Posts Tagged ‘infosec’

Physical data smuggling

April 23, 2010

So with all the talk of US border services forcing people to log into their laptops and provide access to email, files on the system, the contents of their iPod and so on, I can’t help but think about physical data smuggling. This of course ignores the fact that competent bad guys will just bring a nice clean laptop/etc. with them and then download their data once they’re in the country, but I digress.

Let’s say you have a couple hundred gigabytes of data; not something I’d want to download over a hotel connection. So how do you smuggle that much data into a country that may force you to log into your laptop, or even confiscate it? Please note that this may not be “illegal” or even “naughty” data; if someone is transporting health care data, for example, they will probably be legally required to protect it and not give access to it.

Micro SD cards seem to be the obvious answer. Small enough to fit in a hollow coin, or to swallow, or to insert into... well, you get the idea. I’m just wondering how long until someone posts an X-ray online of a courier filled with condoms stuffed with Micro SD cards. Oh, and 2 terabyte Micro SD cards should be available in 5 years or less.

Spotting counterfeit money

April 22, 2010

It’s about time, but Canada will be moving to plastic/polymer-based bills instead of paper/linen-based bills in 2011 or so. Back in 2004 counterfeit bills peaked (see “The prevalence of counterfeiting in Canada and its impact on direct victims and society”), and prior to that the majority of it was $50 and $100 bills being counterfeited by one guy (Wesley Weber), who managed to put enough fake $100 bills into circulation that even now in 2010 most retailers won’t accept $100 bills.

Probably the easiest way to defeat counterfeiters is the move to plastic/polymer notes. This is a combination of the ease of checking the bills (the feel/etc. will be entirely different from current notes; even in a dark nightclub a waitress should be able to tell the difference) and the difficulty of getting the stock and printing on it (at least for now...). I remember one local store that had a counterfeit $40 pinned to the wall; it was literally 20 lb copier paper printed on an ink jet and looked more like Monopoly money than real currency (the reds were saturated and blobby).

But in the meantime we’ll have to stick to the old fashioned methods of checking currency (security strip embedded in the paper, micro print, reflective metal patch, etc.). For more information on the Canadian security features see the Bank of Canada page and for American money check out newmoney.gov (way higher production values!).

One thing you will note is a common and consistent set of features used to prevent counterfeiting of banknotes:

  • embedded metal strip in the printing stock with the value of the bill printed on the strip (prevents people from running these off on a copier or bleaching a $20 bill and reprinting it as a $100 bill)
  • metal reflective patches that refract light differently depending on the angle you view them at (like a soap bubble)
  • micro print, and lots of it (in the background, in the numbers, on the faces, etc.)
  • raised ink (and embedded braille dots for the blind)
  • watermarks (printing embedded in the paper as opposed to on the paper)
  • UV fluorescence under black light
  • iodine pens; since bills are mostly linen and not paper, iodine doesn’t mark the bill significantly

Hopefully this will inspire and encourage web browsers and other software makers to come up with a common set of features to help users identify the legitimacy of online web sites (my next post).

Verisign certificate authority finally fixes (part of the) domain verification problem

April 20, 2010

So a few months ago I decided to see how easy it was to buy an SSL certificate for a domain I didn’t own. It turns out that it was very easy, because at least one large certificate authority (CA), RapidSSL (owned by Verisign), allowed a large number of email addresses to be used for verification (such as [email protected], [email protected], etc.).

The original article is available here: http://www.linux-magazine.com/w3/issue/114/054-055_kurt.pdf. I also contacted the Mozilla/Firefox people through the mozilla.dev.security.policy mailing list to let them know about it and to show the proof (the emails from RapidSSL to me). Betanews ran a nice article (http://www.betanews.com/article/Security-researcher-Trivially-easy-to-buy-SSL-certificate-for-domain-you-dont-own/1270072287), and not much else happened for a while.

Things finally got rolling when a Bugzilla report was filed (Bug 556468, which was basically a copy of an older bug, Bug 477783, concerning Equifax doing the same thing). A Verisign representative confirmed they had removed a bunch of the problematic email addresses they allowed, but [email protected] was still valid (this turned out to be a mistake, as you’ll soon see).

Fast forward about two weeks, and someone had copied my article, thrown in a few screenshots and submitted it to Slashdot (http://news.slashdot.org/story/10/04/18/1218212/Become-an-SSLAdmin-In-a-Few-Easy-Steps). Personally I don’t mind if people copy my work and build off of it, but when they portray it as their own original work with no credit or original source mentioned, that is a bit annoying.

Although annoying, it had the benefit of showing the world that the [email protected] email address (remember, the one Verisign didn’t remove) could still be used, which resulted in it being disabled rather quickly:

VeriSign will be removing the following generic approver email options for GeoTrust and RapidSSL as of tonight or tomorrow night:

– ssladmin, sysadmin, and info

So I guess in the end it worked; certificates are hopefully a little more secure now, but the sad thing is I spent several dozen hours basically holding vendors’ feet to the fire for something they should have been doing all along.

Oh, and there is no way to find out if a certificate authority has issued a certificate for your domain to someone else. Unlike DNS/etc., there is no way to query what certificates have been issued.
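The validation weakness in this post, as an added example that is neither the CA’s nor the author’s code: a Python policy check for email-based domain approval, with the broad local-part list described above (ssladmin, sysadmin, info) beside a constrained list limited to the local-parts later standardised by the CA/Browser Forum Baseline Requirements. The domain names and addresses used are constructed for illustration.

```python
"""Approver-address policy check for email-based domain validation.

Constructed example: models the weak rule described in the post (generic
mailboxes such as ssladmin@, sysadmin@ and info@ accepted as proof of
domain control) next to a constrained rule. On a shared mail provider,
any user may be able to register the generic mailboxes.
"""

# Local-parts only the domain's administrator can reasonably control
# (the set later fixed by the CA/Browser Forum Baseline Requirements).
CONSTRAINED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# The broader list the post describes RapidSSL/GeoTrust as having accepted.
WEAK_LOCAL_PARTS = CONSTRAINED_LOCAL_PARTS | {"ssladmin", "sysadmin", "info"}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, drop trailing dot, split labels."""
    return name.lower().rstrip(".").split(".")


def mailbox_domain_covers(mail_domain: str, cert_domain: str) -> bool:
    """True if mail_domain equals cert_domain or is a parent of it.

    A request for shop.example.com may be approved from example.com, but
    not from ample.com (substring trick) or example.com.evil.test (suffix
    trick). A bare TLD is rejected; a real implementation must consult the
    Public Suffix List rather than this two-label minimum (assumption).
    """
    m, c = _labels(mail_domain), _labels(cert_domain)
    if len(m) < 2 or len(m) > len(c):
        return False
    return c[len(c) - len(m):] == m


def approver_allowed(approver: str, cert_domain: str,
                     allowed_local_parts=CONSTRAINED_LOCAL_PARTS) -> bool:
    """Decide whether an approver address may authorise issuance."""
    if approver.count("@") != 1:
        return False
    local, _, mail_domain = approver.partition("@")
    # Exact match only: rejects sub-addressing such as admin+x@ as well as
    # anything outside the policy list.
    if local.lower() not in allowed_local_parts:
        return False
    return mailbox_domain_covers(mail_domain, cert_domain)
```

Passing `WEAK_LOCAL_PARTS` reproduces the pre-fix behaviour, where a mailbox like `ssladmin@` at the target domain was sufficient; the default policy rejects it.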

Mapping the Internet / scanning every web server

April 20, 2010

This is something I’ve always wanted to do; having a data set such as every ping-able IP, every server with port 80 exposed, lookups on every domain name or IP and so on is very useful. But the bandwidth and computation needed for this have often been out of reach. Now, with services such as EC2, it is within reach: figure 1k of data sent and received per IP, and a class A scan would only take 32 gigabytes in total. Figure 1 month of Small Linux instance machine time at Amazon and you’re looking at $63.60 (cheaper if you use a reserved instance or a spot instance!). So for a few thousand dollars you can now easily scan the entire Internet or create other similarly large data sets for a reasonable price.