May 9, 2013

drumsnwhistles:

Screencaps of info relating to UniteBlue hosting. @TrinaCuppett @OmegleWarden @GlobalRevOrg @DkChoco

It’s important to understand what Robtex output is and isn’t. It’s lightly sifted and robotically explained data, it is not the product of informed analysis: not “information.” It is also inherently incomplete in important ways. Using Robtex as a source of initial clues is fine, but it is rarely going to be able to provide all the data needed for a serious investigation of the relationships between online entities. Perfectly legitimate and common relationships can be totally invisible to Robtex without anyone making any effort to obfuscate them or even any errors of any sort.

So, who hosts UniteBlue?

The name “uniteblue.com” resolves to the IP address 69.174.246.134. 69.174.246.134 is an IP routed to the Peer1 San Antonio data center. It is in an address block whose registration carries Peer1’s “ServerBeach” brand and a San Antonio address, implying that it is used for their retail/commodity hosting there. There is one “reverse DNS” record (i.e. PTR type, mapping IP -> name) for that IP, pointing to atk.financialonline.com.br. However, atk.financialonline.com.br actually resolves to a different IP address (64.34.169.186) which is also on a Peer1 network, also registered as ServerBeach, but apparently in Herndon, VA. The Herndon IP has a reverse record pointing to the name va.financialonline.com.br, which thankfully has symmetric resolution back to the same IP. Both of the *.br names seem to be functional as both http and https server names, but their server roots all redirect to URLs that kick back 403 and 404 pages (access denied/not found) depending on the name and protocol. If those are operational websites, they are clearly not intended for public use. Interesting as well is that when HTTPS is used, both present a certificate issued to *.financialonline.com.br, so it is very likely that the forward DNS is legitimate.
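The “symmetric resolution” check the paragraph above walks through by hand is what mail and abuse folks call forward-confirmed reverse DNS: take the PTR name for an IP, resolve it forward, and see whether the original IP comes back. The script below is an added example (not from the original post) that automates that check. The record tables are a constructed snapshot of the relationships the post describes, frozen so the example runs offline; the `live_ptr` and `live_a` adapters are the only assumption beyond the post and simply wrap the system resolver for anyone who wants to run it against current DNS, where the answers will differ.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]

# Constructed snapshot of the records the post describes (assumed values,
# frozen here so the example runs offline; live answers change over time).
PTR_TABLE: Dict[str, List[str]] = {
    "69.174.246.134": ["atk.financialonline.com.br"],  # stale PTR per the post
    "64.34.169.186": ["va.financialonline.com.br"],    # symmetric PTR per the post
}
A_TABLE: Dict[str, List[str]] = {
    "uniteblue.com": ["69.174.246.134"],
    "atk.financialonline.com.br": ["64.34.169.186"],
    "va.financialonline.com.br": ["64.34.169.186"],
}


def table_ptr(ip: str) -> List[str]:
    """Offline PTR lookup against the constructed snapshot."""
    return PTR_TABLE.get(ip, [])


def table_a(name: str) -> List[str]:
    """Offline A lookup against the constructed snapshot."""
    return A_TABLE.get(name, [])


def live_ptr(ip: str) -> List[str]:
    """Assumed live adapter: PTR lookup through the system resolver."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:
        return []


def live_a(name: str) -> List[str]:
    """Assumed live adapter: A lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def reverse_name(ip: str) -> str:
    """Owner name a resolver actually queries for the PTR (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str, lookup_ptr: Lookup = table_ptr, lookup_a: Lookup = table_a) -> dict:
    """Forward-confirmed reverse DNS: for each PTR name of ip, does the name
    resolve back to ip? Names that do not are reported with what they do
    resolve to, which is the 'stale PTR' situation the post describes."""
    names = lookup_ptr(ip)
    report = {
        "ip": ip,
        "query": reverse_name(ip),
        "ptr": names,
        "confirmed": [],
        "unconfirmed": {},
    }
    for name in names:
        forward = lookup_a(name)
        if ip in forward:
            report["confirmed"].append(name)
        else:
            report["unconfirmed"][name] = forward
    return report


if __name__ == "__main__":
    for ip in ("69.174.246.134", "64.34.169.186"):
        r = fcrdns(ip)
        print(f"{r['query']} -> {r['ptr']}")
        print(f"  confirmed:   {r['confirmed']}")
        print(f"  unconfirmed: {r['unconfirmed']}")
```

Run against the snapshot, the San Antonio IP shows one PTR name that resolves elsewhere (unconfirmed), while the Herndon IP shows its PTR name confirmed. Passing `lookup_ptr=live_ptr, lookup_a=live_a` swaps in real lookups; an unconfirmed PTR on its own says only that the reverse zone is out of date, nothing about who is related to whom.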

So, what to make of this?

Not much. UniteBlue uses commodity hosting. Unshocking. I have my criticisms of commodity hosting and specifically of ServerBeach, but I’m biased: my current gig is a company that provides *custom* hosting and I’ve spent a couple of decades in the trenches of network abuse response. Peer1 & ServerBeach have a special cage in my menagerie of scorn, but the explanation of that would be a long geeky screed that would lose all readers and say almost nothing about this case. The only useful bit: I am not in the slightest way surprised that Peer1 has a single PTR record pointing to a stale customer name for an IP that they use for a commodity shared hosting machine.

So, is UniteBlue connected to arms merchant ATK?

I would see absolutely no basis for that question, were it not for an unfortunate tweet by Karoli that got some attention. I can see no evidence that ATK (a.k.a. Alliant Techsystems) is connected to the name atk.financialonline.com.br by anything other than the ‘atk’ hostname and that’s a weaker than weak coincidence. Just as ATK is a brand name of Alliant and ServerBeach is a brand of Peer1, the English word “Financial” and the associated financialonline.com.br domain are a brand of Atatika, a Brazilian financial software company. It seems more likely that ‘atk’ is an abbreviation for the company name or some component of their software rather than a reference to a US defense contractor. The DNS serial number for financialonline.com.br implies that it has not changed since 2009, so even if the name was at some time intended to indicate an Alliant (ATK) connection, the name has not resolved to the IP address hosting UniteBlue since long before UniteBlue existed. Peer1 has an obviously stale PTR record for an IP address that they are now using to host an unknown number of websites, one of which is UniteBlue but none of which are the site that once used the name atk.financialonline.com.br. In short: making a connection from UniteBlue to ATK relies on imputing random significance to a random coincidence in a DNS record that is at least incorrect and seems at best to be stale by 4 years if in fact it was ever correct.

August 9, 2012
Another Stab At The Apple & Amazon Pwning

Inspired by: Secret Security Questions Are a Joke - Slashdot

So-called “Security Questions” have been spreading in use as a mechanism for password recovery, but anyone who knows anything about computer security knows that they are not about securing anything, they are about loosening security.

That’s not altogether bad. The flipside of strong authentication is that it is easy for users to lose the ability to authenticate themselves. Passwords are forgotten, certificates are deleted, temporal PIN gadgets are lost or destroyed, etc. Having a way to reset the primary authentication mechanism helps mitigate that risk. However, the “security question” mechanisms in broad use are mostly far too loose because they draw on a common universe of research-vulnerable questions (e.g. “Mother’s maiden name”) and in many cases (as with Apple and Amazon) are mediated by humans whose jobs are mostly not focused on security, but rather on low-skill customer support for which their employers pay very little. It is not rational to expect that those workers will follow a rigorous security policy that requires them to take time and risk disappointing customers. No amount of security policy rigor can address the problem that security policy is routinely ignored.

It appears that the case of Mat Honan hinged on absurdly weak security question policy at Amazon and a failure at Apple to follow policy in regards to security questions. The best fix isn’t to tighten and try to enforce policy, it is to change the nature of the process. Authentication recovery mechanisms need to meet 2 simple criteria:

  1. The secondary authentication information must be truly secret, known only to the user and the provider.
  2. There must be no way for a special pleading to override the formal mechanism short of persuading the people who defined the mechanism that it should be bypassed.

This means that sometimes users will lose access to their accounts because they can no longer provide either the primary or secondary authentication factors. It may mean that sometimes real security professionals will have to listen critically to the sob stories of careless users. 

For the real world where that sort of change isn’t going to happen in most cases at any point in the near future, smart users must adapt to the fact that most service providers have de facto lax security. I included some user-relevant lessons in my last post but here are a few more concrete ways to stay safe:

  • When offered a choice, pick security questions with non-researchable answers. If your spouse or sibling could answer the question, it’s a bad one. If a Facebook “friend” could answer it, it’s worthless. 
  • Answer bad security questions with memorable and unique lies. For example, you might tell Apple that your mother’s maiden name is Wozniak or that you graduated from Cupertino High School, while telling Amazon that she was born a Bezos and you went to Seattle Country Day School (dunno if that even exists…)
  • Use an email service that provides a way to invent working unique addresses on the fly so that you can give a unique email address to everyone who asks for one. This is easier than you may think, since GMail supports “+” tagging and arbitrary insertion of periods in addresses.
  • Don’t let anyone store a credit card number in their system that can be used by any other vendor. I said this in my prior post but it is worth repeating.
  • Shun providers who behave badly. For example, some time ago a provider who shall remain nameless (as they may have changed) tried to “canonicalize” addresses I gave them by doing transformations on parts that might have been tags and trying to send mail to the modified addresses. Because I use my own complex and obscure mechanism for unique addresses this only meant that they bounced a few messages off my mail server, but the result was that I deleted my account and blocked all of their mail on my mail server.
  • Avoid the temptation of making any online identity a “hub” for everything you do online. Especially avoid this with free accounts (e.g. Google, Facebook, Twitter, Yahoo, etc.) because ultimately those are provided and governed at the whim of the provider. Apple accounts are slightly better because their email accounts are associated with you being a paying customer, but they also can have such serious powers (e.g. remote wipe) that it is unwise to have them hooked to anything else (like a GMail account) that might turn out to be part of an attack surface.
  • Be as autonomous as you can be. Having your own domain name is a start, but it’s just the prerequisite for a stack of DIY online services that you may or may not be up to handling on your own. At a minimum, having your own domain can be the basis for varying degrees of control over your email addresses that you really cannot have if you stick to using addresses in domains that you do not own. 

August 7, 2012
The Lessons of Mat Honan’s Very Bad Weekend Are Not Really New

The story is here: How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

This is only news because it happened to a writer for Wired. The “hack” didn’t expose any previously unknown vulnerabilities, the children doing it didn’t demonstrate any significant technical skill or use any sophisticated tools, it was essentially just a case of random vandals digging around online where they could dig easily and telling a few lies to “customer support” staff whose work can never be worth much more than the sub-median 3rd-world wages they are paid.

I’m NOT picking on Mat Honan here. It’s pretty clear that he’s a gadget guy not a security expert and as a journalist I’m sure he gets more and slicker pitches from hucksters who find security a nuisance than from security experts. Real computer security isn’t cool. It isn’t fun. It isn’t in any sense spiffy. If you think it is, you’re a geek. I do not say that as an insult, just to note that we are not normal. I have given up scolding normal people for not being security geeks. It’s pretty well proven that a lot of generally normal people love gadgetry but have no affinity for system security. Mat Honan wasn’t particularly careless or clueless, he just had never absorbed some clues that those of us who work in security have sadly stopped talking about much. Clues that are among the least cool, fun, or in any way spiffy lessons of computer security:

  • Any secret which you share with someone else so that they can authenticate your identity later is a password. That includes things that are not very secret (e.g. “mother’s maiden name”) that can be used to recover or reset “the” password. This means that “security question” access recovery mechanisms are de facto security-weakening tools.
  • Don’t use the same password for different accounts. This is a hard one, since it really is not practical to use a completely different password for every account without using a keyring tool, which ultimately is one password for everything. However, a secure keyring is MUCH better than using just one password everywhere or keeping all of your passwords in a plaintext note in some “cloud” service.
  • Don’t give anyone an unrestricted credit card number or bank account number to store for easy reuse. Yes, I know Amazon, PayPal, Apple, and others all really want this. They are stupid and effectively evil. Really. It’s not in a bad way; they don’t intend to be stupid or evil. That doesn’t make it much better. If you can’t resist easy one-click purchasing, get a Discover or other card that provides single-vendor numbers, so that you can’t break the previous rule with a card number. After all, a credit card number is a password to your money and Mat Honan’s example shows that even a part of a number can become part of a de facto alternative password to your account. The same card number linked to many accounts becomes a common and very weak password to them all and to your money.
  • An authentication system that has a fallback system that lets you recover from a lost or forgotten password is less secure than one which does not.
  • If it can be, human judgment almost always will be the weakest link in any security system. It takes an unusually weak assembly of mechanical security mechanisms to out-fail a person who has the power to circumvent it. If an authentication system includes the ability to call a human and beg for access, that will be the easiest way to break it.
  • Security and convenience are directly and intrinsically opposed to each other. Secure systems are not cumbersome and easy-to-use systems are not insecure as a result of poor design, but by necessity.
  • Using email addresses as unique identifiers for people is irresistible, so they become (sigh) a sort of secondary password. If you use one email address for everything, see the second clue…
  • Incumbent technical constraints are often not seen as part of security but may in fact be critical tacit assumptions for the security of systems that are perfectly functional — but are made insecure — with those constraints removed. Parables of this include WEP, the silly kerfuffle created by Steve Gibson over “raw socket” support in Windows, and a long parade of schemes to stop spam based on assumptions that spammers wouldn’t do things that they so far hadn’t done which basically only demanded audacity and motivation.
  • Email isn’t secure. It can be in specific cases and could be in general with existing tools, but in the real world as it is today the main protection most people have against undetected interception of their email in transit is the fact that there’s so much email in transit all the time and so much of it is pure worthless garbage. The “needle in a haystack” analogy applies, but a better one would be “corn kernels in the sewer.”
  • Backup is a critical security component because information loss is much more common than and usually worse than information leakage.
  • There are many degrees of security and many degrees of attacker. If you allow yourself to be “low-hanging fruit” you will be vulnerable to low-effort attacks from a huge population of weakly motivated opportunists. The other side of this is that very small improvements in how you maintain your own security can raise your vulnerability above where most random vandals will bother.

These boring old truths have implications for “Cloud” services that sell themselves as hubs for a digital life enabled by frictionless sharing and synchronization and yadda yadda yadda. Mat Honan did things that those of us who are Security Geeks have given up warning against. Those warnings make people who wear ties and sign paychecks doze off and wake up grumpy. We’ve spent the past decade or so biting our tongues and taking paychecks and hoping that it would all work out, but it hasn’t. It never will, because it fundamentally can’t. Systems and applications that are most appealing when used in fundamentally insecure ways cannot be made secure. Systems and applications whose security is dependent on end users practicing good security hygiene will not be secure. Systems and applications whose provider-side security is dependent on adherence to policy rather than operation of tools will always be crackable by social engineering.

None of this is news. Back when the press made a big deal of Kevin Mitnick as a great “hacker” it was known by many people who wore that label proudly with no connotation of criminality that he was in fact just a very good con man with unremarkable technical tools and skills. We have had standards, tools, and tested best practices for online security since before most people had heard of the Internet, but still most service providers don’t bother with them. There is a geek subculture where good security hygiene is the norm and then there’s the world at large where many people use one email address and one password and let all of their accounts everywhere interact freely with each other to the extent that losing one to a random script kiddie essentially means losing them all. People who don’t understand that they have to deal with inconvenience as a price of security and that they can’t rely on providers who promote convenience to maintain security will always be the easiest prey for the largest field of predators.


April 24, 2012
Sophos fires up the FUD machine.

A slightly worse version is “awaiting moderation” as a comment on the Sophos blog: 1 in 5 Macs has malware on it. Does yours? | Naked Security

It is irresponsible fear-mongering to claim that the widespread presence of Windows malware on Macs is in states that “can still be spread to others” without backing that claim up in detail.

The top two families you cite are carried in email, and are readily identified as “spam” by eye or by low-end spam filters like those used in Mail.app or by most consumer mail providers. It certainly is possible to forward email, but forwarding infective spam is an unusual act. Some of the others are things I would expect to find in the browser caches of reckless wanderers, but they are hardly an infective threat to anyone from that position.

The comparison to Chlamydia is worse than tacky, it is outright deception. Chlamydia is frequently asymptomatic in the short term but it is living and causes problems in the long run. Chlamydia is not less transmissible by people who have no acute symptoms. For malware that requires Windows to run and propagate, presence on a Mac is not a quiet infection, it is (at worst) non-destructive storage. In some cases storage itself renders the malware inert over time because the attack vector itself is dependent on finding control systems online that don’t live in any one place forever.

One of the reasons Mac users have been reluctant to adopt AV software is that it is perceived as bloatware that does nothing of direct value for a Mac user. Is it worth the AV overhead for the average Mac user to know when he has surfed past a page that has IE-specific evil JavaScript in it or when the latest blatant phish in his Junk folder is recognized specifically as containing a Windows attack vector? Not really. Flashback and PubSab change that analysis significantly, but not enough for a lot of Mac users. Maybe if the major AV vendors could claim to have prevented infections before Apple’s sluggish fix for the Java hole they would be more convincing.

I am not saying that all Mac users who choose to run bareback are behaving wisely, whether or not they rationalize that decision based on the de facto Windows focus of all AV software. However, it would be a lot easier to persuade Mac users who DO rationalize their recklessness if there was a lightweight Mac AV tool that didn’t spend most of its time worrying about Windows malware.

It would also help if AV vendors stopped spewing blatant bullshit in an effort to scare Mac users into buying their tools. The simple truth really ought to be adequate without dressing it up in nonsense. 

I should add that while I have copies of some free versions of commercial Mac AV software and have a clamav installation whose database is updated automatically, I run bareback. Clamav only scans things when I manually ask it to, I have not installed any of the commercial packages, and I have no intention of making anything act as automatic protection for me. That’s not because I think the cost/benefit analysis is generally correct, but because:

  1. I work in security and so occasionally have a need to work with blobs of data that are or may be malware.
  2. I have a huge junk email archive that I access via IMAP using multiple MUAs and can’t be bothered to exempt all of their local stores just to please some aggressive AV.
  3. Under normal conditions I practice meticulous computer and network hygiene. This may not provide perfect protection, but it has held for a long time. Someday a trojan may fool me, but none has yet…

I do think that it is time for Mac users to accept the end of the era of general Mac safety. It was always a bit more myth than reality, but one that has held up over the years in part because of the FUD that has periodically spurted out of AV vendors to meet rapid debunkery. Mac users have had an arguably rational skepticism protecting our myth. I wish that now that the AV vendors have a real wolf to be telling us about, they’d stop turning it into a ravening horde of Wargs. 


January 3, 2012
"Aftermath" is harmful television

I surfed across National Geographic Channel recently as part of a struggle to think about something other than an annoying cloud orchestration problem, and encountered a marathon of “Aftermath.” This series is thankfully just 4 1-hour episodes to date, with each one devoted to dramatic and CGI-heavy tellings of the hypothetical follow-on effects of various catastrophic events.

The problem with Aftermath is that it seems to be produced with the same attention to actual science as is given to the average SyFy Original Movie (e.g. “MegaFault,” “Polar Storm,” or “Sharktopus.”) Rather than looking at the aftermath of events on the edge of possibility or slow-moving events that are poorly understood, they create absurd scenarios and then hypothesize wildly about the results, unbound by reason or science because they’ve already tossed out such limitations in the premise. For example, one episode postulates the rapid deceleration of the Earth’s spin without offering any particular mechanism for it. Any student of Astronomy understands that the Earth IS slowing, albeit very gradually, due to tidal friction from the Moon and Sun. That process is not subject to random speed-up, so it does not much lend itself to disaster-movie graphics. However, hand-waving about stresses between the layers of the planet slowing at different rates gave them a great excuse to show a map of the US shattered by glowing rifts and have a newsy voice speak of volcanic activity in the Midwest. Capping it off, they apparently found the real prevailing wind results of the Coriolis Effect too complex and confusing to present or to justify their preferred graphics, so they simply lied about it in both words and pictures, showing and stating that northern hemisphere Westerlies were matched by symmetric southern hemisphere Easterlies. I’m guessing that they have no plans to show that episode in southern hemisphere countries.

This sort of counterfactual buffoonery is to be expected in the Saturday night crapfest on SyFy. No one in their right mind expects adherence to fact from the channel that brings us Ghost Hunters and Sanctuary. Aftermath is harmful TV because it is flashy bullshit being produced and broadcast under the brand of National Geographic as if it is science programming. It also takes up general concepts that deserve serious treatment (i.e. fossil fuel depletion, climate change, overpopulation) and gives them absurd treatments deserving of ridicule instead. It is a shame. 
