Archive - October, 2007

Hacking the Emergency 911 system

My wife and my ‘non-security’ friends think I am too paranoid. According to them, I overreact to simple situations and am too cautious. I’ll admit there may be some truth to that, but this is a perfect example of why I feel I respond this way. A family sound asleep in their home. Husband hears what he thinks is a robber outside. He grabs a kitchen knife and goes out to investigate. He is met by a swat team that has surrounded his house. He and his wife are handcuffed. They are released when the police determine that there is not a kidnapper holding them at gun point in their house. Why did they think that was the case you ask? Someone hacked the 911 emergency system and placed a call that appeared to come from that house saying they had a gun, had already murdered one person and were going to shoot others.

I don’t think the police did anything wrong or overreacted, but it could have gone bad. The husband could have been shot by an officer reacting without thinking due to lack of experience or fear. The simple answer is ‘well he should have just called the police and not investigated himself.’ Although that may be true for this particular circumstance, there could be other circumstances where it is not that simple. Do you call the police as soon as you hear a noise? I don’t. I usually grab my kali sticks and go take a look. You can’t burden the police with every single issue without checking the seriousness of it first. If everyone just called the police as soon as they heard a suspicious noise or saw suspicious activity, the system would break down and the bad guys would win because the police would be busy constantly answering false alarms. In my city if I call the police for a noise that turns out to be nothing, they will actually fine me.

Six months later they finally caught the person that did this. Hopefully, I am just being my paranoid self but I fear this is just a small sign of things to come. Too many things hooked up by networks and computers and not enough time, money, and expertise spent on actually securing systems.

Browser based rootkits

A post by Petko D. Petkov, a researcher in the area of client exploits, on browser based rootkits: the advantages of using them and why they are hard to detect. Personally, I believe his prediction. There will be more and more of these in the future. It only makes sense.

Mobile phone tracking and law enforcement access

Great article by Jennifer Granick on mobile phone tracking. We all know that service providers keep the location information in a database for each mobile phone as it moves from tower to tower. I am unaware of the retention time for this data, but it is probably safe to assume forever.

The article focuses on the requirements to legally obtain access to mobile location information. Unfortunately, it appears that it is getting easier not harder. A simple showing of ‘relevance’ is now enough for law enforcement to request mobile location information. This is just one example of many that show the privacy laws in the United States being eroded away slowly, undetectable to the average person. Eventually one day the world will wake up and say “Wait a minute! What happened? We need to do something.” But by then I fear it will be too late.

This of course doesn’t apply to Canada yet, but that is only a matter of time.

Internet Map

A colleague of mine had a reference to these Internet maps on his blog. Thought it was cool, so I am adding it as well. They use The Dimes Project data to map the Internet. I was chatting about the sample sizes as that could seriously affect the graph. If there are only a handful of people in Australia for example that are involved with the Dimes Project versus many more in Europe, that would obviously affect the look of the graph. Still neat though.

Security: The requirement of people and the goals of the bad guy.

Experts: IDS is here to stay is an article whose title is a little misleading. It is about IDS (Intrusion Detection Systems): why IDS is still of value given the number of IPS (Intrusion Prevention Systems) available, and why the author Bill Brenner feels IDS will be around for a long time. However, what interested me about the article was the view on customer requirements, and the security landscape.

Bill Brenner comments on who he feels are the top four IDS/IPS security vendors and the fact that they all have excellent detection technology and are backed up by security teams. Many companies don’t like the latter. They want to sell a product that requires minimal to no employee involvement. The device should be able to do everything automatically without any people, or with as few people as possible. Although this is a wonderful goal, with security and its intricacies as they exist today, this is very far from the truth. Systems and automation are good, but smart people are still required. Bruce Schneier and other security professionals have echoed this again and again: “Humans will beat computers at hinkiness-detection for many decades to come”. If you create a method of detection, the bad guys will figure out a way around the method. People are still your best bet.

Bill Brenner comments on customers of security products wanting more automation: the ability to pull data from disparate systems, then analyze and assemble this data into a big picture scenario more quickly. This is the message we have been receiving from our customers over the last year and is exactly what my company is constantly working toward. It is the key to having a reasonable chance of detecting and stopping the bad guys on the Internet. Security has changed over the last decade: it used to be worms and viruses, where the author’s goal was ‘fame’; now it is BotNets and spyware, and the goal is stealth, not ‘fame’. Add to this the money that can be made by selling BotNet and spyware services. Current methods in the industry do not hold up against these threats. My investigations for customers as of late have clearly shown this and most security professionals will echo this sentiment.

Security and State requirements

Lately my team and I have been trying to solve some more difficult security problems with the detection of certain malware. It used to be that detection of malicious activity could be done effectively with minimal state.

Lately, every time we discover a new piece of malware and entertain possible detection mechanisms, we constantly end up dealing with the resource requirements that many of our proposed solutions need in order to detect it.
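To make the state-versus-resources trade-off concrete, here is an added example (not code from the original post): a stateless signature check beside a stateful check for periodic beaconing, run over constructed log records. The signature string, the addresses and the timestamps are all made up for the illustration; the stateful detector bounds its memory by keeping only the last few timestamps per pair and evicting the least recently seen pairs.

```python
# Added example: stateless signature match vs. stateful beacon detection,
# with the amount of retained state reported so the cost is visible.
from collections import OrderedDict
from statistics import pstdev

# Constructed sample records: (timestamp_seconds, src, dst, payload_snippet)
SAMPLE_LOGS = [
    (0,   "10.0.0.5", "203.0.113.9",  "GET /img.png"),
    (60,  "10.0.0.5", "203.0.113.9",  "GET /img.png"),
    (120, "10.0.0.5", "203.0.113.9",  "GET /img.png"),
    (180, "10.0.0.5", "203.0.113.9",  "GET /img.png"),
    (7,   "10.0.0.7", "198.51.100.2", "GET /index.html"),
    (9,   "10.0.0.7", "198.51.100.3", "POST /login EVIL-SIG-0001"),
    (300, "10.0.0.8", "198.51.100.4", "GET /news"),
]

SIGNATURE = "EVIL-SIG-0001"  # constructed stand-in for a content signature

def stateless_detect(record):
    """A signature match needs no memory carried between records."""
    return SIGNATURE in record[3]

class BeaconDetector:
    """Flags a (src, dst) pair that connects at a near-constant interval.
    Keeps the last `history` timestamps per pair and at most `max_pairs`
    pairs (least recently seen evicted), so memory is bounded by design."""
    def __init__(self, history=4, max_pairs=1000, jitter=5.0):
        self.history, self.max_pairs, self.jitter = history, max_pairs, jitter
        self.state = OrderedDict()  # (src, dst) -> recent timestamps

    def observe(self, record):
        ts, src, dst, _ = record
        key = (src, dst)
        times = self.state.pop(key, [])      # pop/re-insert keeps LRU order
        times = (times + [ts])[-self.history:]
        self.state[key] = times
        if len(self.state) > self.max_pairs:
            self.state.popitem(last=False)   # evict least recently seen pair
        if len(times) < self.history:
            return False                     # not enough history yet
        gaps = [b - a for a, b in zip(times, times[1:])]
        return pstdev(gaps) <= self.jitter   # regular interval -> beaconing

def run(records, **kw):
    """Return (signature hits, beaconing hits, number of pairs still tracked)."""
    det = BeaconDetector(**kw)
    sig_hits = [r for r in records if stateless_detect(r)]
    beacon_hits = [r for r in records if det.observe(r)]
    return sig_hits, beacon_hits, len(det.state)
```

Lowering `max_pairs` caps the memory but also means a slow beacon whose pair was evicted between connections is never flagged, which is exactly the trade-off the post describes.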

Anyone else having similar issues? Would love to hear your opinion.