Digital Rights Management, Spyware and Security

June 14th, 2006 by arenaldy

E.W. Felten & J.A. Halderman
IEEE Security & Privacy, Vol 4 No 1, January/February 2006, pp 18-23

Sysinternals’ Mark Russinovich discovered a rootkit included in a number of Sony BMG music CDs. The rootkit, part of First4Internet’s XCP copy protection technology, modifies the Windows kernel to hide files whose names start with $sys$, limits the number of times music files from a Sony CD can be copied, and reports back to Sony every time an XCP-protected CD is played. Attempts to remove XCP could crash a computer and render it unusable without a complete hard drive reformat. Hackers have begun using the $sys$ prefix to hide their own malicious files, antivirus companies are issuing workarounds and signatures for XCP, and Sony faces several civil suits as a result. The XCP controversy has even affected the open source community, since some of the code might have been lifted from open-source software in violation of the GNU General Public License.
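The cloaking the summary describes (a kernel hook that filters every name beginning with $sys$ out of directory listings) also suggests a cheap check: create a file with that prefix and see whether the listing still shows it. The script below is an added example, not code from the paper or from Sysinternals; the file names it creates are constructed, and on a clean machine it reports no cloaking.

```python
import os
import tempfile

# File-name prefix the post says the XCP rootkit hides from directory listings.
CLOAK_PREFIX = "$sys$"


def find_cloaked(present, listed):
    """Names known to exist on disk but missing from a directory listing.

    Pure helper so the logic can be checked on constructed data: `present` is
    the set of names we know are there (e.g. we just created them), `listed`
    is what the directory enumeration API returned.
    """
    return set(present) - set(listed)


def hidden_files(directory, names):
    """Return the subset of `names` that os.path.exists() confirms in
    `directory` but that os.listdir() does not report. Empty on a clean system."""
    present = {n for n in names if os.path.exists(os.path.join(directory, n))}
    return find_cloaked(present, os.listdir(directory))


def cloaking_detected(directory=None, prefix=CLOAK_PREFIX):
    """Plant a marker file whose name starts with `prefix`, plus a control file
    without it, and report whether the listing hides the marker.

    A filter that drops every name beginning with the prefix, as the post
    describes, hides the marker but not the control. Returns True only when
    the marker is hidden; the control file guards against a broken listing.
    """
    directory = directory or tempfile.gettempdir()
    fd, marker = tempfile.mkstemp(prefix=prefix, suffix=".txt", dir=directory)
    os.close(fd)
    fd, control = tempfile.mkstemp(prefix="control-", suffix=".txt", dir=directory)
    os.close(fd)
    try:
        names = [os.path.basename(marker), os.path.basename(control)]
        hidden = hidden_files(directory, names)
        if os.path.basename(control) in hidden:
            raise RuntimeError("control file missing from listing; enumeration is unreliable")
        return os.path.basename(marker) in hidden
    finally:
        os.remove(marker)
        os.remove(control)


if __name__ == "__main__":
    print("cloaking detected:", cloaking_detected())
```

The check only catches name-prefix cloaking of the kind described above; a rootkit that hides by other criteria needs a comparison of the API view against the raw on-disk structures, which is what dedicated rootkit scanners do.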

Social Engineering, the USB Way

June 13th, 2006 by arenaldy

JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they’d had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer’s network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans’ innate curiosity. E-mail virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist’s candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

Taken from: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

The curse of the secret question

June 13th, 2006 by arenaldy

By Bruce Schneier
Computerworld
February 9, 2005

It’s happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a "secret question" to answer. Twenty years ago, there was just one secret question: "What’s your mother’s maiden name?" Today, there are more: "What street did you grow up on?" "What’s the name of your first pet?" "What’s your favorite color?" And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It’s a great idea from a customer service perspective — a user is less likely to forget his first pet’s name than some random password — but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I’ll bet the name of my family’s first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is that the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer — I madly slap at my keyboard for a few seconds — and then forget about it. This ensures that some attacker can’t bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don’t remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it. I know this is a customer service issue, but it’s a security issue too. And if the password is controlling access to something important — like my bank account — then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

Taken from: http://www.schneier.com/essay-081.html

IPv6 6Bone Phase Out

June 13th, 2006 by arenaldy

In March 2003, the IETF decided that it was the right time to start the phase-out of the IPv6 experimental network (6Bone), which had started in 1996. This included a phase-out plan specifying that, as of 6 June 2006, no 6Bone prefixes would be used on the Internet in any form.

Moreover, the IETF IPv6 working group has started the process of advancing the core IPv6 specifications to the last step in the IETF standardisation process (Internet Standard). IETF protocols are elevated to Internet Standard level once significant implementation and successful operational experience have been obtained. Vendors with IPv6 products are encouraged to participate in this process by identifying their IPv6-enabled products at the IPv6-to-Standard site.

This event is intended to acknowledge the efforts of all the 6Bone participants, the IETF community which developed IPv6, other organizations engaged in IPv6 promotion, and the operators and end-users who have been early adopters. All of them have been key contributors to the success of IPv6. Service providers and other organisations that provide on-line IPv6 services are encouraged to register those services on the IPv6 Day website.

On June 6, 2006, end-users will be able to connect to the above website to learn about issues such as how to turn on IPv6 in their operating systems, how to obtain IPv6 connectivity and how to try some of the available services.

On the occasion of this virtual celebration, we have a couple of quotes from two key people on this subject:

Bob Fink (6Bone Project): “After more than ten years of planning, development and experience with IPv6, with efforts from all around the world, it is gratifying for me to see the 6Bone phase-out on the 6th of June 2006, having served its purpose to stimulate IPv6 deployment and experience, leaving IPv6 a healthy ongoing component of the future of the Internet!”

Brian Carpenter (IBM, co-author of multiple IPv6 RFCs and IETF chair): “It’s very encouraging to see IPv6 moving forward both technically and commercially, with its address assignments now routinely managed by the same registries that look after the rapidly diminishing IPv4 address pool. I look forward to the day the Internet reaches ten billion active nodes with public addresses, which will only be possible with IPv6.”
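The operational consequence of the phase-out is that any 6Bone prefix still appearing in a routing table, a firewall rule or a DNS record after 6 June 2006 is a leftover to remove. The announcement above does not name the prefix; the script below assumes 3FFE::/16, the 6Bone testing allocation that RFC 3701 schedules for return to IANA on that date. It is an added example, not part of the announcement, and the route lines it scans are constructed.

```python
import ipaddress

# The post does not name the prefix; 3FFE::/16 is the 6Bone testing allocation
# that RFC 3701 schedules for return to IANA on 6 June 2006 (assumption stated
# in the lead-in, not taken from the post).
SIXBONE = ipaddress.IPv6Network("3ffe::/16")


def is_6bone(text):
    """True if `text` is an IPv6 address or prefix inside 3FFE::/16.

    Anything that is not a valid address or network (or is IPv4) is False.
    """
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return net.version == 6 and net.subnet_of(SIXBONE)


def audit_routes(lines):
    """Scan constructed 'prefix via next-hop' route lines and return the
    prefixes or next-hops still inside 6Bone space, in input order.
    Lines that do not match the three-token shape are skipped."""
    offenders = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "via":
            continue
        prefix, nexthop = parts[0], parts[2]
        if is_6bone(prefix):
            offenders.append(("prefix", prefix))
        if is_6bone(nexthop):
            offenders.append(("next-hop", nexthop))
    return offenders


# Constructed sample routing table, not data from the post or from a real router.
SAMPLE_ROUTES = [
    "2001:db8:1::/48 via 2001:db8::1",
    "3ffe:831f::/32 via 2001:db8::1",
    "2001:db8:2::/48 via 3ffe:c00::1",
    "garbage line",
]

if __name__ == "__main__":
    for kind, value in audit_routes(SAMPLE_ROUTES):
        print(f"6Bone {kind} still in use: {value}")
```

The same `is_6bone` test can be applied to AAAA records, tunnel endpoints or ACL entries; the route-table parser is just the most common place a stale 6Bone prefix survives.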

The Wireless Snare

June 13th, 2006 by arenaldy


Right now your laptop could be wirelessly connecting to any available network. That’s unsafe.

The situation’s all too common: You’re at the airport and your flight is delayed, so you open your laptop and start working. Unbeknownst to you, your laptop’s wireless could be putting your computer in danger.

Recent real-world experiments suggest that the default wireless settings on many laptops could leave them vulnerable. During recent travel, researcher Mark Loveless started poking into the reasons why a large number of laptops at any given airport were broadcasting common network names, or service set identifiers (SSIDs), such as "linksys" or "dlink." He gathered similar data on four flights. He found a significant portion of laptops are configured by default to seek out and connect to common SSIDs. If no such network is around, many computers create their own wireless network using one of those names. Without any sort of malicious intent, wireless laptops were connecting to each other, he found.

The issue isn’t a vulnerability per se; it’s a cascade failure of a set of default configurations that Microsoft has set to make creating wireless networks easier.

Many laptops are configured to attempt to connect to both infrastructure networks and what are called ad hoc networks. In an infrastructure network, the laptop is a client that connects to a base station, similar to the client-server network design. In ad hoc networks, many individual laptops form a peer-to-peer network sharing connectivity. This ad hoc networking is done in the background on Microsoft Windows 2000 and Windows XP (up to Service Pack 1). Windows XP Service Pack 2 notifies the user that it’s connecting to an ad hoc network.

Other factors come into play as well. Many people’s home networks connect through a base station identified by the default name, such as "linksys." Moreover, a laptop that connects to an ad hoc network of a different name adds that name to its list of possible networks, possibly advertising that network name to other computers in the future. Furthermore, Microsoft has a default addressing scheme that results in each computer getting a valid address, even without a central computer to assign network addresses to each member of the network.

This all makes it possible for attackers to join and control ad hoc networks. Because a laptop believes it’s part of a network, it might check for e-mail, letting the attacker get the owner’s username and password. The attacking computer can also advertise its connection as an Internet gateway and scan traffic sent by other laptops for useful information, such as passwords to automated accounts.

More aggressive attackers could use the network to try attacks on specific vulnerabilities in a potential victim’s laptop. In many cases, the laptop will connect to the wireless network, believing that it is the user’s home network. Thus, the configuration may allow file sharing and printer sharing.

How can you protect yourself? First, turn off your laptop’s wireless when not attempting to connect to a known network. Also, make sure your laptop doesn’t turn on its wireless when it can’t find an Ethernet connection. Most important, disable ad hoc networking, by clicking the Advanced button of the Wireless Network Connection Settings control panel to change it from Any available network (access point preferred) to Access point (infrastructure) networks only.

As with children, the best advice for laptops is to not talk to strangers.

-Robert Lemos, PC Magazine-

Taken from: http://www.pcmag.com/article2/0,1759,1937025,00.asp
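The article distinguishes infrastructure networks (a client talking to a base station) from ad hoc networks (laptops peering with each other) and notes that the laptops Loveless saw were advertising default names such as "linksys" or "dlink". In 802.11 management frames that distinction is visible on the air: the capability field of a beacon or probe response has the ESS bit set for an access point and the IBSS bit set for an ad hoc network. The parser below is an added example, not code from the article; it builds constructed beacon frames rather than reading a capture, and the default-SSID list contains only the two names the article mentions.

```python
import struct

# Vendor default network names mentioned in the article.
DEFAULT_SSIDS = {"linksys", "dlink"}

# 802.11 capability information bits (fixed field of beacons / probe responses).
CAP_ESS = 0x0001   # bit 0: infrastructure network, i.e. an access point
CAP_IBSS = 0x0002  # bit 1: independent BSS, i.e. an ad hoc network


def build_beacon(ssid, adhoc, bssid=b"\x02\x11\x22\x33\x44\x55"):
    """Construct a minimal 802.11 beacon frame. This is constructed test data,
    not a real capture; the BSSID default is a locally administered MAC."""
    fc = b"\x80\x00"                                  # type=management, subtype=beacon
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"  # 24-byte MAC header
    cap = CAP_IBSS if adhoc else CAP_ESS
    fixed = struct.pack("<QHH", 0, 100, cap)          # timestamp, beacon interval, capability
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()   # element ID 0 = SSID
    return header + fixed + ssid_ie


def parse_beacon(frame):
    """Return {'bssid', 'ssid', 'adhoc'} for a beacon or probe response,
    or None for any other frame or one too short to carry the fixed fields."""
    if len(frame) < 36:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):          # 5 = probe response, 8 = beacon
        return None
    bssid = frame[16:22]                             # address 3 of a beacon is the BSSID
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid = None
    off = 36
    while off + 2 <= len(frame):                     # walk the tagged parameters
        eid, elen = frame[off], frame[off + 1]
        off += 2
        if off + elen > len(frame):
            break                                    # truncated element: stop parsing
        if eid == 0:
            ssid = frame[off:off + elen].decode("utf-8", "replace")
            break
        off += elen
    return {"bssid": bssid.hex(":"), "ssid": ssid, "adhoc": bool(cap & CAP_IBSS)}


def audit_frames(frames):
    """Return (ssid, reason) pairs for networks a traveller should not join:
    ad hoc networks (another laptop, not an access point) and vendor default
    names, which the article shows laptops will connect to automatically."""
    findings = []
    for frame in frames:
        info = parse_beacon(frame)
        if info is None:
            continue
        if info["adhoc"]:
            findings.append((info["ssid"], "ad hoc (IBSS) network"))
        elif info["ssid"] and info["ssid"].lower() in DEFAULT_SSIDS:
            findings.append((info["ssid"], "vendor default SSID"))
    return findings


if __name__ == "__main__":
    airport = [build_beacon("linksys", adhoc=True), build_beacon("CorpWiFi", adhoc=False)]
    for ssid, reason in audit_frames(airport):
        print(f"{ssid!r}: {reason}")
```

Fed real frames from a monitor-mode capture, the same classifier shows what the article describes: an airport full of "linksys" and "dlink" beacons with the IBSS bit set, each one a laptop rather than an access point. The defensive setting the article recommends (infrastructure networks only) is exactly a refusal to associate with frames where that bit is set.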