Security Practice: Life, Crypto, Network forensics.

Links for 2008-09-10 [del.icio.us]

2008-09-11T00:00:00-05:00

Installing Hacme Bank on an XP Pro VMWare Image - PingTrip

Links for 2008-09-09 [del.icio.us]

2008-09-10T00:00:00-05:00

Damn Vulnerable Linux - The most vulnerable and exploitable operating system ever - First steps with Damn Vulnerable Linux

Links for 2008-07-17 [del.icio.us]

2008-07-18T00:00:00-05:00

Links for 2008-07-03 [del.icio.us]

2008-07-04T00:00:00-05:00

Ghost-writer | home

Links for 2008-07-02 [del.icio.us]

2008-07-03T00:00:00-05:00

Words List - Extelligence: Archaic and Creative Word Dictionary

Links for 2008-07-01 [del.icio.us]

2008-07-02T00:00:00-05:00

UrlScan Security Tool

Links for 2008-06-25 [del.icio.us]

2008-06-26T00:00:00-05:00

A Lawyer's analysis of PCI

2008-03-25T09:15:00.003Z

PCI-DSS - the Payment Card Industry Data Security Standard, has attracted some interesting views to it. The latest one is here. The writer describes it operating "like a court" - I don't quite agree, it operates under contract law, and I've been involved in at least one case where the issuing brand failed to have a recovery clause in the contract allowing them to seek reparation from the retailer-in-breach.

However, the interesting thing is that its not just a good idea to be compliant with PCI if you are "storing, processing or transmitting" credit card numbers. If you want to take payment with credit cards, then your bank (urged by VISA and MasterCard) will require you to sign up for PCI, with contractual caveats that any PCI breaches and costs thereof are born by .. erm, you.

In other news, my friend Branden has a spiffy blog online. Go check it out. The link is to his "All QSA's are not created equal" post, which given the legal post above, is worth considering. Not only do you get what you pay for, but selection of a high quality QSA over a bucket shop could save a hell of a lot of money in PCI reparation costs.

Sir Tim and I agree

2008-03-17T15:37:00.004Z

In a previous post, I recommended you write to your MP, cancel your phone service, and call Jeremy Vine (from someone else's phone) if your ISP started using Phorm.

Well, Sir Tim Berners-Lee says:

The creator of the web has said consumers need to be protected
against systems which can track their activity on the internet.

Sir Tim Berners-Lee told BBC News he would change his internet
provider if it introduced such a system.

Plans by leading internet providers to use Phorm, a company
which tracks web activity to create personalised adverts, have
sparked controversy.

Sir Tim said he did not want his ISP to track which websites
he visited.

"I want to know if I look up a whole lot of books about some form
of cancer that that's not going to get to my insurance company
and I'm going to find my insurance premium is going to go up by 5%
because they've figured I'm looking at those books," he said.

Sir Tim said his data and web history belonged to him.

He said: "It's mine - you can't have it. If you want to use it for
something, then you have to negotiate with me. I have to agree,
I have to understand what I'm getting in return."

Seriously folks, imagine how you'd feel if the Royal Mail said "hey, we opened your post and saw that you had a letter from the bank warning you about your overdraft, can we interest you in a low-price loan"? Or if your phone company rang you up and said "You've had a call from the hospital, would you like some low-price funeral expenses insurance?" I could hope that this will encourage more people to use encryption such as PGP, but that's not likely. People have never really understood why encyrption is important in reducing their internet footprint.

More to the point, it would be illegal. Has the law not caught up with the fact that we conduct sensitive and private communications over the Internet, not just by phone and letter?

I wonder if Sir Tim will get an invite from Phorm's PR company to a business briefing as well?

Saying no, the third way

2008-03-17T13:46:00.003Z

My favourite line in The Vicar of Dibley is:

GERALDINE: There are two answers to your question, the long one and the short one. The short answer is "No", and the long answer is "Noooooooooooooooooooooo".

I signed the petition to form a national e-crime unit recently. The gub'mint have found a Third Way:
Thank you for the e-petition, asking for the Government to give priority to the creation of an e-crime unit as proposed by the Metropolitan Police Service and ACPO.

The Government takes seriously all forms of crime, and has passed legislation to support the prosecution of those who steal data and attack IT systems, or who create the technical mechanisms to support such attacks

The Government is currently in receipt of the proposal by the Metropolitan Police Service and ACPO and are actively considering the issues it has raised and the value of creating such a unit.

Government has allocated £29 million over 3 years to implement the recommendations of the Fraud Review. This includes the creation of a National Fraud Strategic Authority (NFSA) which will drive forward a comprehensive strategy for tackling fraud, bringing together the Government, criminal justice practitioners, business and the public. It also includes a new national lead force role for the City of London Police and National Fraud Reporting Centre (NFRC) which will collect and analyse data on all types of fraud (including online fraud), equip law enforcement agencies with a powerful intelligence tool and help form the basis of better prevention advice and alerts to fraud threats for business and the public.

Both the Child Exploitation Online Protection Centre (CEOP) and the Internet Watch Foundation (IWF) have 24 hour reporting mechanisms aimed at members of the public to report instances of child abuse or websites containing child abuse images.

The National Hi Tech Crime Unit (NHTCU) was originally part of the National Crime Squad (NCS), and moved into SOCA along with the rest of NCS in 2006. The name was changed to SOCA e-crime to reflect the new organisation. SOCA e-crime has more resources than the NHCTU and greater international reach via SOCA's international liaison network. The e-crime unit brings together experts from different organisations under one roof and has already developed a national e-Crime strategy with key partners. This aims to improve links with industry and to develop ways for educating businesses and the public about e-crime.

The Government is committed to providing adequate responses to this area of crime in a unified way without duplicating the work carried out by other organisations.

There is of course the fourth way, or "Internet Dating" method of saying no, which is simply to disappear and never be heard from again. But I guess we'd miss Gordon if he did that one.

Deep into Sleep (July-August 2005)

2008-03-13T21:50:00.001Z

Deep into Sleep (July-August 2005)

What does this have to do with security?
Well, apparently we all have messed up sleep patterns (your author included), and this means our decision making skills are impaired.

Hence, security lapses.

Musing: differences between the US and the UK

2008-03-07T19:34:00.002Z

US: "If everyone is a speeder, the cops won't arrest everyone"
UK: "If everyone is a speeder, then put automated cameras to catch them"

Inspired by Cringely.

Facebook users set stupidity tests

2008-03-07T12:44:00.002Z

I see these on FaceBook:

So, for those who don't know - Alt-F4 closes your current window. Its a stupidity test, don't fall for it.

In other news, a grateful "thank you" to Gaggia, who sent me an upgraded coffee machine after I returned the first one to them, worn out. Espresso powered computer security is here once more.

Why we love PaperGhost

2008-03-07T12:38:00.000Z

Just because.

SUR in English

2008-03-07T09:03:00.000Z

SUR in English: "Having survived a complicated divorce and secured custody of the children the thought of moving to another country and reducing contact with an ex husband or wife becomes attractive. What many parents don’t realise, however, is that taking a child out of their country of origin without authorisation from their former partner violates international law."

We don't care, we dont have to, we're the phone company

2008-03-06T21:21:00.006Z

Lauren Weinstein writes about how BT are quite callously exploiting the privacy (and ignorance) of their customers. Let's face it, technically aware people avoid BT like herpes.

Edit: I've actually had quite a fun idea which would screw this up completely. In the same way that we can screw up Sky Digital's audience monitoring system by leaving the DigiBox tuned to 504 (BBC Parliament) when we aren't watching anything else, why not have a little perl script running in the background of your system which submits a list of stupid and bogus queries to google, say once a second. The traffic and system load would be minimal, and it would crap out the Phorm Phactor.

I'm reproducing Lauren's post in full, because it sums it up.

Greetings. Given the CCTV surveillance fetish in the UK these days, it seems somehow sickly appropriate that British ISPs are in the forefront when it comes to spying on the content of their subscribers' Web browsing -- and it appears that Google users are in the bull's-eye.

Most of the related media attention so far has revolved around the manner in which the three largest UK ISPs have gone to bed with "Phorm" -- toward the goal of monetizing Web browsing habits of subscribers and providing targeted ads
( http://www.theregister.co.uk/2008/02/29/phorm_roundup/ ).

Of course, there's a lot "soothing" promotional blather on the BT site claiming that the data collected regarding the sites that you visit is quickly deleted or anonymized. And while officially the ISPs claim that they haven't made a decision about opt-out vs. opt-in, the current British Telecom limited deployment -- they call the "service" "Webwise" ( http://webwise.bt.com/webwise/index.html ) and promote it as mainly an anti-phishing system -- appears to be opt-out (requiring either maintaining a special cookie in your browser or blocking all cookies from a particular site).

Third-party tracking of the Web sites that you visit is bad enough, but Webwise (and presumably the other incarnations of the Phorm system) go one big step farther -- they actually *spy* on your Web content and extract for their own use the search terms that you enter into search engines:

"We [Webwise] use the website address, keywords and search terms
from the page viewed to match a category or area of interest
(e.g., travel or finance)."

Given that the vast majority of searches these days are conducted with Google, it's obvious that this ISP-based system will be attempting to monetize the vast number of search transactions between users and Google, in a technical manner that seems eerily similar to wiretapping.

This is unbelievably intrusive and unacceptable, except perhaps on a fully-informed opt-in basis. When I use a search engine -- let's say Google -- I am expressing an implicit belief that my search data will not be abused or misused by Google. I have made no such determinations regarding any use in any manner of this search query
data by ISPs or their partners.

I'm communicating with Google. Period. I don't care if the ISPs claim that the data is quickly discarded, or anonymized so well that it looks like an iPhone that's been put through a blender ( http://youtube.com/watch?v=qg1ckCkm8YI ), nobody but Google and I have any rights to those search terms!

And we all know that search keywords can be very sensitive. Names, addresses, social security numbers (sloppy, but people do it), searches for new words to be used for domains or product names -- all manner of personally and commercially sensitive information can be found in search query data.

Anyone who tried this stunt on such a basis with physical mail or phone calls they'd probably land in prison. But ISPs are increasingly pushing the envelope in terms of spying on and even altering subscriber Web traffic. This latest example is utterly beyond the pale, and it's hard to see how such abusive behavior can continue to pass legal muster indefinitely.

If subscribers wish to opt-in to such systems with a full understanding of what's involved -- well, I wouldn't recommend it but that's their choice. However, if these systems are fully deployed in a manner that requires subscribers to opt-out to avoid having their communications with Google and other search engines being intercepted, then I foresee some very angry subscribers, and a particular search services giant who will likely be anything but amused.

Wake up people. Write to your MP. Cancel your phone service. Call Jeremy Vine. This is appalling behaviour from a cynical monopolist who is moving tens of thousands of jobs abroad, (as an insider told me "90% of the work will be done offshore") and happily raking in profits through the abuse of its customers.

Webwise? Terribly patronising name. WebStupid more like.

I'm doing Science, I'm still alive

2008-03-04T16:19:00.001Z

Now these points of data make a beautiful line.
And we're out of beta.
We're releasing on time.

More at http://www.youtube.com/watch?v=Y6ljFaKRTrI

White Paper - SABSA

2008-03-03T12:35:00.001Z

Hooray, yet another online ID

2008-03-03T10:09:00.002Z

I've just signed up for online access to my GP's surgery. I have three new pieces of identity information:

A numeric Practice number
A numeric access ID
A password (which mercifully I got to chose)

I understand that E-MIS need this information to register me, but why can't I then associate my OpenID, or my token with my account for authentication?

When you're in a good mood, all your creativity goes out the window

2008-02-29T09:21:00.003Z

I think it may have something to do with actually getting enough sleep last night. So in a fit of lazyblogging, I read this article on CIO.com about interviewing skills. Its not bad, and covers the basics, although I was struck with laughter when I read the advisory note on "witness intidimation", wondering whether the author was for it or against it! Reading this won't turn you into Gibbs, and it doesn't deal with other issues such as when to make (or break) rapport, or how to take control over the interview. (For example: questions such as "what happens if the witness wants to record the interview" means you are not in control).

Furthermore, Muffett has pointed me at "Ten Mistakes that CIOs consistently make that weaken enterprise security". Interesting, funny, insightful reading. Its worth quoting here (because this is a lazy blog day after all).

Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi and ITIL while not understanding the fact that hackers attack software.
Ostritch Principle: Since you were so busy aligning with the business which really means that you are neither a real IT professional nor business professional, you have spent much of your time perfecting memorization of cliche phrases and nomenclature and hoping that the problem will go away if you ignore it.
Putting network engineers in charge of security: When will you learn that folks with a network background can't possibly make your enterprise secure. If a hacker attacks software and steals data yet you respond with hardware, whom do you really think is going to win the battle.
Over Rely on your vendors by relabelling them as partners: You trust your software vendors and outsourcing firms so much that you won't even perform due diligence on their staff to understand whether they have actually received one iota of training
Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices, they are more for network hygiene. Ever consider that a firewall can't possibly stop attacks related to cross site scripting, SQL injection and so on. Network devices only protect the network and can't do much nowadays to protect applications.
Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly
Thinking that security is expensive while also thinking that CMMi isn't: Why do you continue to fail to realize how much money their information and organizational reputations are worth.
The only thing you need is an insulting firm to provide you with a strategy: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed
Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security. Let's be honest, your SOA is all about integration as you aren't smart enough to do anything else.
Put people in roles and give them titles, but don't actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

I'd add another one to this list - "Outsource everything in the belief that IT is non-core". IT, like it or not, is not only the brains, but the entire digital nerve system of your organisation. Handing it over to people who are paid a tenth of what you pay your own staff, and don't be surprised if your digital nerve system gives your organisation Parkinson's disease.

We could tell you, but then we'd have to tax you

2008-02-26T18:26:00.002Z

Scenario:

I suspect fraudulent use of National Insurance Numbers. I go to HMRC website and find this page:

http://www.hmrc.gov.uk/manuals/nimmanual/NIM39100.htm

hmm NIM39140 looks like what I need so I click on it. Go on try it.

My flabber is ghasted, but its nice to see HMRC taking confidentiality of information seriously.

BGP stands for Bring Complete Paranoia

2008-02-26T08:57:00.005Z

Rory Cellan writes in his BBC blog that:

So the Pakistani authorities order the country's ISPs to block access to
YouTube. That is done by the country's telecoms provider sending out what is, in
effect, a new - and false - route to get to YouTube. The result is that any
traffic from Pakistani users to YouTube gets directed into a cul-de-sac. So far,
so normal, for any country - China, Turkey, Iran - which decides to control its
population's access to certain websites.
But what appears to have happened in this case is that the dodgy route map somehow leaked beyond Pakistan's borders, and was adopted by the giant Asian telecoms business PCCW. Once it started broadcasting this new way to find YouTube, the rest of the world's ISPs altered their maps, sending everyone up the wrong road.

Now, I'm no longer a network engineer. Terribly bright people now shepherd Internet traffic around the world, carefully grooming and optimising traffic routes between the different Internet "clouds" (known more formally as Autonomous Systems, or AS). In fact, the BBC is an AS, as is BT, and most big ISPs are autonomous. This means that clouds can choose which way is best for traffic going into - and out of - their cloud. So for example my ISP at home can decide that the best way for me to get traffic to and from Australia, for example, is via a cheaper (but longer) land link running through Asia, than by a satellite hop. And they'd probably be right, satellite links tend to be slooow.

What happens here is an issue of transitive trust. Most "peering agreements" (the name for the decisions two AS's make to send traffic between each other) are technically complex, and some include the following rules:

If I can't send traffic to another third party directly, I'll send it to you.
If you can't send traffic to another third party directly, you can send it to me.

Those two rules sound pretty simple, however they're pretty important. The question then arises how does an AS know where it can and cannot send traffic to? Enter the Border Gateway Protocol, or BGP for short. BGP controls routing information which can be thought of as meta-data on the traffic. Its an automated system for updating clouds on which other clouds can be reached through each other. Then the router decides which route is the shortest (or best in some other way configured by its network engineers - for example, "send as much traffic as possible over the cheap landline rather than over the expensive satellite link") and voila, you get to see the Google homepage.

There is a whole industry built up around providing expertise and BGP services, from companies like InterNAP, and industry associations such as LINX. BGP routes get used to advertise places we shouldn't go - for example, some anti-spam services provide a list of IP addresses that network engineers can say "don't try and send traffic here". It can include malware sites, persistent spammers, and as we've seen, a government can mandate that all traffic can be dropped and that all routers in a particular jurisdiction must carry this "internet death penalty".

Where this becomes a security issue, is that BGP is designed to propagate the "best" routing information around the internet. This is designed to assist the internet's self-healing process, so if a cable going under the atlantic is cut - separating a link between two clouds, other routes are automatically brought into play. If you have a collection of routers who say "We know that the best route to youtube.com is to just drop the traffic on the floor", they will announce this route to their peers, and the peers will pick this up, announcing it to their peers, and so on.

This is a transitive trust issue. While network engineers can force the routers to filter the routes sent to them, most of the time they prefer not to - and why would I be jaded and cynical about a peering ISP who I know well and probably go for drinks with their staff? Well, we've seen the answer.

Security pro's would note that the potential for damage of wild and crazy routes being propagated across the Internet, both in terms of PR damage, lost time, and so on, would be worth the mitigation cost of filtering out bogus routes before they are adopted into the routing tables, however ISP's typically focus on availability, throughput - all the things that their customers demand. Network Engineers are highly skilled people, but they're not security experts.

All this puts an interesting slant on the arguments for and against Net Neutrality.

This is not news

2008-02-26T08:45:00.002Z

Deloitte reports that:

IT security pros working in the technology, telecommunications, media and
entertainment industries say they're confident they can handle external security
threats, but nearly half lack a formal security strategy, according to a new
survey

Indeed true. And without a strategy, there's no planning. Without planning, there's no real threat and risk control. Without threat and risk control, then we're back to the good 'ol "Hey! We gotta firewall!" (or insert-the-name-of-your-favourite-new-appliance-here) approach.

How to spot a boiler room

2008-02-25T13:22:00.002Z

I received the following post from the Motley Fool financial investing service. Not that I have any cash to invest, but the following is very good anti-fraud advice.

As our 'Good, Bad and the Ugly email campaign continues, we look at a nasty share scam - the 'boiler room'.
I think the 'boiler room' is the ugliest financial scam of them all.
Telesales staff outside the UK call up unsuspecting private investors and pressure them to buy dodgy shares at inflated prices. Some people believe the crooks' sales patter and frequently they end up losing all the money they've invested. Don't assume that it won't happen to you. Often the victims are pretty sophisticated folk who have been playing the markets for ten years or more.
Indeed, the Financial Services Authority (FSA) has highlighted one case where a management consultant in his 50s lost 40,000 to a boiler room scam, and he had been investing in the stock market for 12 years.
http://www.lnksrv.com/m.asp?i=2464668&u=1473957

How does it work?

Boiler rooms are always based outside the UK and are not regulated by the FSA. The boiler rooms use various techniques to get hold of names to call. They can follow up initial market research calls or call up investors on shareholder registers of small companies. Dealers can then offer free research on a punter's favourite share, and a relationship can be built from there. Or you might be offered free research via junk mail. If you send a reply card back with a tick in a particular box, the dealing room can then claim it's making a legitimate phone call.
Often the boiler room salespeople push shares that 'are about to IPO' (list on the stock market) and 'big profits' can be expected. More often than not, the company never lists and the investors lose all their cash. Sometimes the shares are listed, often on fairly obscure markets such as the 'pink sheets' in the US. On occasion, the shares are listed on better known exchanges, but either way there's a good chance that the share price will start to fall shortly after you've paid your cash. What's more, the boiler room may have taken an outrageously high dealing commission.

Why does it work?

The boiler rooms don't give up easily. They will constantly call a target, trying to build a relationship and get their confidence. According to FSA research, six out of ten targets were pursued for at least a month regardless of whether they purchased shares. Nearly a quarter of targets said they were receiving calls from the same boiler room for more than a year.

What can you do?

If you're cold-called by somebody trying to sell you a share, be very suspicious indeed. If it's such a sure thing, why is he ringing up complete strangers and telling them about it? The simplest approach is to hang up as quickly as possible. If your curiosity won't let you do that, you can check the FSA's list of unauthorised overseas firms that are targeting UK investors. But if a firm isn't on the list, don't assume it's a kosher operation. Boiler rooms frequently change names to get around this.
http://www.lnksrv.com/m.asp?i=2464669&u=1473957

You can find out much more about boiler rooms in this excellent FAQ compiled by star poster JakNife on our discussion boards. Also read these useful tips by my Foolish friend David Kuo.
http://www.fool.co.uk/m.asp?i=2464670&u=1473957

http://www.fool.co.uk/m.asp?i=2464671&u=1473957

> Anatomy Of A Boiler Room Scam

http://www.fool.co.uk/m.asp?i=2464672&u=1473957

> How To Spot A Scam

http://www.fool.co.uk/m.asp?i=2464673&u=1473957

Get hacked by google, bush, and hotmail

2008-02-25T11:27:00.009Z

Over the weekend, I got the following message on MSN.

23/02/2008	22:43:03	Jonathan *mssoc	d@hotmail.com	:)
23/02/2008	22:44:04	Jonathan *mssoc	d@hotmail.com	hey
23/02/2008	22:44:04	Jonathan *mssoc	d@hotmail.com	it watches this animation of bush :P
23/02/2008	22:44:04	Jonathan *mssoc	d@hotmail.com	http://[deleted].googlepages.com/bush.exe

I've changed the name of the sender, and deleted the googlepages website name, because frankly, you don't want the ball of infection that is bush.exe.

First thing is, never run an .exe from the internet. Even if your friend has told you its safe (How do they know? Answer most commonly given "Well it didn't trip out my copy of McAfee"). As we'll see, even downloading the little pucker can be hazardous.

Normally when I do malware research, I use the electronic equivalent of thick rubber gloves and a bacterial safety screen. No one is pleased when malware stomps all over their system, including me.

Avast didn't pick it up. Not quite trusting one AV, I submitted the result to VirusTotal, and the scan results showed a couple of potential heuristic nasties (the link is to the report). In the meantime, I deleted bush.exe unopened.

And this is where it went wrong.

You see, even deleting a file (or moving it to the Recycle Bin) counts as an access to a file. On access virus scanners open up a packed file (like bush.exe) to see what's inside. This means that code set to execute when the file is opened... does. The next thing I knew, my resident protection for Spybot S&D was going crazy.
By the way, Spybot S&D is freeware. If you don't have it installed, either you didn't know about it (you do now), or you are certifiably crazy. Go install it now, I'll wait.

Spybot reported that three new files had appeared, and were trying to insert themselves into my startup. Those files:

C:\WINDOWS\CYA.EXE
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\LSASS.EXE

They picked C:\WINDOWS because that's the default setting of the %temp% variable in Windows. There are times when UNIX's /tmp folder looks eminently more sensible than using a system executable folder to drop stuff in, and this is indeed one of them.

A popup appeared (in Spanish) asking me to install the latest Flash player. Oops. Clicking "don't install" did not help, and Spybot screamed at me for firing off more instances of the virus. I blacklisted the processes from adding themselves to my startup registry, and spybot went ballistic, warning me that this thing was indeed running rife through my system, trying to infect as much as possible.

So, while spybot was ringing every alarm bell it could find to let me know I had a problem (Houston?) and bringing my machine to a crawl, I fired up Security Task Manager (not free, but useful) and quarantined the nasty processes. I booted from clean, ran a startup AV scan. Everything looked ok.

This took about 2 hours, and the lessons I'd pass on are:

Don't ever download and run an .exe file. My friend didn't even know that I'd received this message from her, as it fires up windows messenger silently (fortunately I have this set to block already).
Run Spybot. Its a line of defence.
If you absolutely must download these things, use a virtual machine (Microsoft's Virtual PC, or VMWare) and examine what's going on under a clean disk image. Then wipe and start afresh. Better not to.
Don't trust processes that "look good". WINLOGON.EXE and LSASS.EXE are both names of system processes, however they normally live in %systemdir% (C:\WINDOWS\SYSTEM32)
I got thwacked in the chops by being too careless, and was lucky. My friend still has this thing running around their machine. Not so good.

So, that was my weekend fun. How was yours?

Fingerprint scan at nursery door

2008-02-24T18:36:00.003Z

The BBC reports that a nursery has installed fingerprint scanning at its entrance to increase the safety of its young pupils.

In an interesting quote, UK Biometrics director Ryan Hole said: "By fitting a biometric access system they now have the one key that cannot be lost, stolen, forged or hacked - the human fingerprint".

Some ways I can think of subverting a biometric access system:

Go in the window
Kick the door in
Lift a fingerprint (needs sellotape, google for it)
Bribe, con or coerce an authorised user. For example, "My finger doesn't work, I need to get my kid to the doctor now!" (Given that there is a Felinfoel pub just up the road, there is good beer available for bribery).
Wear a bandaid, bemoan the office shredder/photocopier/rabid secretary. Repeat the above con.
Tailgate behind an authorised user
Use someone else's authorised finger, having first thoughtfully removed it from their body
Exploit the software. All software has bugs, some bugs are interesting security holes. (attributed to Muffett).
Get a rogue fingerprint on the database.
Grab a kid before (or after they go in the door). Better still, push the parents in the door, and shut it after them, so they have to use the fiddly biometric lock to get out.
Put superglue on the sensor. Wait until lock is removed. Enter.

The point about all of this is that security "point solutions" don't work, neither in the physical world, nor in the exciting online world where all of our bank details slush about. Its essential that all risks are assessed, and solutions combined to make sure you don't just shift a threat from one attack point to the other (for example, no window locks means that the expensive biometric lock will actually remove very little risk).

The other things to think about are that when a failure of the security device occurs (not if), how will the nursery audit who went in and out of the nursery, and when? More importantly, if a "rogue" fingerprint gets into the database, how easy is it to detect and remove? Can I register my index finger under the print for the left little finger of the headmistress?

Most importantly, the risk of biometric systems is that the credentials can be stolen. Fingerprints can be copied, and facsimile "fakers" make that duplicate the print of the target. Now if you find out that stanley's password is "yelnats", he can change it. But how do you change your fingerprint once its been lifted off a glass you drank from?

On Coercive Psychology

2008-02-24T03:17:00.004Z

I encountered someone who was into "The ISA Experience" recently. I was interested, then became aware how one of this person's goals was to recruit me into ISA. I'm not very recruitable.

I found the following article on Coercive Psychology on F.A.C.T.Net, and its worth noting here. Remembering that the weakest link in Information Security is the soft squidgy thing in front of the keyboard, good ISO's should be aware of some of the pressures that can be brought to make people act abnormally.

WARNING: This stuff is nasty. You will win few friends if you deploy this sort of stuff in your daily lives (but it might be fun watching your local church group to see how many of these techniques accidentally get used).

The Definition

Coercion is defined as “1. To force to act or think in a certain manner, 2. To dominate, restrain, or control by force, 3. To bring about by force.”

Coercive psychological systems are behavioral change programs which use psychological force in a coercive way to cause the learning and adoption of an ideology or designated set of beliefs, ideas, attitudes, or behaviors. The essential strategy used by the operators of these programs is to systematically select, sequence and coordinate many different types of coercive influence, anxiety and stress-producing tactics over continuous periods of time.

In such a program the subject is forced to adapt in a series of tiny “invisible” steps. Each tiny step is designed to be sufficiently small so the subjects will not notice the changes in themselves or identify the coercive nature of the processes being used. The subjects of these tactics do not become aware of the hidden organizational purpose of the coercive psychological program until much later, if ever. These tactics are usually applied in a group setting by well intentioned but deceived “friends and allies” of the victim. This keeps the victim from putting up the ego defenses we normally maintain in known adversarial situations.

The coercive psychological influence of these programs aims to overcome the individual’s critical thinking abilities and free will-apart from any appeal to informed judgment. Victims gradually lose their ability to make independent decisions and exercise informed consent. Their critical thinking, defenses, cognitive processes, values, ideas, attitudes, conduct and ability to reason are undermined by a technological process rather than by meaningful free choice, rationality, or the inherent merit or value of the ideas or propositions being presented.

How Do They Work?

The tactics used to create undue psychological and social influence, often by means involving anxiety and stress, fall into seven main categories.

TACTIC 1. Increase suggestibility and “soften up” the individual through specific hypnotic or other suggestibility-increasing techniques such as: Extended audio, visual, verbal, or tactile fixation drills, Excessive exact repetition of routine activities, Sleep restriction, and/or Nutritional restriction.

TACTIC 2. Establish control over the person’s social environment, time and sources of social support by a system of often-excessive rewards and punishments. Social isolation is promoted. Contact with family and friends is abridged, as is contact with persons who do not share group-approved attitudes. Economic and other dependence on the group is fostered.

TACTIC 3. Prohibit disconfirming information and non supporting opinions in group communication. Rules exist about permissible topics to discuss with outsiders. Communication is highly controlled. An “in-group” language is usually constructed.

TACTIC 4. Make the person re-evaluate the most central aspects of his or her experience of self and prior conduct in negative ways. Efforts are designed to destabilize and undermine the subject’s basic consciousness, reality awareness, world view, emotional control and defense mechanisms. The subject is guided to reinterpret his or her life’s history and adopt a new version of causality.

TACTIC 5. Create a sense of powerlessness by subjecting the person to intense and frequent actions and situations which undermine the person’s confidence in himself and his judgment.

TACTIC 6. Create strong aversive emotional arousals in the subject by use of nonphysical punishments such as intense humiliation, loss of privilege, social isolation, social status changes, intense guilt, anxiety, manipulation and other techniques.

TACTIC 7. Intimidate the person with the force of group-sanctioned secular psychological threats. For example, it may be suggested or implied that failure to adopt the approved attitude, belief, or consequent behavior will lead to severe punishment or dire consequences such as physical or mental illness, the reappearance of a prior physical illness, drug dependence, economic collapse, social failure, divorce, disintegration, failure to find a mate, etc.

These tactics of psychological force are applied to such a severe degree that the individual’s capacity to make informed or free choices becomes inhibited. The victims become unable to make the normal, wise or balanced decisions which they most likely or normally would have made, had they not been unknowingly manipulated by these coordinated technical processes. The cumulative effect of these processes can be an even more effective form of undue influence than pain, torture, drugs or the use of physical force and physical and legal threats.

How does Coercive Psychological Persuasion Differ from Other Kinds of Influence?
Coercive psychological systems are distinguished from benign social learning or peaceful persuasion by the specific conditions under which they are conducted. These conditions include the type and number of coercive psychological tactics used, the severity of environmental and interpersonal manipulation, and the amount of psychological force employed to suppress particular unwanted behaviors and to train desired behaviors.
Coercive force is traditionally visualized in physical terms. In this form it is easily definable, clear-cut and unambiguous. Coercive psychological force unfortunately has not been so easy to see and define. The law has been ahead of the physical sciences in that it has allowed that coercion need not involve physicalforce. It has recognized that an individual can be threatened and coerced psychologically by what he or she perceives to be dangerous, not necessarily by that which is dangerous.
Law has recognized that even the threatened action need not be physical. Threats of economic loss, social ostracism and ridicule, among other things, are all recognized by law, in varying contexts, as coercive psychological forces.

Why are Coercive Psychological Systems Harmful?

Coercive psychological systems violate our most fundamental concepts of basic human rights. They violate rights of individuals that are guaranteed by the First Amendment to the United States Constitution and affirmed by many declarations of principle worldwide.
By confusing, intimidating and silencing their victims, those who profit from these systems evade exposure and prosecution for actions recognized as harmful and which are illegal in most countries such as:fraud, false imprisonment, undue influence, involuntary servitude, intentional infliction of emotional distress, outrageous conduct, and other tortious acts.

51 things women wish men knew

2008-02-23T14:47:00.004Z

This is a public service announcement, shortly to be followed by "1056 things men wish women knew... well actually just one or two."

1. When you see a girl with huge knockers, do not go "Damn!" and then laugh appreciatively to yourself - we can hear you.

2. Whenever possible, please say whatever you have to say during commercials.

3. If you don't act like soap-opera guys, don't expect us to dress like Victoria Secret models.

4. Mark anniversaries on a calendar.

5. There is no such thing as too much spooning.

6. Just because you L the C doesn't mean we have to S the D.

7. This is how we see it . . . Don't call = Don't Care.

8. Which also means that if we don't call, take the hint.

9. We like you to be a little jealous . . . but overly possessive is not necessary.

10. Putting things in our butt does not turn us on.

11. Return favors: we massage, you massage; we shave, you shave (and not just your face).

12. Foreplay is not an option . . . its a prerequisite.

13. We're allowed to be late . . . you are not.

14. Eye contact is key.

15. Don't take longer to get ready than we do.

16. Laugh at our jokes.

17. Three words . . . honesty, honesty, honesty.

18. Girls can be groupies. Guy groupies are stalkers.

19. We never have to wonder if your orgasm was real.

20. Do not start with us. You will not win... not kidding .. we ALWAYS win

21. Would you like it if a guy treated your sister that way? We didn't think so.

22. If you ask nicely, we usually answer the same way.

23. We will never have enough clothes or shoes! Ever!

24. We have an excuse to act bitchy at least once a month. Come on guys...most of you have more PMS then us girls..

25. Open the door for us no matter where we are . . . even at our house and getting into the car. I know it seems like a lot but is it that hard?

26. We love surprises!

27. We liked to be kissed softly, not with an iron tongue.

28.Pay attention to the little things we do, because they mean the most.

29. Boxers and maybe boxer briefs sometiems . . . NEVER whitey-tighties, NEVER!

30. Clean your room before we come over.

31. Always brush your teeth before you see us . . . a fresh mouth and white teeth are a necessity plus we do the same for you.

32. When we use our teeth it means that you suck at going down on us, so we are just returning the favor.

33. Even though you are sometimes insensitive and hurt us, we still love you with everything we are.

34. Sometimes even when you think we hate you, we don't, we just want you to apologize so we can be allowed to love you again

35. Don't act hard around your friends because I won't make you hard tonight. AKA don't be an ass

36. Sometimes "NO!" really means "NO!"

37. "Wife Beaters" are not an adequate form of fashion.

38. If we wanted to be on video tape, we'd be a porn star not your girlfriend.

39. Sensitive guys are great . . . but crying more than we do in a movie just isn't right.

40. Don't let ex-girlfriends cause drama, relationships are stressful enough!!!!!

41. It takes a special kind of stupid to forget birthdays.

42. Guys who are good cuddlers = guys who know how to satisfy a woman.

43. "Fat Chicks" have feelings too--all chicks have feelings.

44. Silent treatment + shoulder shrugs + tears + yelling + nasty looks = YOU DID SOMETHING WRONG!

45. If you are not a good dancer, please be self-aware.

46. Just because a girl doesn't pick up on the first ring doesn't mean she's not waiting by the phone.

47. You don't have to spend a lot, if it means a lot.

48. Don't say you love me if you don't mean it.

49. Don't lie to us . . . we will catch you...eventually we always catch you.

50. When the girls get together, we talk about EVERYTHING. Meaning my best friends know everything about you.

51. Don't Make Promises You Can't Keep

So, how many of those things were actually a surprise, gentlemen?