Trends in exploits

While reading what is fast becoming one of my favorite blogs, KSplice, I came across an article on exploiting NULL pointers in Linux.  The article mentioned that some sources have called 2009 “year of the kernel NULL pointer dereference flaw.”  While I might think of other notable announcements from the year that was, there is no doubt that this class of vulnerability enjoyed a certain amount of popularity recently.

This sort of surge in the numbers of attacks against a class of vulnerabilities is hardly unique, or even new.  When “Smashing The Stack For Fun And Profit” came out in Phrack, the low-hanging fruit of buffer overflows enjoyed great popularity.  When they dried up, hackers moved down the stack into Layer 2 with a number of creative abuses for ARP.  There has been no shortage of effort put into higher-level protocols either, as the current number of XSS, SQLI, CSRF, and other web/Ajax hacks show.  There are even signs that the human mind is pretty far from safe.  The implication of this is that an observer can follow the trend and predict, roughly, where next year’s feast of vulnerability will be – usually one layer up or down the stack from where the current crop is found.

The common thread, of course, is that attackers can and will leverage the reactionary nature of the security industry.  When a new vulnerability becomes known, there is a great hue & cry, or at least a patch release, and then everyone goes back to being ‘safe’.  Even when a trend becomes well-known, as is the case for several types of web application vulnerabilities, the reaction is limited to mitigating the specific class of issues shown to be an immediate threat.

When I was a sysadmin, this was known as ‘fire-fighting mode’ and, when it constituted the majority of the technical staff’s time, a sure sign of administrative incompetence.  Certainly, emergencies arise – that’s the nature of life, especially when dealing with complex machines.  However, a spot of pre-planning could automate the admin’s repetitive tasks, ensure that most failures never become emergencies, and mitigate most of those that do; all of which free up staff hours for the important things, like playing Quake.  Er, I mean keeping up on new technology and how best to make it serve the enterprise.

This concept can be applied to the development of secure systems, from the product to the architecture level.  It usually isn’t possible for developers to predict which new classes of bugs will be discovered to be exploitable; however, a certain degree of caution about where one accepts data from, how information is passed and stored, what portions of the mechanism are exposed for inspection, and what the mechanisms that process data are actually capable of would go a long way towards ensuring that the shiny new bug has minimal impact in the world.  In the real world, where resources are limited, immediate attention should be concentrated on the areas where bugs are currently being found and on those that are likely coming up.  This is precisely the sort of thinking that a good Secure Software Development Life Cycle (SSDLC) will implement.  It happens less often than it should (hint: if your SSDLC is limited to running a scanner to detect known classes of bugs, you’re doing it wrong), but I am happy to see more and more companies beginning to develop some consciousness that it is cheaper to fix bugs before the software ships.  From here, we need to help companies see that an SSDLC is an important facet of modern software development, and to help those groups that only audit code for known bugs see that there is a better way, and that the cost of doing it right is lower than that of developing and distributing a patch, both in real dollars and in corporate good-will.



Finding Ada: Dr. MT Daulard

During the early 1990s, the undergrad Computer Science program at Monmouth College included two semesters of digital circuits, the first of which was concerned with the building block components – adders, counters, memory – and the physical properties of the silicon we otherwise took for granted. It was during the first of these that I had the privilege to study under the instruction of Dr. Marie-Therese Daulard.

The students came to class pre-equipped with a certain degree of apprehension. We had heard she was a tough grader, and gave demanding tests. We hadn’t heard wrong. As long as the students kept their cool, though, they were by no means outlandish. One trivial example comes from the first exam, where we were meant to sketch out the circuit to create a multiplier. Well, we hadn’t studied those, but we had gone over adders & counters, so it wasn’t much of a stretch. Thinking during a test shouldn’t be beyond the pale, really.

If it were only that she gave good tests, I wouldn’t be writing this. What really struck me was how completely organized she was. During the first class session, she gave us her notes. All of them. For the whole semester. This thick packet of information goodness spelled out quite clearly all of the planned materials that would be appearing on the boards, all in her extremely neat block letters (an EE background showing through). That isn’t to say that her lectures were rigid. Monmouth, being a small school, had a class size somewhere around 25 students, so questions during the lecture were practical. Dr. Daulard encouraged them, and used them to clarify points, and once everyone understood, she moved on, back to the prepared notes. Those notes were additionally useful for the professionals in the class, who sometimes missed a session for reasons relating to their employment. They could review the materials and miss very little; far better than only reading the appropriate sections of the textbook.

Her clarity of thinking and expression was impressive, and of great help to the class. The subject matter yields to the well-organized mind and she could, and did, show us the way. While there was some small language barrier, it was far lower, and far more quickly overcome, than with certain other professors at Monmouth, precisely because she understood the material so well, and seemed to grasp where students would trip, even before we did. Sometimes, the extra reinforcement was already in the class notes. Spooky.

In the end, what I know of digital logic circuits is entirely down to taking this class with her. That understanding of the most basic elements that make up a computer has stood me in good stead all of these years, and helped with learning so many other things. In a field of smart, caring, dedicated professionals, some of whom were friends, Dr. MT Daulard stands out as one of the best professors I had there. And, Dr. Daulard, if by some chance you are reading this, thank you.

Fantastic time-stop miniature NYC film…or is it?

When I first saw The Sandpit by Sam O’Hare on Bre Pettis’ blog I thought it was an incredible example of using minis and stop motion film making. After a few seconds, it became apparent that it was something entirely more awesome; it’s…well, I don’t want to spoil it for you. Watch the film, then read about how it was created.


How to get Virgin Mobile USA Broadband2Go working in Ubuntu Linux 9.10

For my son’s birthday, I bought him a netbook and an EVDO modem from Virgin Mobile.  The netbook has a good battery life, and the Virgin Mobile Broadband2Go means he can use it wherever he is, as long as there is coverage.

I wanted to install Ubuntu 9.10 Netbook Remix on the system, both so he can get some familiarity with an OS that isn’t from Microsoft, and because of the greater security of the OS.  I knew the netbook would support Linux well, and assumed the modem would have no issue either.  This latter turned out to not be entirely true.  Here’s how I got it working.

Understanding scam victims: seven principles for systems security

I just finished reading Understanding scam victims: seven principles for systems security by Frank Stajano, a professor at the University of Cambridge, and Paul Wilson, who is on the BBC TV show The Real Hustle.
The document describes a variety of short cons, as highlighted on the TV show*, including how they work, in very clear language. For example:

2.6 Valet steal (S2-E3)
Alex sneaks into a car park, dressed up in a fluorescent jacket and posing as a car park attendant, as soon as the real attendant leaves for a temporary break. A mark arrives with a luxury car; Alex collects the keys and parks it. As soon as the mark is out of sight, Alex drives away with the car. That would already be pretty good value for just a few minutes’ “work”, but that’s not all—the car has a sat-nav in the glove box, and the sat-nav has a “home address” pre-programmed into it. There’s even a copy of the home keys. All Alex has to do is drive to the mark’s home (in the mark’s car, knowing he’s not in) and empty it.

It then goes on to extract guiding principles from those scams, such as the “Social Compliance principle”, in which “Society trains people not to question authority. Hustlers exploit this ‘suspension of suspiciousness’ to make you do what they want,” and then ties those back to the related scams so you can see how they work:

But the social compliance principle has of course much wider applicability than just the impersonation of police officers: in the valet steal (section 2.6), Alex only needs a fluorescent jacket and a convincing attitude to become a car park attendant and drive away with the mark’s expensive car. Similar situations include the fake waiter scam (S2-E8), where Alex pretended to take food orders from customers and walked away with the credit cards of his marks; and the bogus workmen scam (S2-E8), where the hustlers entered a house by posing as workmen from the water board and then Paul robbed the place while Alex distracted the houseowner.

Included towards the back is a table showing how each of the scams discussed relate to the principles. This really hammers home how fraudsters push people’s buttons, using multiple techniques to pressure, reassure, cajole and control their victims. Without a similar understanding of human nature, it’s impossible to design systems to help people resist this sort of attention.

Interspersed with tales from conventional crime the paper relates both the scams and their governing principles to information and systems security. This, of course, is the main thrust of the work. Some of the correlations stretch things a bit, such as fitting the classic friction between security and convenience under the discussion of the Distraction principle, but most are right on the ball.

I recommend this paper for anyone who designs or evaluates security systems of any sort.  I would also recommend it to individuals, because a greater understanding of how scams happen will help prevent crime.  In the end, awareness is the thing: individuals need to be aware of what criminals will do, and designers need to be aware of how individuals will react.  The criminals, as it happens, are aware already.

*Nice advert, now I want to see the show!

New blog software

I started this blog using b2evolution because it was supported by my service provider and seemed straightforward. And it was, and the lack of an easy way to manage and edit templates on the server, some disconnects between the branch of the software I had and the documentation on the site and a few other issues seemed pretty bearable.

Then I tried to embed a presentation from slideshare.net. It seems that b2evo allows only a subset of HTML in posts, as it wouldn’t recognize the tags I needed. I could easily just post a link, and am confident I could hack it to allow my embed (modifying the video plugin used for embedding YouTube clips seemed promising.) I just didn’t know what the next problem was going to be. Changing while I still only had two posts seemed the way to go.

So welcome to the new blog, powered by WordPress. Changing over was delightfully easy, and upgrading to the latest version was brainless. I was even lucky enough that the theme I’d used for b2evo and based my site on (I’m a hacker, not a web artist) was originally a WordPress theme.

I’m looking forward to seeing what other plugins and widgets are available.

Bigger on the Inside: the TARDIS effect on Security of Embedded Systems

Thank you to the Penn State University Security Risk Analysis Club for having me out to speak to them tonight on the challenges in performing security audits on systems involving embedded devices. Their hospitality was great and the quality of questions and interaction from the students was fantastic.


Welcome!

Welcome to my blog. This will be a place for me to relate pieces of life and technology that capture my attention. It’s my hope that these may be of use to you, the reader, and that you will let me know your thoughts.

The image in the masthead was taken on Cape Cod in 2008, and shows the view heading back from one of the ocean beaches in Wellfleet. It’s one of those places to which I keep returning, to recharge my batteries.