Archive for the ‘Security’ Category

Trust, but verify

Friday, February 19th, 2010

In a comment over at LWN.net, a reader pointed out that it’s a good idea to verify not just SSL certificates, but also doctors, mechanics, etc. He says, “it’s simply a requirement of a healthy society that its citizens have a healthy skepticism and be willing to put the effort into understanding what is going on around them. It’s not that you don’t trust them. It’s that you do what you can, in your limited way, to make sure that you can trust them.”

Users, Security and Scams

Monday, December 21st, 2009

I read Bruce Schneier’s Crypto-Gram monthly. It’s from there that I found most of these links, with the exception of the ones on social engineering. I found the first paper on scam victims to be especially thought provoking (although it’s long). The video clip demonstrating social proof was amusing.

Understanding scam victims: seven principles for systems security

Summary: Scammers manipulate people with distraction, deception, herd mentality, greed, time pressure and by impersonating authority. If something sounds too good to be true, it probably is.


Social Engineering [2] [3]

Summary: Social engineers exploit people’s tendency to trust and to be helpful. They do this with ingratiation, impersonation, diffusion of responsibility, urgency, appeal to conformity (aka “social proof” or herd mentality), intimidation, deception, and authoritative orders.

There’s an entertaining Candid Camera video clip demonstrating “social proof”.


The Rational Rejection of Security Advice by Users

Summary: Security practitioners often dole out advice that users perceive as too time-consuming, so users ignore or reject it. However, “Advice that has compelling cost-benefit tradeoff has real chance of user adoption…. the costs and benefits have to be those the user cares about”. Time is one thing users care about.

Article: Election Fraud in Kentucky

Tuesday, April 21st, 2009

Bruce Schneier summarizes the first documented case of election fraud using new electronic voting machines in his article Election Fraud in Kentucky:

Five Clay County officials, including the circuit court judge, the county clerk, and election officers were arrested Thursday after they were indicted on federal charges accusing them of using corrupt tactics to obtain political power and personal gain.

They used a low-tech social engineering trick to commit their crime.

Bypassing the I.T. security fortress

Saturday, February 28th, 2009

In the back of my mind for the past few years, I've been thinking about how I.T. security becomes less meaningful as time goes on. Digital cameras usually aren't allowed, yet a company isn't (usually) going to boot out an employee for having a cell phone with a digital camera, or even for using it to take a snapshot of a diagram that will be placed on a corporate wiki. USB thumb drives for transferring and storing corporate data are perceived as a risk, but often they're a practical way of getting one's job done. Remember network firewalls? They're still in place, but they're increasingly meaningless: they certainly don't keep out viruses and trojan horses. And with the increasing prevalence of wireless networking, there's even less incentive for people to play by the I.T. security rules. Dan Kaminsky expresses these thoughts better than I have:

... every restriction, every alteration [I.T. makes] in people's day to day business, carries with it a risk that users will abandon the corporate network entirely, going "off-grid" in search of a more open and more useful operating environment. You might scoff, and think people would get fired for this stuff, but you know what people really get fired for? Missing their numbers.

It's never been easier to get away with going off-grid. Widespread availability of WiMAX and 3G networks means there's an alternate, unmonitored high speed network available at every desk.

Kaminsky goes on to discuss some of the ramifications of these ongoing changes, including "the Cloud" (e.g. Google docs) and the security of corporate data.

Fedora 10 lacks “wow” appeal; OpenSolaris 11

Tuesday, January 6th, 2009

I upgraded one of my machines to Fedora 10 last month, and for me, this release lacks the “wow” appeal that other releases have had. A minor annoyance is that the keyboard repeat delay is broken for me and so far, there is no fix other than disabling keyboard repeat. On the plus side, Fedora 10 includes OpenOffice.org 3 and other new features. Be sure to check out the Common Issues people have experienced with Fedora 10.

The other day, a co-worker handed me an OpenSolaris 11 Live CD. I booted it, expecting to be underwhelmed like I was with the Solaris 10 JavaDesktop. I was pleasantly surprised, however. Sun’s “Nimbus” GNOME theme knocks the socks off the boring Fedora window manager themes. The experience felt like I was running Linux. It was responsive, supported my newer hardware, and the system was built with GNU utilities on the command line so I get my favourite options to ‘ls’, ‘grep’, etc. It supported my NVIDIA card out of the box, and had Compiz eye-candy as an option. The only thing I missed (in my superficial test) was the familiar ‘yum’ and ‘rpm’ for package management. I suspect that if I used it from day to day, I’d find other things I miss. Does OpenSolaris support encrypted file systems? Does it have as much optional software as I can get with Fedora Extras?

I’ll keep my eye on OpenSolaris a little more closely in the future.

Web App Security Statistics

Monday, October 13th, 2008

Perhaps this is a bit old, but it’s the first time I’ve seen it, and I thought it was interesting enough to share.

http://www.webappsec.org/projects/statistics/

  • More than 7% of analyzed sites can be compromised automatically.
  • Detailed manual and automated assessment using white- and black-box methods shows that the probability of detecting a high-severity vulnerability reaches 96.85%.
  • The most prevalent vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection and Predictable Resource Location.

REST versus RPC

Monday, October 13th, 2008

Have you considered the merits and applicability of RESTful web apps? Here are a few notes I’ve made.

There was quite a discussion about RPC, REST, and message queuing — they are not the same thing. Each one is needed in a different scenario. All are used in building distributed systems.

Wikipedia’s explanation of REST is quite informative, especially their examples of RPC versus REST.

The poster “soabloke” says RPC “Promotes tightly coupled systems which are difficult to scale and maintain. Other abstractions have been more successful in building distributed systems. One such abstraction is message queueing where systems communicate with each other by passing messages through a distributed queue. REST is another completely different abstraction based around the concept of a ‘Resource’. Message queuing can be used to simulate RPC-type calls (request/reply) and REST might commonly use a request/reply protocol (HTTP) but they are fundamentally different from RPC as most people conceive it. “

The REST FAQ says, “Most applications that self-identify as using “RPC” do not conform to the REST. In particular, most use a single URL to represent the end-point (dispatch point) instead of using a multitude of URLs representing every interesting data object. Then they hide their data objects behind method calls and parameters, making them unavailable to applications built of the Web. REST-based services give addresses to every useful data object and use the resources themselves as the targets for method calls (typically using HTTP methods)… REST is incompatible with ‘end-point’ RPC. Either you address data objects (REST) or you don’t.”

RPC: Remote Procedure Call assumes that the parties agree in advance on what kinds of procedures they would like to call. RPC is about algorithms, code, etc. that operate on data, rather than about the data itself. Usually fast. Usually binary encoded. Okay for software designed and consumed by a single vendor.

REST: All data is addressed using URLs, and is encoded using a standard MIME type. Data that is made up of other data would simply have URLs pointing to the other data. Assumes that people won’t agree on what they want to do with data, so they let people get the data, and act on it independently, without agreeing on procedures.

xguest

Friday, August 15th, 2008

I just discovered and installed the xguest package for Fedora 8 and 9. Here’s what it does:

Installing this package sets up the xguest user to be used as a temporary account to switch to or as a kiosk user account. The account is disabled unless SELinux is in enforcing mode. The user is only allowed to log in via gdm [or the fast-user-switching applet]. The home and temporary directories of the user will be polyinstantiated and mounted on tmpfs.

Here’s how to install it:

yum install xguest

I hit a brick wall when I first tried it. I thought my machine was in SELinux Enforcing mode, when it wasn’t — it was in Permissive mode. I fixed it using system-config-selinux.

It’s possible to change what the xguest user can do using system-config-selinux. I’ve attached a screenshot showing what capabilities can be granted or revoked.

SELinux Administration for xguest user

Comcast.net hijacked – causes email delays

Friday, May 30th, 2008

Comcast is my ISP, and on Wednesday, some email started having trouble getting to me. It turns out that comcast.net was temporarily hijacked using a social engineering trick.

Open Source Security report from Coverity

Friday, May 23rd, 2008

Coverity has published its Open Source Scan Report 2008, which details the security status of several open source projects. Here’s my summary:

  • The overall security of open source projects is improving.
  • There’s a linear relationship between the amount of code and the number of defects.
  • Surprisingly, there’s no relation between function length and defect density.

Projects with exceptionally low defect density include Amanda, NTP, OpenPAM, OpenVPN, Perl, PHP, Python, TCL, Postfix, Samba, curl, libvorbis and vim.

The top two security defects are

  1. NULL pointer dereference
  2. Resource leak
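These two defect classes are worth seeing side by side, because in practice they chain: a leak on an error path slowly exhausts a resource, and the first unchecked NULL after exhaustion is the crash. The following is an added example written for this page, not code from the Coverity report or from any of the scanned projects. The `handle_t` pool is a stand-in for file descriptors (it makes the leak countable and the exhaustion reproducible), and `process_record_buggy`/`process_record_fixed` are hypothetical routines that reject any record containing a `;`.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the Coverity report): a resource leak and a NULL
 * pointer dereference, the two defect classes the report ranks highest, in a
 * deliberately buggy routine beside a fixed one. The fixed-size handle pool
 * stands in for the process descriptor table. */

#define MAX_HANDLES 4

typedef struct {
    int  in_use;
    char name[32];
} handle_t;

static handle_t pool[MAX_HANDLES];

/* Acquire a free slot; returns NULL when the pool is exhausted, just as
 * fopen()/open() fail once the descriptor table is full. */
handle_t *handle_open(const char *name)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
            return &pool[i];
        }
    }
    return NULL;
}

void handle_close(handle_t *h)
{
    if (h != NULL)
        h->in_use = 0;
}

/* Slots currently held; a leak shows up as a non-zero count after every
 * caller has returned. */
int handles_in_use(void)
{
    int n = 0;
    for (int i = 0; i < MAX_HANDLES; i++)
        n += pool[i].in_use;
    return n;
}

void handles_reset(void)
{
    memset(pool, 0, sizeof pool);
}

/* Deliberately buggy: the record is validated only after the handle is
 * acquired, and the early return on rejection skips handle_close()
 * (resource leak). handle_open()'s result is never checked, so once leaked
 * handles have exhausted the pool the next call dereferences NULL.
 * Returns the stored name length, or -1 for a rejected record. */
int process_record_buggy(const char *record)
{
    handle_t *h = handle_open(record);
    if (strchr(record, ';') != NULL)
        return -1;                      /* BUG: h is never closed */
    int len = (int)strlen(h->name);     /* BUG: h may be NULL */
    handle_close(h);
    return len;
}

/* Fixed: fail cleanly when no handle is available, and route every exit
 * after acquisition through one cleanup label so the handle is always
 * released. */
int process_record_fixed(const char *record)
{
    int rc = -1;
    handle_t *h = handle_open(record);
    if (h == NULL)
        return -1;                      /* nothing acquired, nothing to free */
    if (strchr(record, ';') != NULL)
        goto out;                       /* rejected, but still closed below */
    rc = (int)strlen(h->name);
out:
    handle_close(h);
    return rc;
}

int main(void)
{
    const char *bad[] = { "a;1", "a;2", "a;3", "a;4" };   /* constructed input */
    for (int i = 0; i < 4; i++)
        process_record_buggy(bad[i]);
    printf("buggy: %d handles leaked after 4 rejected records\n", handles_in_use());
    /* The pool is now exhausted: the fixed routine reports failure, while the
     * buggy one would dereference NULL at this point. */
    printf("fixed on exhausted pool: rc=%d\n", process_record_fixed("good"));
    handles_reset();
    printf("fixed: rc=%d, %d handles leaked\n",
           process_record_fixed("a;5"), handles_in_use());
    return 0;
}
```

The single-exit `goto out` pattern is the usual C idiom for this, and it is also the shape static analyzers such as Coverity Prevent reason about most easily: one acquisition, one release, every path between them accounted for.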

I got to preview Coverity Prevent at a previous job, and it rocks at finding real bugs in code, with a very low rate of false positives.