Wed - April 21, 2004

Linux: unfit for national security?

Professor Spafford says Linux not quite ready for prime time national security duties.

My boss likes controversy. He likes causing trouble. This EE Times article on Linux and national security is a good example.

Posted at 10:40 AM

Solaris 10 Security

Ravi Iyer, group manager for security and my last boss at Sun, put together an article on security features in Solaris 10.

I remember having discussions (or, was it arguments?) with the Solaris Engineering group on security in Solaris 10. It seemed so far away based on the customer problems and complaints that we were dealing with at that time. Now, it's closer. Not here yet though. I recently celebrated my departure from Sun two years ago -- way back on March 29, 2002. "Celebrated" might be a stronger word than appropriate here. I am just glad to not work there anymore. Sun is no longer the great company I remember.

Posted at 10:36 AM

Tue - April 20, 2004

Expert Professor adds Prestige to University

Spaf is in the news again.
The Purdue Exponent has an article on my boss, Professor Gene Spafford:

He is one of 25 presidential appointees to the President's Information Technology Advisory committee. The committee serves as a board of advisers to the president. Spafford, professor of computer science and philosophy, is examining issues of cyber security. He and other appointees, from all over the country in industry and academia, are investigating if the government is spending money in the right areas and then determining whether the research that is being done is correct.
Posted at 01:57 PM

Tue - March 23, 2004

Employee Badges in the Strangest Places

While on vacation in the US and British Virgin Islands, I found a real employee badge in the strangest place.

On March 23, 2004, I was on the island of Jost Van Dyke in the British Virgin Islands for a wedding reception for my cousins who were married earlier in the day. There is not much on this island. It was only wired for power twelve years ago. Yet on this island is a famous tiki bar called "Foxy's". Visitors are encouraged to leave behind personal items for others to see. We found license plates, business cards, T-shirts, bikini tops, and even underwear.

I found the business card for the store manager of a Togo's restaurant I used to go to in the Bay Area many years ago. I also found something from a guy named Mark Allen. His Nortel employee badge.

It is real. I know because I worked for Nortel. I have seen them before. It is hanging from the rafters in one of the tiki huts near the beach-side bar. The badge is even attached to a Nortel-labeled neckstring thingy.

I can hear the scream of security practitioners everywhere. So many questions and thoughts about security risks popped into my head the moment I saw it.

Yes, Mark Allen, I found your employee badge. I wasn't looking for it. I just happened to stumble across it while on vacation. Who brings an employee badge to Jost Van Dyke? What's with that? Are you nuts? Did you quit your job, go for a vacation, and decide to leave it behind? Why? Inquiring minds want to know.

Posted at 04:47 PM

Thu - March 11, 2004

Follow-up to Microsoft's posters

Dave Ladd of Microsoft discovered my blog about Microsoft's posters and expresses his opinion on the matter.
On February 3, I posted a note about Microsoft's New Approach to Security which was a completely sarcastic rant about some new posters that Microsoft published to warn users about computer viruses, worms, and hackers. I also asked whether the Trustworthy Computing initiative was needed anymore in light of these posters.

Dave Ladd, Sr. Manager at Microsoft Research, discovered my post while Googling and sent the following message. With his permission, it is included below.

Full disclosure: Microsoft is a Tier-1 sponsor of CERIAS. Dave is Microsoft's representative on the CERIAS External Advisory Board. I work for CERIAS.

[Ed. The text is complete, only the readability of the URLs included has been adjusted for the web.]

I must admit that I got a kick out of reading your blog on "Microsoft's new approach to security". Since you posed the semi-sarcastic question on whether Trustworthy Computing is no longer needed as a result of the posters, I'll take a shot at an answer...

No, the posters do not mean that Trustworthy Computing is no longer needed. As Spaf (and others) often point out, real security is always a work in progress. Anyone that declares victory is fooling themselves. That includes Bill Gates and Scooter McNealy.

Is it your belief that Smokey the Bear fire posters (http://www.mtmultipleuse.org/smokey_bear_poster.htm) hold no value? Obviously the consequences of playing with fire aren't common knowledge, or they wouldn't be necessary. Same with HIV/AIDS education (http://www.avert.org/postershist.htm), cigarette smoking (http://tobacco.health.usyd.edu.au/site/supersite/resources/docs/gallery_posters.htm), and Cambodian minefield awareness (http://www.pitt.edu/~ginie/lm/cmac1.html).

While it may be great sport poking fun at the posters (and by proxy, Microsoft), they serve a purpose. People need to be reminded about security just like they need to be reminded not to throw burning cigarettes out car windows, not to engage in risky sexual behavior, not to inhale burning carcinogens, and not to play with strange looking metal objects sticking out of the ground in a former combat zone.

The posters are especially relevant given the security problems inherent on many college campuses...like this one: http://jafci.chem.purdue.edu/security.htm.

While it may be hard to pass up a shot at Microsoft, I would hope that you agree that not everyone that has a computer has the benefit of taking classes from Spaf.

So, in closing, you're welcome... : )

- Dave

I appreciate Dave's response to my posting. He brings up some interesting points which I had not considered before. Thanks, Dave.

Posted at 11:28 PM

Tue - February 3, 2004

Microsoft's new approach to security

Strange but true... Microsoft has three new posters to educate everyone about security.

Wow! Would you believe that we are just three free posters away from a safer Internet? Thank you, Microsoft!

Does this mean that Trustworthy Computing is no longer needed?

Posted at 01:08 PM

Wed - January 28, 2004

Social Engineering Technique Used by Worm

The myDoom/novarg email worm entices a user to open an attachment. Don't do it! At least that's what the DJ told me this morning...
The world has become a strange place now that the news media tells us not to open email attachments. I suppose that's OK, since I may not have known about the worm before I got to work and started reading emails (and their attachments). Forewarned is forearmed, or something like that.

My first worm email arrived on Tuesday at 11:35AM (EST). The sender was "3d76d4b3.ba0c5dd1@purdue.edu", but the subject was "test". It looked to me like an error of some kind, but it was most likely SPAM (SpamAssassin gave it a score of only 2.6). It only contained an attachment (a zip file). Now, I was raised never to talk to strangers or open email attachments from them either. I checked the headers and found that it came from a Windows PC in a lab in the Nuclear Engineering Building room 120 (nucl120pc3.ecn.purdue.edu). I deleted it unopened. The other person in the office got a similar message, but she was raised the same way.

The interesting thing about this worm in particular is that it looks like a normal error message. The average PC user may not have enough information available to them to make a judgment about the validity of the message. A user may suspect that the system is trying to help them recover a legitimate message. The system is being helpful, so it must be OK, right? If you look at the body of the message, it is simple and straightforward. There was an error, but your message is still here. Just click here to get it. It's definitely nicer than the standard sendmail error messages. (Even I can't figure those out sometimes. OK, most of the time.)

Email malware in the past has applied similar techniques to entice recipients to spread the worm themselves. This one is trickier in some respects because it appears to be a legitimate error. My concern is for worm propagation in the future. The worm writers are preying upon normal human interactions in the electronic (cyberspace) and real (meatspace) world to spread. If your boss sent you a brief email message with an attachment, you would open it, right? I know I would. I don't want to get fired for ignoring his messages. A worm writer merely needs to exploit that relationship, for example, and half the world's businesses might collapse for a couple days.

Of course, I have left out the discussion of the myDoom/novarg worm's target. That's not my concern here. It could be argued that they brought this type of attention upon themselves.

Posted at 11:09 AM

Poly^2 Paper Posted

I updated the Poly^2 project web page with a link to the ACSAC conference paper.

The conference occurred in December, but I am only now getting caught up enough to update web pages. Poly^2 Paradigm: A Secure Network Service Architecture is available online.
Posted at 12:46 AM

Other Uses for Embedded Sensors

The Embedded Sensors Project uses internal sensors for intrusion detection. Sensors use a direct monitoring approach to capture data. They also have an internal view of a running program's data and operations. For purposes of detecting attacks, research has shown that sensors are effective. But what else are they good for?

In a recent ESP project meeting, I challenged the students to think about the uses of embedded sensors in other applications and research. It seems obvious to me that the internal sensor approach can be applied to other areas in information security, networking, computer science, etc.
There are other types of sensors, both physical and virtual. The embedded sensors that I refer to here are of the type defined by our research. The real challenge is determining whether sensors provide some additional benefit over other methods without introducing significant overhead in the areas of code size, performance and operations, developer training and effort, or administrative costs. I have compiled a short list of half-baked ideas on where embedded sensors may make some sense for uses outside of intrusion detection.

Single Purpose Device Performance and Debugging

A single purpose device (sometimes called an "appliance") provides one type of service in a sealed, non-programmable unit. It may provide network services (IP routing, web, email, DNS, etc) or storage services (SAN switch, file server, etc). Software sensors could be placed in the device code to monitor internal state and operations at the code level. During system development, these sensors could be used to test and debug. Internal system state can be difficult to examine even with debugger tools. Sensors can assist in examining, monitoring, and measuring many internal data points at once and providing reporting when specified conditions arise. Assertions can be examined in the running system for implementation errors. Load and throughput measurements can be made internally, where data structures can be examined directly.

Sounds like standard debugging procedure coding, right? Well, yes, it is. It is also more formalized than simply sticking printf()'s all over the place. The key is a sensor framework that handles the messages. It has a standard API and method of capturing, recording, and alerting.

Digital Rights Entrapment

Another idea comes from the realm of managing use rights for digital media. Currently, organizations such as the RIAA use third-party companies to scan file sharing services to find users sharing illegal copies of music. It is a costly and time consuming process.
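The sensor framework described in the single purpose device section above (a standard API for capturing, recording, and alerting, rather than printf()'s scattered through the code) as an added example. It is not code from the Embedded Sensors Project; the sensor_* names, the alert callback, the queue component and its thresholds are all hypothetical, and the queue is a constructed stand-in for an appliance's internal data structure. Each sensor records an observation, tracks the maximum seen, and calls the shared alert handler when its threshold is crossed, so a load measurement (queue depth) and an assertion (no dropped requests) use the same mechanism.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SENSORS 8

/* Alert callback: invoked whenever a sensor's observation crosses its threshold. */
typedef void (*alert_fn)(const char *sensor, long value, long threshold);

typedef struct {
    const char *name;
    long threshold;   /* alert when an observed value exceeds this */
    long max_seen;    /* highest value observed so far */
    long samples;     /* number of observations recorded */
    long alerts;      /* number of threshold crossings */
} sensor_t;

static sensor_t sensors[MAX_SENSORS];
static int sensor_count;
static alert_fn alert_handler;

static void default_alert(const char *sensor, long value, long threshold)
{
    fprintf(stderr, "SENSOR ALERT: %s value=%ld threshold=%ld\n", sensor, value, threshold);
}

/* Reset the framework; a NULL handler selects the stderr logger above. */
void sensor_init(alert_fn handler)
{
    memset(sensors, 0, sizeof sensors);
    sensor_count = 0;
    alert_handler = handler ? handler : default_alert;
}

/* Register a named sensor; returns its id, or -1 when the table is full. */
int sensor_register(const char *name, long threshold)
{
    if (sensor_count >= MAX_SENSORS) return -1;
    sensors[sensor_count].name = name;
    sensors[sensor_count].threshold = threshold;
    return sensor_count++;
}

/* Record one observation. Returns 1 if an alert fired, 0 if not, -1 on a bad id. */
int sensor_check(int id, long value)
{
    if (id < 0 || id >= sensor_count) return -1;
    sensor_t *s = &sensors[id];
    s->samples++;
    if (value > s->max_seen) s->max_seen = value;
    if (value <= s->threshold) return 0;
    s->alerts++;
    alert_handler(s->name, value, s->threshold);
    return 1;
}

const sensor_t *sensor_get(int id)
{
    return (id < 0 || id >= sensor_count) ? NULL : &sensors[id];
}

/* --- Instrumented component (constructed): a fixed-capacity request queue --- */
#define QUEUE_CAP 4
typedef struct { int items[QUEUE_CAP]; int head, tail, len; } queue_t;

static int depth_sensor = -1;   /* load measurement: queue depth after each push */
static int drop_sensor  = -1;   /* assertion: a rejected push should never happen */

int queue_push(queue_t *q, int item)
{
    if (q->len == QUEUE_CAP) {
        sensor_check(drop_sensor, 1);        /* threshold 0, so every drop alerts */
        return -1;
    }
    q->items[q->tail] = item;
    q->tail = (q->tail + 1) % QUEUE_CAP;
    q->len++;
    sensor_check(depth_sensor, q->len);      /* threshold CAP-1, alerts when full */
    return 0;
}

/* Push n items into an empty queue; returns the total number of alerts raised. */
int run_load_test(int n)
{
    queue_t q;
    memset(&q, 0, sizeof q);
    sensor_init(NULL);
    depth_sensor = sensor_register("queue.depth", QUEUE_CAP - 1);
    drop_sensor  = sensor_register("queue.drop", 0);
    for (int i = 0; i < n; i++)
        queue_push(&q, i);
    return (int)(sensor_get(depth_sensor)->alerts + sensor_get(drop_sensor)->alerts);
}

int main(void)
{
    int alerts = run_load_test(6);
    const sensor_t *d = sensor_get(depth_sensor);
    printf("alerts=%d depth max=%ld samples=%ld drops=%ld\n",
           alerts, d->max_seen, d->samples, sensor_get(drop_sensor)->alerts);
    return 0;
}
```

Pushing six items into a four-slot queue raises one depth alert (when the queue fills) and two drop alerts; swapping the alert handler is how a deployment would route the same events to a log, a debugger hook, or a network reporter instead of stderr.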
A better method is to let the user's software report back when it finds illegal copies of media in use. Suppose a record label uses digital watermarks to place unique identifiers on a portion of their works and then surreptitiously inserts the files into several file sharing services. Simultaneously, they use an unconnected third-party software vendor to create, market, and distribute digital music software that has embedded sensors. This piece of software works as a normal media player or media manager or even a file sharing client. However, the internal sensors examine the program internals (say, the decoder) and look for the watermark while the media is streaming along. If a specific watermark is found, the software sends information about the (ab)user to the record label. The record label forwards information to the RIAA.

As long as the connection between the label and the software vendor is not discovered, this scheme could work quite well. In fact, the sensors could be embedded in a wide variety of music software, including the file sharing services themselves. Most users are not allowed, capable, or even interested in examining the code, so they wouldn't see the sensors. As far as we know, software with DRM today just tells you "NO". In the near future, software may tell you "OK" and then "rat you out" to the legal division of some media giant or its industry association. OK, that may not be a great use of sensors for consumers.

Workplace Surveillance

While we are on the subject of monitoring and informing on users, let's consider workplace surveillance. I am not a big fan of most kinds of surveillance, but I can see the management's view on the subject. I'll leave the discussion about surveillance rights and wrongs for another blog. Let's talk about how this can be accomplished using software-based sensors.
There are a few things that Internet-connected companies tend to worry about their employees doing: using eBay, surfing too much for non-work related subjects, playing games, gambling away the company's money on the corporate credit card, looking at pornography, IRC, AIM, Napster, iTunes Music Store, etc, etc. Most of these are time-wasters. Others may require HR and legal involvement, like pornography. There are products that filter out some of this stuff at the network's edge, but they can't catch it all. Most cannot keep up with the sheer amount of data. There are also ways to bypass these controls. Placing embedded sensors in some of the software would allow the employer to better control and/or monitor employees' behavior throughout the workday without relying on costly and ineffective filtering solutions.

For example, take pornography. Most viewing of pornography is done through a standard web browser. Algorithms exist that try to determine if an image is likely to be pornographic in nature (they look for a large number of pixels that are of skin tone color). These algorithms could be incorporated into the image functions of a web browser as sensors. If the sensor detects skin tone levels reaching a specific threshold, the image's pixels are converted to all black to mask the entire image. The rest of the page renders correctly; just the images are all black. No, it probably wouldn't catch everything, but it wouldn't need to. Just enough to frustrate the user back to work. Sensors could be placed in these other time-wasters to do similar things. The key point is that the detection and mitigation is handled at the end user's system and not at a potentially overloaded gateway.

Well, there are a few ideas for use of embedded sensors outside of the intrusion detection arena. If you have other ideas, please email them to me.

Posted at 12:20 AM

Wed - January 21, 2004

Problems and Challenges with Honeypots (article)

Lance takes a look back at the last 18 months and the expansion of Honeynet technologies and tools. Interesting tools, open source and commercial, are now available. There are still issues to address in the identification and exploitation of honeynet and honeypot systems.

Posted at 12:51 PM
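Returning to the browser image sensor sketched in the embedded sensors post above: the following is an added example, not code from that project or from any browser. It assumes a hypothetical RGB skin-tone rule whose thresholds are constructed rather than tuned, a constructed test image, and a threshold percentage supplied by the caller. When the share of skin-toned pixels reaches the threshold the pixel buffer is blacked out in place, as the post describes; otherwise the image is left untouched and the rest of the page is unaffected.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t r, g, b; } pixel_t;

/* Simple RGB skin-tone rule (assumed thresholds, not a tuned classifier):
 * reddish, not too dark, and with enough spread between the channels. */
int is_skin_tone(pixel_t p)
{
    int mx = p.r, mn = p.r;
    if (p.g > mx) mx = p.g;
    if (p.b > mx) mx = p.b;
    if (p.g < mn) mn = p.g;
    if (p.b < mn) mn = p.b;
    return p.r > 95 && p.g > 40 && p.b > 20 && (mx - mn) > 15 &&
           abs(p.r - p.g) > 15 && p.r > p.g && p.r > p.b;
}

/* Percentage (0..100) of pixels the rule classifies as skin-toned. */
int skin_percent(const pixel_t *px, size_t n)
{
    size_t hits = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        hits += is_skin_tone(px[i]) != 0;
    return (int)(hits * 100 / n);
}

/* The sensor: if the skin-tone share reaches threshold_pct, black out the
 * image in place and report 1; otherwise leave it untouched and report 0. */
int image_sensor(pixel_t *px, size_t n, int threshold_pct)
{
    if (n == 0) return 0;
    if (skin_percent(px, n) < threshold_pct) return 0;
    memset(px, 0, n * sizeof *px);
    return 1;
}

int all_black(const pixel_t *px, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (px[i].r || px[i].g || px[i].b) return 0;
    return 1;
}

/* Constructed image: the first skin_count pixels are a skin-like colour,
 * the rest a sky blue the rule rejects. Returns the number of pixels written. */
#define MAX_PIXELS 1024
static pixel_t image[MAX_PIXELS];

size_t make_image(size_t n, size_t skin_count)
{
    const pixel_t skin = {220, 170, 140}, sky = {80, 140, 220};
    if (n > MAX_PIXELS) n = MAX_PIXELS;
    for (size_t i = 0; i < n; i++)
        image[i] = (i < skin_count) ? skin : sky;
    return n;
}

/* Run the sensor on a constructed image. Returns 1 if it was masked (and is
 * verified all black), 0 if it was left alone, -1 if the result is inconsistent. */
int demo_filter(size_t n, size_t skin_count, int threshold_pct)
{
    n = make_image(n, skin_count);
    int masked = image_sensor(image, n, threshold_pct);
    if (masked && !all_black(image, n)) return -1;
    if (!masked && n > 0 && all_black(image, n)) return -1;
    return masked;
}

int main(void)
{
    printf("70%% skin, threshold 60: masked=%d\n", demo_filter(100, 70, 60));
    printf("30%% skin, threshold 60: masked=%d\n", demo_filter(100, 30, 60));
    return 0;
}
```

The decision is made on the decoded pixels inside the rendering path, so it costs nothing at the gateway and still works for images that arrived over an encrypted or otherwise unfiltered connection; the weak point is the rule itself, which is why the post expects it to catch only enough to frustrate rather than everything.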
This work is licensed under a Creative Commons License.

Published On: Sep 22, 2004 09:33 AM