Tuesday, March 24, 2009

The great cryptographic demolition derby

Tonight ISSA-BE was hosting a talk by Bruce Schneier.

The talk was in two parts. The first part was about cryptography and actually about a thing called the great cryptographic demolition derby. NIST has organised a first crypto contest and the winner was AES. Bruce was a participant with the blowfish algorithm.

Currently there is another contest for hash algorithms to replace SHA2. At the start there were 64 algorithms and this summer 16 will go through to the next round. Next year the top 5 will be anounced and in 2011 the winner will be announced and be called SHA3.

The big advantage of such contests is that the top minds in the industry participate and everybody in the world can enter and try to crack algorithms.

One thing that I thought was interesting is that according to Bruce most cryptographic research happens in Europe and in some Asian countries. He thinks that the reason why in the US is not so overwhelming represented is that the funding in the US is dependent of the DoD and the National Science Foundation and there not so happy that we could make things the goverment is not able to read.

The second part of the talk was about security in general. Security is a trade off. The trade off can is not always about money. It can be time, ease of use, ...

A very clear example to illustrate this was about a bulletproof vest. They are very efficient in stopping bullets and there are many bullets in this world but nobody at the talk wore a bulletproof vest. Why? Simply because the risk of being shot at the talk was acceptable to those who attended it.

Security is always a trade off between benefits and costs and that is the only economic perspective according to Schneier. To illustrate this he made an example of the way we pick out a restaurant. If you are in a town and don't know any good restaurant you pick one based on unclear biased criteria that make sense to you. The same goes for security, we make decisions based on what we know but actually there is no way for us to proof that the decision is correct.

All we want is adequate security at a reasonable cost. It seems that somewhere in security the trade off is more difficult that in real life (see the restaurant example)

There is a theoretical 'right' answer to the question "what is adequate security and a reasonable cost?" but things like cultural differences, regulatory environment and the amount of data we have about the risk influence the right answer and so it will be different each time.

Bruce also talked about the mandatory breach disclosure law in some US states. I think this would be a good idea to have this all over the world. At least we would know what happens. I am aware of the fact that this could do serious image damage to a company but comming clean is to me the first step in repairing the damage the company caused. I asked if there is a list on which we could check which companies suffered from which attacks, but Bruce wasn't aware of an existing list.

Another point that came up was the European data protection act. One of the illusions we have is that we own our private data but if you actually if you think about it your data is owned by your governement and companies. In Europe we have some protection due to this act but in most places on this planet this is not the case.

The reason why we have e-crime is simply because there is money to be made. Actually it is simple, if you can make a profitable business model for something people will do it. The same idea goes for e-crime and so it is clear that we haven't seen the end of it. One thing is very clear, there is no specific law that can protect you since the Internet has no nation bouderies and laws are bound to territorial boundries.

Sunday, March 22, 2009

!exploitable

Microsoft has announced at CanSecWest the release of !exploitable (pronounced as bang exploitable). This tool is still in beta phase but a RC is publicly available. !exploitable is an extension on Windbg, the well known Windows Debugger.

Monday, March 16, 2009

Foxit Reader & JBIG2

I made a post about Didier Stevens a while ago who found vulnerabilities in Adobe pdf. But not only Adobe made mistakes. In the SANS newsbite newsletter is an article that the popular alternative Foxit Reader has vulnerabilities in the JBig2. (JBig2 is an image compression standard.)

I am not a programmer but I know from the little programming experience at school I have that every code has bugs and the main goal of a programmer is to make things work. Therefore it is important that professional programmers get educated about common problems and mistakes. Once the code is written I think the code has to go through a peer revision system. I know there are things called deadlines but still QA of code is not something that can be skipped because the impact (Foxit has a user base of 50 million users) can be enormous.

Even if you are somebody that likes to write code on your own make sure you have a kind of
QA and practice secure programming.

Thursday, March 12, 2009

Nice website

Today I want to share http://www.ss64.com/nt/ with you. It is a simple website. You have a list of commands, next to it is written what it does and if you click on the command you get more details about the syntax.

Wednesday, March 11, 2009

Bastille

I was just configuring a box an used for the first time bastille linux (a project from Jay Beale) and I have to say it is a nice tool. It helps you configure a linux box in a safe and easy way. It is asks you a bunch of questions and explains you the impact of the choices.

Some people might think there box is 100% secure after running this but it isn't the case. You still have to do some additional steps (use hardening guides to help you) but is a nice and simple start :).

Keeping documentation

Yesterday I was talking with Christophe and he saw that I have a wiki on my system just to keep track of all the info I gather about almost any subject. For those interested it is a simple wampserver and a simple mediawiki. Wampserver has this cool feature that gives me the option to set the access and I restricted it to localhost.

Another tool I use was pointed out to me by the main programmer of phpcompta. He showed me that there were wikis that were file based and I personally use wiki on a stick to document my own systems at home. I keep track of what is installed, how I installed it, configuration, ect. Most people think this might be overhead but is a way for me to keep track of things because sometimes I have memory gets corrupted ;-)

Thursday, March 5, 2009

Didier Stevens did it again

Didier Stevens did it again :). He found some nice vulnerabilities related to pdf documents. To make things clear he created a nice video to demonstrate his findings.
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

L0phtcrack is back

Howdy,

Going through my RSS feeds I got some great news. L0phtcrack the world famous Windows password auditing tool will be back.

On l0phtcrack.com is an announcement that version 6 will be released on the Source conference in Boston.