July 2nd, 2009
The Wall Street Journal has a good story on a cryptologist, Lawren Smithline, who has deciphered a 200-year-old encrypted message sent to President Thomas Jefferson. The message was sent to President Jefferson by his good friend, the mathematician Robert Patterson, to show off Patterson’s new encryption algorithm, which he claimed would “defy the united ingenuity of the whole human race” and was made up of “upwards of ninety millions of millions” of potential combinations.
For the 19th century the algorithm was advanced and would have taken many hours to break by hand, but in the 21st century we have computers: Smithline wrote an application using genetic programming algorithms and in less than 100 instructions found the key that decrypted the message. The WSJ has created a media clip that visually explains the encryption algorithm.
In the end, the encrypted message contained the following plain-text:
In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events…
That is the beginning of the Declaration of Independence, of which President Jefferson was the primary author. Oh, the irony. Stories like these make me want to get back into cryptology. I enjoyed the days in my youth when I spent time playing with ciphers.
Tags: cipher, cryptology, encryption, encryption algorithm, genetic programming, Lawren Smithline, mathematician, president thomas jefferson, robert patterson, wall street journal
Posted in General | No Comments »
July 1st, 2009
If you run an IT organization and have not had a chance to look at the new Federal IT Dashboard, take some time today and look at it. The transparency that our new Federal CIO, Vivek Kundra, has built is great! We, the American people (the investors, if you will), are now able to see the performance of our investments in the US government. I have always touted transparency for IT, and now, project by project, each CIO within the government is required to report progress on all of their projects to the public.
Amazingly, Vivek gave the CIOs only 30 days to get their information up to date. Even more importantly, since the IT Dashboard obtains its information from the Office of Management and Budget (OMB), the agency CIOs have to not only update the information but update it through the proper channels for it to appear in the dashboard.
With one simple portal, Vivek has increased the use of the standardized project management frameworks in place throughout the government, increased the accuracy of information, and helped create a sense of urgency and fiduciary responsibility for each agency CIO, because their performance is now open for all to see. Much like posting a performance review on the company bulletin board for all to see, we have long advocated that public access to information increases the chance that an employee will “do the right thing.” For example, we recommend that when you start deploying change management processes internally, any person who bypasses the change management controls and introduces an outage has their picture posted on a company wiki, SharePoint portal, etc. as the “wild wild west cowboy” who “caused the problems”.
A little bit of public humiliation may be just what we need to get the government’s IT projects back on track! Some examples:
- 49% of the VA’s IT projects are behind schedule
- 41% of Department of Homeland Security projects have “significant concerns”
- The Smithsonian Institution receives $60M and the majority of that investment goes to IT Infrastructure Maintenance
- The DoE has had an almost 50% decrease in IT spending since 2002
Oh, and in case you were wondering… many (over 30%) of the government’s IT projects are behind schedule or in need of serious help.
Check out Tim O’Reilly’s blog post about the Federal IT dashboard for more information on how it was constructed and how it receives data.
Tags: CIOs, dashboard, fiduciary responsibility, IT, management frameworks, office of management and budget, project management, Tim O'Reilly, transparency
Posted in Business, General, IT Consulting | No Comments »
June 30th, 2009
You may have heard about the embarrassing security breach a while ago in which a file containing the blueprints and avionics package for Marine One (President Obama’s helicopter) was found on a computer in Iran. Since then, Congress has surmised that the details of President Obama’s helicopter were compromised by a government contractor who was using a peer-to-peer file sharing program.
But just two days earlier, the “Today Show” reported that more than 150,000 tax returns, 25,800 student loan applications and 626,000 credit reports became publicly available due to a similar incident with a file sharing program.
P2P file sharing doesn’t just tie up bandwidth. It is still a major threat to the security of any commercial, educational, or government enterprise, and thanks to some inadvertent clumsiness it is now a threat to national security. It isn’t just a danger to your home or office computer; entire corporate networks are susceptible to many attacks via P2P.
It’s hard to defend the use of P2P when it goes against the basic principles we advocate for securing a computer. In order to share and access files on a P2P network, you must open a TCP port through the firewall for the P2P software to communicate, which essentially eliminates your defenses against malicious traffic coming through that port.
When you willingly share the contents of your computer with an anonymous and unknown user, then all the firewalls and antivirus software in the world can’t help you. Likewise, if you willingly download, install, and run any program of cryptic origin, then there is no telling what you are actually doing to your computer.
Although previously thought to be a safe version of P2P, BitTorrent was used as a vehicle for a massive spyware distribution campaign in 2005. Before that, the only danger found in BitTorrent was just occasional random executables. But now it can evidently be harnessed for money-making campaigns complete with affiliates, distributors, and some big names in adware.
I could list a dozen reasons to ban P2P in the workplace, but I think the argument already has enough power. Unless there is a legitimate reason to use them, P2P programs usually just tie up bandwidth, distract employees, and make your computers and network vulnerable.
Tags: IT, Malicious, p2p network, peer to peer file sharing program, President Obama, security, security breach
Posted in IT Security, Network security | No Comments »
June 29th, 2009
TaoSecurity, Richard Bejtlich’s excellent blog on digital security, posts a fictitious but all too real budget for a black hat team. The point of Richard’s post is that
… for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack.
This is a bold claim and one that I support 100%. I told some of my colleagues at McAfee years ago that we may see a situation in the near future where a talented penetration tester has to choose between working for company A or company B, where the only difference between the two isn’t the benefits, salary, or health care but the “evilness” of the company. With so much money being made in the black hat world, the scenario Richard portrays is entirely real.
Tags: attacker, blackhat, business plan, defense, IT Security, penetration, penetration test, Richard, Richard Bejtlich
Posted in Business, IT Security | No Comments »
June 29th, 2009
Consider this: a hacker finds a security hole on your website that exposes the private data of hundreds of thousands of customers, including names, emails, and even passwords. The hacker does not steal this information. Instead, he quietly alerts you via email, but at the same time he makes the security vulnerability public on his blog.
Do you: A) Thank the hacker for bringing the security vulnerability to your attention? Or, B) seek legal action against the hacker who damaged your company’s reputation by alerting the public about your sloppy security?
This is the controversy surrounding “HackersBlog.org” – a blog where anonymous hackers alert the public about security vulnerabilities. Each blog entry lists the site hacked, how the data was captured, and what private information is accessible.
The site made its first splash when a Romanian hacker named “Unu” hacked the databases of Kaspersky – ironically, one of the leading companies in the security and antivirus market. “Seems incredible but unfortunately, it’s true,” writes Unu, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”
The next target, hit the very next day, was BitDefender – another antivirus software company. Unu used a SQL injection to show how easily data could be extracted.
In an official statement, Kaspersky denied the attack was successful. BitDefender called the hack an attack and portrayed it negatively, even though “the action did not intend to steal information but simply show a vulnerability.” Usually when sites are hacked, the companies are left scrambling to put out the public relations fires.
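As an added illustration (not code from HackersBlog or from either vendor), here is the kind of “altered parameter” flaw the post describes beside its fix, on a constructed SQLite table with made-up products and activation codes; the schema and values are assumptions:

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data; the schema is hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, activation_code TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Antivirus Home", "CODE-AAAA-1111"),
        (2, "Antivirus Pro", "CODE-BBBB-2222"),
        (3, "Internet Security", "CODE-CCCC-3333"),
    ])
    return conn


def lookup_vulnerable(conn, product_id):
    # The URL parameter is pasted straight into the SQL text, so whatever a
    # visitor alters it to becomes part of the query the database parses.
    sql = "SELECT id, name FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    # Bound parameter: the driver ships the value separately from the SQL,
    # so it is only ever compared against id and never parsed as SQL.
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def demo():
    """Run both lookups with a normal and an altered parameter."""
    conn = make_db()
    normal = "2"
    altered = "2' OR '1'='1"  # the "altered parameter" from the post
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),    # one row
        "vuln_altered": lookup_vulnerable(conn, altered),  # every row
        "safe_normal": lookup_safe(conn, normal),          # one row
        "safe_altered": lookup_safe(conn, altered),        # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The fix is the same in every web language of the era: never build SQL by string concatenation from request parameters, and validate the parameter type (here, an integer) before it ever reaches the database.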
So, alerting the website via email about the found vulnerability? That sounds white hat enough. So why expose the flaw to everyone publicly on the Internet and wreck the reputation of that company? “If we just send an email, without making it public they would fix only that parameter that we announced,” says Unu, “and it is possible [for there] to be others too.”
It seems that HackersBlog owes its allegiance to the public and not to the companies who allow for these breaches in security. “I’m not a criminal, I [am] not a burglar,” says Unu, “You do the work of a [pentesting firm] that could test the security of the site or [sic] server at the request of the owner. The difference is that the firm makes this for a big sum of money, a very big sum of money, and we do it as a hobby, for pleasure, free, and most of the times we do that much better, but we don’t even get a simple ‘Thank you.’”
Leave me a comment and let me know what you think about this Hacker Blog site!
Tags: anonymous hackers, antivirus, bitdefender, breaches, customer data, Hackers, IT, kapersky, private customer, security vulnerabilities, security vulnerability
Posted in Business, General, HIPAA, IT Consulting, IT Security, Network security | No Comments »
June 29th, 2009
I am reading Warren Buffett’s biography Snowball on my Kindle 2 and it has been a great read so far. Buffett and his best friend, Charlie Munger, are amazing businessmen. I am about 30% through the book, but I have noticed that the majority of Buffett’s early successful investments might be due to the fact that information was not as easily available then as it is now.
For example, news of the death of Michael Jackson spread across the Internet within minutes of being posted. Google went down, CNN was down, as was the LA Times website, because so many people were looking for the latest information. The velocity and availability of information today is amazing. With so much information available, is it possible for another “kid from Omaha” to find the gems of undervalued stocks that no one else sees? In the 1960s Buffett was visiting companies, researching, and making moves based on information that, although public, no one else could easily find.
With everything one search away, will we still be able to profit from the difficulty of finding information? I don’t have the answer, but it makes me wonder about the availability of data within our organizations. As searching becomes the standard way to find information, enterprises will start deploying search engines internally that index and find data throughout the enterprise network.
Once that happens it will be a sweet pot of gold for an attacker =)
Tags: charlie munger, enterprise network, IT, Kindle, Michael Jackson, Omaha
Posted in Business | 1 Comment »
June 26th, 2009
The reality of the situation is that there is no such thing as a 100% secure place on Earth. IT security professionals can only do what they can to make things as secure as possible. There is no computer security defense that will succeed every time, forever, or, as I say when presenting at conferences, “You cannot buy your security at the local Best Buy”. (NOTE: If you have an in-depth understanding of honeypots, you can skip this post.)
Because of my interaction and association with the Honeynet Project I am frequently asked what benefits honeynets can provide to the normal everyday IT security engineer. Simply put, honeypots provide us with early warning so we can be vigilant and prepare our defenses accordingly.
Additionally, honeypot data is a great way to loosen the purse strings of corporate managers who are hesitant to dip into the company budget. You can make a case for a larger IT security budget by showing them the attack data from the honeypot: who is attacking, how they are attacking, how often, and, most importantly, what damage they could potentially do to the enterprise if the proper defenses are not built. Actual data speaks louder than any verbal argument.
Here’s an analogy to help you understand the importance of honeypots.
Imagine you are tasked with defending your king’s castle from an impending enemy attack. But you don’t know who the enemy is, where they are coming from, how many there are, or what kind of attacks they will use. They may use spears, rifles, or just sharp rocks. They may attack on horseback, with catapults, or maybe with tanks.
So what kind of defenses should you build? A 30 foot tall wall surrounding the castle or a moat? Should you put archers in the towers or build turrets? Maybe you should just pile up a few sandbags and hope for the best. Maybe the real problem is the village idiot on the inside… =)
Without knowing anything about the impending attack, you do not know what an appropriate defense would be. You may dig a futile trench around your castle while the enemy attacks with stealth bombers. Or you may encapsulate your entire castle in an impenetrable crystalline dome while your five attackers sling rocks at it. The latter defense may work, but your king might not be too happy with you for wasting his whole treasury on an unnecessarily robust defense.
A honeypot is like a decoy paper version of your castle, set up a mile in front of your actual king’s castle. The paper castle has no value, but you can see what attacks your enemy uses when they attack it, and thus prepare accordingly.
Honeypots allow you to understand what kind of attacks you can expect. With this knowledge you can allocate resources to defenses appropriately, without under- or overspending. Now, with all that said, not everyone can run out, install a honeypot, and solve their problems. Honeypots require a lot of maintenance and watching, and if not properly installed they can actually decrease the security of your network.
If you don’t want to take the chance of hurting your own security posture, there are services that will configure and run honeypots for you and provide you with their data. Symantec and McAfee offer such services.
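To make the “who, how, how often” argument concrete, here is an added example (not from the Honeynet Project or any vendor) of a minimal low-interaction honeypot: it accepts a connection on a port nothing legitimate uses, records the source and the first bytes sent, answers nothing, and rolls the events up into the numbers a budget pitch needs. The probe classification heuristics and the sample sources are assumptions.

```python
import socket
import threading
from collections import Counter
from datetime import datetime, timezone


def classify(first_bytes):
    """Guess what kind of probe hit the decoy from its first bytes (assumed heuristics)."""
    head = first_bytes[:16]
    if head.startswith(b"SSH-"):
        return "ssh-client"
    if head.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    if not first_bytes:
        return "connect-only"  # typical of a port scan: connect, then leave
    return "unknown"


class Honeypot:
    def __init__(self):
        self.events = []
        self.lock = threading.Lock()

    def record(self, src_ip, dst_port, first_bytes):
        """Store one observed connection; never act on the data received."""
        event = {"time": datetime.now(timezone.utc), "src": src_ip,
                 "port": dst_port, "kind": classify(first_bytes)}
        with self.lock:
            self.events.append(event)
        return event

    def summary(self):
        """Who is attacking, how, and how often: the budget-meeting numbers."""
        return {"total": len(self.events),
                "by_source": Counter(e["src"] for e in self.events),
                "by_kind": Counter(e["kind"] for e in self.events),
                "by_port": Counter(e["port"] for e in self.events)}

    def serve(self, host, port, max_conns):
        """Listen, log the first bytes of each connection, and close without replying."""
        srv = socket.socket()
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(8)
        actual_port = srv.getsockname()[1]
        for _ in range(max_conns):
            conn, (src_ip, _) = srv.accept()
            conn.settimeout(2.0)
            try:
                data = conn.recv(256)
            except socket.timeout:
                data = b""
            finally:
                conn.close()
            self.record(src_ip, actual_port, data)
        srv.close()


if __name__ == "__main__":
    hp = Honeypot()
    hp.serve("127.0.0.1", 2222, max_conns=5)  # assumed unused local port
    print(hp.summary())
```

Because the listener never replies or executes anything, it cannot be turned into a foothold the way a carelessly deployed high-interaction honeypot can; the maintenance burden the post warns about is then mostly reading the summary regularly.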
Tags: corporate managers, decoy systems, honey pot, honeypot, honeypots, information technology, IT, IT Security, McAfee, security, security budget, Symantec
Posted in HIPAA, IT Consulting, IT Security, Network security | No Comments »
June 24th, 2009
From NewScientist:
EMAIL logs can provide advance warning of an organization reaching crisis point. That’s the tantalizing suggestion to emerge from the pattern of messages exchanged by Enron employees.
The Florida Institute of Technology analyzed Enron’s emails and found a correlation between the frequency of emails, and their sources and destinations, and the continued decline of the company. I love this type of research! Human interaction always seems to increase when “something is going down”.
This community of people asking questions and communicating more is a main reason why we recommend using security awareness as a mechanism to detect the internal “bad apple”, especially when layoffs are coming or key employees are about to be let go.
With these new email analysis techniques, perhaps analyzing odd patterns of communication could be another indicator that a problem is forming with a bad employee…
According to the article:
They examined the number of emails sent, and the groups that exchanged the messages, in the period around these events. They did not look at the emails’ content.
which is something any business can do by working with its mail server admin. Maybe someone will write an open source application that can do this for any business.
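As an added example (not from the Florida Tech study or the NewScientist article), here is the metadata-only analysis the quote describes, run over a constructed envelope log: it counts who mailed whom per day, groups senders and recipients by department, and flags days whose volume spikes above a baseline period. The log format, the department directory and the threshold are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed envelope log, one day per line: "date sender>recipient ...".
# Only who-mailed-whom and how often is kept, never message content,
# which is all the Enron study used. A real Postfix or Exchange log needs
# its own parser; this format is an assumption.
LOG = """
2009-06-01 alice>bob carol>dave dave>erin bob>alice
2009-06-02 alice>carol erin>dave bob>alice
2009-06-03 alice>bob alice>carol dave>erin erin>bob carol>alice
2009-06-04 bob>alice dave>erin carol>dave alice>carol
2009-06-05 alice>bob erin>dave carol>dave bob>carol
2009-06-06 dave>erin alice>bob carol>alice
2009-06-07 alice>bob bob>alice erin>dave dave>carol alice>dave
2009-06-08 carol>dave alice>bob erin>dave bob>carol
2009-06-09 alice>carol bob>alice dave>erin erin>dave
2009-06-10 alice>bob carol>alice dave>erin bob>carol
2009-06-11 alice>bob carol>dave erin>dave bob>alice
2009-06-12 alice>bob alice>carol alice>dave bob>carol bob>dave bob>erin carol>alice carol>bob erin>alice erin>bob dave>alice dave>bob erin>carol carol>dave
"""

# Constructed department directory (assumption) so traffic is viewed as
# group-to-group flows rather than individual mailboxes.
DEPT = {"alice": "finance", "bob": "finance", "carol": "legal",
        "dave": "ops", "erin": "ops"}

# The first ten days are treated as "normal" traffic (assumption).
BASELINE = ["2009-06-%02d" % d for d in range(1, 11)]


def parse(log):
    """Return {date: Counter({(sender_dept, recipient_dept): messages})}."""
    per_day = defaultdict(Counter)
    for line in log.strip().splitlines():
        date, *pairs = line.split()
        for pair in pairs:
            sender, recipient = pair.split(">")
            per_day[date][(DEPT[sender], DEPT[recipient])] += 1
    return per_day


def flag_days(per_day, baseline_days, threshold=2.0):
    """Flag days whose total volume is more than `threshold` standard
    deviations above the baseline mean, and show which group pairs drove it."""
    totals = {d: sum(c.values()) for d, c in per_day.items()}
    base = [totals[d] for d in baseline_days if d in totals]
    mu, sigma = mean(base), pstdev(base)
    flagged = {}
    for day in sorted(totals):
        if day in baseline_days or sigma == 0:
            continue
        if (totals[day] - mu) / sigma > threshold:
            flagged[day] = {"total": totals[day],
                            "top_pairs": per_day[day].most_common(2)}
    return flagged


def demo():
    return flag_days(parse(LOG), BASELINE)


if __name__ == "__main__":
    print(demo())
```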
Too bad email information is not public for companies that trade on the stock exchanges as this would be a great technical analysis tool!
Tags: enron employees, florida institute of technology, IT, patterns of communication, security
Posted in Business, General, IT Security | No Comments »
June 24th, 2009
The folks over at countryipblocks.net bring up an interesting question: Does your local network really need to allow access to hackers located 12,000 miles away from you?
Nearly 80% of all harmful or malicious Internet traffic comes from “The Big Ten”: China, Brazil, Russia, India, Korea, Viet Nam, Ukraine, Turkey, Italy, and Argentina. These are countries that produce great computer engineering talent but at the same time lack the local jurisdiction to respond to cybercrimes quickly and adequately.
Thanks to hackers from The Big Ten, you need to have a great deal of money, knowledge, and resources to protect your websites from the malicious traffic that originates in these countries. Firewalls, encryption, antivirus, and security guarded systems are all part of the ongoing struggle to keep your enterprise safe.
But maybe there is an easier way. As countryipblocks.net and other sites like it advocate, you could just block all visitors from The Big Ten by blocking the IPs of those countries. If they can’t access your local network or your website, then they can’t cause any trouble.
It’s not that hard to do. Several websites show you how to create .htaccess files that block IPs from the countries of your choosing on your web server (if you are running Apache), or you can simply block them at your firewall. Whatever works for you.
This may be a simple and ideal solution for companies that have no reason to do business with The Big Ten, are not global companies, or that simply deem any business generated by those countries to be not worth the expense in IT security it requires to allow their traffic.
But it does seem a little unfair to “punish” an entire country for the misdeeds of a few sordid cyber criminals, doesn’t it? Some consider blocking countries by IP overkill, and think it better to understand the attacks coming from these countries and work out a solution from there.
Also, blocking The Big Ten cannot be an alternative to an effective security policy. Attacks can still come from the remaining 20%, even from right here in the US where your biggest market is (many botnet servers are actually located WITHIN the US). Absent security would make your website a sitting duck in the face of inevitable attacks.
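As an added example (not code from countryipblocks.net), here is how a downloaded per-country CIDR list is turned into the Apache 2.2-style .htaccess deny block the post refers to, plus a checker that shows the caveat above: an address outside the listed ranges, such as a US-hosted botnet node, sails straight through. The country codes and ranges are constructed placeholders from the documentation address space, not real allocations.

```python
import ipaddress

# Constructed, clearly fake per-country list (assumption). Real country
# allocations are far larger and change monthly, so a real deployment must
# refresh its list rather than bake it into the config.
COUNTRY_BLOCKS = {
    "XA": ["203.0.113.0/24", "198.51.100.0/25", "not-a-cidr"],
    "XB": ["192.0.2.0/24"],
}


def load_networks(countries, blocks=COUNTRY_BLOCKS):
    """Collect the chosen countries' ranges, skipping malformed lines, and
    merge adjacent or overlapping ranges into the smallest equivalent list."""
    nets = []
    for cc in countries:
        for cidr in blocks.get(cc, []):
            try:
                nets.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError:
                continue  # one bad line must not silently disable the whole deny list
    return list(ipaddress.collapse_addresses(nets))


def htaccess(nets):
    """Apache 2.2 access-control fragment (Order/Allow/Deny syntax of the time)."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from " + n.with_prefixlen for n in nets]
    return "\n".join(lines) + "\n"


def is_blocked(ip, nets):
    """Would this visitor be denied by the generated rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = load_networks(["XA", "XB"])
    print(htaccess(nets))
    print("203.0.113.77 blocked:", is_blocked("203.0.113.77", nets))
    print("198.51.100.200 blocked:", is_blocked("198.51.100.200", nets))
```

The second check in the usage block is the point of the caveat: 198.51.100.200 is outside the /25 in the list and is admitted, exactly as an attacker hosted in an unlisted country or inside the US would be.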