Dominic White

What a Wedding!

nospam@example.com (Dominic White) — Mon, 04 May 2009 16:35:31 +0200

We loved every moment, if only there was more time. Some photos are up courtesy of our photographers. Our informal engagement shoot, and photos from the wedding.

In the meantime, we're off on honeymoon!

I'm getting married!

nospam@example.com (Dominic White) — Fri, 01 May 2009 21:57:12 +0200

In 17 hours. Finally, I can't wait.

Conficker Claims its First Human

nospam@example.com (Dominic White) — Wed, 01 Apr 2009 09:02:29 +0200

Conficker has claimed it's first victim, this time a live one. Conficker, a computer virus that security researchers have warned will do severe damage to computing systems from April 1st, has claimed millions of computer victims to date. However, Harry Hermulen's computer was luckier than he was.

Mr Hermulen, fearing a computerised Armageddon would occur on April 1st due to Conficker, barricaded himself in his log cabin outside the small town of Pofadder in South Africa last week. After missing the town's weekly "sokkie", a type of traditional Afrikaans dance, town members went to visit Harry. One witness described what they found as "horrifying". "We knocked on the door, but Harry didn't answer, a jean-pant were drying outside, but Harry only had one pair, so we knew he was inside." said Maggie van Schoonstad. "We opened the door and found yellow, red and blue devil's signs on all the walls," continued Maggie These were later confirmed as the logos of well known Anti-Virus vendors. "We found him dead in front of his computer, his face was all blue from the screen."

Later analysis confirmed Mr Hermulen had starved to death. Computer experts determined that while waiting for his Vista computer to boot, then clicking through the thousands of 'Allow' dialogs presented to him by the multiple Anti-Virus products installed, Mr Hermulen had not had time to eat. "His finger was full of blood and stuck to his mouse." said Frikkie Steyn a close hunting friend of Harry.

When asked for comment, Norton Symanteck, a spokesperson for Fckng-Secure Anti-Virus said, "What happened to Mr. Hermulen is a tragedy, BUT YOU'RE ALL GOING TO DIE UNLESS YOU BUY ANTI-VIRUS." Oh the humanity.

Happy April First.

Department of Home Affairs Snooping Tools

nospam@example.com (Dominic White) — Tue, 24 Mar 2009 16:37:09 +0200

Thanks to the Department of Home Affairs, it is now possibly to get a bit more creepy. If you know someone's ID number (not a hard task) you can now find out if they are dead/alive, in the process of obtaining a new ID book or married (and when).

While these would make a great addition to Maltego as new transforms, given how poorly protected our ID numbers are, I'm reluctant for the DHA to be making this info available. While this information certainly isn't a deep invasion of privacy, I am worried about them expanding the service. Additionally, the existence of these services implies that there is a DB full of juicy ID data connected to the internet, and I'm not sure they've secured it very well.

SA AV Vendor Recycling News for FUD Marketing

nospam@example.com (Dominic White) — Tue, 17 Mar 2009 13:04:26 +0200

ClassicFM just phoned me for comment on this story. I did some quick research and was rather dismayed to find that this appears to be an attempt to drum up some press references for marketing rather than a responsible informing of the public.

Update: ClassicFM has put up the story with a soundbite.

It was referencing X97M/TrojanDropper.Agent.NAI.trojan (the vendor in question isn't McAfee, they just had a good writeup) which exploited an unpatched vulnerability (CVE-2008-0081 to be specific) in early 2008, but was patched by Microsoft in October 2008. So, by now the patch is likely deployed to even your mother's machine in the cupboard, and AV vendors have got several copies of the signature deployed. In addition, the specific trojan was used in targeted attacks and it is highly likely that no person or company in SA will ever see a copy, even if they did, the generic advice of 'be suspicious of .xls files' is fairly useless.

To add insult to injury, the AV vendor seems to have received orders from their head office as their international office engaged in the same FUD last month.

This appears to be fairly blatant scaremongering in order to get their name in the papers, the sort that harm the whole industry and makes people unable to differentiate between real threats with real actions they can take. There may be a good explanation, and if the vendor in question wants to clear things up I'll publish it here, although having not mentioned their name I doubt they'll see it. In the meantime, I recommend journos blacklist them as a source.

Now, if anyone wants to write about the PDF tomfoolery that's been going on lately, that would be far more interesting. Although, even then only to IT and security types, not the general public yet.

Using Maltego to Data Mine Twitter

nospam@example.com (Dominic White) — Wed, 11 Mar 2009 10:31:02 +0200

I've previously, spoken about Paterva's awesome data mining tool Maltego in 2007. I've recently had cause to start playing with it again as part of the Privacy work I'm currently doing, and it's come a long way baby.

To demonstrate the cool sorts of data mining you can do, I decided to play with the new twitter transforms. I've produced some really nice graphs that demonstrate the power the views in Maltego can bring to your data analytics.

What I did was to start off with a phrase "@singe". I then transformed that to tweets. This showed all recent tweets to or about me. From there I transformed the tweets to twitter affiliation (i.e. a twitter user). Then for each of those users, I ran the 'tweets to' and 'tweets from' transforms. This gave me a nice first go at the networks surrounding me. Then for all tweeple who were referenced more than once, I ran the same 'tweets to/from' transforms. With the centrality data mining view, I could quickly see which tweeple were referenced several times and continued running the transforms against the most highly referenced people. I soon ran out of the 75 transforms allowed in the community edition.

From this data, I have a good idea of the twitter communication network that surrounds me. With the centrality view, you can immediately see there are two distinct networks, the South African twitter-sphere, and the Security twitter-sphere.

Centrality View - Showing 2 Distinct Networks

Centrality View - Showing Security Network

Centrality View - Showing South African Network

This is an interesting view. I know I operate within these two networks and the people in the one don't talk to the people in the other, but to have it represented so clearly is interesting.

Next, I switched to the edge-weighted view which looks at the number of incoming and outgoing connection of each entitiy. This provided some insight into how these networks are structured. It is easy to see that the South African twitter-sphere is far more connected, the people there share a common group of friends, it's also easy to pick up the central nodes of the network, stii features quite prominently. The security network on the other hand is far more distributed and far less connected, with the central players much less easier to spot.

Edge-weighted view - Showing network properties

Edge-weighted view - Showing SA Network

Edge-weighted view - Showing Security Network

The other piece of information this has provided are any people I should be following that feature prominently in either of the networks. For example, Tanya de Ville, Sheena Gates, Wogan May, Nick Jackson and Gabrielle Rosano are all people I don't currently follow but maybe should. Although, I tend to follow people I know personally in the South African network. On the other hand, I don't know most of the security tweeple personally and it tends to operate on more of a meritocracy, so this has given me some good ideas of other security tweeple I should follow; Andrew Hay, Marcus J. Carey, Thomas Nicholson and Rob Fuller.

I should add a disclaimer that I had Maltego set on max speed so it only returned 12 results, this means these graphs are very temporal based, tweple that were making more noise at the time I ran them featured more prominently. Also, I was using the community edition, and was limited to 75 transforms. Thus, don't take this as a personal slight if your name doesn't show up.

My intention is to show how Maltego's views can be used for quick visual analysis of interrelated data sets. With the inclusion of local transforms, I'm excited about the possibility of using this for all sorts of things, nessus/nmap output, firewall rules, customer info data sets etc. Nice work Paterva.

Cybersquatting and Prank Redirects - Malema and the DA

nospam@example.com (Dominic White) — Thu, 26 Feb 2009 16:00:49 +0200

Update: Verashni has since written a story on the matter.

Many non-technical people don't realise how easy it is to manipulate many of the core internet protocols. 2008 Was a particularly bad year for it with some key weaknesses being pointed out in critical protocols such as DNS, SSL and BGP (again) which have joined the ranks of SMTP, Ethernet and in-line SQL as broken. However, with all the technofeats, I forget how easy it is to do something simple that appears to be manipulation to the general public. A journo friend of mine, Verashni, noticed (amoung others) that visiting www.malema.co.za will take you to the DA's website. For any forein readers, this is funny as I'm sure Julius Malema has a dartboard with, opposing political party leader, Hellen Zille's face on it. I did a quick check of who had registered the domain and it was fairly obvious this was a prank:

2f. billingaccount : The ANC
2g. billingemail : neveranc@gmail.com
2i. invoiceaddress : Not 54 Sauer Street, Johannesburg, 2001
2j. registrantphone : +2774 115 9505
2k. registrantfax :
2l. registrantemail : neveranc@gmail.com

This isn't a technical feat, or particularly difficult to do. It likely cost the prankster R50 and 30 minutes of her time. For example back in 2007, I pointed out that thesource.ofallevil.com mirrored Microsoft's website (and still does), and a commentator pointed out that theroot.ofallevil.com did the same for Verisign (but not anymore).

However, the almost magical qualities attributed to technology by the general public have lead to some very amusing conspiracy theories. My favourite so far is: "The DA is trying to profit from Julius' popularity!" Unfortunately, there is no proof that the DA is behind this, and until we can rule out the rest of the planet as suspects, we'll just have to smirk and read Classic Malema.

This does have some domain squatting implications though. If Julius ever decides to take his "unique" brand on-line, he'll likely need to go through some legal procedure to get "Not the ANC" to relinquish it. You can read more about "Cybersquatting" on Wikipedia.

Happy 5th Blogbirth Day

nospam@example.com (Dominic White) — Thu, 05 Feb 2009 11:06:13 +0200

Five years ago I started this blog to keep my then supervisor up to date on my academic progress. It's interesting that at the same time five years ago Facebook was launched, and I think the last five years have been particularly interesting for computer security, and it's been fun. I've also grown a lot over the years, and it's funny to read my early entries with hindsight.

I've never had a massive readership except for the odd case of big blogs linking to me (SANS, F-Secure and Washington Post were my most memorable). Although, the feedback I've received over the years has really helped to refine some of my stances and ideas, and hopefully a few of yours dear reader. For example Ben Nagy once scared me into a whole new tack leading from this to this. Last year was particularly fun with Roberto Preatoni and Dan Kaminsky both getting involved in some discussion. It also marked a return to more active blogging for me, after a drop off in the move from academia to consulting. I hope to keep it up.

To my regular readers, thanks for reading, to any new readers welcome. My goal has always been to encourage debate and discussion, so if you've never argued with me before but always wanted to, know that I welcome the chance.

A Response to Bejtlich on DLP

nospam@example.com (Dominic White) — Wed, 04 Feb 2009 21:14:47 +0200

Richard Bejtlich just posted an entry entitle "Data Leakage Protection Thoughts." In it he argues that Data Leak Prevention products will just lead to a new barrage of alerts for someone to ignore (ala IPS/IDS), or blocking a too-small-set of data for which a significant amount of time would need to be invested to understand how to block. I'm paraphrasing, but I think it provides the gist.

Before I provide a response, I must preface it with the fact that we are currently working on and selling projects which use DLP tools.

That said, what I think Richard misses about DLP is the fingerprinting and discovery aspect. DLP solutions provide radically enhanced methods of fingerprinting and finding 'unstructured' data beyond comparing hashes or strings. Unstructured data, is data that doesn't follow some kind of programmatic pattern. For example, credit card numbers are structured data and need to conform to certain guidelines. It's fairly easy to find and detect that sort of data. Unstructured data on the other hand are things like spreadsheets, documents, presentations, podcasts, movies etc. However, even then those are just containers for the data, and it is possible for the same information to be copied from a word document to a spreadsheet (for e.g.). DLP provide a way of fingerprinting the underlying information, and then detecting it across the organisation.

For example, one could fingerprint the board minutes on a PA's laptop, then examine all mailboxes, databases and file servers to locate them. Or, one could do the same for customer records and work out which systems are storing customer personal information. Alternatively, one could work out which systems are in scope for PCI DSS compliance (or descoping) because they contain card-holder data. Then, much later, one could monitor communication channels, flash sticks and printers and block any instances of the classified information being distributed outside of designated groups.

The reason this sort of stuff is important, is that organisations aren't very good at knowing where their important data is. People who've done 'information classification' projects before, will tell you they took a long time because the business people knew what data was important, but not how or where it was stored, and the IT people knew which systems the business people thought were important, but not which parts of information in that system were important. Being able to do this sort of fingerprinting and discovery makes the task of mapping these to each other much easier. Additionally, being able to fingerprint a blob of data and assign the whole blob specific properties makes life easier. You don't have to classify each paragraph of the board meeting's minutes, you can fingerprint every one and assign a policy to all of them.

The second part of a DLP solution, the enforcement, is the bit Richard was talking about. If we look at previous information classification projects again, even if you did come up with a decent data/system/comms map and classification scheme, you couldn't do much more than write policies or put a bit more effort into securing the systems holding the important data. The DLP tools let security teams start putting controls around the actual data, not their format or system, and provides a method to enforce that policy. In implementing this part, it's easy to alert on everything and end up with an unmanageable and unwatched list of alerts. Initially, key policies should be expressed as a block rule, assuming you aren't an unrealistic rule-nazi this will allow you to define rules for very confidential information or high-risk leaks (e.g. 1million customer records and one set of minutes of a board meeting). However, once you've got that tweaked and usable, all the stuff in the middle may need a more nuanced approach in the form of logs and alerts. It's my personal belief that security analysts can't do that part, I've tried and it's just way too much work. The communication context is something the data owner needs to comment on, and takes too much time to work out. This is where I think the workflow component comes in as described in my other blog entry on the topic.

Then (almost) finally, I think DLP has potential to allow an organisation with an immature security posture, to fairly quickly put controls around high risk data, start working out where their high risk data is stored and where their biggest leaks are. Those last two will help them prioritise their security efforts better than the other risk assessments consultancies like mine are famous for overcharging for ;)

I do agree that DLP tools aren't going to provide a fool proof way of detecting all attempts at smuggling data out. I've tested a couple and while steganography works all the time, in some cases just bzip2'ing it worked too. I don't think only stupid people will get detected by the DLP tool (although given the number of "mistakes" you end up seeing, blocking stupid is useful) as they do go quite far in picking up things like copy pasting snippets of text into other documents or inserting some random text in between paragraphs etc. But in the end it won't kill that werewolf for you.

Opt-Out of Online Advertiser's Profiling

nospam@example.com (Dominic White) — Mon, 02 Feb 2009 21:59:21 +0200

I've been saying to anyone who would listen, that many advertisers (such as Google and DoubleClick - owned by Google) don't let you opt-out of their profiling. Essentially, many advertisers set a cookie and use it to track you across sites. This is useful to add state to stateless HTTP, but often lots of third-party cookies are set by advertisers which have no function other than to help profile you, i.e. it's possible to have a perfectly functional site without these cookies.

However, while trawling through Google's privacy policies, I found a gold-mine of opt-outingness, and it appears I was wrong. Not only can you opt-out of Google's and DoubleClick's profiling, you can opt-out of almost every other one! What this does it set a specific opt-out cookie, that will prevent the code running on the ad platforms from using or recording profile data to serve you ads. You will still see ads (unless you run Ad Block Plus), but they will not be based on inferences from your surfing history. As it uses cookies, this will only work as long as the cookie is there, so other browsers/computers won't have it, nor will they remain if you delete your cookies. I still recommend not accepting the cookies in the first place (Cookie Safe helps with that and is easier than managing it through browser prefs), but if you must (e.g. to use gmail) then there's very little reason to not opt-out.

While this is quite cool, and certainly makes me heap less derision on online advertisers, there is a caveat that you are trusting the advertiser that they have opted you out. For example, doubleclick.com still has an ASP session cookie set which could be used for profiling if they felt like it (several of the other ad partners also have opt-out cookies with what looks like unique identifiers present). I would still recommend blocking these third party cookies just to be safe, and you don't really loose anything by doing so. Additionlly, non-ad profiling such as your Google life-time (now 2 years) cookie or YouTube tracking cookie will still be present and used to profile you (unless someone can show me a cool way to opt-out of that?) so this certainly isn't a panacea.

The big problem is that anyone who indiscriminantly accepts third party cookies, is also not likely to know about/care about/find the opt-out page. Either-way, the Network Advertising Affiliates deserve some credit for this.

ARIAD - AutoRun.Inf Access Denied

nospam@example.com (Dominic White) — Sun, 25 Jan 2009 23:10:59 +0200

Viruses using the autorun.inf file of removable media such as flash sticks and iPods to automatically execute and install themselves whenever they are plugged into a machine can now be thwarted by Ariad. This is a big vector at the moment.

It's a file system filter (I didn't know about these, they're cool) that blocks access to autorun.inf and effectively stops windows from automatically installing viruses for you (aka a design flaw). Group Policy should allow you to do the same thing, but if you have either incompetent domain admins, some inheritance complexity of multiple policy applications have self-imploded, or a family member who uses their USB without protection, this can help fill the gap.

Courtesy DiderStevens - Ariad

Dider asked me to add that at the time of writing this is beta software, so test it first.

Connecting to a Microsoft Office Communicator or Live Office Communicator Server in Ubuntu

nospam@example.com (Dominic White) — Tue, 20 Jan 2009 01:07:35 +0200

As part of my ongoing attempt to not use Windows this year, I have been struggling to find a way to get OCS/LCS working in Linux. Due to some recent work on the SIPE/SIPLCS Pidgin plugin, it is now working. To make it work, first download the broken 'stable' version from the Sourceforge page (currently 1.3.2), and extract it to a directory.

Next, checkout the latest snapshot from the git repository, as version 1.3.3 fixes several problems with 1.3.2. If you're reading this and 1.3.3 is an ancient version, then skip this step and try the stable version from sourceforge first. The latest snapshot can be downloaded from the GIT repository. Just click the first 'snapshot' link at the top right.

Extract the snapshot into the same directory.

Next perform the usual configure/make routine you're used to. Remember to set the correct prefix based on how you have pidgin installed. If it is a binary package it will most likely be /usr, source compiles will be in /usr/local. I am using Ubuntu Intrepid and since chose /usr.

singe@blackguard:~/manual-install/sipe/merged$ ./configure --prefix=/usr
singe@blackguard:~/manual-install/sipe/merged$ make
singe@blackguard:~/manual-install/sipe/merged$ sudo checkinstall --fstrans=0 make install

I use checkinstall to make sure a package is generated. The --fstrans=0 switch is to turn off file system translation due to a current bug. This will actually install the files, so make sure you're running it on a system you want it installed to.

Next you will need to link the sipe libraries into libpurple as it is incorrectly installed to pidgin's directory. You can do this with:

singe@blackguard:~$ cd /usr/lib/purple-2/
singe@blackguard:/usr/lib/purple-2$ sudo ln -s /usr/lib/pidgin/libsipe.* .

Now you're done. Fire up Pidgin and add a new account. Under protocol select "Microsoft LCS/OCS". The options are poorly named. Place your SIP server's address in the 'Proxy' field, select non-standard port then enter the port your OCS server is exposed on. I used 443 for SSL/TLS and selected the SSL/TLS connection type. Next I put my SIP username and password into the 'Username' and 'Password' fields, my domain username into 'Auth User' and domain into 'Auth Domain'.

For example:

Basic

Protocol: Microsoft OCS/LCS
Username: <sip account e.g. bob@company.com>
Password: <domain password>

Advanced

Use proxy: checked
Proxy Server: <SIP server e.g. sip.company.com>
Use non-standard port: checked
Port: <relevant port based on connection type, most likely 443>
Connection Type: SSL/TLS
Auth User: <domain username, e.g. BOB >
Auth Domain: <company domain e.g. COMPANY>

Server Instability

nospam@example.com (Dominic White) — Tue, 20 Jan 2009 00:10:44 +0200

Sorry for the server instability. There appear to have been some problems with the kernel, which I think are now sorted. We'll see.

WorkTime Script to Prevent Innapropriate Web Surfing

nospam@example.com (Dominic White) — Sun, 18 Jan 2009 04:07:00 +0200

Not only does BASH cure cancer, but it can stop you from wasting time on the intertubes. While lying on the grass today I realised that I have a few 'jumping off' sites for non-work meanders; gateway drugs of sorts. By blocking these sites, I can stop myself from getting sidetracked most of the time and prevent Work Avoidance Behaviour (WABbing). If you're one of those people who can stick to a schedule, you could even cron it. Read the crufty-4am-produced shell script yourself, or the English below.

The shell script has two variables at the top, the location of your block list and the location of your hosts (as in /etc/hosts) file. Anyone with a modicum of unix knowledge should get how it works now (if not, don't use it). As an additional step I export my Tomboy todo list to HTML and use netcat to serve it up on localhost (trying to use a combination of dbus and the ExportToHTML xsl to automate this, but not succeeding). This ensures that I am not only prevented from being side tracked, but am put back on track.

The block list is formed by listing the base domain for each site, one per line. For example:

singe@blackguard:~$ cat ~/.worktime
facebook.com
bloglines.com
twitter.com
singe.za.net
engadget.com
gizmodo.com
boingboing.net

You'll need to run it as root to modify the hosts file. For example:

singe@blackguard:~/bin$ ./worktime.sh
Invalid argument!
The options are "on" or "off" e.g.:
./worktime.sh on #to enable work time
./worktime.sh off #to enable play time
singe@blackguard:~/bin$ sudo ./worktime.sh on
Get to work!
singe@blackguard:~/bin$ sudo ./worktime.sh on
It's already work time.
singe@blackguard:~/bin$ sudo ./worktime.sh off
Work's done, let's play.
singe@blackguard:~/bin$ sudo ./worktime.sh off
You're already playing.

You can download it here.

Why Patch Management will Remain Hard

nospam@example.com (Dominic White) — Sat, 17 Jan 2009 10:49:21 +0200

A discussion with haroon yesterday revived some of my interest in my MSc thesis topic. Then serendipity brought Eric Schultze commentary/apology on the MS09-001 patch to my attention.

First, some justification. Patch management is still a poorly practised discipline. I can't think of a single audit report either written or reviewed by me that didn't mention missing patches as a finding. This is also a non-trivial issue. Patches drives attacks (you can read my vulnerability life-cycle for more justification), missing security patches really do put your organisation at risk, no matter how jaded we are about them.

Arguably, Microsoft has done the most work in making their patches reliable and easy to install. However, it's still possible for a highly experienced patch management expert to get things wrong in understanding the impact (and hence appropriate prioritisation) of a patch.

However, the people within your organisation responsible for 'patch management' are usually fairly low level techies. It is often seen as a plumbing and maintenance issue. You certainly don't have your top sysadmins jumping to it every Tuesday to put together a regression testing schedule and work out which machines to prioritise the deployment to. In South Africa, things are a little worse, where there appears to be an increasing dearth of top sysadmins, as many of them move up into less technical managerial positions away from the care of the metal, thankful to leave plumbing issues like patching behind them.

This is where the disconnect comes in. Even with a comprehensive toolset to easily deploy patches. The technical and security experience required to properly understand the affects of a patch, coupled with the operational and organisational experience required to understand those applied to a specific organisation are quite large however this maintenance issue is usually given to a junior technician. Additionally, even though Microsoft's patches have improved their stability dramatically, people still err on the side of caution and tend towards non-deployment. This disconnect can be resolved via an organisation patch management policy that codifies much of that experience, but in the words of haroon "Management don't buy into who cleans the fridge or when the light bulbs are replaced." For the same reason low-level techies are sent to do the patching, management are unlikely to spend money and time getting patch management right. The right way to cut through that is with a risk-based argument, although not every organisation has a risk-management function motivated to do much about patching. Why? Because it's boring. Not only is it boring, it's repetitive; every month there's more. I personally find it very hard to care about patches these days.

However, these are the problem in the case of some of the best patches out there. But the software stack deployed on your average desktop, let alone across the organisation is far more complex, and most third-party vendors haven't gotten their patch process up to the same level as Microsoft. Even if they have, they often come with their own seperate infrastructure that many organisations are disincentivised to duplicate, and this isn't likely to get better any time soon. There are great tools out there to help with this, Lumension and Shavlik for example, however as per the previous paragraph this isn't the sexy sort of problem people want to spend lots of money on, and getting everyone to run Debian, while ideal, is impractical :)

So that's my litany of problems around patching. While quite different from several years ago, much of it remains the same or is just a subtle reformulation. I don't see patching getting better, and I don't see people willing to spend much time (outside of select vendors) to make it better. But the risk remains (and your IPS which you never check anyway won't save you).