Posts Tagged ‘analysis’
Hacking Sony for Fun and Profit (And Let’s Nail Your Company Too)
It’s been a really rough time for Sony. I have a hunch that in the past month “Sony CTO” has leapt past toilet cleaner on the list of least desirable jobs. Last month there was the massive Sony PlayStation/Qriocity breach that leaked more data than a Wall Street ticker leaks stock prices. Then a Sony subsidiary in Japan called So-Net was hacked. Next comes word from Naked Security that Sony BMG in Greece has been hacked. Are all of these unrelated? Is there cause for you to be concerned?
If you are responsible for security at a significantly sized company and haven’t forced a companywide password change since the PlayStation breach you probably better go sit down on the toilet before you read the rest of this.
I don’t know whether the So-Net and BMG hacks were directly related to the PlayStation hack, but I can tell you that many people use the same password on multiple web sites. That means that if I have the stolen data from the PlayStation breach, I can start mining it for corporate access. Do you think some employees of So-Net and BMG might also happen to use PlayStation? Their email addresses might also reveal where they work. If you want to play the ponies, bet on “same password, different account”. So if a user’s email address was @sony.com, or any other Sony property, anyone with the stolen data has a great starting point for obtaining authenticated corporate access. I certainly hope that EVERY employee of Sony and its subsidiaries has been forced to change their password recently!
Now the bad news for the rest of us: if a user’s email address was @eset.com, an attacker can try to access the ESET network and hope that the password in the database is the same. I hope our employees know better, but knowing better has never stopped anyone from making this mistake. If any of your users registered with Sony using their company email address, you are probably at risk as well. Even if they didn’t use their work address, if their Facebook profile or other web-facing information makes it easy to identify where they work, the risk is elevated.
There was a lot more of value in the breached data than access to PlayStation and Qriocity accounts: wherever users chose the same password everywhere, it also gave access to their email accounts, social networking accounts and corporate accounts.
If you are responsible for IT at your company and haven’t forced a password change since the PlayStation breach, as soon as you are done on the toilet, you might want to make a mandatory password change your next item of business.
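The mining this post describes, as an added example that is not part of the original post: a script that pulls the corporate-domain entries out of a leaked credential dump and checks each leaked password against the corporate directory’s stored hash, so the identity team knows which accounts provably reused the password and must be reset first. Everything in it is constructed: the dump lines, the directory, the domain list, and the assumption that the directory stores salted PBKDF2-SHA256 hashes.

```python
"""Mine a leaked credential dump for corporate addresses and test whether the
leaked password is the one the corporate directory holds. Added example, not
from the original post: the dump, the directory and the domain list are
constructed, and the directory is assumed to store salted PBKDF2-SHA256 hashes."""
import hashlib
import hmac
import os

# Assumption: the domains this company and its subsidiaries use for e-mail.
CORPORATE_DOMAINS = {"example.com", "subsidiary.example"}

# Constructed stand-in for a leaked "email:password" dump (real dumps are
# messier; malformed lines are skipped rather than trusted).
BREACH_DUMP = """\
gamer1@mail.example:letmein
Alice@Example.com:Winter2011!
bob@subsidiary.example:correct horse battery staple
mallory@example.com:not-her-work-password
carol@example.com
"""


def pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """How the (assumed) corporate store keeps a password: random salt + PBKDF2 hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": pbkdf2(password, salt)}


# Constructed corporate directory. Alice reused her gaming password at work,
# Bob did not, and Mallory has no corporate account any more.
CORPORATE_DIRECTORY = {
    "alice@example.com": make_record("Winter2011!"),
    "bob@subsidiary.example": make_record("a-different-password"),
}


def parse_dump(text: str):
    """Yield (email, password) pairs; addresses are normalised to lower case."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue  # malformed line: no password field, or not an address
        yield email.strip().lower(), password


def corporate_hits(text: str, domains: set) -> list:
    """Dump entries whose address belongs to one of our domains."""
    return [(e, p) for e, p in parse_dump(text) if e.rsplit("@", 1)[1] in domains]


def password_reused(email: str, leaked_password: str, directory: dict) -> bool:
    """True when the leaked password verifies against the stored corporate hash."""
    rec = directory.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(pbkdf2(leaked_password, rec["salt"]), rec["hash"])


def reset_plan(text: str, domains: set, directory: dict) -> dict:
    """Split corporate hits into accounts that provably reused the password
    (force a reset now) and the rest (warn, and reset at next login)."""
    plan = {"force_reset": [], "notify": []}
    for email, leaked in corporate_hits(text, domains):
        if password_reused(email, leaked, directory):
            plan["force_reset"].append(email)
        else:
            plan["notify"].append(email)
    return plan


if __name__ == "__main__":
    for bucket, accounts in reset_plan(BREACH_DUMP, CORPORATE_DOMAINS, CORPORATE_DIRECTORY).items():
        print(bucket, accounts)
```

Two caveats. The verification step runs leaked passwords through your own password store, so it belongs to the identity team under the same controls as that store, not on an analyst’s laptop. And the script only tells you whom to chase first: the company-wide reset the post recommends is the safe default whether or not any of these checks come back positive, because a dump with a corporate address in it is evidence enough that the account is a target.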
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Will the Comcast “Constant Guard™ Security Service” Work?
I received an email from Comcast (my ISP) announcing their “Constant Guard™ Security Service”. Basically, if Comcast thinks a customer is infected with a bot they will email the customer and offer to help clean up the computer. The Constant Guard service claims to do a lot more too, but Comcast is quite ambiguous about parts of it.
The email Comcast sent to their customers starts with
“Dear Valued Customer,
We know that protecting your identity and using the internet safely are both very important concerns for you.”
Later in the email it says
“Ensuring your online safety and security is our top priority”
Really? Their top priority? Then why does Comcast advise customers to set up Outlook in a manner that transmits their username and password in plain text? This is especially dangerous when the customer is on unsecured Wi-Fi. Why does Comcast not even warn customers of that danger in its instructions for setting up email clients to access Comcast email?
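What “transmit their username and password in plain text” looks like on the wire, as an added example that is not from the original post or from Comcast: a detector run over a few constructed client-to-server lines of the kind a sniffer on open Wi-Fi would capture from a mail client set up without TLS. The ports, addresses and passwords are made up, and the client-settings check at the end assumes the port-and-encryption shape a setup guide would list; the AUTH PLAIN decoding shows why base64 is not encryption.

```python
"""Spot mail-client logins that cross the wire in the clear. Added example, not
from the original post: the "captured" client lines below are constructed to
look like what a sniffer on an open Wi-Fi network would see from a client set
up for POP3/IMAP/SMTP submission without TLS; ports are assumed."""
import base64
import re
from dataclasses import dataclass

# Constructed capture: (server port, one client->server line). Only the last
# two entries come from connections that protect the login.
SAMPLE_CAPTURE = [
    (110, "USER alice@example.net"),
    (110, "PASS hunter2"),
    (143, 'a001 LOGIN bob@example.net "Passw0rd!"'),
    (587, "AUTH PLAIN " + base64.b64encode(b"\0carol@example.net\0s3cret").decode("ascii")),
    (143, "a002 STARTTLS"),       # a client that upgrades first; what follows is encrypted
    (993, "\x16\x03\x01 ..."),    # IMAPS: TLS record bytes, nothing readable
]

POP3_USER = re.compile(r"^USER\s+(\S+)\s*$", re.I)
POP3_PASS = re.compile(r"^PASS\s+(.+?)\s*$", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+(\S+)\s+"?([^"]+)"?\s*$', re.I)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+(\S+)\s*$", re.I)


@dataclass
class Finding:
    port: int
    protocol: str
    username: str
    password: str


def find_cleartext_logins(capture) -> list:
    """Walk client lines and pull out every credential sent unencrypted."""
    findings = []
    pending_pop3_user = None  # POP3 sends USER and PASS as two separate commands
    for port, line in capture:
        if m := POP3_USER.match(line):
            pending_pop3_user = m.group(1)
        elif (m := POP3_PASS.match(line)) and pending_pop3_user:
            findings.append(Finding(port, "POP3", pending_pop3_user, m.group(1)))
            pending_pop3_user = None
        elif m := IMAP_LOGIN.match(line):
            findings.append(Finding(port, "IMAP", m.group(1), m.group(2)))
        elif m := SMTP_AUTH_PLAIN.match(line):
            # AUTH PLAIN is base64, not encryption: it decodes to "\0user\0password".
            try:
                parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
                if len(parts) == 3:
                    findings.append(Finding(port, "SMTP", parts[1].decode("utf-8"), parts[2].decode("utf-8")))
            except ValueError:
                continue  # not valid base64 / not UTF-8: not a login we can read
    return findings


def login_is_sent_in_the_clear(port: int, encryption: str) -> bool:
    """Assumed shape of a client account setting (port + encryption choice):
    True when the login is sent before any TLS protects it."""
    protected = {"SSL", "TLS", "SSL/TLS", "STARTTLS"}
    return encryption.strip().upper() not in protected and port in {25, 110, 143, 587}


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"{f.protocol} on port {f.port}: {f.username} / {f.password}")
```

The fix on the client side is the setting the guide should have told customers to pick: POP3 over SSL/TLS on 995, IMAP over SSL/TLS on 993, or STARTTLS on 110/143/587 before the login command. A STARTTLS client can still be downgraded by an attacker who strips the capability advertisement, so an implicit-TLS port is the safer choice when the provider offers one.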
Comcast’s neglect of the most basic security and privacy issues does not bode well for its “Constant Guard™ Security Service”. In practice Comcast gives security and identity protection a very low priority.
One of the claims that Comcast makes of their Constant Guard™ Protection Suite is that it “Conceals what you type online to protect your personal information”. Unfortunately Comcast does not explain what data is protected or how it is protected. An email to Comcast asking for clarification of this was replied to with highly non-specific marketing hype.
Given Comcast’s history of willful neglect of basic security, I believe their Constant Guard Security Service is more marketing hype than security.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
ESET Version 5 Beta is here!
For those of you who have just been itching to test drive the beta of ESET Smart Security version 5 or ESET NOD32 version 5 the beta is now available. Just head over to www.eset.com/beta and I am sure you can find it.
As always, remember that this is beta code and use on production systems is not recommended. Back up everything that is important to you. While we don’t expect any serious problems, regular backups are a good thing regardless of whether or not you are using beta software.
Finally, be sure to use the feedback link on the same page where you download the beta for any bug reports or feedback. We do not take bug reports or feedback for beta testing in the blog.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Osama Bin Laden Video Malware
The bad guys know you far too well. They know that all they have to do is claim to have video footage of Bin Laden and many people will click without thinking. As with any big news headline, fake videos are being posted with the intent of infecting your computer and delivering other things you really aren’t looking for. The bad guys also understand search engine optimization (SEO) and know how to make their malicious sites show up early in the search results.
Always stick with well known sites for your news information. You can go to sites you haven’t heard of before, as long as they are coming recommended by friends and you know that your friend actually did recommend them. That means a simple email, IM or Facebook post doesn’t cut it… you don’t know if your friend’s account was compromised. You need to have a dialog with your friend.
The truth is that no matter what you are looking for, the bad guys are trying to make sure you find their sites. But when it comes to natural disasters, such as the recent tornadoes in the south of the USA or the earthquake and tsunami in Japan, or to celebrity news such as Charlie Sheen, the bad guys go into overdrive trying to trick you into visiting their web pages.
Look carefully at your search results and stick to well known sites. YouTube does not count as a well known site because they have virtually no control over what gets posted, hence it is a common place for the bad guys to post videos. The folks at YouTube are quite good at removing the bad posts, but it takes time.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
ESET Mobile Security Beta for Android is Here!
As I have blogged about the Android platform, a recurring comment has been “When will ESET have protection for my Android?” Well, I still don’t know when it will be available for sale, but for those who understand the risks involved with running beta software, have backed up all of the data on their Android devices and want to give it a spin, you can download the beta at http://www.eset.com/us/beta/mobile-security-for-android. Also at that site is a link to provide feedback and bug reports!
By the way, for those of you like me who have a CDMA device (Verizon, Sprint, etc.) the SIM features do not work exactly right yet.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Sony PlayStation Network and Qriocity Services Hacked – 77 Million Accounts at Risk
Not one to let Epsilon or Oak Ridge National Laboratories hog the media spotlight, Sony, a seasoned expert at security blunders such as the famous Sony rootkit, has taken the spotlight for one of the biggest security breaches of all time. Hackers were able to access Sony’s network and according to Sony http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/ the information compromised includes “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.”
Given the number of users who use the same password for multiple sites, I would expect a ton of accounts to be compromised. This will go far beyond PlayStation: email and social networking accounts are likely to be compromised, and even bank accounts as well.
If you have a Sony PlayStation Network/Qriocity account you need to assume that all of the data mentioned is in the hands of the bad guys. If you use the same security questions and answers at other web sites, you need to change the answers. Take a look at http://blog.eset.com/2009/05/04/honesty-is-not-the-best-policy-for-password-resets for pointers. If you use the same password on other sites that you used on the Sony site, you need to change those passwords. Of course you will need to change your Sony password when the PlayStation Network site comes back online.
Sony has additional recommendations at http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/. One recommendation that has merit is for US residents to have the major credit reporting agencies place fraud alerts on their files. Sony notes that this makes it difficult for criminals to open credit in your name, but it may also make it a bit more of a hassle for you to open new lines of credit.
I am struck by the contrast between this incident where Sony is warning people that there is a problem and the Sony rootkit fiasco where Thomas Hesse, President, Sony BMG Global Digital Business, said “Most people, I think, don't even know what a Rootkit is, so why should they care about it?” Perhaps Sony knows that most people do know what identity theft and fraud are.
If you are a security expert looking for a job, I would keep my eyes on the Sony website as clearly they have significant need for experts who understand defense in depth. Knowledge of encryption and multi-factor authentication systems will probably be desired as well.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Do You Like My Body?
The subject lines of our blog posts may, or may not be appealing to you, but we hope you’ll enjoy the body of our posts, and if you do, there is now a “Like” button down at the bottom of the page for each blog post.
For those of you using NoScript, you’ll need to allow (or temporarily allow) facebook.net or you won’t see the button.
Why a “Like” button but no “Dislike” button? Well, “Liking” a post is like tipping the messenger, but disliking a post is like shooting the messenger, and that just isn’t cool.
If you really want to express your disapproval, you can always leave a comment. And if you use NoScript and don’t want to allow facebook.net, we’re security folks, we understand… you can still do things the old-fashioned way and leave a comment too!
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Facebook Parenting Skills
Many parents are rightfully concerned about their kids’ participation in social networks. There are a number of areas to be concerned with. Who are the kids talking to? Is there a pedophile stalking them? Parents might worry about the friends their kids are making online and what kind of people, even of their kids’ own age, they are associating with. Some parents will be concerned about how much time their kids are spending online versus out in the sun, developing interpersonal skills in person. There are resources available to help parents learn how to be more effective in guiding their children’s use of social networking sites; however, these are not the parenting skills I am talking about.
I have a friend who is meticulous about having as small an internet footprint as possible. My friend is 23 years old and is not in the computer security field. My friend is a regular person who happens to value her privacy more than most people her age and wants to control what information about her is public and what is not. My friend is a private person who shares what she wishes to share with the people she wishes to share it with. Respecting her privacy, I will not share her name.
In today’s world, many parents are not affording their children the choice that my friend and millions of other people have. Many parents are posting a lot of information about their children, in some cases on almost a daily basis. I do believe that these parents have every great intention in the world and are simply very, very proud of their child. I applaud their pride and encourage them to share that pride with their children, but if you are such a parent, are you really being fair to your child? Will your child have the same choice that my friend has when it comes to controlling the information about them on the Internet? If you didn’t see my blog about Facebook retaining the right to exploit minors you might want to read that to see one way in which innocent looking data sharing can be abused.
I suspect that many parents are not considering how the information they post now may be used in the future. The cute little picture or story you tell about your kid may be the item that kids in the 5th grade will use to mock your child in class. The picture you think is cute today may be an embarrassment in the future.
To some extent how public this information becomes depends upon what your privacy settings are and who you choose as friends. To use Facebook as an example, you may be very careful about who you choose as friends, but may have friends who are not very discerning about who they accept friend requests from. If you share your wall with “Friends and friends of friends” then you have lost control of who has access to your data.
If you use apps on Facebook and are not extremely careful, you may be sharing all of your data with the world. Even if you are careful, using apps on Facebook may open your account to malicious hacking. In late 2009 a company called RockYou was hacked. RockYou makes some very, very popular applications for social networking sites. The hack resulted in the compromise of user names and passwords. RockYou had stored the passwords in plain text, neither hashed nor encrypted, so about 32 million people’s passwords were disclosed. RockYou claimed to have fixed the problems, but a quick check today of their popular “Zoo World” game shows that you have to switch from https to http to use the game. In other words, RockYou still can’t spell encryption, much less use the technology. What this means to you is that if you use Facebook apps you may well compromise your account.
The information posted on the internet does not go away. Eric Schmidt, the CEO of Google, has predicted that in the future young people will have to change their names to escape their cyber-past. As a parent, you probably can’t prevent your child from making some mistakes that may leave them wanting to change their name, but not all kids will make such mistakes. As a parent, do you want to be the one who made the mistake that led your child to feel the need to change their name? A name change is a big deal. It means that, years down the road, rekindling meaningful relationships may not be an option. There is a lot more to it than that, but it is not an action that comes without significant ramifications.
As a parent, you can teach your children to respect the privacy of others by being an example and respecting theirs. I am not saying that you should never post anything about your child, but do be aware of how much you are posting and recognize that your child is not you and as they become adults they may have entirely different desires with respect to how much of their lives are an open book.
So, what can you do as a proud parent who wants to share, but wants to protect as well? You might consider two different Facebook accounts. Use one account for sharing YOUR information with anyone you want to and however you want to. For the account you document your child’s life with, lock down your privacy settings. Only share information with friends, not with friends of friends or everyone. Do not use a profile picture of your child, and preferably not of a human at all. Invite ONLY your family members and very closest friends to be Facebook friends on this account. If you choose to use your child’s name for the profile, be prepared to relinquish ALL control of the account when your child is old enough to have their own account… it’s only fair. Do not install ANY apps on that profile. Apps are an invitation for information disclosure. With each post, ask yourself the following questions. 1) Will my child one day ask me why I was so rude or inconsiderate as to share this information with the people I shared it with? 2) Do your friends and family really want to know that little Jane went through a whole case of diapers today due to the flu? Finally, use a very, very, very good password. You are forcing your child to trust you with their information; it is your duty to be a responsible steward of that information.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Security Through Obscurity
In techie circles bringing up the topic of security through obscurity is like bringing up religion or politics at a cocktail party where you don’t know anybody. It might go over really well, or you might find people calling you names that my friends in HR would chastise (or fire) me for printing in the blog.
Security through obscurity (STO – sorry, I am going to get tired of typing “Security Through Obscurity”) is the concept that you can be secure if you hide information. Anyone who has been in the military will probably know it better as “need to know” or “loose lips sink ships” or “don’t ask don’t tell”. OK, maybe not the last one.
Anyway, STO is like oxygen (without the little subscript 2): a little sustains you, a lot will kill you. Everything in moderation… including moderation! Sometimes security through obscurity is the perfect application of defense in depth, but never on its own. You use STO when you don’t tell people your password, and that is really smart (strictly, a password is a secret key rather than an obscured design, but the point is the same: don’t hand the attacker what he needs). When you are presented with a login screen and get something wrong, a good site will only tell you that your username or password was wrong, not which one. That is security through obscurity (STO) as well. Recently I came across a very amusing failure to use STO where it would have been a low-cost and reasonably effective application of the concept.
I recently bought a Lenovo X220 laptop. I love the odd little beast. It has a 12.5 inch screen, which is quite an unusual size. It is small enough to be very portable and large enough to see, but I really love having 3 USB ports intelligently placed so that no USB device can block another port! But, I digress…
A big part of security is having a good back up. Actually having multiple good backups so that if one fails you do have a backup plan (I’d apologize for the pun, but I really am not sorry). To those of us who work in security (and hundreds of millions of other people) this is a good idea, but the concept seemed to get lost somewhere at Microsoft and/or Lenovo. One of the first tasks I do when I get a new computer is to make factory recovery discs. Lenovo has a program that assists you in making your factory recovery discs so that if something catastrophic happens you can restore the system to the exact state it was in when you took it out of the box.
There is a strange bug in the Lenovo factory restore program, but thanks to the failure to hide something that could have been easily hidden I was able to bypass the bug, bypass the copy restrictions and make my legitimate backup discs. I’m not exactly sure what the bug is because I don’t know Lenovo’s intent. The factory restore has 3 options. You can make bootable media, you can make the restore discs, or you can make both. As long as you don’t make the restore discs you can make a gazillion bootable discs, but if you make the restore discs the program will not let you get to the point of making another bootable disc. The bug is either in denying you access to make boot discs or letting you make a gazillion of them in the first place.
Now on to where STO (remember, Security Through Obscurity) might have been a good idea for Lenovo.
I created the bootable “disc” on a thumb drive, but later decided I would also like a copy on a CD or DVD, as well as an extra set of restore discs to keep in a separate location. Remember, data backup works best when you have redundancy. If one backup fails or gets destroyed, you retrieve the other. When I tried to make the second bootable disc the program said I could only have one copy of Windows. I called IBM and complained, and they did send me a set of restore discs at no charge. I also started looking around, and in the system restore folder I found a file called “service_done.ini”. Unlike all of the other files in the folder, its date and time stamp matched the time I made the system restore media. Inside, the file looked like this…
[SERVICE]
DONE=1
Hmm, the program worked when that file wasn’t there and stopped working after it appeared? And inside there appears to be a counter. What do you think that might mean? Maybe, just maybe, this is how the program knows I already made a set of discs? So I did the logical thing and moved the file. Lo and behold, I could make the factory restore discs again!
It would have been really easy to make it far more difficult for a user to work around the one-copy limitation of the program. I am not promoting piracy; you can simply make legal copies of the DVDs you already made so you have multiple backups for legitimate purposes. The entire copy protection mechanism in this case is simply a waste of disc space and time and promotes ill will among law-abiding customers. Yes, there is a place for copy protection, and no, you often do not want to spend much on it because it will be defeated, but it would have cost very little to make a copy protection mechanism much more obscure, and more effective, than the service_done.ini file.
I’d like to have stopped here, but there is also an important lesson about programming best practices in this story too.
Out of curiosity I decided to play around with the service_done.ini file a bit. Where it said “DONE=1” I changed the number 1 to 00335 and then ran the program again. I could make more copies again! I changed the value to 2 and the system would allow me to create more restore discs.
In this specific case there is no security problem, but this is the type of programming approach that leads to serious security problems. The developer either didn’t care (understandable for this specific app) or did not understand the real goal of the program. You are not really trying to see whether exactly one copy was made; you want to know whether more than zero copies were made. The logic should not be “if DONE equals 1 then don’t let Randy make any more discs”; it should be “if DONE is not 0 then don’t let Randy make any more discs”, and if DONE is less than 0, or not a number at all, something is wrong and the program should stop. The programmer only accounted for the situation where the file did not exist (make discs) and the situation where “DONE=1” (refuse), but there are other situations to account for as well. It is these unaccounted-for situations that hackers eat for breakfast.
In a recent post about the Sony hacks I spoke about data validation: http://blog.eset.com/2011/05/24/back-to-the-basics-%E2%80%93-aka-not-sony-again The Lenovo program wasn’t validating its input. I actually put the word “Verboten” as the value for “DONE” and the program let me make discs. A failure to validate data leads to problems such as SQL injection attacks and buffer overflows. Even though this wasn’t a security problem for this application, as a developer you want a disciplined approach to writing code securely.
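The check from this post in code, as an added example (not Lenovo’s program): a parser that behaves the way the post reports the tool behaving, with only the literal “1” blocking, beside a hardened one that allows only a count of zero and fails closed on anything that is not a non-negative integer. The [SERVICE]/DONE format is the one quoted above; the MAC line and the embedded key in the tamper-evident variant are assumptions, added to show the cheap improvement the post argues was available.

```python
"""The marker-file check from the post, in two forms: one that behaves the way
the Lenovo tool was observed to behave and a hardened one, plus a cheap
tamper-evident variant. Added example, not Lenovo's code: the file format is
the one quoted in the post, the 'flawed' behaviour is inferred from what the
post reports, and the MAC line and embedded key are assumptions."""
import configparser
import hashlib
import hmac

ORIGINAL_MARKER = "[SERVICE]\nDONE=1\n"   # the file as found on the machine


def _read(marker_text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(marker_text)
    return cfg


def flawed_allows_more_discs(marker_text) -> bool:
    """Observed behaviour: only the literal value '1' blocks; anything else,
    an unreadable file, or no file at all, allows. Fails open."""
    if marker_text is None:
        return True
    try:
        value = _read(marker_text).get("SERVICE", "DONE", fallback=None)
    except configparser.Error:
        return True
    return value != "1"


def hardened_decision(marker_text) -> tuple:
    """Allow only when the recorded count is zero. Any count above zero refuses;
    anything that is not a non-negative integer is treated as tampering and
    refused (fail closed)."""
    if marker_text is None:
        return True, "no marker file: nothing recorded yet"
    try:
        raw = _read(marker_text).get("SERVICE", "DONE")
        done = int(raw.strip(), 10)     # "00335" -> 335, "Verboten" -> ValueError
    except (configparser.Error, ValueError):
        return False, "marker file unreadable or DONE is not an integer: refusing"
    if done < 0:
        return False, "negative count is impossible: refusing"
    if done > 0:
        return False, f"{done} set(s) already made: refusing"
    return True, "count is zero"


# Assumption: a key compiled into the tool. That is obscurity, not secrecy
# (whoever pulls it out of the binary can forge markers), but it raises the
# bar well above editing a bare "DONE=1" line in Notepad.
EMBEDDED_KEY = b"example-key-compiled-into-the-tool"


def write_marker(count: int, key: bytes = EMBEDDED_KEY) -> str:
    """Marker with an HMAC over the count, so an edited value is detected."""
    tag = hmac.new(key, str(count).encode(), hashlib.sha256).hexdigest()
    return f"[SERVICE]\nDONE={count}\nMAC={tag}\n"


def tamper_evident_decision(marker_text, key: bytes = EMBEDDED_KEY) -> tuple:
    """Verify the MAC first, then apply the hardened count rules."""
    if marker_text is None:
        return True, "no marker file: nothing recorded yet"
    try:
        cfg = _read(marker_text)
        raw, tag = cfg.get("SERVICE", "DONE"), cfg.get("SERVICE", "MAC")
    except configparser.Error:
        return False, "marker file unreadable or unsigned: refusing"
    expected = hmac.new(key, raw.strip().encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.strip().lower(), expected):
        return False, "MAC mismatch: marker was edited"
    return hardened_decision(marker_text)


if __name__ == "__main__":
    for text in (None, ORIGINAL_MARKER, "[SERVICE]\nDONE=00335\n", "[SERVICE]\nDONE=Verboten\n"):
        print(repr(text), flawed_allows_more_discs(text), hardened_decision(text))
```

The hardened parser closes the “00335”, “2” and “Verboten” holes the post found, and the MAC closes the edit-the-number hole; neither closes the move-the-file hole, because an absent marker is indistinguishable from a fresh machine unless the count is also recorded somewhere the user cannot simply delete. That is exactly the author’s point about STO: it buys the attacker’s time and effort, not a guarantee, and it is cheap enough that leaving it out is the worse trade.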
In all probability the one set restriction was a silly Microsoft mandate even though the factory restore program claims that the restore discs can only be used on my system. The truth is that it will only work on systems with the exact same BIOS as mine.
Thanks to Lenovo/IBM for the excellent example for teaching a little about STO and data input validation and also for the free factory restore DVDs! Now, if only I could remember where I put the first set of restore discs, but asset tracking will be another blog!
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America