infosec VC 2012 entitled, “Hacktivism: What, Why, and How to Protect Against It,” lead by Gregory Nowak, Head Researcher at ISF (Information Security Forum) and ISACA Security Advisory Group and Peter Wood , CEO of First Base Technology and also of ISACA. So I thought I’d attend the bulk of the Infosec VC 2012 conferences now in August. What follows is my notes on some of the presentations for those that are interested…

The Disconnect Between Managers and Technicians

Product managers and corporate executives all seem to view security in a macro sense and often don’t fully grasp or care about the minute details of data security, such was illustrated at the 2012 Infosecurity Virtual Conference. These big shot corporate types and project managers are great for selling security solutions developed by a company’s IT department to the company’s administrators. But their lack of “street level” knowledge leave a lot to be desired.

Take the keynote presentation, Data Security and Compliance in an Evolving Data Center, by Derek Tumulak (VP of Vormetric). He was extremely intelligent and understood a lot of core concepts. A few positives of his presentation included: overview of virtualization and how it’s used in data centers (globally speaking), cloud computing and associated models, the importance of mobile security and how one breach could potentially mean disaster for an insecure organization, encryption management (how and when to use encryption as a last resort) and so on.

But Mr. Tumulak failed to identify actual instances of said compromises or how an organization should safeguard their systems on a technical level.

Instead he said, hackers, by and large, have been “[s]tealing information to sell it on the black market,” which isn’t necessarily true. Corporate espionage is big but it isn’t everything. Given the rise of Hacktivism I believe a strong number of attacks are conducted by those with specific ideological views they wish to convey (Anonymous attacks against Sony to protest the prosecution of a PS3 modder and other similar attacks). Also many wish to highlight security flaws to that company and, some, see what they can get by exploiting such systems (sheer curiosity).

While I can’t claim to know every technology out there, I understand this to be a very large weakness in the corporate environment: the disconnect between the inner workings of data security and the project managers that organize teams to implement the solution. Is the solution to make all corporate executives network technicians? Obviously not but a middle ground must be met in order to appropriately data. Big pictures are wonderful but if you aren’t going to get your hands dirty or at least explain past instances of exploitation and what steps can be made to protect against such problems, you’re just ranting. Good for sales, bad for business.

Unlike conventions such as HOPE, Defcon and Black Hat Briefings (which does have a fair amount of “big picture” talks, as corporations only seem to understand that method), a lot of corporate events are presented in this kind of “dry” way at other sessions. The Infosecurity Magazine US Summer Virtual Conference 2012 was full of this. Some, but not all, of the presentations were like this.

You’d think a lot of these executives were more interested in PowerPoint or Keynote than coding.

“Providing Smart Security for Smart Devices,” by Mike Sapien and Marc Vael) was very dry and the solutions discussed were obvious ones. Anyone with smartphone knowledge would have been eons ahead of these guys. The Program Director of ISACA was a little more informative here as far as how corporate employees need to safeguard their mobile data.

Unfortunately almost 99% of the conference was targeted at CTOs, VPs, and other corporate audiences. A number of presenters stated that things that were “highly technical ” wouldn’t be useful; most people gloss over it. As such the tone of the conference was “business minded” and technology was discussed in general terms. As such it didn’t really serve to impress the tech savvy.

I really liked Theresa Payton’s address. As the Fmr. Whitehouse CIO and head of her own security company she has a warning to companies: focus on the new emerging digital landscape. She spoke about the important role social media plays in computing today.

Companies today must adopt social media, in her opinion, but they must also adopt a strong sense of security if they want to address its inherent security concerns.

So in conclusion of the cons, it wasn’t a conference detailing the finer points of information security such as firewall and network group policies, AD flaws and loopholes, social engineering techniques, encryption standards in depth, code exploits & tightening, wireless security (ARP table monitoring for MITM protection), and a myriad of other technical details. It was mostly by corporate-types for corporate-types.

A forum friend of mine actually did tell me “it’s like this. We just go to these things to get our credits for our CISSP,” after I said I wasn’t really interested in the bulk of the conferences. So I guess I’m over-analyzing the conference.

Onto the pros…

Best Presentation: “How to Protect Your Organization from a DDoS Attack”

Panelists

Michael Singer, VP of Security for AT&T
Prof. David Stupples, CCySS, University of London

At Glance

Prof. David Stupples of the Centre for Cyber Security Sciences (CCySS), City University of London was one of the greatest speakers for me. He discusses malware, DDoS attacks in-depth using past examples of such attacks are conducted. Botnets that harvest data and move through proxy servers to mask the identities of attackers are of significant concern to CCySS.

The professor explained how Botnets work and how they are analyzed before being sent to anti-virus/malware companies for safeguarding their client’s systems. He explained how analysis is conducted using mathematics when analyzing botnets in CCySS-made honeypots and how CCySS has a track record of doing just that.

Prof. David Stupples also discussed the limits of Botnets and possible preventative methods such as:

* Providing security/OS upgrades can mitigate against such malicious code exploitation.
* Vendors using honeypots to analyze known botnets/malware can help.
* IP/DNS filtering is effective to some degree against Botnets (and the Botnets ability to connect “home” to its masters).  Note that I attribute this to the way Alureon/DNSChanger was thwarted by ISPs despite the FBI’s warnings to the general public. ISPs were able to compensate for this at their level and ensure DNS didn’t resolve where they weren’t supposed to.
* Malware companies examing Botnet/malicious code fingerprints for quick identification
* Reverse engineering search engine spiders to identify threats immediately

That panel included other security professionals and their insights into the matter of software attacks, viruses, malware and DDoS attacks. They stress the importance of different countries working together to analyze, spot and thwart such attacks. Prof. David Stupples said that such international efforts have helped catch a number of attackers in the UK. He stressed the need for more international law enforcement support.

Michael Singer, Executive Director of Security for AT&T, was also among my top favorite speakers. He discussed how the safeguarding of the internet is essential but not at the expense of individual freedoms, which many people enjoy. He stressed the importance of the need for a global security organization, like Prof. Stupples, but also warns that such an organization must make sure not to curb individual freedoms.

Interestingly Mr. Singer also discussed mobile security and how Android, in particular, can be used for for such exploitation as it’s an amazing platform with the power of a small computer.

To see the presentation, click here to register and go to the conference page.

Glitches

Poor Audio – There are a lot of problems with audio. The audio was pretty bad. But all of these conferences generally have low quality audio.

Slide/video track bar – When watching older/archived sessions, moving this bar to skip or go back usually requires a refresh of the entire presentation page. Which generally stinks.

Infosec Summer Virtual Conference 2012

On Thursday 8/9/12 Infosecurity Magazine will be hosting their summer Virtual Conference 2012. If you possess a SSCP®/CISSP® you can also earn CPE credits. Although most virtual conferences are hokey ways to sell a company or organizations products, this security conference looks interesting (but may turn into a means of selling magazine subscriptions, you’ve been warned). Noteworthy pieces include a segment on Hacktivism and an address from Theresa Payton, fmr. White House CIO.

You may have also thought of American Express as the card with the most identify theft attempts made against it (or at least that may be your impression from all those fraud warnings you get in the mail). Dismiss it from your mind, Mike Mitchell – director of merchant data security at American Express – will be gracing us with his presence.

If there’s anything interesting worth noting I’ll post it here. Usually I don’t like advertising events that aren’t really amazing (notably Def Con, Black Hat Briefings, HOPE, LayerOne, ShmooCon, ASIS, etc.), but it’s free and online so who cares? If you’re like me and missed the better conventions this year due to Vegas being too expensive in this economy, security+free is always good.

Sign up for free @ http://www.infosecurity-magazine.com/virtualconference/infosecurity-magazine-2012-us-summer-virtual-conference