Virtual Steganographic Laboratory

Posted in Education and Training, Privacy, Security, Tools and Utilities by Dragan Pleskonjic @ Jul 3, 2009

Michal Wegrzyn informed me about a new and interesting project at http://vsl.sourceforge.net/. It is a new steganographic tool named Virtual Steganographic Laboratory (VSL). It is a graphical block diagramming tool that allows complex use, testing and adjustment of methods for both image steganography and steganalysis. VSL provides a friendly GUI along with a modular, plug-in architecture. The tool is very similar to CrypTool, which has been described on this blog here.

VSL screenshot

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. It is a form of “security through obscurity”. The word steganography is of Greek origin and means “concealed writing”. Generally, messages will appear to be something else: images, articles, or some other covertext. It may be considered a kind of invisible ink between the visible lines of a private letter.

The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both the messages and the communicating parties.

Virtual Steganographic Laboratory (VSL) is simple, easy to use software for steganography, steganalysis and watermarking. It gives scientists and students a powerful tool for conducting a wide range of experiments involving different types of message embedding, diverse attacks (employing image processing algorithms) and steganalysis using popular methods. Due to its use of generics (and a few other features) it requires at least Java 1.5 (5.0).

The primary interface of VSL is a graphical block diagramming tool with a customizable set of block modules. VSL uses dynamic invocation, so any new module can be created, added and used without recompiling the application. Many steganographic applications are command-line tools or very simple GUIs built around one chosen method. VSL provides a framework for complex yet simple-to-arrange experiments and method testing. It can use many methods simultaneously, and anyone can add a new one.
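As an added illustration of the kind of experiment VSL is built for (editorial example code, not part of VSL, which is a Java tool), here is the simplest image embedding method, LSB replacement, next to a classic steganalysis check. The cover image is a constructed list of 8-bit grayscale values rather than a real file, and the pair-of-values chi-square statistic is kept as a raw score rather than a p-value:

```python
import random

def embed_lsb(cover, message):
    """Return a copy of cover (8-bit grayscale values) whose least significant
    bits carry a 16-bit length header followed by the message bytes."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for this message")
    stego = list(cover)
    for k, bit in enumerate(bits):
        stego[k] = (stego[k] & 0xFE) | bit   # touch only the lowest bit
    return stego

def extract_lsb(stego):
    """Reverse of embed_lsb: read the length header, then that many bytes."""
    def byte_at(i):
        return sum((stego[8 * i + j] & 1) << (7 - j) for j in range(8))
    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + i) for i in range(length))

def chi_square_lsb(pixels):
    """Pair-of-values steganalysis score: LSB replacement equalises the counts of
    each value pair (2k, 2k+1), so a loaded image scores far below a biased cover."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return stat

def make_cover(n=4096, seed=1):
    """Constructed cover stand-in: LSBs biased toward even values about 4:1."""
    rng = random.Random(seed)
    return [(rng.randrange(256) & 0xFE) | int(rng.random() < 0.2) for _ in range(n)]

def make_message(n_bytes, seed=2):
    """Constructed payload that looks like ciphertext: uniform random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))

if __name__ == "__main__":
    cover, msg = make_cover(), make_message(500)
    stego = embed_lsb(cover, msg)
    print(extract_lsb(stego) == msg, chi_square_lsb(cover), chi_square_lsb(stego))
```

The score drop after embedding is the detection signal a steganalysis block in VSL would compute; a real image with naturally balanced LSBs, or an embedding that only touches a small fraction of pixels, narrows that gap considerably.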

I see this as a very promising project and will continue to watch its progress.


Wireless Intrusion Detection and Prevention Systems

After quite some time of silence regarding my work on Wireless Intrusion Detection and Prevention Systems (WIDS / WIPS), I’m considering continuing that work. In the past I did research, published a couple of papers on this topic at conferences and in journals, and also created the concept, basic architecture and design of a system and products. This possible “reactivation” of the work is particularly pushed by the recent increased interest of companies, organizations and institutions, including commercial, government etc., who contacted me regarding it, and by the requirements of many production environments.

As you could have read earlier on this blog, this area has been one of my research interests for a long time. Intrusion Detection and Prevention Systems (IDS/IPS), especially those used in wireless and mobile networks, are becoming particularly interesting and important with the increased usage of these types of networks. My research has been particularly oriented to the use of artificial intelligence, fuzzy logic and neural networks to make these systems better, easier to use and more efficient. At the 19th Annual Computer Security Applications Conference ACSAC (December 8-12, 2003, Las Vegas, Nevada, USA) I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the components agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published a couple of papers on this topic. There are different approaches to intrusion detection and prevention, but what is very common to commercially available IDS/IPS is that they suffer from many false alarms (positives and negatives) and from performance problems. A separate problem is the so-called “zero-day” attacks that pass the majority of today’s IDS / IPS systems unnoticed.

The Wireless Intrusion Detection and Prevention System, in the architecture that I proposed many years ago, consists of:

• WIDS / WIPS Agent. This is software installed on a mobile computer or device. It detects intrusions and attacks by analyzing traffic and behavior, draws conclusions and denies them. It protects the computer or computerized device. The Agent works in cooperation with the WIDS / WIPS Sensor and Server if those are available in the network and can be reached. Its position is on a Personal Computer (PC), including Pocket PC (PPC) and similar mobile devices.

• WIDS / WIPS Sensor. This is an appliance which sits in the wireless network environment. It has embedded logic for detecting intrusions and alerting stations and servers about them. It alerts network users and/or administrators too. The Sensor works in cooperation with the WIDS Agent and Server if they are available in the same network. Its position is the area of the wireless computer network.

• WIDS / WIPS Server. This is corporate software which integrates the functions of the previous two components and has additional mechanisms such as collecting, analyzing, drawing conclusions (based on a neural network and fuzzy logic implementation), and giving support to the WIDS Agent and Sensor. It can communicate with CERT centers and similar bodies. It is responsible for cooperation with other security software or devices (antivirus software, firewalls…). The Server collects information about WLAN security, events, incidents, and performance from the WIDS Sensors deployed throughout a WLAN. It delivers the information to the WIDS Console in a format that helps Network Administrators immediately identify problems. Its position is in the corporate network, or remote for several mutually linked networks.

• WIDS / WIPS Console & Management, Reporting Tools. This is a set of utilities intended to provide monitoring, management, tuning, and preparation of various reports about the activity of WIDS / WIPS components. They are installed on the Server, but can collect and show data from the various components of the WIDS / WIPS system. Single utilities can reside on Agent and Sensor devices, and they provide remote access and configuration capability too.

This is just a brief description. If you are interested in more details, or want to consider a contribution to or investment in this development, send me an e-mail.


Which Antivirus Software Do You Use?

Posted in Malicious Software, Polls, Security, Tools and Utilities by Dragan Pleskonjic @ Apr 21, 2009

There is a new poll on this blog. The question is “Which antivirus software do you use?” and the possible answers are:

  • Symantec
  • McAfee
  • Kaspersky
  • F-Secure
  • AVG
  • Avast
  • Trend Micro
  • NOD32
  • Other
  • None

Thank you for voting.


Ratproxy

Posted in Tools and Utilities by Dragan Pleskonjic @ Jul 3, 2008

Google released Ratproxy, a passive web application security assessment tool. It is released under the terms and conditions of the Apache License, version 2.0.

Here is Google’s description of the tool:

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.


Microsoft IPsec Diagnostic Tool

Posted in Tools and Utilities by Dragan Pleskonjic @ Feb 2, 2008

The Microsoft IPsec Diagnostic Tool assists network administrators with troubleshooting network-related failures, focusing primarily on IPsec. It is applicable to Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The tool download is available to customers running genuine Microsoft Windows. Also, check the interesting Network Access Protection (NAP) Case Study. It is a quick and interesting read, and it uses IPsec-based enforcement.


Top 100 Network Security Tools

Posted in Software Security, Tools and Utilities by Dragan Pleskonjic @ Dec 19, 2007

Insecure.org has a Top 100 Network Security Tools list. The author says:

Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don’t know where to start”.


Ophcrack – Rainbow Tables Based Password Cracker

If you think your passwords are strong enough, think twice. They are probably not. Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a GTK+ Graphical User Interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux. The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. The Geekwisdom password strength meter rates it “mediocre”.
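To make the rainbow-table idea concrete, here is an added toy implementation (editorial example, not Ophcrack's code) of the precomputation and lookup phases over a four-letter password space, using MD5 as a stand-in for the unsalted LM/NT hashes Ophcrack targets; the chain length, table size and seed strings are arbitrary choices for the demo. The last function shows why a per-user salt makes such a table worthless against a stored hash:

```python
import hashlib

# Constructed toy parameters (4 lowercase letters, 50-step chains) so the table
# builds in about a second; MD5 stands in for the unsalted LM/NT hashes Ophcrack targets.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
CHAIN_LEN = 50
SPACE = len(CHARSET) ** PW_LEN

def H(password):
    """Unsalted hash: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).digest()

def R(digest, column):
    """Column-dependent reduction from a digest back into password space."""
    n = (int.from_bytes(digest, "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, idx = divmod(n, len(CHARSET))
        chars.append(CHARSET[idx])
    return "".join(chars)

def chain(start):
    """Every password on one chain; only its first and last entries are stored."""
    pws = [start]
    for col in range(CHAIN_LEN - 1):
        pws.append(R(H(pws[-1]), col))
    return pws

def build_table(num_chains=300):
    """Precomputation: map each chain endpoint to the start(s) that reach it."""
    table = {}
    for i in range(num_chains):
        start = R(H("seed%d" % i), 0)
        table.setdefault(chain(start)[-1], []).append(start)
    return table

def crack(table, digest):
    """Online phase: for each possible column, walk to the chain end, then
    regenerate any chain with that endpoint to find the matching password."""
    for col in range(CHAIN_LEN - 2, -1, -1):
        p = R(digest, col)
        for j in range(col + 1, CHAIN_LEN - 1):
            p = R(H(p), j)
        for start in table.get(p, []):
            for pw in chain(start):
                if H(pw) == digest:
                    return pw
    return None

def salted_hash(salt, password):
    """A per-user salt changes every digest, so the precomputed table misses."""
    return hashlib.md5((salt + password).encode()).digest()
```

The table stores only 300 endpoint/start pairs yet answers lookups for every password on any chain, which is the time/memory trade-off that lets Ophcrack ship tables covering full LM and NT password spaces.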

See more here and here.

Thanks to Dejan for bringing this to my attention.


Application Verifier

Posted in Software Security, Tools and Utilities by Dragan Pleskonjic @ Sep 6, 2007

Application Verifier is a nice tool, designed at Microsoft specifically to detect and help debug memory corruption and critical security vulnerabilities. It makes it easier to create reliable applications by monitoring an application’s interaction with the Windows operating system, profiling its use of objects, the registry, the file system, and Win32 APIs (including heaps, handles, locks, and more). It also includes checks to predict how well the application will perform under Least-privileged User Account operation, compatibility tests to be used in logo certification, and print tests to verify your usage of the print subsystem.

You can download the new version here.


Encryption: Security Considerations for Portable Media Devices

Posted in Cryptography, Hardware Security, Tools and Utilities by Dragan Pleskonjic @ Aug 8, 2007

IEEE Security and Privacy, July/August 2007 issue (Vol. 5, No. 4), has an interesting article, Encryption: Security Considerations for Portable Media Devices (subscription required).

Abstract

With the proliferation of removable media devices, such as iPods and USB drives, large amounts of an organization’s sensitive data can easily be removed. The author explores the complexities of protecting networks against removable media, including guidelines for purchasing encryption software.


SDL Crypto Code Review Macro

Posted in Cryptography, Secure Programming, Tools and Utilities by Dragan Pleskonjic @ Jun 17, 2007

Michael Howard talks about SDL Crypto Code Review on his blog. He says:

When I review code for security bugs I basically do the following:

1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e. line-by-line review) based on the threat models.

Michael decided to create a simple macro to help with (2) when reviewing code for potential crypto issues. You can read about it and download the code at his Web log (here).
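A small added example (editorial code, not Michael Howard's macro, which was written for Visual Studio) of what step (2) looks like when automated: a pattern list of crypto-related known issues, run over a constructed C snippet, with a reviewer annotation that silences hits already checked by hand. The pattern set is illustrative, not an official banned-API list:

```python
import re

# Hypothetical check list for step (2), "look for known issues". Each entry is a
# regex over C/C++ source and the reason a reviewer should stop and look; the
# CALG_* and CRYPT_MODE_ECB names are Windows CryptoAPI identifiers.
CRYPTO_CHECKS = [
    (r"\b(MD4|MD5|SHA1|CALG_MD5|CALG_SHA1)\b", "weak hash algorithm"),
    (r"\b(DES|RC2|RC4|CALG_DES|CALG_RC2|CALG_RC4)\b", "weak or legacy cipher"),
    (r"\bECB\b|\bCRYPT_MODE_ECB\b", "ECB mode leaks plaintext patterns"),
    (r"\bs?rand\s*\(", "non-cryptographic RNG in crypto code"),
    (r"\bmemcmp\s*\(", "non-constant-time comparison of secrets or MACs"),
    (r"\b(key|iv|password)\w*\s*(\[\w*\])?\s*=\s*\"", "possible hard-coded key material"),
]
SUPPRESS_MARKER = "sdl-reviewed"   # a reviewer's annotation that silences a hit

def scan_source(source):
    """Return one finding per (line, check) hit, skipping lines already reviewed."""
    findings = []
    for num, line in enumerate(source.splitlines(), 1):
        if SUPPRESS_MARKER in line:
            continue
        for pattern, reason in CRYPTO_CHECKS:
            m = re.search(pattern, line)
            if m:
                findings.append({"line": num, "match": m.group(0), "reason": reason})
    return findings

def report(findings):
    """Plain-text listing in source order, suitable for pasting into a review."""
    return "\n".join("line %d: %-16s %s" % (f["line"], f["match"], f["reason"])
                     for f in findings)

# Constructed sample, not real project code, exercising every check once.
SAMPLE_C = """#include <wincrypt.h>
static const BYTE key[16] = "0123456789abcdef";
HCRYPTHASH hHash;
CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);
DWORD mode = CRYPT_MODE_ECB;
srand((unsigned)time(NULL));
if (memcmp(mac, expected, 16) == 0) accepted = 1;
MD5_Update(&ctx, buf, n); // sdl-reviewed: file checksum, not a security use
CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash);
"""

if __name__ == "__main__":
    print(report(scan_source(SAMPLE_C)))
```

As Michael notes, the noise from this pass can be high; the suppression marker is one way to keep the list shrinking as hand review (step 3) works through it.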
