
Michael N. Dundas

A place to record my thoughts and musings.

Archive

Archive for January, 2009

The title of this article doesn’t really do it justice. It is a good article that gives a high-level understanding of the concept of trusted booting of a device. Good read for individuals in or working with law enforcement and digital forensics. As this type of technology becomes more mainstream, it will become much more difficult to surreptitiously obtain access to a device, or data from it, without the owner’s cooperation.

I blogged about the security risks of cloud computing a few weeks ago. There may be another reason to be careful with cloud computing: cost. A friend of mine just did an analysis of the cost for a software company to move to cloud computing, using his own company as the example.

I am at a conference this week, speaking and participating. An individual asked about botnet detection for a particular product; specifically, they highlighted several vendors that have solutions that detect botnets. I find this concept amusing and more of a marketing or positioning thing. Stating “We detect botnets” is like stating “We do security”.

Anyone doing security research or investigations today realizes that almost all attacks are part of a botnet. Most botnets are really just advanced remote-shell frameworks that let the operator deploy whatever exploit or attack they want. Botnet software usually takes care of command and control, messaging, encryption, and exploit updates, and lets the author load other code or ‘plugins’ to produce whatever botnet behaviour they wish.

It is rare that you will detect a bot directly; rather, you detect its existence via the behaviour it exhibits: spam, a DoS or DDoS attack, or a phishing scam for personal data, for example. When assessing security vendors it is important to go deeper than “We detect botnets”. How do you detect botnets? How do you make sure it is a genuine botnet and not just a P2P application? The answers to questions such as these will tell you whether a vendor honestly understands security. Good security vendors will respond that their product detects bots and/or botnets via intelligence gathered from behaviour patterns, subscriber or network history, chronology, and external data.
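Added example, not from the original post: a behaviour-based check of the kind argued for above. Instead of matching a bot signature, it scans flow records for a host that contacts the same remote endpoint on a steady schedule (beaconing to a controller), and it deliberately does not trip on a host with many peers and irregular timing, which is what a P2P client looks like. The flow records, the 10.0.0.x hosts and the thresholds are all constructed for illustration.

```python
"""Behaviour-based beaconing check over constructed flow records.
Not the page's code and not any vendor's product; an added illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records (not real traffic): timestamp(s) src dst dport bytes.
# 10.0.0.5 reports to 203.0.113.10:443 roughly every 60 s; 10.0.0.7 behaves
# like a P2P client: several peers, irregular timing, no steady series.
SAMPLE_FLOWS = """\
# ts     src       dst            dport  bytes
0.0      10.0.0.5  203.0.113.10   443    512
60.2     10.0.0.5  203.0.113.10   443    498
119.9    10.0.0.5  203.0.113.10   443    530
180.1    10.0.0.5  203.0.113.10   443    505
240.3    10.0.0.5  203.0.113.10   443    512
299.8    10.0.0.5  203.0.113.10   443    520
360.0    10.0.0.5  203.0.113.10   443    499
420.2    10.0.0.5  203.0.113.10   443    511
33.0     10.0.0.5  198.51.100.20  80     14020
5.0      10.0.0.7  198.51.100.31  6881   2200
9.0      10.0.0.7  198.51.100.31  6881   1800
40.0     10.0.0.7  198.51.100.31  6881   3100
41.0     10.0.0.7  198.51.100.31  6881   900
130.0    10.0.0.7  198.51.100.31  6881   2500
131.0    10.0.0.7  198.51.100.31  6881   2700
12.0     10.0.0.7  198.51.100.32  6881   2000
14.0     10.0.0.7  198.51.100.33  51413  1500
70.0     10.0.0.7  198.51.100.34  6881   2900
71.0     10.0.0.7  198.51.100.35  6881   800
"""


def parse_flows(lines):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((float(ts), src, dst, int(dport), int(nbytes)))
    return flows


def beacon_candidates(flows, min_hits=6, max_cv=0.15):
    """Flag (src, dst, dport) series with at least min_hits connections whose
    inter-arrival times are regular: coefficient of variation (stdev / mean)
    at or below max_cv. Thresholds are illustrative, not tuned values."""
    series = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        series[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "hits": len(times), "period_s": round(period, 1),
                             "cv": round(cv, 3)})
    return findings


def peer_fanout(flows):
    """Distinct (dst, dport) endpoints per source. High fan-out with no regular
    series is the P2P shape that a naive 'talks to many hosts' rule confuses
    with a bot; it is reported here for context, not flagged."""
    peers = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        peers[src].add((dst, dport))
    return {src: len(p) for src, p in peers.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for f in beacon_candidates(flows):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['period_s']} s "
              f"({f['hits']} hits, cv={f['cv']})")
    print("fan-out per host:", peer_fanout(flows))
```

Only the 10.0.0.5 series is flagged; the P2P-like host has more peers but its one repeated peer has wildly uneven gaps, so it is not reported. Real bots add jitter, sleep through business hours, or hide in legitimate services, which is exactly why a check like this is one input alongside history, reputation and external data rather than a detector on its own.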

Here are two graphs showing inbound HTTP on a link off a small service provider’s network. The first graph is Jan 19th, 2009, the day prior to Obama’s inauguration. The second graph is Jan 20th, 2009, the day of the inauguration. If you look at 11:00 – 12:30 you can clearly see the abnormal bandwidth increase due to the inauguration being broadcast live over the Internet, and this is just HTTP, not the other streaming protocols that might have been used.

You can clearly see the increase in bandwidth on this one link during the inauguration. This has happened before: Twitter has inauguration data that shows the same trend for its micro-blogging service.

As the Internet increasingly becomes the medium for information, bandwidth usage is going to keep growing and will spike when these types of events occur. Service providers need to manage bandwidth effectively, ensuring fairness and privacy, and deploy the infrastructure needed to support the trend of increasing bandwidth over the next 5-10 years.

I look at my family over the last 3 years: we hardly watch television, and any shows we do watch, we watch via the Internet. We listen to the radio via the Internet. We get all our information and news via the Internet. We communicate almost exclusively via the Internet.

Apple finally announced that it will be removing DRM from all tracks available in iTunes. DRM sure is taking a long time to die, a very slow and agonizing death, and it really frustrates me. Most people I speak to about DRM think it has to do with piracy and falling sales, which anyone in the technology industry knows is far from the truth.

My wife pointed me to an article by Cory Doctorow showing how we as humans fail to understand the statistics of rare events such as gambling and terrorism.  Bruce Schneier has written about this topic in the past too.

AWS


Amazon quietly fixed a significant cryptographic vulnerability in its request-signing code, seven and a half months after the discovery. This type of behaviour is typical of all software vendors, and of course it is nothing new. I would suggest the problem is going to become more critical in the next few years. More and more companies are offering services in a ‘cloud computing’ form, and the customer base is growing to include end users, not just other businesses: social networks, online backup services, online CRM services, and the list goes on. Everyone using these services is at the mercy of the vendor to fix the problem, and the number of people who notice and complain about this is increasing.
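The post does not describe the flaw itself. The added example below is not Amazon’s code; it demonstrates the class of bug that was publicly reported against AWS’s version-1 query signatures in late 2008, in which parameter names and values were concatenated with no delimiter before being HMAC’d, so two different parameter sets could produce the same string to sign and therefore the same valid signature. Next to it is an unambiguous canonical form of the kind that replaced it. The secret key, host and requests are constructed for illustration.

```python
"""Weak vs. unambiguous request signing. Added illustration; neither scheme is
copied from any vendor's implementation."""
import hashlib
import hmac
from urllib.parse import quote

SECRET_KEY = b"constructed-secret-for-demo"   # not a real credential


def weak_string_to_sign(params):
    """Names sorted case-insensitively, then name+value glued together with
    nothing in between. The boundaries between parameters are lost, which is
    the flaw: the signature no longer binds which bytes belong to which name."""
    return "".join(k + v for k, v in
                   sorted(params.items(), key=lambda kv: kv[0].lower()))


def weak_sign(params, key=SECRET_KEY):
    return hmac.new(key, weak_string_to_sign(params).encode(),
                    hashlib.sha1).hexdigest()


def _enc(s):
    # RFC 3986: keep only unreserved characters, percent-encode everything else.
    return quote(s, safe="-_.~")


def canonical_query(params):
    """Percent-encode every name and value, sort by byte order, join with '='
    and '&'. Every boundary is explicit and cannot be moved by the sender."""
    return "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))


def strong_string_to_sign(method, host, path, params):
    """Also bind method, host and path so the signature cannot be replayed
    against a different endpoint carrying the same parameters."""
    return "\n".join([method.upper(), host.lower(), path, canonical_query(params)])


def strong_sign(method, host, path, params, key=SECRET_KEY):
    return hmac.new(key, strong_string_to_sign(method, host, path, params).encode(),
                    hashlib.sha256).hexdigest()


def verify(expected_hex, presented_hex):
    """Server-side check: constant-time comparison, never a plain ==."""
    return hmac.compare_digest(expected_hex, presented_hex)


# A legitimately signed, restricted listing request (constructed)...
LEGIT = {"Action": "ListObjects", "MaxKeys": "10", "Prefix": "public/"}
# ...and a forged request with no Prefix restriction at all: the attacker moved
# the boundary so that 'Prefix' and 'public/' became the tail of MaxKeys' value.
FORGED = {"Action": "ListObjects", "MaxKeys": "10Prefixpublic/"}


def weak_scheme_collides():
    """True: the forged request carries a signature the server will accept."""
    return (weak_string_to_sign(LEGIT) == weak_string_to_sign(FORGED)
            and verify(weak_sign(LEGIT), weak_sign(FORGED)))


def strong_scheme_collides():
    """False: the delimited canonical form separates the two requests."""
    return verify(strong_sign("GET", "example.test", "/", LEGIT),
                  strong_sign("GET", "example.test", "/", FORGED))


if __name__ == "__main__":
    print("weak string :", weak_string_to_sign(LEGIT))
    print("weak collides:", weak_scheme_collides())
    print("canonical    :", canonical_query(LEGIT))
    print("strong collides:", strong_scheme_collides())
```

The lesson is about canonicalization, not about the hash: swapping SHA-1 for SHA-256 in the weak scheme would not help, because the string being signed is ambiguous before any hashing happens. Whether a given collision is exploitable depends on how leniently the server parses the forged request, which is why the fix is to make the signed string unambiguous rather than to harden the parser.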

This blog is a perfect example. It is currently hosted on WordPress.com. Great service, but the database, interface, and software are not under my control. I do have the option to download, set up and run the software myself; although I have the resources and technical capabilities to do this easily, I do not have the time, so I accept the risk (which is minimal given the type of data) and use a third-party service. Unfortunately, many people do not have the technical expertise and are forced to use an external service, completely at the mercy of the company offering it.

I have done a lot of consulting for law firms over the years, and this is slowly becoming a bigger issue for them. Law firms, medical offices, financial institutions, and many other businesses hold personal and private data from their clients that needs to remain confidential and in their control. For example, what happens if you are a law firm that chooses to store client data offsite with a third-party company that in turn uses cloud computing services, which you may or may not be aware of? There are many good reasons to do this, such as cost, a smaller I.T. infrastructure requirement, and less need to hire staff or pay consultants to keep software and systems up to date. Any technical issues are the responsibility of the hired company, not the firm. Now, if the cloud computing company has a security vulnerability that takes them time to fix, and during that time someone uses that vulnerability to extract the law firm’s data, who is to blame? The law firm for choosing not to keep control of its data, the company the law firm purchased services from, or the third-party cloud computing company? David Canton wrote about cloud computing concerns this fall.

It will be interesting to see how government and the legal community handle this in the next few years. I am just waiting for a client to sue a law firm, medical office or some other company because their data somehow was made public. The most telling situation from a security perspective will be a breach of data that is involved in an ongoing legal proceeding.

New Blog Look

I really wanted to change the look of my blog. The previous look was quite ‘old looking’. I am not an artistic, creative type, so I found a new template, used Gimp and poof. I also switched from blogger.com to wordpress.com. The WordPress interface has improved a lot, and it has a much better selection of templates and options.

Since I have been listening to last.fm lately and just recently pulled a capture file for analysis, I wondered whether audio extraction would work in the case of an investigation. It turns out the procedure I wrote back in October works well. The end result is a directory of files containing the audio streamed from last.fm, which can be played as standard MP3 files.

I signed up and started periodically using last.fm in Feb 2006. I stopped in August 2006 and didn’t go back to it until just this past December. If you are wondering how I know that in such detail, it has to do with how last.fm keeps a profile on you, but I’ll save that for another post. I have found that the selection of music it picks for me has greatly improved since I first signed up.

There are different encoding formats for video and audio that affect the bandwidth and timing requirements for the transmission of streaming content. Ignoring the technical details for now: if an end user decides to stream audio from a service such as last.fm, how much bandwidth does that single stream require? To test this, I selected a track approximately 120 seconds in length and captured the audio stream while it played. The track played fine with no delays or problems. I captured the stream in two places: on the laptop where the song was being played, and on my service provider’s network at the demarcation point between my service provider and their upstream provider. Capturing the same stream at two points allowed me to compare both captures for issues such as dropped packets or other anomalies. My provider actually has two upstream providers, but a quick check of the BGP routing table showed all the data for last.fm coming from just one of them.

Comparison of the two captures showed only 2 packets were lost between entry into my service provider’s network and receipt on my PC (kudos to my service provider). The bandwidth requirement for the 120-second song was approximately 0.157 Mb/s. That single song consumed approximately 2.1 MB of data, which is consistent with a typical decent-quality MP3 file (depending on encoding).
Service Provider stream summary

Local PC stream summary

Using simple math: if a service provider has 5000 subscribers and we assume that at peak 1% are listening to streaming audio in their homes via one of the many services available on the Internet, that is a minimum of 7.85 Mb/s of bandwidth the service provider must allocate just for subscribers listening to streaming audio. This does not include web browsing, online gaming, watching video, downloading, or any of the other tasks that can be done over the Internet. The demand for more bits per second to the home is going to keep increasing. Whether service providers are able to keep up with this demand is a subject of debate.
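Added example, not the procedure from the original posts: it takes the same streaming session as seen at two capture points (the demarcation point and the subscriber’s PC), reports what was lost between them, strips the HTTP framing to recover the MP3 body the player received, and turns stream size and duration into the per-stream and aggregate Mb/s figures used above. All segments and timings are constructed inline; nothing is read from a real pcap, and the 512-byte segment size and 0.05 s spacing are assumptions.

```python
"""Two-point capture comparison, HTTP audio extraction and bandwidth math.
Added illustration on constructed data; not the page's own tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture timestamp, seconds
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


# Constructed response: HTTP headers followed by four MPEG-1 Layer III frames.
# Frame header 0xFF 0xFB 0x90 0x64 = sync, 128 kbit/s, 44.1 kHz, which implies
# a 417-byte frame; the audio bytes are zeros because only framing matters here.
MP3_FRAME = b"\xff\xfb\x90\x64" + b"\x00" * 413
HTTP_HEAD = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: audio/mpeg\r\n"
             b"Content-Length: 1668\r\n\r\n")
RESPONSE = HTTP_HEAD + MP3_FRAME * 4


def segmentize(data, mss, start_ts, interval, isn=1000):
    """Cut a byte stream into TCP-style segments with increasing seq numbers."""
    return [Segment(start_ts + i * interval, isn + off, data[off:off + mss])
            for i, off in enumerate(range(0, len(data), mss))]


UPSTREAM = segmentize(RESPONSE, 512, 0.0, 0.05)              # demarcation point
LOCAL = [s for s in UPSTREAM if s.seq != UPSTREAM[2].seq]    # one segment dropped


def lost_segments(upstream, local):
    """Segments that reached the upstream tap but never arrived at the endpoint."""
    seen = {s.seq for s in local}
    return [s for s in upstream if s.seq not in seen]


def reassemble(segments):
    """Order by seq, discard retransmitted duplicates, and refuse to paper over
    a gap: silently skipping missing bytes would corrupt the extracted audio."""
    unique = sorted({s.seq: s for s in segments}.values(), key=lambda s: s.seq)
    if not unique:
        return b""
    out, expect = bytearray(), unique[0].seq
    for s in unique:
        if s.seq != expect:
            raise ValueError(f"gap of {s.seq - expect} bytes at seq {expect}")
        out += s.payload
        expect += len(s.payload)
    return bytes(out)


def http_body(stream):
    """Strip the response headers; what remains is the file the player received."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    return body


def is_mp3(body):
    """ID3v2 tag, or an MPEG audio frame sync (first 11 bits set) at offset 0."""
    if body.startswith(b"ID3"):
        return True
    return len(body) >= 2 and body[0] == 0xFF and (body[1] & 0xE0) == 0xE0


def stream_mbps(segments):
    """Average payload rate over the capture window, in Mb/s (decimal mega)."""
    duration = segments[-1].ts - segments[0].ts
    if duration <= 0:
        raise ValueError("need at least two segments spread over time")
    return round(sum(len(s.payload) for s in segments) * 8 / duration / 1_000_000, 3)


def provisioning_mbps(subscribers, peak_fraction, per_stream_mbps):
    """Aggregate rate needed if peak_fraction of subscribers stream at once."""
    return round(subscribers * peak_fraction * per_stream_mbps, 3)


if __name__ == "__main__":
    print("lost downstream:", [s.seq for s in lost_segments(UPSTREAM, LOCAL)])
    body = http_body(reassemble(UPSTREAM))
    print("mp3 body:", is_mp3(body), len(body), "bytes")
    print("per-stream Mb/s (constructed timing):", stream_mbps(UPSTREAM))
    print("5000 subs, 1% at 0.157 Mb/s:", provisioning_mbps(5000, 0.01, 0.157))
```

Two points worth noting for anyone doing this on a real capture: reassemble the upstream copy, not the endpoint copy, when the goal is an intact audio file, since the endpoint may be missing bytes the player simply glossed over; and the provisioning figure scales linearly in all three inputs, so the 1% peak assumption dominates the result far more than the per-stream bitrate does.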