Friday, November 25, 2011

KonBoot and the importance of protected bootloaders.

A few weeks ago, I made a KonBoot USB drive.  KonBoot allows you to circumvent log-in screens and passwords on a number of different operating systems. Before you run off and buy one (which you might want to do for 64-bit systems), note that you can make a 32-bit KonBoot for free!  KonBoot works by booting into its own small KonBoot OS from the removable media, hooking the original operating system's kernel on the main media (typically the hard disk, though IronGeek's version lets you select any device), and then disabling that OS's log-on checks. Similarly, if you boot into any non-standard operating system, you can modify files of the original operating system on the hard disk.  This can be used to retrieve files that are protected by access controls, because those access controls are not enforced by the non-standard operating system.

To protect yourself from KonBoot or any other non-default-OS file snooping, there are a number of protections to have in place.  Always set a BIOS settings password, so that nobody can tamper with your bootable device list.  Next, restrict your bootable devices to only your hard drive, or whichever device holds your default operating system, so that beyond the password lock individuals still can't start your system from a non-standard operating system.  You don't need a full on-boot BIOS password; a password on the settings alone should be sufficient. Another major tool for your file defenses is a fully encrypted hard drive, so that even if an attacker can boot into a non-default OS, they can't reliably read or modify your operating system.  So go have fun with KonBoot, and protect yourselves with BIOS passwords and encrypted drives!
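As an added defender-side check (not from the original post): a small Python audit that parses `lsblk` key="value" output and reports whether the root filesystem, or any block device beneath it, is a dm-crypt (LUKS) mapping, i.e. whether the "fully encrypted hard drive" defense above is actually in place. The `lsblk` output shown is constructed, not captured from a real host.

```python
"""Audit: is the root filesystem backed by a dm-crypt (LUKS) volume?"""
import shlex
import subprocess
from typing import Dict, Optional

# Constructed sample output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`
# (one block device per line, key="value" pairs). /boot stays unencrypted
# because the bootloader must be able to read it; / sits on LVM over LUKS.
SAMPLE_ENCRYPTED = '''NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
'''
# Constructed: same layout without any crypt layer (what a KonBoot-style
# boot from removable media can read and modify freely).
SAMPLE_PLAIN = '''NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
'''

def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse lsblk -P output into {device name: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices

def mount_is_encrypted(devices: Dict[str, Dict[str, str]], mountpoint: str = "/") -> bool:
    """True if the device holding `mountpoint`, or any parent in its block
    stack (followed via PKNAME), is a dm-crypt mapping (TYPE="crypt")."""
    current = next((d for d in devices.values() if d["MOUNTPOINT"] == mountpoint), None)
    while current is not None:
        if current["TYPE"] == "crypt":
            return True
        current = devices.get(current["PKNAME"])  # "" for a top-level disk -> None
    return False

def check_live_system() -> Optional[bool]:
    """Run the same check against the current host; None if lsblk is unavailable."""
    try:
        out = subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return mount_is_encrypted(parse_lsblk_pairs(out))
```

Note that the check only proves a crypt layer exists under `/`; whether the BIOS boot order and settings password are locked down is a firmware setting and has to be verified in the BIOS itself.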

Tuesday, October 11, 2011

Operation Swiper

On October 7th, the New York City Police Department indicted 111 individuals in what it called one of the largest identity theft rings to date.  The sting was titled 'Operation Swiper', and it used international cooperation to round up several carders around the world.  The carders focused on credit card theft through illegal underground networking, so the people involved are being charged not only with cyber theft but also with organized crime offenses.  The elaborate crime rings stretched across Asia, the Middle East, Africa, Europe and even the United States.  A full report issued by the District Attorney of Queens in New York can be found here.  I also highly suggest you listen to the following podcast with Misha Glenny, in which he details how cybercrime affects you more directly as an end user.

The Leonard Lopate Show: Cyberthieves, Cybercops, and You:

Monday, October 3, 2011

Kelihos Botnet Take Down!

On September 27, Microsoft announced it had taken down its third botnet this year, Kelihos.  Microsoft has previously worked with partners to take down both the Rustock and Waledac botnets, which dramatically reduced spam across the Internet. What's more, Microsoft finally named a defendant in a botnet case, holding Dominique Alexander Piatti responsible for operating the botnet.  Microsoft was not alone in this takedown, however; it was greatly aided by the security company Kaspersky.  Kaspersky successfully 'sinkholed' the botnet, meaning it is still functional but completely under Kaspersky's control.  This is quite difficult to do, as they had to gain control of a peer-to-peer network that acted as a middle layer in distributing commands from control nodes to worker zombie machines.  Unfortunately, Kaspersky can't issue a command to patch and dissolve the botnet, since executing code on another person's computer without authorization would be against the law. Therefore Kaspersky can only remain in control by sinkholing the botnet, while Microsoft put out a signature for its anti-virus suite, Microsoft Security Essentials, urging people to download it and scrub for the botnet code. This was a major step in battling botnets, as we are finally catching and prosecuting those responsible, although I can't help but feel that the battle isn't over until the botnet has been dismantled.

Motorola DroidX - Updated to Android 2.3.3 on 10/3/2011

Late last night, the Motorola DroidX operating system updated from Android v2.2.3 Froyo to Android v2.3.3 Gingerbread.  This new update brings a stylish new look, a sleek interface, and an optimized home bar. Overall, this updated OS brings more streamlined interaction, although there are still a few bugs, such as managing the keyboard with text messages. The style of the update also seems much darker, which I personally enjoy.  Unfortunately, it seems to take a much heavier toll on the battery, draining it almost 1/3 faster throughout a fairly average day.  If you use the DroidX and noticed this update, comment and let me know your thoughts on Gingerbread Android v2.3.3! A superb list of features can be found at the Android Developers page.

Friday, September 16, 2011

Four Evolving Trends in Security Research

At the 2011 Belfast Cyber Summit of CSIT, the UK's Centre for Secure Information Technologies, international researchers gathered to discuss the evolving trends in cyber security research and development. The summit saw speakers from all around the globe, each giving their country's perspective on threats in the cyber landscape. The overall consensus of the summit was that research and funding still need to be directed at four major areas, these are:
  1. Adaptive Security Technologies: This group encompasses self-learning security solutions.  This means using heuristics to actively sense and learn about new threats.  Of course, these self-aware systems typically have difficulties with anomalies, such as brand new attacks or small-scale attacks by individual users, but they are better geared for the larger environments that the Internet presents.  Heuristic methodologies should be able to detect, model and stop automated attacks that previously overwhelmed classic security controls.
  2. Protection of Smart Grid Utilities: This area is dedicated to enhancing our pre-existing grid infrastructure with security controls and patches.  Recently, much research has been done on SCADA systems and on viruses targeting such systems.  This puts the general public at huge risk, as many of these systems are also part of critical infrastructure.  This research is vital to any nation's security, and we will certainly see an interesting evolution in grid security in the months to follow.
  3. Mobile Security:  Mobile security is another hotbed of research.  With the sheer amount of personal data that intersects at any smart phone, cell phones have become a rich target for exploitation.  There have been huge advances recently in mobile security on all fronts, and one should always be aware of one's own mobile solution and the vulnerabilities it faces.  This research greatly affects each end user, and is evolving faster than the mobile landscape itself.
  4. Multifaceted Security:  There is still a large gap when it comes to the human interpretation of current cyber security threats.  This topic includes a large body of research from the community, especially in terms of international legislation, policy, economics, groups, and individual rights.  There are many factors that motivate individuals nowadays, such as hacktivism, profit, and/or notoriety.  Researchers must combine their efforts with lawmakers, software developers, and large user groups, in an attempt to protect both end users' rights and corporate assets.
I highly encourage you to check out the original pdf at:
http://www.csit.qub.ac.uk/media/pdf/Filetoupload,252359,en.pdf

Saturday, September 10, 2011

Convergence.io

Originally published to: binaryculture.blogspot.com
Tools at: convergence.io

"A Decentralized Solution to Certificate Authorities: Moxie Marlinspike's Convergence.io

By now, I hope most people understand that certificate authorities are not invulnerable to hacks, and that putting full trust in any single source is simply misplaced faith.  This point is only amplified when we invest full trust in many stand-alone authorities at once, which is the situation we have today: if any single one of our trusted authorities fails, then we, the end users, are left vulnerable. Moxie Marlinspike sums the whole situation up rather nicely in this video:


At the end of the video, Moxie announces Convergence.  Convergence is a new Firefox add-on that runs in the background and verifies the certificate a site presents through multiple independent network vantage points, rather than relying on the CA's signature alone.  This provides a decentralized perspective to aid in authentication.   Convergence was built on a white paper entitled Perspectives, and his solution at convergence.io also takes care of several information leaks that existed in the original Perspectives implementation.  I highly suggest users install this Firefox add-on!  It has several verification options, which provide a huge amount of trust agility by allowing users to set their own level of paranoia.  It still has some problems, but Moxie is also accepting code reviews and donations.  The point is: We need more technologies like Convergence, which harness the decentralized strength of the Internet and protect all individual users! "
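To make the notary idea concrete, here is an added toy model (not Convergence's own code or wire protocol) of the decision a Perspectives-style client makes: several notaries on different networks report the certificate fingerprint they saw for a host, and the browser accepts its own connection's certificate only if enough notaries agree. The certificates, notary names and the use of a SHA-256 digest as the fingerprint are all constructed assumptions for the example.

```python
"""Toy model of notary-based certificate verification (Perspectives/Convergence style)."""
import hashlib
from typing import Dict, Optional

def fingerprint(der_cert: bytes) -> str:
    # Assumption: notaries compare a SHA-256 digest of the DER-encoded certificate.
    return hashlib.sha256(der_cert).hexdigest()

# Constructed stand-ins for DER certificates (real ones are ASN.1 blobs).
GENUINE = b"constructed DER: CN=example.com, issued by the site's real CA"
FORGED = b"constructed DER: CN=example.com, issued by a compromised CA"

def verify(local_fp: str, notary_views: Dict[str, Optional[str]], policy: str) -> bool:
    """Decide whether to trust the certificate the browser itself received.

    notary_views maps notary name -> fingerprint that notary saw when it connected
    to the site from its own network (None if the notary was unreachable).
    policy: 'consensus' requires every reachable notary to agree with the browser;
            'majority' requires more than half of the reachable notaries to agree.
    Zero reachable notaries is treated as failure, never as silent trust.
    """
    reachable = {n: fp for n, fp in notary_views.items() if fp is not None}
    if not reachable:
        return False
    agreeing = sum(1 for fp in reachable.values() if fp == local_fp)
    if policy == "consensus":
        return agreeing == len(reachable)
    if policy == "majority":
        return agreeing * 2 > len(reachable)
    raise ValueError(f"unknown policy: {policy}")

# Constructed observations: three notaries on different networks all saw the genuine cert.
HONEST_VIEW = {"notary-a": fingerprint(GENUINE), "notary-b": fingerprint(GENUINE),
               "notary-c": fingerprint(GENUINE)}
# Same, except notary-c has been compromised and vouches for the forgery.
ONE_BAD_NOTARY = dict(HONEST_VIEW, **{"notary-c": fingerprint(FORGED)})

if __name__ == "__main__":
    # A browser behind a man-in-the-middle receives the forged cert; notaries disagree.
    print(verify(fingerprint(FORGED), HONEST_VIEW, "majority"))       # False
    print(verify(fingerprint(GENUINE), ONE_BAD_NOTARY, "majority"))   # True
    print(verify(fingerprint(GENUINE), ONE_BAD_NOTARY, "consensus"))  # False
```

The "level of paranoia" the post mentions maps onto the policy argument: consensus refuses to proceed if even one notary disagrees, while majority tolerates an unreachable or compromised notary at the cost of trusting a smaller quorum.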

Thursday, September 1, 2011

The Death of a Certificate Authority

If you didn't already know, DigiNotar was hacked in mid-July. (DigiNotar was a certificate authority, which vouches that a website is authentic when you connect over HTTPS.) This had many serious consequences, as several of their certificates were stolen and used in the wild. The attack is believed to have originated in Iran, and there are reports of the certificates being used in Iran to man-in-the-middle Google's search engine. This is extremely dangerous, and because of it many browsers have removed DigiNotar from their trusted root CAs, including Chrome, Firefox, and Internet Explorer. Safari users still remain vulnerable, although it is easy to fix yourself by removing DigiNotar from your list of trusted CAs. So what does that mean for DigiNotar? Unfortunately, if browsers no longer trust you as a root CA, you are destined to fail and will likely go out of business.

The greatest takeaway from this entire incident is the public eye-opener to how much we trust and rely on certificate authorities. This is a serious issue, and has been for quite some time, as pointed out by researcher Dan Kaminsky several years ago. I think everyone should take the time to read this article, where the EFF points out the larger issue: using certificate authorities to verify websites is not a sustainable solution! We can do better, Internet. We need new solutions, so that this issue does not resurface!