Poll: Have You Used Penetration Testing Services?

Posted in Penetration Testing, Polls, Security by Dragan Pleskonjic @ Dec 14, 2009

I invite you to answer the poll question “Have you used penetration testing services?” (in the column on the right of this blog). The possible answers are:

  1. Yes
  2. No
  3. Have I used… what?
  4. I provide those services

Thank you for voting.

The Wikipedia article defines a penetration test in this way:

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.

See more here.

Poll: Should We Teach Students How To Write Viruses?

Posted in Malicious Software, Polls by Dragan Pleskonjic @ Jul 18, 2009

More than two years ago I wrote a post on this blog with the question in its title: “Should We Teach Students How to Write Viruses?” That post outlines some reasons pro and contra and links to various Internet resources regarding this question.

Today I’ve added a new poll to this blog with this question. The goal of this poll is to see the opinion of visitors to this blog on this very controversial issue. Before voting, I recommend reading the previous post on this blog and visiting the links mentioned in that post. I also recommend that you visit:

Your opinions are welcome. Thank you for voting.

Virtual Steganographic Laboratory

Posted in Education and Training, Privacy, Security, Tools and Utilities by Dragan Pleskonjic @ Jul 3, 2009

Michal Wegrzyn informed me about a new and interesting project at http://vsl.sourceforge.net/. It is a new steganographic tool named Virtual Steganographic Laboratory (VSL). It is a graphical block diagramming tool that allows complex use, testing and adjustment of methods for both image steganography and steganalysis. VSL provides a friendly GUI along with a modular, plug-in architecture. The tool is very similar to CrypTool, which has been described on this blog here.

VSL screenshot

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. It is a form of “security through obscurity”. The word steganography is of Greek origin and means “concealed writing”. Generally, messages will appear to be something else: images, articles, or some other covertext. It may be considered a kind of invisible ink between the visible lines of a private letter.

The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.

Virtual Steganographic Laboratory (VSL) is simple, easy to use software for steganography, steganalysis and watermarking. It gives scientists and students a powerful tool for conducting a wide range of experiments involving different types of message embedding, diverse attacks (employing image processing algorithms) and steganalysis using popular methods. Due to its use of generics (and a few other features) it requires at least Java 1.5 (5.0).

The primary interface of VSL is a graphical block diagramming tool with a customizable set of block modules. VSL uses dynamic invocation, so any new module can be created, added and used without recompiling the application. Many steganographic applications are command-line tools or very simple GUIs built around one chosen method. VSL provides a framework for experiments and method testing that are complex yet simple to arrange. It can use many methods simultaneously and anyone can add a new one.
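As an added illustration of the kind of experiment such a tool is for (this is not code from VSL or from this post), here is LSB image steganography in Python next to a crude pairs-of-values steganalysis score. The greyscale "image" is a constructed byte array, not a real picture, and its bias towards even pixel values is an assumption chosen so the effect of embedding is visible.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of successive cover bytes (pixels) with message bits,
    preceded by a 4-byte length header so extract_lsb knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: {len(bits)} bits for {len(cover)} pixels")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length header, then that many bytes."""
    def read(offset: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + n * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header inconsistent with image size")
    return read(32, length)

def pair_bias(pixels: bytes) -> float:
    """Crude steganalysis score (the idea behind the chi-square / pairs-of-values
    attack): LSB replacement only moves a pixel between 2k and 2k+1, so it pushes
    the counts of each such pair towards equality. Returns the mean of
    |n(2k)-n(2k+1)|/(n(2k)+n(2k+1)); near 0 means the LSB plane looks random."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    scores = [abs(counts[k] - counts[k + 1]) / (counts[k] + counts[k + 1])
              for k in range(0, 256, 2) if counts[k] + counts[k + 1]]
    return sum(scores) / len(scores)

def make_cover(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for a greyscale image (assumption, not a real photo):
    90% of pixel values are forced even, so the pair counts are visibly skewed."""
    rng = random.Random(seed)
    return bytes((rng.randrange(256) & 0xFE) if rng.random() < 0.9 else rng.randrange(256)
                 for _ in range(n))

SECRET = b"meet at the usual place, bring the VSL notes. " * 9  # constructed, 414 bytes
```

Embedding `SECRET` into `make_cover()` leaves the image the same size and changes at most one bit per pixel, yet `pair_bias` drops from roughly 0.9 to roughly 0.3, which is what a steganalysis module keys on.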

I see this as a very promising project and will continue to watch its progress.

Intesa Bank POS Terminals Insecure

Posted in Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jun 13, 2009

Payment with credit or debit cards, at least in Serbia, at some Intesa bank owned POS terminals is NOT secure. They print the full card number on the paper slip.

I recognized this issue many months ago after a purchase in one shop. By chance, I looked carefully at the slip issued after the purchase and found that the full card number was clearly printed on it. No stars (*) or other wildcards in place of the eight card number digits in the middle of the number, as is usual. This makes misuse possible and is not in compliance with the standards which credit card companies require of banks and processors. If you are using your credit cards in these shops you may be at serious risk!
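As an added example (not the bank's, the terminal vendor's or this post's code), here is how a slip should mask a card number in Python, alongside a check that a receipt archive or terminal log could run to find numbers printed in full. The sample slip is constructed and uses the public Visa test number 4111 1111 1111 1111; the first-four/last-four masking follows the post's description of eight starred middle digits.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# anchored so that part of a longer number is never matched on its own.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card schemes; weeds out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN the way the post says a slip should show it: the eight middle
    digits replaced by '*', leaving the first four and last four (well inside
    the PCI DSS limit of showing at most the first six and last four)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]

def find_unmasked_pans(text: str) -> list:
    """Scan receipt or log text for Luhn-valid 13-19 digit runs, i.e. PANs that
    were printed in full. Masked PANs such as '4111********1111' never match."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample slip: one PAN printed in full, one order reference that
# fails Luhn, and one correctly masked PAN.
RECEIPT = """\
SHOP XYZ           2009-06-13
CARD  4111 1111 1111 1111
REF   1234567890123456
CARD  4111********1111
TOTAL 1,250.00 RSD
"""
```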

After a complaint to my bank (which is not Intesa), it was passed to Visa and their official called me on the phone. He explained that this issue had been noticed earlier by their review and that the bank had been asked to sort it out in the short term.

Unfortunately, months after this complaint and the promise that things would be sorted out shortly, I had the same case today. One of the shops in Serbia which uses an Intesa POS terminal issued a slip with my full card number.

Now I feel free to report this publicly, as I hope it will help banks, credit card companies and shops to sort out this problem and mitigate the risk to which we as customers are exposed.

My recommendation to all credit card owners is to look carefully, ask the shop staff and avoid paying by card in shops which use this type of POS terminal. If you have already done so, report the issue to your bank, your credit card issuer or Intesa officials.

Nokia 1100 Used in Online Banking Hack

Posted in Security by Dragan Pleskonjic @ May 23, 2009

Interesting article: Investigators replicate Nokia 1100 online banking hack – Network World. It says:

Versions of the 1100 have firmware that can be modified in order to intercept SMSes, including one-time banking passwords.

and

An Ultrascan informant sold one of the devices recently in Tangiers, Morocco, for €5,500 (US$7,567), Engelsman said. Ultrascan previously confirmed data earlier this year that one Nokia 1100 sold for €25,000.

If you can’t remember what the Nokia 1100 looks like, see the article on Wikipedia. You can also see details about this model on the Nokia web site.

Is it just the Nokia 1100, or is it possible with some other models too?

Which Antivirus Software Do You Use?

Posted in Malicious Software, Polls, Security, Tools and Utilities by Dragan Pleskonjic @ Apr 21, 2009

There is a new poll on this blog. The question is “Which antivirus software do you use?” and the possible answers are:

  • Symantec
  • McAfee
  • Kaspersky
  • F-Secure
  • AVG
  • Avast
  • Trend Micro
  • NOD32
  • Other
  • None

Thank you for voting.

Bruce Schneier in Reason Magazine

Posted in General, Security by Dragan Pleskonjic @ Jan 25, 2009

Interesting interview: Safe, But Also Sorry: Security expert Bruce Schneier talks about privacy and property in the information state – Reason Magazine.

Citation:

Reason: In Schneier on Security, you emphasize that technology isn’t the only (or even the most important part) of a security solution. Why do people tend to systematically discount cultural and economic factors in considering questions of security?

Schneier: We live in a technological world, and it’s common for us to believe that technology can solve our security problems. It solves so many of our other problems, so it’s a plausible belief. It’s also easier to believe that a shiny new piece of technology—a new ID card, a new airport scanner, a new face-recognition system—can solve our problems than boring old concepts like culture and economics. Admitting that technology isn’t the answer is admitting that there isn’t an answer that will solve the problem, and many people can’t do that yet. We’ve forgotten that risk is an inherent part of life.

Connected to Virus Writers?

Posted in Malicious Software, Polls by Dragan Pleskonjic @ Jan 19, 2009

The recent poll with the question “Will crisis in financial sector affect tech and security?” has expired.

The new question relates to long-standing rumors that some security software companies are connected to virus writers and use them as helpers to increase revenues. In my opinion this is unlikely, but I would like you to give your opinion in the poll on this blog.

So, the question is: “Are software companies, which produce antivirus tools, connected to virus writers?”

Two simple answers are yes or no.

Thank you for your vote.

Computers & Security – Elsevier

Posted in Books, Magazines and Journals, Security by Dragan Pleskonjic @ Dec 29, 2008

In this post, just before New Year, I will take the chance to mention one of the most respected technical journals in the IT security field: Computers & Security – Elsevier, the official journal of Technical Committee 11 (computer security) of the International Federation of Information Processing.

From time to time, I serve as a reviewer for scientific and technical journals, conferences and papers, including Elsevier’s Computers & Security.

This journal, now in its 21st year, with a new editorial board and new regular features and columns, is essential reading for IT security professionals around the world.

In the Journal Citation Reports list published by Thomson Reuters, this journal has been listed with an impact factor for many years. That means that articles published in Elsevier’s Computers & Security journal are often cited and have an important impact on further research and development in the area of computer security.

Elsevier, like most scientific publishing companies, relies on effective peer review processes to uphold not only the quality and validity of individual articles, but also the overall integrity of the journals we publish.

Here you can see a flowchart which shows the peer review process.

On Elsevier web site you can read:

Those who publish with Elsevier can take pride in knowing that the most honored scholars, scientific leaders and educators – from Galileo to Jules Verne to Stephen W. Hawking – have published with Elsevier, as well. In fact, in 2006, 6 Nobel Prize winners had been previously published with Elsevier.

So, if you are planning to publish an important scientific paper in the area of security, you should definitely consider Elsevier’s Computers & Security.

Victoria Secret Competition Gets Hacked

Posted in Internet Security, Polls, Security by Dragan Pleskonjic @ Dec 3, 2008

In this article I tried to explain why we should not believe Internet polls and described some of the ways to cheat them. Here is one more proof: Victoria Secret competition gets hacked.

How?

In the early hours of Oct. 21, Plunkett and his friend created a Perl script that could log 1,500 votes per second on the Victoria’s Secret Web site. Twelve hours later, Drexel had gone from 9,000 to 5.2 million votes.

The script took Plunkett all of three minutes and 30 computers to run.

It’s interesting to read.