Poll: Rate Your Computer Security Knowledge and Experience

Posted in Education and Training, Polls, Security by Dragan Pleskonjic @ Apr 1, 2008

I’ve added a new poll to this blog. Its aim is to see how the blog’s visitors are distributed according to their (your) own opinion of their knowledge and experience in the field of security. There is no guidance or explanation of the given choices: you set the measurement units yourself, and rate your own knowledge and experience against them.

The question is: “Rate your computer security knowledge and experience”, and the possible answers are:

  • None
  • Beginner
  • Moderate
  • Expert
  • Guru

Vote, and enjoy visiting often to see how others vote. The poll started today and is planned to stay open for 3 months, i.e. until the end of June 2008.

An earlier poll, “Hacking Motives”, expired last night (March 31, 2008). I am going to discuss its results in a future post on this blog.


“How Do I?” Videos for Security

Posted in Education and Training by Dragan Pleskonjic @ Mar 30, 2008

“How Do I?” Videos for Security - Here you’ll find Microsoft educational videos from the “How Do I” series that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more. New videos are added regularly, so check back often.

Last week’s featured videos are:

  • Get Started with Encryption
  • Export and Import Certificates

Previously featured videos from the “How Do I” series:

  1. Secure Data Using Symmetric Key Encryption
  2. Secure Data Using Asymmetric Key Encryption
  3. Secure Passwords Using Hashing Algorithms
  4. Improve Cryptographic Security by Storing Keys in Containers
  5. Add Hashing to Existing Application
  6. Perform Imperative Security Checks
  7. Create a Windows Principal for Role Based Security
  8. Create a Generic Principal for Role Based Security
  9. Add Security to Applications Built with Visual Basic.NET and Visual C
  10. Create a Secure Custom Membership Provider
  11. Improve Data Security by Encrypting and Decrypting XML Data Using Asymmetric Keys
  12. Improve Data Security by Encrypting and Decrypting XML Data Using Symmetric Keys
  13. Attach Client Credentials to a Web Service Call For Security
  14. Integrate SqlMembership Provider into My Existing Database
  15. Set up SqlMembership Providers
  16. Add Security to Applications by Digitally Signing XAML Documents
  17. Digitally Sign Documents with the Signature of a Single Party
  18. Add Security to Visual Basic and C Applications with Digital Signatures
  19. Add Security to .Net Applications with the ProtectedData Class
  20. Add Security to Visual C++ Applications
  21. Prevent a SQL Injection Attack Over a PHP/MySQL/Linux Platform
  22. Use Managed Cards in Windows CardSpace to Increase the Security of My Web Site
  23. Prevent a SQL Injection Security Flaw in an ASP.NET Application
  24. Prevent a Cross Site Request Forgery Security Flaw in an ASP.NET Application
  25. Encrypt My Web.Config File
  26. Use Discretionary Access Control Lists in Windows

You’ll need to install Microsoft Silverlight for a better Web experience.


Theory and Practice of Cryptography Video

Posted in Cryptography, Education and Training by Dragan Pleskonjic @ Dec 20, 2007

If you are interested in cryptography, there is a very good YouTube video: Theory and Practice of Cryptography. You’ll need one hour to watch it.

Topics include: Introduction to Modern Cryptography, Using Cryptography in Practice and at Google, Proofs of Security and Security Definitions, and A Special Topic in Cryptography.

This talk is one in a series hosted by Google University. The speaker is Steve Weis. He received his PhD from the Cryptography and Information Security group at MIT, where he was advised by Ron Rivest. He is a member of Google’s Applied Security (AppSec) team and is the technical lead for Google’s internal cryptographic library, KeyMaster.


Hacker Curriculum

Posted in Education and Training by Dragan Pleskonjic @ Oct 31, 2007

Source: ACM TechNews and IEEE Distributed Systems Online.


The hacker community has devised effective methods for the analysis, reverse engineering, testing, and modification of software and hardware, and it behooves leaders in industry and academia to understand this culture and be cognizant of its values, unique strengths, and weaknesses, writes Dartmouth College’s Sergey Bratus. He observes that many quirks of the hacker culture are rooted in frustration with certain industry and academic trends (pressure to follow standard solutions, a limited perspective of the API, a dearth of tools for studying the state of a system, etc.), which he believes contribute to the current abundance of software vulnerabilities. This in turn fuels the hacker culture’s impetus to fully comprehend underlying standards and systems, which largely formalize hackers’ learning and work ethic. Among the sources hackers tap to acquire skills are classic textbooks highly rated by fellow hackers, electronic magazines, online forums dedicated to specific technical areas, source code from released tools, talks and private communications at hacker conventions, and IRC communities. Hackers have a tendency to adopt a cross-layer approach that tracks data through multiple tiers of interfaces, in accordance with three guiding principles. Bratus lists these principles as inspecting the system state or network on all levels down to the bit level; injecting arbitrary data into the system or network; and identifying and second-guessing deployment peculiarities. The author concludes that in many respects, hacker culture “produces impressive results that enrich other computing cultures, and its influence and exchange of ideas with these other cultures are growing. So, understanding the hacker learning experience and approaches is becoming more important day by day.”

The full article is here.


Should We Teach Students How To Write Viruses?

Posted in Education and Training, Malicious Software by Dragan Pleskonjic @ Jun 12, 2007

Over two years ago, George Ledin wrote an essay in Communications of the ACM, where he advocated teaching worms and viruses to computer science majors. He stated in that essay:

Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.

This spring semester, George Ledin Jr. taught the course at Sonoma State University. He created a class that taught students how to design and execute malicious programs that can take over a computer, steal information, or cause the computer to erase vital information and need a complete overhaul. Ledin believes that teaching students how to write computer viruses will give them a better understanding of how malicious programs are made and the knowledge needed to create better defenses. The controversial class, which SSU officials call the first of its kind in the nation, has drawn heavy criticism from members of the computing community. Three security software development companies sent SSU hostile letters, according to Ledin, and have pledged not to hire SSU graduates. That threat did not stop 15 students from signing up for the course. To prevent any malware created during the course from endangering any computers on the Internet, all work was done in an isolated lab disconnected from the network. Ledin acknowledged that there is a danger that some student might maliciously release a virus, but, as with other academic fields that deal with dangerous and controversial material, teachers must rely on the students’ ethics. To help reinforce those ethics, SSU assistant professor of philosophy John Sullins was added to the course as a second instructor and continuously reminded students of the potential consequences. Ledin developed the idea for this class after writing an editorial for an ACM publication emphasizing the need for better education on malware. Ledin said that despite the criticism he plans to teach the course again. “There is a perception that this is a taboo topic and shouldn’t be taught,” Ledin said. “But if we are going to develop better security, we need to know how these programs work.”

It got a lot of press coverage. Here are some articles:

Bruce Schneier commented on this:

No one wrote a virus for a class project. No new malware got into the wild. No new breed of supervillain graduated.

Teaching this stuff is just plain smart.

One of the comments on this course was:

I believe that anyone who criticizes Ledin should meditate on whether the action of forbidding virus lessons could lead to a more secure computer world. This story reminds me of something that I experienced in my childhood. I was a teenager, and I was supposed to have a lecture on human reproduction, but a group of parents came to my school to complain about the subject, and the school representatives decided to eliminate the subject from the program. That was a similar situation: did those parents educate their children with strong morals? Would the companies who disagree with the classes hire students with stronger ethics and morals because they couldn’t learn how to program a virus at the university? Do they know there are a lot of documents on how to do that? Are they trying to cover the sky with their hands?
Besides, the advantage of learning something with the guidance of someone with expertise is of great value. Should the academic members have the knowledge? Yes, they should!

So, should we teach students how to write viruses?

This will probably cause many discussions in the future. But I think it will end up with the recommendation that we should teach students about viruses and worms, but also give them good advice and ethical guidance related to this area, as medical doctors get on human viruses.


Forthcoming Article at ComSIS Journal: Book Preview

Posted in Books, Magazines and Journals, Education and Training, Review, Security by Dragan Pleskonjic @ May 17, 2007

Book preview of our book “Security of Computer Systems and Networks” is scheduled to appear at ComSIS Journal Volume 4, Number 1, June 2007 (here).


CrypTool

Posted in Education and Training by Dragan Pleskonjic @ Nov 18, 2006

CrypTool is a demonstration and reference program for cryptography by Bernhard Esslinger. It is a freeware program that enables the user to apply and analyze cryptographic mechanisms. It has the typical look-and-feel of a modern Windows application. CrypTool implements almost all state-of-the-art crypto functions and allows you to learn about, and use, cryptography within the same environment.

The methods available include both classic methods and modern cryptosystems:

  • classic methods: e.g. the Caesar cipher and the double-column transposition (permutation) encryption algorithm.
  • modern methods: e.g. the RSA and AES algorithms, hybrid encryption and algorithms based on elliptic curves.

The source code of CrypTool is distributed under the terms of the GPL (GNU General Public License).

I can recommend this tool for education and training of novices, but also for those who are already familiar with cryptography.

Visit the CrypTool web site here.
