This sort of surge in the numbers of attacks against a class of vulnerabilities is hardly unique, or even new.  When “Smashing The Stack For Fun And Profit” came out in Phrack, the low-hanging fruit of buffer overflows enjoyed great popularity.  When they dried up, hackers moved down the stack into Layer 2 with a number of creative abuses for ARP.  There has been no shortage of effort put into higher-level protocols either, as the current number of XSS, SQLI, CSRF, and other web/Ajax hacks show.  There are even signs that the human mind is pretty far from safe.  The implication of this is that an observer can follow the trend and predict, roughly, where next year’s feast of vulnerability will be – usually one layer up or down the stack from where the current crop is found.

The common thread, of course, is that attackers can and will leverage the reactionary nature of the security industry.  When a new vulnerability becomes known, there is a great hue & cry, or at least a patch release, and then everyone goes back to being ‘safe’.  Even when a trend becomes well-known, as is the case for several types of web application vulnerabilities, the reaction is limited to mitigating the specific class of issues shown to be an immediate threat.

When I was a sysadmin, this was known as ‘fire-fighting mode’ and, when it constituted the majority of the technical staff’s time, a sure sign of administrative incompetence.  Certainly, emergencies arise – that’s the nature of life, especially when dealing with complex machines.  However, a spot of pre-planning could automate the admin’s repetitive tasks, ensure that most failures never become emergencies, and mitigate most of those that do; all of which free up staff hours for the important things, like playing Quake.  Er, I mean keeping up on new technology and how best to make it serve the enterprise.

This concept can be applied to the development of secure systems, from the product to the architecture level.  It isn’t possible, usually, for developers to predict what new classes of bugs will be discovered to be exploitable, however, a certain degree of caution in where one accepts data from, how information is passed and stored, what portions of the mechanism are exposed for inspection, and thinking carefully about what the mechanisms that process data are capable of would go a long way towards assuring that the shiny new bug will have minimal impact in the world.  In the real world, where resources are limited, immediate attention should be concentrated on the areas where bugs are currently being found and those that are likely coming up.  This is precisely the sort of thinking that a good Secure Software Development Life Cycle will implement.  This happens less often than it should (hint: if your SSDLC is limited to running a scanner to detect known classes of bugs, you’re doing it wrong) but I am happy to see more and more companies beginning to develop some consciousness that it is cheaper to fix bugs before the software ships.  From here, we need to assist companies in seeing that an SSDLC is an important facet of modern software development, and those groups that are only doing code audit for known bugs are helped to see that there is a better way, and that the costs for doing it right are lower than those of developing and distributing a patch, both in real dollars and corporate good-will.



The students came to class pre-equipped with a certain degree of apprehension. We had heard she was a tough grader, and gave demanding tests. We hadn’t heard wrong. As long as the students kept their cool, though, they were by no means outlandish. One trival example comes from the first exam, where we were meant to sketch out the circuit to create a multiplier. Well, we hadn’t studied those, but we had gone over adders & counters, so it wasn’t much of a stretch. Thinking during a test shouldn’t be beyond the pale, really.

If it were only that she gave good tests, I wouldn’t be writing this. What really struck me was how completely organized she was. During the first class session, she gave us her notes. All of them. For the whole semester. This thick packet of information goodness spelled out quite clearly all of the planned materials that would be appearing on the boards, all in her extremely neat block letters (an EE background showing through). That isn’t to say that her lectures were rigid. Monmouth, being a small school, had a class size somewhere around 25 students, so questions during the lecture were practical. Dr. Daulard encouraged them, and used them to clarify points, and once everyone understood, she moved on, back to the prepared notes. Those notes were additionally useful for the professionals in the class, who sometimes missed a session for reasons relating to their employment. They could review the materials and miss very little; far better than only reading the appropriate sections of the textbook.

Her clarity of thinking and expression was impressive, and of great help to the class. The subject matter yields to the well-organized mind and she could, and did, show us the way. While there was some small language barrier, it was far lower, and far more quickly overcome, than certain other professors at Monmouth, precisely because she understood the material so well, and seemed to grasp where students would trip, even before we did. Sometimes, the extra reinforcement was already in the class notes. Spooky.

In the end, what I know of digital logic circuits is entirely down to taking this class with her. That understanding of the most basic elements that make up a computer has stood me in good stead all of these years, and helped with learning so many other things. In a field of smart, caring, dedicated professionals, some of whom were friends, Dr. MT Daulard stands out as one of the best professors I had there. And, Dr. Daulard, if by some chance you are reading this, thank you.

The Sandpit from Sam O’Hare on Vimeo.

I wanted to install Ubuntu 9.10 Netbook Remix on the system, both so he can get some familiarity with an OS that isn’t from Microsoft, and because of the greater security of the OS.  I knew the netbook would support Linux well, and assumed the modem would have no issue as well.  This latter turned out to not be entirely true.  Here’s how I got it working.

The Novatel Ovation MC760 used by Virgin Mobile is a dual-interface device, meaning it can appear as a usbserial modem device, or as a usbstorage device.  It initially presents as usbstorage, so that Windows systems can load the drivers and other software.  Linux, of course, has drivers built in and only needs to force the device to present as a modem to make it work.

I found some initial instruction from http://www.tenxfactor.com/2009/07/ubuntu-broadband2go-working.html but found the process listed for connecting to be too manual for my son.  I then found some additional information at http://code.google.com/p/vmdialer/ that detailed how to make it work correctly, without user intervention.

Here is the complete process I followed:

1. Activate the modem on a Windows or OS X system, as instructed in the package.

2. Install usb-modeswitch on the Ubuntu system

3. Edit /etc/usb_modeswitch.conf to add the following section:

########################################################
# Novatel U760 USB modem
#
# Contributor: Richard Laager

DefaultVendor= 0×1410
DefaultProduct= 0×5031

TargetVendor= 0×1410
TargetProduct= 0×6002

# only for reference
MessageEndpoint=0×08

MessageContent=”5553424312345678000000000000061b000000020000000000000000000000″

########################################################

4. To eject the device automatically on insertion, add the file /etc/udev/rules.d/99-novatel.rules

ENV{ID_CDROM}==”?*”, ENV{ID_SERIAL}==”Novatel_Mass_Storage*”, RUN+=”/usr/local/bin/bb2go %k”

5. Add the file /usr/local/bin/bb2go with the contents:

#! /bin/sh
CD=$1
eject $CD
sleep 2
modprobe -r usbserial
sleep 2
modprobe usbserial vendor=0×1410 product=0×6002
sleep 2

6. The file /usr/local/bin/bb2go must be executable and should not be owned or writable by a non-privileged user:

chown root /usr/local/bin/bb2go
chmod 755 /usr/local/bin/bb2go

After restarting udev or rebooting, inserting the device will automatically eject the pseudo CD and create the modem.
Then, about 10 seconds after inserting the device, the normal Ubuntu network manager option for a CDMA data connection becomes available.  Tell it your connection is through Virgin Mobile/Helio (if it asks) and it will connect.

And that’s all it took!

2.6 Valet steal (S2-E3)
Alex sneaks into a car park, dressed up in a fluorescent jacket and posing as a car park attendant, as soon as the real attendant leaves for a temporary break. A mark arrives with a luxury car; Alex collects the keys and parks it. As soon as the mark is out of sight, Alex drives away with the car. That would already be pretty good value for just a few minutes’ “work”, but that’s not all—the car has a sat-nav in the glove box, and the sat-nav has a “home address” pre-programmed into it. There’s even a copy of the home keys. All Alex has to do is drive to the mark’s home (in the mark’s car, knowing he’s not in) and empty it.

It then goes on to extract guiding principles from those scams, such as “The Social Compliance principle” in which, “Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.” and then ties those back to the related scams so you can see how they work:

But the social compliance principle has of course much wider applicability than just the impersonation of police officers: in the valet steal (section 2.6), Alex only needs a fluorescent jacket and a convincing attitude to become a car park attendant and drive away with the mark’s expensive car. Similar situations include the fake waiter scam (S2-E8), where Alex pretended to take food orders from customers and walked away with the credit cards of his marks; and the bogus workmen scam (S2-E8), where the hustlers entered a house by posing as workmen from the water board and then Paul robbed the place while Alex distracted the houseowner.

Included towards the back is a table showing how each of the scams discussed relate to the principles. This really hammers home how fraudsters push people’s buttons, using multiple techniques to pressure, reassure, cajole and control their victims. Without a similar understanding of human nature, it’s impossible to design systems to help people resist this sort of attention.

Interspersed with tales from conventional crime the paper relates both the scams and their governing principles to information and systems security. This, of course, is the main thrust of the work. Some of the correlations stretch things a bit, such as fitting the classic friction between security and convenience under the discussion of the Distraction principle, but most are right on the ball.

I recommend this paper for anyone who designs or evaluates security systems of any sort.  I would also recommend it to individuals, because a greater understanding of how scams happen will help prevent crime.  In the end, awareness is the thing: individuals need to be aware of what criminals will do, and designers need to be aware of how individuals will react.  The criminals, as it happens, are aware already.

*Nice advert, now I want to see the show!

Then I tried to embed a presentation from slideshare.net. It seems that b2evo allows only a subset of HTML in posts, as it wouldn’t recognize the tags I needed. I could easily just post a link, and am confident I could hack it to allow my embed (modifying the video plugin used for embedding YouTube clips seemed promising.) I just didn’t know what the next problem was going to be. Changing while I still only had two posts seemed the way to go.

So welcome to the new blog, powered by WordPress. Changing over was delightfully easy, and upgrading to the latest version was brainless. I was even lucky enough that the theme I’d used for b2evo and based my site on (I’m a hacker, not a web artist) was originally a WordPress theme.

I’m looking forward to seeing what other plugins and widgets are available.

Slides:

The image in the masthead was taken on Cape Cod in 2008, and shows the view heading back from one of the ocean beaches in Wellfleet. It’s one of those places to which I keep returning, to recharge my batteries.