Wireless Intrusion Detection and Prevention Systems

After quite some time of silence regarding my work on Wireless Intrusion Detection and Prevention Systems (WIDS / WIPS), I’m considering continuing that work. In the past I have done research, published a couple of papers on this topic at conferences and in journals, and also created the concept, basic architecture and design of a system and products. This possible “reactivation” of the work is particularly pushed by the recent increased interest of companies, organizations and institutions (commercial, government, etc.) who contacted me regarding it, and by the requirements of many production environments.

As you could have read earlier on this blog, that area has been one of my research interests for a long time. Intrusion Detection and Prevention Systems (IDS/IPS), especially those used in wireless and mobile networks, are becoming particularly interesting and important with the increased usage of these types of networks. My research has been particularly oriented to the use of artificial intelligence, fuzzy logic and neural networks to make these systems better, easier to use and more efficient. At the 19th Annual Computer Security Applications Conference, ACSAC (December 8-12, 2003, Las Vegas, Nevada, USA), I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the components: agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published a couple of papers on this topic. There are different approaches to intrusion detection and prevention, but a very common trait of commercially available IDS/IPS is that they suffer from many false alarms (false positives and false negatives) and from performance problems. A separate problem is so-called “zero-day” attacks, which pass the majority of today’s IDS / IPS systems unnoticed.

The Wireless Intrusion Detection and Prevention System, in the architecture that I proposed many years ago, consists of:

• WIDS / WIPS Agent. It is software installed on a mobile computer or device. It detects intrusions and attacks by analyzing traffic and behavior, draws conclusions and blocks them. It protects the computer or computerized device. The Agent works in cooperation with the WIDS / WIPS Sensor and Server if those are available in the network and can be reached. Its position is on a Personal Computer (PC), including Pocket PC (PPC) and similar mobile devices.

• WIDS / WIPS Sensor. It is an appliance which sits in the wireless network environment. It has embedded logic for detecting intrusions and alerting stations and servers about them. It alerts network users and/or administrators too. The Sensor works in cooperation with the WIDS Agent and Server if they are available in the same network. Its position is the area of the wireless computer network.

• WIDS / WIPS Server. It is corporate software which integrates the functions of the previous two components and has additional mechanisms such as: collecting, analyzing, drawing conclusions (based on a neural network and fuzzy logic implementation), and giving support to the WIDS Agent and Sensor. It can communicate with CERT centers and similar bodies. It is responsible for cooperation with other security software or devices (antivirus software, firewalls, …). The Server collects information about WLAN security, events, incidents, and performance from the WIDS Sensors deployed throughout a WLAN. The Server delivers the information to the WIDS Console in a format that helps network administrators immediately identify problems. Its position is in the corporate network, or remote for several mutually linked networks.

• WIDS / WIPS Console & Management and Reporting Tools. This is a set of utilities intended to provide monitoring, management, tuning, and preparing various reports about the activity of WIDS / WIPS components. They are installed on the Server, but can collect and show data from the various components of the WIDS / WIPS system. Single utilities could reside on Agent and Sensor devices, and they provide remote access and configuration capability too.

This is just a brief description. If you are interested in more details, or want to consider contributing to or investing in this development, send me an e-mail.


Tricked by Wrong PDFCreator Publisher

Posted in Internet Security, Software Security by Dragan Pleskonjic @ Jan 23, 2009
You probably need to print your files to PDF format sometimes. You can use Adobe Acrobat for this purpose, but it costs a significant amount of money. If your requirements are not too demanding, you can use the free open-source tool named PDFCreator.

PDFCreator is a free tool to create PDF files from nearly any Windows application. The real PDFCreator Web site is: http://www.pdfforge.org/products/pdfcreator. I have been using it for quite some time (on a trusted friend’s recommendation) and it is a really good tool. Easy to use and pretty fast, it satisfies most of my needs regarding creating PDF files, i.e. printing to PDF from the various programs which I use.

But there are some impostors on the Internet. The Wikipedia article about PDFCreator says:

PDFCreator’s popularity, achieved through word of mouth advertising, has motivated other commercial software vendors to try to fool people who are looking for the free software PDFCreator to purchase their own commercial software version instead, by using a similarly spelled name to “PDFCreator”.

Such attempts include Capsoft’s USD$57.95 PDF Creator and WCCL’s USD$24.95 PDF-Creator.

I will not put those links here as I don’t want to give them any additional PR, but the domain names are carefully chosen so that you can easily be mistaken. Actually, this may be considered a kind of scam and phishing: not exactly phishing according to the classic definition, but using some of its principles.

I was tricked by CapSoft recently. It’s funny how it happened. A new computer required many things to be installed and set up. As I didn’t have the appropriate PDFCreator version saved on my disk, I did a brief search on the Internet, found it (I thought it was the appropriate one), downloaded it, and… Previously, I had spent a lot of time installing, transferring data from the old machine and setting up, and I was pretty tired. In those circumstances, I failed to check whether that version and the PDF Web site, which I easily googled, were the appropriate ones. I noticed that the Web site looked a bit strange, but I thought they had changed it since the previous time I downloaded PDFCreator. They required an e-mail address to send the download link, which was the first bad sign. The link, which I received by e-mail, led to the download.com Web site, via a redirect through some aweber.com domain. Unfortunately, I wasn’t too careful; I downloaded and installed that PDF Creator and started to use it. Soon, I got an e-mail from them. Erhm… I can’t remember ever being asked for my e-mail address for the “old version” (actually the right one), nor receiving any mails from them. And I received more mails, almost one new mail every 2-3 days. Needless to say, the user interface is different and the behavior is slightly different, but I persuaded myself that it was because of the newer version.

Suddenly, 14 days after installation, it stopped working as the trial period had passed, and the tool offered “Buy now” in a message. I hit it and, fortunately, that button somehow didn’t work. Then I carefully inspected the information on CapSoft and their version of PDF Creator and found many complaints on the net, and also the Wikipedia article which I cited above. McAfee SiteAdvisor also has a discussion about this. After this I inspected my machine for viruses, spyware and rootkits. I still have to check more thoroughly whether there is any malicious code that I might have got by installing the wrong PDF Creator (with a space between PDF and Creator, unlike PDFCreator without that space). Just to note also that their wrong Web site has www-pdfcreator in its domain name, which is intentionally chosen to trick people. There is no “About us” section on their Web site, nor any phone number that you can call, nor a physical address apart from a PO Box. Etc… etc… It looks like a very suspicious company.

My advice is to be careful, very careful, when downloading open source software, as many impostors use well-known names and variations of them to trick people and then take their money. Anchor your trust in the project’s real site, not in the name: a name can be copied with a space, a hyphen or a “www-” prefix, but the download host cannot.
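As an added example (not code from this post, from pdfforge.org, or from the vendors named above), here is the kind of check that would have caught the substitution described here. It normalizes a product name or download host the way the impostors exploit it (case, spacing, hyphens, a leading “www-”, a trailing TLD) and flags anything that collapses to the genuine name but is not served from the genuine site; trust is tied to the domain, never to the name alone. TRUSTED_NAME and TRUSTED_DOMAIN are taken from the post; the similarity threshold and the verdict labels are assumptions of this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Added example. TRUSTED_NAME and TRUSTED_DOMAIN come from the post; the
# threshold and the verdict labels are assumptions of this example.
TRUSTED_NAME = "PDFCreator"
TRUSTED_DOMAIN = "pdfforge.org"
SIMILARITY_THRESHOLD = 0.8   # assumption: how close a name must be to count as a lookalike


def host_of(candidate: str) -> str:
    """Lower-case host part of a URL, or the string itself if it is not a URL."""
    return re.sub(r"^https?://", "", candidate.strip().lower()).split("/")[0]


def normalize(name: str) -> str:
    """Collapse the variations the impostors rely on: case, spacing, hyphens,
    a leading 'www.' or 'www-', and a trailing TLD."""
    n = host_of(unicodedata.normalize("NFKC", name))
    n = re.sub(r"^www[.-]", "", n)          # "www.pdf..." and the post's "www-pdfcreator" trick
    n = re.sub(r"\.[a-z]{2,}$", "", n)      # drop ".com", ".net", ... if present
    return re.sub(r"[\s\-_.]", "", n)       # "PDF Creator", "PDF-Creator" -> "pdfcreator"


def classify_source(candidate: str) -> str:
    """'trusted' only for the genuine host. A bare name is never trusted: one
    that collapses to (or sits close to) the genuine name anywhere else is a
    'lookalike'; everything else is 'unrelated'."""
    host = host_of(candidate)
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    norm, genuine = normalize(candidate), normalize(TRUSTED_NAME)
    if norm == genuine or SequenceMatcher(None, norm, genuine).ratio() >= SIMILARITY_THRESHOLD:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for c in ["http://www.pdfforge.org/products/pdfcreator", "PDF Creator",
              "PDF-Creator", "www-pdfcreator.com", "Adobe Acrobat"]:
        print(f"{c!r:48} -> {classify_source(c)}")
```

The similarity fallback catches typo-squats such as “pdfcreater.net” that the exact-match rule misses; the threshold is a tuning knob and will need adjusting for short names, where a single edit moves the ratio a long way.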



Security Quiz: Test Your Security IQ

Posted in Security, Software Security by Dragan Pleskonjic @ Oct 30, 2008

Michael Howard and Bryan Sullivan wrote a couple of articles for this month’s MSDN Magazine. One of them is Test Your Security IQ. It’s a chance for you to take the challenge.


Edgios or will new Google come from Serbia!?

Posted in General, Internet Security, Privacy, Security, Security Research, Software Security by Dragan Pleskonjic @ Oct 20, 2008

It might happen even in the middle of the world’s financial crisis. We should wait and see. Or not just wait: you can really contribute to the new search engine. To contribute, you just install the free software and use it. The name is Edgios and the software is in Alpha stage.

Edgios has already got a lot of publicity on Web sites and discussion forums. It is a large-scale distributed search ‘cloud’ that aims to offer higher-quality search results. Users participate in the cloud by downloading the Edgios personal search software and connecting that software to the net.

A recent discussion on one of the most important developers’ forums in Serbia raised many questions about Edgios. Some participants questioned the idea and concept, and many raised privacy and security concerns as well. Also, it seems that many people are scared of Google and Yahoo and have no courage to question their solutions or to start something that may compete with the big ones. It can be successful or not, but it is worth a try at least, especially if you have a famous Venture Capital firm to back your ideas. If it is the one that backed Skype, it is even more serious.

Some of the questions raised in the discussion are: Is it secure? Is it safe? The authors say:

Yes! That’s exactly the point. By having the Edgios personal search client on your computer, you’re in control of what you share and what you keep private. Traditional search engines keep much more information than you might expect, and they hang onto it for a long time. With Edgios, you’re in control.

I would add: do you know what Google or other search engines already know about you? Have you asked yourself that question?

Here are some facts taken from the Edgios Web site about the company:

Edgios is a US company, based in Palo Alto, CA. The company is backed by Draper Fisher Jurvetson (DFJ), a premier Venture Capital firm based in Menlo Park, CA. DFJ shares with Edgios a passion for distributed computing, having backed Skype, the most successful P2P startup to date. Edgios has additional offices in Portland, OR, and in Serbia.

About the founder:

The company has very strong connections with Serbia, having been founded by Dr. Borislav Agapiev, who grew up in Belgrade before moving to the US in 1985. The technology that makes Edgios possible has been developed entirely in Serbia, by a team of extremely talented and bright young developers. The entire team is proud of demonstrating that world-class search technology can be developed in Serbia, relying on the deep talent pool of local developers.

Edgios is Dr. Agapiev’s second search startup. He was also the founder of Vast.com, a San Francisco-based search engine for online classifieds. Vast.com is a leader in the online classifieds market, reaching millions of customers in the US and worldwide, having as partners and customers several large US companies. From its start, Vast.com has also been relying on Serbian engineers for technology development and innovation.

About the search mechanism:

Edgios does not use a centralized search index of the Web, located in a massive data center, fed by an algorithmic ‘crawler’. Instead, it has an index that’s built by users, for users, and it employs a fully distributed index residing in memory and on the disks of computers that are part of the search cloud. The power of a fully decentralized, distributed search system is dependent on the number of its users. We believe that with just a few hundred thousand users the Edgios search cloud is capable of surpassing conventional search engines, in terms of freshness, depth, and quality of search results.

It will be interesting to watch the progress of this story, and to be part of it, why not?


MD5 Collisions

It seems that bad days have come for MD5 and for those who base their security on its hashes. It is possible to create two executable programs with different functionality and an identical MD5 hash. Therefore, an attacker can create a malicious executable which has the same MD5 hash as a benign program, provided the attacker prepared both programs: this is a collision attack, and the published attacks do not let you match the hash of an arbitrary existing program (that would be a second-preimage attack, which is not what has been broken). This can be done using only publicly available Internet information and tools.

Here is a short story and a list of resources that you may be interested in trying.

In March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published the paper “How to Break MD5 and Other Hash Functions”, in which they described an algorithm that can find two different sequences of 128 bytes (two 64-byte MD5 input blocks each) with the same MD5 hash. The article was originally here, but it seems it is not anymore. You can buy it from SpringerLink (here) for $25, or download it with a subscription. There is a free PowerPoint presentation here.

The abstract of the paper “How to Break MD5 and Other Hash Functions” says:

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

In the meantime, Peter Selinger from the Department of Mathematics and Statistics, Dalhousie University, published a tool, which you can download for free, that he used to create MD5-colliding executable files. He calls it the “evilize” library. This software is based on Patrick Stach’s implementation of Wang and Yu’s algorithm. You can find the original implementation here.

Eduardo Diaz has described a scheme by which two programs can be packed into two archives with an identical MD5 hash. A special “extractor” program turns one archive into a “good” program and the other into an “evil” one.
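To make the mechanism behind the “good” and “evil” executables concrete, here is an added example; it is not code from this post, from the evilize library, or from Diaz’s extractor. It uses the published Wang–Yu colliding block pair, the same two 128-byte inputs the paper above describes, and appends an identical trailing part to both. Because MD5 is a Merkle–Damgård hash, once two inputs have driven the internal state to the same value, any common suffix keeps the digests equal, which is exactly why a shared program body can branch on the prefix it was packed with and still match the “good” copy’s MD5. The payload bytes, the run() branch and its labels are constructed here for illustration.

```python
import hashlib
from typing import List, Tuple

# Added example. BLOCK_A and BLOCK_B are the published Wang–Yu MD5 collision
# pair (128 bytes each, i.e. two 64-byte MD5 blocks). The payload, the branch
# in run() and its labels are constructed for this example.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def differing_offsets() -> List[int]:
    """Byte positions where the two colliding inputs differ (six bytes, one bit each)."""
    return [i for i, (a, b) in enumerate(zip(BLOCK_A, BLOCK_B)) if a != b]


def build_pair(payload: bytes) -> Tuple[bytes, bytes]:
    """Pack the same trailing payload behind each colliding prefix.
    MD5 is a Merkle–Damgård hash: after the two colliding blocks its internal
    state is identical, so any common suffix leaves the final digests equal."""
    return BLOCK_A + payload, BLOCK_B + payload


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run(program: bytes) -> str:
    """Toy stand-in for the shared program body deciding what to do from the
    prefix it was packed with: byte 19 is 0x87 in BLOCK_A and 0x07 in BLOCK_B."""
    if program[19] & 0x80:
        return "good: printing the document"
    return "evil: deleting the user's files"


if __name__ == "__main__":
    good, evil = build_pair(b"<shared program body goes here>")  # constructed payload
    print("differ at bytes:", differing_offsets())
    print("MD5 equal:     ", md5_hex(good) == md5_hex(evil))
    print("SHA-256 equal: ", sha256_hex(good) == sha256_hex(evil))
    print(run(good))
    print(run(evil))
```

Two points for practitioners follow from this. First, the colliding pair here is computed from MD5’s standard initial value, so it must sit at the very start of the file; the evilize approach instead computes the colliding blocks for the chaining value reached after a common program prefix, which is what lets the two files share real code before the differing blocks. Second, the SHA-256 digests of the two files differ, so an integrity check that uses a second hash family or a digital signature still tells the two apart.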

Almost three years ago I published a blog post on MD5 Online Cracking. I have also written about NIST’s new hash competition here and here.

[Thanks to Zeljko for pointing me to this implementation of tool.]


Michael Howard from Microsoft Analyzes Recent Symantec and IBM Vulnerabilities

Posted in Software Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jan 5, 2008

One of the main people behind the Microsoft SDL, Michael Howard, analyzes the recent Symantec and IBM vulnerabilities in a post on the MSDN SDL blog.

Michael says:

The vulnerabilities are not in Symantec code, yet Symantec customers are still open to attack. The issues lie in a small number of file parsers used in many applications created by a third party vendor. As you probably know, file parsing vulnerabilities are very common, and even though the number of such bugs has dropped significantly in Microsoft products, in the past we had many. Thankfully, the SDL’s fuzzing requirements have significantly helped reduce the number of parsing-related vulnerabilities in our products.

And also:

… the same bugs affect IBM’s Lotus Notes 7.0.2 and some other products too.

In summary, Michael says:

Bugs are interesting, you can learn a lot from your own bugs, but also from the bugs in other products. From an SDL perspective, there is nothing new about any of these vulnerabilities. It also appears that the DLLs are not compiled or linked with any other defenses. If I had my way they would be SDL compliant, and have as many defenses as possible as the parser code is an inch away from the Internet, and is used in a mission critical defensive position. What’s interesting to me is how many other products out there consume these giblets? Because those products have security bugs too!

Based on this, we can say that Microsoft’s SDL process is becoming a very powerful and usable instrument for producing more secure software.


Top 100 Network Security Tools

Posted in Software Security, Tools and Utilities by Dragan Pleskonjic @ Dec 19, 2007

Insecure.org has a Top 100 Network Security Tools list. The author says:

Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don’t know where to start”.


Ophcrack – Rainbow Tables Based Password Cracker

If you think your passwords are strong enough, think twice. They are probably not. Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables, done by the inventors of the method. It comes with a GTK+ graphical user interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux. The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”. The trick works because Windows LM and NTLM hashes are not salted, so a table computed once serves every account; LM additionally upper-cases the password and splits it into two independent 7-character halves, which is why a 13-character mixed-case password stored as an LM hash falls so quickly.
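To show what “based on rainbow tables” means in practice, here is an added example, not Ophcrack’s code or tables. It builds a tiny rainbow table and runs the lookup over it. The assumptions are a three-lowercase-letter password space and unsalted MD5 standing in for the unsalted LM/NTLM hashes Ophcrack attacks, with the chain length and chain count chosen for a quick run; salted_hash() is there only to show why a salt defeats the precomputation.

```python
import hashlib
import random
from typing import Dict, List, Optional

# Added example, not Ophcrack's code or tables. Assumptions: a tiny password
# space (3 lowercase letters) and unsalted MD5 standing in for the unsalted
# LM/NTLM hashes Ophcrack targets; the table mechanics are the same.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(CHARSET) ** PW_LEN      # 17,576 candidate passwords
CHAIN_LEN = 32                      # t: hash/reduce steps per chain
NUM_CHAINS = 1500                   # m: chains stored; m*t covers the space ~2.7 times over


def H(password: str) -> bytes:
    """The unsalted hash under attack (stand-in for LM/NTLM)."""
    return hashlib.md5(password.encode()).digest()


def salted_hash(salt: bytes, password: str) -> bytes:
    """What a salted scheme would store; the table cannot be reused against it."""
    return hashlib.md5(salt + password.encode()).digest()


def index_to_password(idx: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        idx, r = divmod(idx, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def R(digest: bytes, column: int) -> str:
    """Reduction: map a digest back into the password space. Mixing in the
    column index (a different reduction per column) is what makes the table
    a *rainbow* table and keeps chains from merging as readily."""
    idx = (int.from_bytes(digest[:8], "little") + column) % SPACE
    return index_to_password(idx)


def build_table(seed: int = 1) -> Dict[str, List[str]]:
    """Offline phase: walk m chains of t steps; store only start and end."""
    rng = random.Random(seed)
    table: Dict[str, List[str]] = {}
    for _ in range(NUM_CHAINS):
        start = index_to_password(rng.randrange(SPACE))
        pw = start
        for col in range(CHAIN_LEN):
            pw = R(H(pw), col)
        table.setdefault(pw, []).append(start)   # ends can collide; keep every start
    return table


def crack(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Online phase: guess which column the target sits in (at most t(t+1)/2
    reductions), then regenerate only the chains whose end matches."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, i)
        for col in range(i + 1, CHAIN_LEN):
            pw = R(H(pw), col)
        for start in table.get(pw, []):
            cand = start
            for col in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), col)
    return None


def coverage(table: Dict[str, List[str]], samples: int = 200, seed: int = 2) -> float:
    """Fraction of random passwords the table recovers; chain merges keep it below 1."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = index_to_password(rng.randrange(SPACE))
        if crack(table, H(pw)) == pw:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    t = build_table()
    print("cracked:", crack(t, H("zed")))
    print("coverage:", coverage(t))
    print("salted:", crack(t, salted_hash(b"s4lt", "zed")))
```

Storing only the chain start and end pairs is the time-memory trade-off: the table holds 1500 entries yet recovers most of the 17,576 passwords, at the price of up to t(t+1)/2 reductions per lookup. Coverage stays below 100 % because chains that land on the same password in the same column merge, and a salted hash is simply a different function, so the precomputed chains never hit it.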

See more here and here.

Thanks to Dejan for bringing this to my attention.


Application Verifier

Posted in Software Security, Tools and Utilities by Dragan Pleskonjic @ Sep 6, 2007

Application Verifier is a nice tool, designed by Microsoft specifically to detect and help debug memory corruption and critical security vulnerabilities. It makes it easier to create reliable applications by monitoring an application’s interaction with the Windows operating system, profiling its use of objects, the registry, the file system, and Win32 APIs (including heaps, handles, locks, and more). It also includes checks to predict how well the application will perform under a Least-privileged User Account, compatibility tests to be used for logo certification, and print tests to verify your usage of the print subsystem.

You can download the new version here.


The Ethics of Perfection

Posted in Security Research, Software Security by Dragan Pleskonjic @ Aug 29, 2007

An interesting blog post from Steve Lipner: The Security Development Lifecycle: The Ethics of Perfection. He says in conclusion:

What does all this have to do with ethics?  Well, I think that given the choice between shipping perfectly secure software (whatever that means) that no customers will use and shipping software with continuously improved security that will actually help customers, the better ethical path is to ship.  That’s a controversial view in some circles, but it’s the view I’ve reached after working in the field for the last 35 years or so.
