Logging practices

Posted on March 7, 2010 by cwalsh

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, but I was curious about the form of this alleged hacking.

My curiosity was rewarded:

“he allegedly examined a report of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com.

In the instances where they had, Business Insider claimed that Zuckerberg said he tried using those incorrect passwords to access the Crimson members’ Harvard email accounts.”

dailymail.co.uk, 2010-03-06

So, it looks like the allegation is that actual passwords entered for failed logins were routinely logged.

Yuck.

SearchSecurity Top Stories of 2009 Podcast

Posted on January 4, 2010 by adam

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 now available for a listen: part 1 (22:58), part 2 is still to come.

My Open Letter to the New Cyber-Security Czar

Posted on December 23, 2009 by adam

Is over on the New School blog. “An open Letter to the New Cyber-Security Czar.”

We Take Your Privacy Seriously

Posted on December 11, 2009 by adam

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login.

Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

Security is About Outcomes, FISMA edition

Posted on September 30, 2009 by adam

Over at the US Government IT Dashboard blog, Vivek Kundra (Federal CIO), Robert Carey (Navy CIO) and Vance Hitch (DOJ CIO) write:

the evolving challenges we now face, Federal Information Security Management Act (FISMA) metrics need to be rationalized to focus on outcomes over compliance. Doing so will enable new and actionable insight into agencies’ information and network security postures, possible vulnerabilities and the ability to better protect our federal systems.
(“Moving Beyond Compliance: The Status Quo Is No Longer Acceptable”)

I’m tremendously excited to see this because back in April I wrote “Security is about outcomes, not about process.” I don’t know that I can claim credit for this, but it’s nice to see how far the meme has gone.

Rebuilding the internet?

Posted on September 10, 2009 by adam

Once apon a time, I was uunet!harvard!bwnmr4!adam. Oh, harvard was probably enough, it was a pretty well known host in the uucp network which carried our email before snmp. I was also harvard!bwnmr4!postmaster which meant that at the end of an era, I moved the lab from copied hosts files to dns, when I became adam@bwnmr4.harvard…wow, there’s still cname for that host. But I digress.

Really, I wanted to talk about a report, passed on by Steven Johnson and Gunnar Peterson, that Vint Cerf said that if he were re-designing the internet, he’d add more authentication.

And really, while I respect Vint a tremendous amount, I’m forced to wonder: Whatchyou talkin’ about Vint?

I hate going off based on a report on Twitter, but I don’t know what the heck a guy that smart could have meant. I mean, he knows that back in the day, people like me could and did give internet accounts to (1) anyone our boss said to and (2) anyone else who wanted them some of this internet stuff and wouldn’t get us in too much trouble. (Hi S! Hi C!) So when he says “more authentication” does that mean inserting “uunet!harvard!bwnmr4!adam” in an IP header? Ensuring your fingerd was patched after Mr. Morris played his little stunt?

But more to the point, authentication is a cost. Setting up and managing authentication information isn’t easy, and even if it were, it certainly isn’t free. Even more expensive than managing the authentication information would be figuring out how to do it. The packet interconnect paper (“A Protocol for Packet Network Intercommunication,” Vint Cerf and Robert Kahn) was published in 1974, and says “These associations need not involve the transmission of data prior to their formation and indeed two associates need not be able to determine that they are associates until they attempt to communicate.” That was before DES (1975), before Diffie-Hellman (1976), Needham-Schroeder (1978) or RSA. I can’t see how to maintain that principle with the technology available at the time.

When setting up a new technology, low cost of entry was a competitive advantage. Doing authentication well is tremendously expensive. I might go so far as to argue that we don’t know how fantastically expensive it is, because we so rarely do it well.

Not getting hung up in easy problems like prioritization or hard ones like authentication, but simply moving packets was what made the internet work. Allowing new associations to be formed, ad-hoc, made for cheap interconnections.

So I remain confused by what he could have meant.

[Update: Vint was kind enough to respond in the comments that he meant the internet of today.]

If I Were the Type to Say “I Told You So” Dept.

Posted on August 28, 2009 by arthur

Which I’m not — but if I were, now would be the time.
‘Unbreakable’ quantum cryptography hacked without detection using lasers

Moore’s Law is a Factor in This

Posted on August 24, 2009 by adam

I remember when Derek Atkins was sending mail to the cypherpunks list, looking for hosts to dedicate to cracking RSA-129. I remember when they announced that “The Magic Words are Squeamish Ossifrage.” How it took 600 people with 1,600 machines months of work and then a Bell Labs supercomputer to work through the data. I had a fun little stroll down memory lane reading about average machines not having more than 16MB of ram, and how they borrowed a server with 2, later 3 900 MB disks. 129 decimal digits fits in 430 bits. The RSA-129 paper concludes:

We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars
and to wait a few months.

Fast-forwarding to this week, David Molnar mentions that “We’re living in the future now:”

The 512-bit RSA key used for signing applications and firmware updates for the TI-83 has been factored. By some person working on his or her own. With one computer.

David links to “Calculator hackers crack OS signing key, opening a closed platform,” and following links, we get to “fun number theory facts:”

Gentlemen,

A mathematical morsel for your entertainment and edification.
The number
6,857,599,914,349,403,977,654,744,967,
172,758,179,904,114,264,612,947,326,
127,169,976,133,296,980,951,450,542,
789,808,884,504,301,075,550,786,464,
802,304,019,795,402,754,670,660,318,
614,966,266,413,770,127

is the product of
5,174,413,344,875,007,990,519,123,187,
618,500,139,954,995,264,909,695,897,
020,209,972,309,881,454,541

and
1,325,290,319,363,741,258,636,842,042,
448,323,483,211,759,628,292,406,959,
481,461,131,759,210,884,908,747.

What should the new czar do? (Tanji’s Security Survey)

Posted on August 19, 2009 by adam

Over at Haft of the Spear, Michael Tanji asks:

You are the nation’s new cyber czar/shogun/guru. You know you can’t _force _anyone to do jack, therefore you spend your time/energy trying to accomplish what three things via influence, persuasion, shame and force of will?

I think it’s a fascinating question, and posted my answer over at the New School blog.

The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know

Posted on August 6, 2009 by Richard

John Viega recently published a new book: The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know.
It’s a great read, especially if you are new to or are interested in the security industry as a whole. However, even if you are a long term security veteran, you will find it enjoyable.
The book is a series of essays addressing a range of topics from “The Cloud” to the state of the AV industry and everything in between. The essays aren’t long, but they are very thorough. This makes it easy to pick up the book become engaged and learn something quickly.
My only complaint is that the essays around privacy and anonymity. They weren’t nearly as deep as I was either hoping nor on par with the rest of the book. Despite this, the book is excellent and well worth reading. I highly encourage you to pick up a copy.

Emergent Chaos

The Emergent Chaos Jazz Combo

Category Archives: information security