Mac != Automatically Safe (Take It From a Mac Fan!)

April 1, 2009

I love my Macbook Pro – ask anyone who knows me.

Before you Windows users leave thinking that this is YAFBR (Yet Another Fanboy Rant) you should all know that I believe strongly in using the right tool for the job – which does not always mean using the trusty Macbook, and sometimes using MS Windows instead (lord help me, but I said it and there is no taking it back).  Sometimes it involves Linux or a BSD variant.  I love them all for different reasons.

I am concerned with the number of Tweets I saw related to Conficker this morning that stated (not an exact quote) “Thank goodness I have a Mac – it is safer than a PC…Macs never get viruses” and other sentiments that denigrated MS Windows to a greater or lesser degree.

Before you get too happy consider the information discussed at CanSecWest last week and published by Milw0rm prior to vendor notification.  Check it out here (but come back!)

It is important to note that you are only as safe as your habits and software, Apple system or not.

I have worked a number of Apple forensics cases involving intrusion and interception of electronic communication.  In each case the firewall was turned off (the user wasn’t aware of how to control the firewall) and there was an astounding lack of logging (the user didn’t know how to control or review logs on the Apple system).

I can also tell you that the number of these types of cases is definitely on the rise.

Here is a quick test:  If your Apple (you can also insert Linux, *BSD, Windows) system was potentially compromised, how would you know?  Can you pull up, right now, failed connection attempts, firewall logs, running process logs?

If not, then take that as your sign and make sure to get yourself battle-ready.
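As an added illustration of that quick test (example code, not from the original post), a small triage pass over an application-firewall log that answers "who has been knocking, and how often?". The `Deny <app> ... from <ip>:<port>` line shape is an assumption modelled on the Leopard-era /var/log/appfirewall.log, and the sample lines are constructed.

```python
import os
import re
from collections import Counter

# Assumed line shape (modelled on the Leopard-era /var/log/appfirewall.log):
#   "<Mon dd HH:MM:SS> <host> Firewall[<pid>]: Deny|Allow <app> ... from <ip>:<port> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ Firewall\[\d+\]: "
    r"(?P<verdict>Deny|Allow) (?P<app>\S+) .*? from (?P<src>[\d.]+):(?P<port>\d+)"
)

def parse_firewall_log(lines):
    """Yield one dict per line that matches LINE_RE; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def denied_sources(lines):
    """Map remote address -> number of connection attempts the firewall denied."""
    return Counter(e["src"] for e in parse_firewall_log(lines) if e["verdict"] == "Deny")

def noisy_sources(lines, threshold=3):
    """Addresses denied at least `threshold` times, busiest first: the ones to look at."""
    return [src for src, n in denied_sources(lines).most_common() if n >= threshold]

# Constructed sample log (not a real capture) so the functions run offline.
SAMPLE_LOG = """\
Mar 31 10:22:13 mymac Firewall[41]: Deny sshd connecting from 203.0.113.7:51002 uid = 0 proto=6
Mar 31 10:22:15 mymac Firewall[41]: Deny sshd connecting from 203.0.113.7:51004 uid = 0 proto=6
Mar 31 10:22:18 mymac Firewall[41]: Deny sshd connecting from 203.0.113.7:51007 uid = 0 proto=6
Mar 31 10:22:40 mymac Firewall[41]: Allow iTunes connecting from 192.168.1.20:55432 uid = 501 proto=6
Mar 31 10:23:01 mymac Firewall[41]: Deny nmbd data in from 198.51.100.9:137 uid = 0 proto=17
Mar 31 10:23:05 mymac Firewall[41]: Firewall logging enabled
"""

if __name__ == "__main__":
    # Read the real log when it exists and is readable, otherwise fall back to the sample.
    path = "/var/log/appfirewall.log"
    if os.access(path, os.R_OK):
        with open(path, encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for src, n in denied_sources(lines).most_common():
        print(f"{n:5d}  {src}")
    print("worth a second look:", noisy_sources(lines) or "nothing above threshold")
```

If the script finds no log at all, that is itself the answer to the quick test: logging was never turned on.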

As bot-nets become more and more prevalent, if you are not part of the solution you are truly a large part of the problem.


YouTube Struggles With a Wretched Hive of Scum and Villainy

March 5, 2009

Information Week Article: “YouTube Wrestles With Scammer-Generated Content”

InformationWeek reports that YouTube is “struggling” with posted videos showing such things as stolen credit cards, PINs, etc.  They go on to talk about how difficult it is to screen video content.

A single line mentions that meta-content can be used for screening (searching for keywords that can identify the content), but a YouTube spokesman goes on to say that they rely “on our community to know our community guidelines and flag content that violates the guidelines.”

First of all, the type of community that will be looking for that niche content isn’t going to be all that quick to flag it.

Secondly, how hard would it be to build a signature base of meta-word and behavioral screening to remove the largest portion of objectionable (illegal) content?  Here are a few ideas to think about as you read the article – feel free to post your own:

  • Spam assassin for content anyone?  Use the meta data to help weight the red flag.
  • Watch topics that users post to/visit and use this to weight a flag.  For instance, a little old lady that is concerned about “poodles” and “identity theft” will not affect the weight as much as someone looking for “Free credit card numbers” and “MS Windows licenses”.
  • Use Natural Language Processing techniques to identify and weight actual posts (remember the “StupidFilter”?).

I realize full well that these techniques can be gamed just like anything else, but it seems to me that they are viable, not so hard to implement (I use components of them in my work – although the scale is different!), and a darn spot better than relying on the crooks to report themselves!
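A toy version of the first two ideas above, added here as an example and not taken from the article or from YouTube: metadata keywords each carry a weight, and the uploader's browsing/posting habits scale that weight before it is compared with a review threshold. The keywords, weights, topics and threshold are invented for illustration, and the two uploads are constructed to mirror the little old lady and the credit-card seeker in the post.

```python
import re

# Metadata terms and how much each adds to the red-flag score (invented weights).
KEYWORD_WEIGHTS = {
    "free credit card numbers": 4.0,
    "cvv": 3.0,
    "dumps": 2.5,
    "pin": 1.0,
    "identity theft": 0.5,   # on its own this is a legitimate consumer-protection topic
}

# Topics an uploader posts to or browses that raise the weight of any flag on their uploads.
SUSPECT_TOPICS = {"free credit card numbers", "ms windows licenses", "carding"}

FLAG_THRESHOLD = 5.0   # scores at or above this go to a human review queue

def metadata_score(title, description, tags):
    """Sum the weights of every listed term found as a whole word in the metadata.
    Whole-word matching matters: "pin" must not fire on "keeping" or "shopping"."""
    text = " ".join([title, description, *tags]).lower()
    return sum(w for kw, w in KEYWORD_WEIGHTS.items()
               if re.search(r"\b" + re.escape(kw) + r"\b", text))

def behaviour_multiplier(user_topics):
    """1.0 for a clean history; +0.5 for each suspect topic the uploader frequents."""
    hits = sum(1 for t in user_topics if t.lower() in SUSPECT_TOPICS)
    return 1.0 + 0.5 * hits

def flag_score(title, description, tags, user_topics):
    return metadata_score(title, description, tags) * behaviour_multiplier(user_topics)

def should_queue_for_review(title, description, tags, user_topics):
    return flag_score(title, description, tags, user_topics) >= FLAG_THRESHOLD

# Constructed uploads: (title, description, tags, topics the uploader frequents).
LITTLE_OLD_LADY = ("Keeping my poodle safe from identity theft scams", "", ["poodles"],
                   ["poodles", "identity theft"])
SCAMMER = ("Free credit card numbers with CVV and PIN", "fresh batch", ["dumps"],
           ["Free credit card numbers", "MS Windows licenses"])

if __name__ == "__main__":
    for name, upload in (("lady", LITTLE_OLD_LADY), ("scammer", SCAMMER)):
        print(name, round(flag_score(*upload), 2), should_queue_for_review(*upload))
```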


The Top 5 Biggest Infosec Lies

March 2, 2009

I have compiled a list of what I believe are the biggest lies told by and about infosec.  Let me know if you have an addition to the list!

5. There is no evidence that the data has been misused….

This lie is typically told by a company that has just had their digital posteriors handed to them.  The first question that I want to ask upon hearing this one is:

“So… wait… you were completely unable to detect the intruders that were playing around in your own systems for 3 or 4 months, but now all of a sudden you can tell across the entire globe if the information is being misused?”

4. It was a sophisticated attack….

The biggest problem is deciding if this lie is being told by the party that was breached, or the media.  For some reason the media classifies everything as “hacked”, even when it isn’t.  You can add to this that the party that has been breached has two things working against it:

1. Who wants to admit they were breached by something stupid?  If you are going to be breached you want it to be the most sophisticated, complex attack known to man.

2. The “mouthpiece” for the organization that was breached likely doesn’t understand the technical issues themselves.

3. Of course it is secure – the (Military/Law Enforcement/Government) uses this, so it has to be….

I was asked by a client to sit in a product demonstration not too long ago, and the vendor’s mouthpiece kept harping on the fact that “This is so secure, NASA uses it!”.  They were more than a little crestfallen when I demonstrated for them that they were sending their username/password in Base64 decoded format for the entire world to see – and then the page was moving to SSL encryption (on an expired certificate).

The lesson here?  Just because no one has questioned it, doesn’t make it secure.

2. We have “Insert favorite technology here” so we know we are all set….

My first response to this usually is: “Tell me/Show me the specific policy/procedure that your favorite technology is in place to support.  What about the policy and procedure that governs support of the technology?”  The largest portion of the time an organization is completely unable to do this simple exercise.

Infosec technology that does not support policy and procedure is pretty much meaningless – at best you have wasted money, at worst you have created yet another attack vector through a mis-managed, poorly understood device.

1. We are compliant with (HIPAA, GLB, Sarbanes-Oxley, PCI, etc.) so we know we are secure….

Ummm… so was Heartland….  Do we really need to go down this road?