The very four digits that Amazon considers unimportant...

"The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification..." Honan wrote.
Four digits, when combined with my home address and bank account number, were all it took for me to gain online access to a dormant checking account at my bank and enable fund transfers. If I were fond of the various auto-pay options, there would be a dozen or so companies that would have my checking account number, and pretty much anyone in the world can find out my home address (I own a house, so it's in various public records).

Segmenting one's online life into non-overlapping buckets seems like the best way to break the daisy chain that led to the hack and data loss. I've followed that principle. I try to maintain separate, non-overlapping e-mail addresses and passwords for any online account that either is connected to something that could cost me money if it were compromised, or is used for account verification for any of those accounts.

I have lots of e-mail accounts and addresses. It's a pain in the azz, and it's only a partial solution.

Read: ARS, Wired

More thoughts here.

In MumbleWare versions 8.2 and below, the SA password must be set to propq

An e-mail from a vendor, somewhat anonymized:
From: ****
Sent: Wednesday, April 11, 2012 08:22 AM
To: ****
Subject: MumbleWare Case 123456789

Hello ****,
Thank you for contacting MumbleWare Product Support. I am writing to you in reference to case number 123456789 regarding your request to change your SA password. In MumbleWare versions 8.2 and below, the SA password must be set to propq. If a different password is used, MumbleWare may not be able to communicate with the database and error messages will be generated. The attached KB article references the fact that the SA password must be set to propq in MumbleWare versions 8.2 and below. The second KB article lists the steps involved in moving from MumbleWare 8.2 to 8.3.

It's only been a decade since we first asked the obvious question "Can we change our SQL Server SA password without breaking your application?"

I guess we finally can.

A letter to our Apple Account Exec

A couple of days ago a colleague of mine and I ran into our Apple account exec. The conversation ended up in the security space, as is probably appropriate considering Apple's recent performance in that area. Our account exec quickly followed up with a request for our contact information (good), a press-release style announcement on how much more secure Safari 5.1.7 was going to be (interesting), and a month-old article on how to remove Flashback (amusing).

OT: A plan.

Aaron Smith posted this story about the kindness of an NYC cab driver. It's a good read, and it reminds me of something vaguely similar that happened to me a few decades ago.

I had just moved 400 miles from home to a small town in Minnesota near where my grandfather's sister had moved in the 1930s. He didn't get to see her very often, so when I moved near her farm he had an excuse to make the trip.

Apple joins the big leagues

I've been hearing 'OS X is secure' for a decade now. For a decade, I've been challenging that assertion.

The challenges to that assertion generally end up with a response of 'because it's Unix' or 'because it's not Microsoft'. I don't recall 'OS X is secure' assertions being backed up by detailed explanations of anything in the kernel, operating system, development tools or coding practices that assures a higher level of security than competing operating systems, and I don't hold that a Unix history automatically ensures a more secure platform. My first forensic examinations were Unix, not Windows, and I can easily assert that the reason that we have more compromised Windows servers and desktops is because we have more Windows servers and desktops.

Unfortunately the 'OS X is more secure' fantasy has left some (or many) with the impression that they don't need to practice safe computing on Macs. It is OK to run as admin. Anti-virus is not necessary. Drivebys are a Microsoft problem. In my opinion the smoke and mirrors surrounding 'OS X is secure' have also led to complacency on Apple's part. They are not as aggressive at implementing security related operating system improvements (such as ASLR) or routine security patches, nor have they implemented the really basic security controls that I implemented more than twenty years ago on our NetWare servers (remove the execute permission from directories that contain user data, remove the create/write permission from directories that contain executable code). With the latest attacks on OS X applications and with Apple's apparent inability to defend its operating system against drive-by vulnerabilities in third party software, the 'OS X is secure' attitude must change. A half million users can't be wrong, and those users will eventually move past their denial phase and expect Apple to step up to the plate.
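The two NetWare-era rules in the previous paragraph translate directly to a Unix file tree, and they are cheap to both enforce and audit. The script below is an added example, not the author's NetWare configuration: it assumes one directory tree holds user data and another holds executable code, builds a small constructed tree with one violation of each rule, hardens it, and counts what remains. GNU find is assumed for the `-perm /mode` syntax (BSD find spells it `-perm +mode`).

```shell
#!/bin/sh
# Added example, not the author's NetWare configuration: the same two rules
# applied to a Unix directory tree. Assumed layout: one tree holds user data,
# another holds executable code. GNU find is assumed for "-perm /mode".

# Build a constructed demo tree with one violation of each rule.
setup_demo() {
  umask 022
  root=$(mktemp -d)
  mkdir -p "$root/data/alice" "$root/app/bin"
  printf 'quarterly numbers\n' > "$root/data/alice/report.txt"
  printf '#!/bin/sh\necho dropped\n' > "$root/data/alice/dropper.sh"
  chmod 755 "$root/data/alice/dropper.sh"   # executable inside user data: rule 1 violation
  printf '#!/bin/sh\necho app\n' > "$root/app/bin/app.sh"
  chmod 777 "$root/app/bin/app.sh"          # world-writable program: rule 2 violation
  echo "$root"
}

# Rule 1: nothing under the user-data tree ($1) carries an execute bit.
# (On Unix the directory execute bit means "traverse", so the rule is applied
# to files; a noexec mount of the data tree is the stronger equivalent.)
# Rule 2: nothing under the code tree ($2) is writable by group or others.
harden() {
  find "$1" -type f -exec chmod a-x {} +
  find "$2" -exec chmod go-w {} +
}

# Count entries that break either rule; 0 means the trees are compliant.
count_violations() {
  n1=$(find "$1" -type f -perm /111 | wc -l)   # any execute bit set (GNU find)
  n2=$(find "$2" -perm /022 | wc -l)           # group- or other-writable
  echo $((n1 + n2))
}

# Stand-alone demonstration on the constructed tree.
root=$(setup_demo)
echo "before: $(count_violations "$root/data" "$root/app") violation(s)"
harden "$root/data" "$root/app"
echo "after:  $(count_violations "$root/data" "$root/app") violation(s)"
rm -rf "$root"
```

Running `count_violations` from cron against the real data and code trees turns the rule into a detection: any non-zero result means either a user managed to drop something executable where data lives, or a program directory has become writable by people who should only be able to run what is in it.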

Apple will have to up their game a bit on incident response, too. An urgent fix for a months-old vulnerability followed by a fast-tracked effort to provide a malware removal tool, resulting in three updates in ten days, doesn't leave me with the impression that they have a well-oiled response machine. Apple will feel the heat that has been directed at Microsoft the last decade (and Unix systems before that). Hopefully they will learn from their competitors and react to the new landscape better and faster than their peers did.

Apple can't blame Sun either. The vulnerability of Java is well known (as are the vulnerabilities of Flash, Reader, Safari, Firefox…). Apple also has had plenty of opportunity to learn from their own mistakes, having repeatedly offered multiple versions of vulnerable desktop software to their customers.

I figure that it'd be pretty boring surfing the web with a platform that isn't exposed to drivebys and remote root exploits so I never really embraced OS X as my preferred home desktop. Now that OS X is playing in the big leagues I figure that it is sufficiently challenging for me to use it as my preferred desktop, and I went out and bought an 11" Air for my home computer.

Update 2012-05-11: Apple accidentally logs passwords in clear text. In football (soccer) that would be an "own goal". A major league fail.

Twenty percent of all households have at least one bot-infected computer

...and 5% of all enterprise 'assets' are infected.

From Gunter Ollmann, VP of Research at Damballa in this post on CircleID:
"...on average, between 3-7% of assets within enterprise networks are identified as being infected..."
"Within the ISP/Telco world that have chosen to deploy the Damballa CSP product, between 18-22% of unique subscriber IP addresses are actively seeking to connect to known C&C servers."

Note that this is bot-net infections only, not the broader category of computers infected with malware in general.
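The ISP figure quoted above is a simple ratio: unique subscriber addresses seen trying to reach a known C&C address, divided by all unique subscriber addresses. The script below is an added example, not Damballa's or the author's code, that computes that ratio over a constructed connection log; the log format ("timestamp src dst dport"), the subscriber and destination addresses, and the C&C list are all constructed for the example, drawn from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not Damballa's or the author's code: share of unique source
# addresses that attempted a connection to a known C&C address, computed over
# a constructed connection log. Format, addresses and C&C list are constructed.

# Constructed C&C list, one address per line (documentation range 198.51.100.0/24).
write_cc_list() {
  printf '%s\n' 198.51.100.7 198.51.100.9 > "$1"
}

# Constructed log of outbound connections: "timestamp src dst dport".
# Ten unique subscriber addresses; 203.0.113.3 and 203.0.113.8 reach C&C hosts,
# and 203.0.113.3 beacons repeatedly and also talks to benign destinations.
write_flow_log() {
  cat > "$1" <<'EOF'
2012-04-11T08:00:01 203.0.113.1 192.0.2.10 443
2012-04-11T08:00:02 203.0.113.2 192.0.2.10 80
2012-04-11T08:00:03 203.0.113.3 198.51.100.7 8080
2012-04-11T08:00:04 203.0.113.3 198.51.100.7 8080
2012-04-11T08:00:05 203.0.113.3 192.0.2.11 443
2012-04-11T08:00:06 203.0.113.4 192.0.2.12 443
2012-04-11T08:00:07 203.0.113.5 192.0.2.10 443
2012-04-11T08:00:08 203.0.113.6 192.0.2.13 25
2012-04-11T08:00:09 203.0.113.7 192.0.2.10 80
2012-04-11T08:00:10 203.0.113.8 198.51.100.9 443
2012-04-11T08:00:11 203.0.113.9 192.0.2.14 443
2012-04-11T08:00:12 203.0.113.10 192.0.2.10 443
EOF
}

# Unique source addresses that contacted any C&C address ($1 = C&C list,
# $2 = log), one per line, sorted. Repeated beacons from one host count once,
# which is what "unique subscriber IP addresses" in the quote means.
infected_sources() {
  awk 'NR==FNR { cc[$1] = 1; next } ($3 in cc) { print $2 }' "$1" "$2" | sort -u
}

# Number of unique source addresses in the log ($1).
unique_sources() {
  awk '{ s[$2] = 1 } END { n = 0; for (k in s) n++; print n }' "$1"
}

# Infected share as a whole-number percentage ($1 = C&C list, $2 = log).
pct_infected() {
  hits=$(infected_sources "$1" "$2" | awk 'END { print NR }')
  total=$(unique_sources "$2")
  [ "$total" -gt 0 ] || { echo 0; return; }
  echo $((100 * hits / total))
}

# Stand-alone run on the constructed data.
cc=$(mktemp); log=$(mktemp)
write_cc_list "$cc"; write_flow_log "$log"
echo "infected sources: $(infected_sources "$cc" "$log" | tr '\n' ' ')"
echo "infected share: $(pct_infected "$cc" "$log")%"
rm -f "$cc" "$log"
```

The same awk join works unchanged on real NetFlow or firewall exports once the column positions are adjusted, and the dedup step matters: one noisy bot beaconing every minute would otherwise dominate a per-connection count and make the population look far sicker than it is.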

When I first started securing systems a couple decades ago there were no external threats. We had NetWare, IPX and ARCnet. The only path to a compromise of confidentiality or integrity originated on a keyboard within the campus. There were no external threats. The threat to our systems was from the inside, and the risk from insiders was mitigated by the assumption that we'd be able to pin the actions initiated at a keyboard inside our buildings to an individual and that the individual would know that the actions would be traceable. It wasn't foolproof - you routinely read about employees misappropriating employers' funds - but as far as I know, it was a manageable problem.

Then we connected our wonderful safe little island to the Internet. It didn't take long to figure out that an action by an outsider, external to our island, was a threat to our systems. The solution? Firewalls, of course. If the outsider can't get in, we can focus on the threat from the inside where we know who is at the keyboard, where they know that we know, and where they know that detection and prosecution is a likely outcome.

Today? Unlike years ago, we cannot associate the actions of a keyboard with the individual sitting at the keyboard. This effectively means that what used to be external is now internal, and what has always been internal is now external. What used to be a fairly clear delineation between something that happened from the outside and something that happened internally is gone. We no longer can assert that we know who is at any particular keyboard, and tracing an event back to an internal keyboard doesn't permit us to presume that the action was initiated by a person internal to the organization.

The external threat is inside your enterprise.

Microsoft and its partners seize servers...

Microsoft press release on their Zeus botnet server seizure:

"This disruption was made possible through a successful pleading before the U.S. District Court for the Eastern District of New York, which allowed Microsoft and its partners to conduct a coordinated seizure of command-and-control servers running some of the worst known Zeus botnets."

I thought I had this privacy thing figured out, but…

…maybe not.

I’m trying out the Collusion plugin for Firefox and the results are interesting. After a couple evenings of my normal surfing routine, the plugin looks like:

Oracle Support portal: HTML 5 replaces Flash

Oracle Support is upgrading their web interface from Flash to HTML5. I’m happy. I no longer have to twiddle my thumbs waiting for Flash to load:

Secret question fail

My credit union switched to a new service provider for online banking and bill paying. The good news is that they've chosen a service provider that has a fairly modern looking interface, unlike the 1990s interface of their old provider. Among other things, they no longer use a captcha as a security factor and they now require "the latest versions of Internet Explorer and Firefox [...] SSL compliant with 128 bit encryption" instead of IE5 and Netscape 6.2. I keep thinking that old interface was screen scraping a TN3270 session in the background. The new interface at least gives the appearance of having been written this century.

“We keep logs as far back, as long as we have had software to keep logs.”

If I’m reading this right, Symantec had a breech in 2006 but didn’t think that the breech was significant. After learning that older versions or their source code was stolen, they re-analyzed the 2006 event from 6 year old logs (!) and determined that the source was stolen during that incident.