* Posts by Andrew Commons

56 posts • joined 22 Dec 2007

It's time for a discussion about malvertising

Andrew Commons

A discussion has already occurred

On May 15 2014, according to a US Senate investigation, the current state of online advertising endangers the security and privacy of users. You can get the report via this page:

http://www.hsgac.senate.gov/hearings/online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy

It highlights the problems with the ad networks and the degree to which they are being abused. Unfortunately not much more seems to have come of it.

I have been confronted with an alert from a news web site demanding I turn off my ad blocker along with an alert from my AV software saying it blocked malicious content far too many times to consider dropping my shields.

My solution is to visit diverse news outlets that are reasonably trustworthy along with reliable free sites. In general the free sites are far better quality and actually contain news rather than click bait dressed up as news.

5
0

Osram's Lightify smart bulbs blow a security fuse – isn't anything code audited anymore?

Andrew Commons
Black Helicopters

Re: Why is it

"Also, security is not done well on PCs"

No... it should read "security is not done well".

Our (well some people's) unthinking desire to embrace new and shiny far outstrips our ability to understand and secure it.

This includes collateral damage as well as direct consequences.

7
0

IoT puts assembly language back on the charts

Andrew Commons

Re: Are there chips with no development support?

An old friend of mine refers to C as the "gentleman's assembler".

There are games you can play in assembler, such as manually overlaying use-once initialisation code and read/write storage such as I/O buffers, that I'm not sure you can play with compiled languages. If you are really memory constrained you grab at every straw :-)

0
0

Purloined password re-use checker pees in the security soup

Andrew Commons

Re: Once again, it's less of a risk to use a password manager ...

When PINs became unavoidable on credit/debit cards on this big island I reduced said cards to a minimal set where I could remember the PINs. While I was cancelling a card, in a Bank, the young person handling the transaction asked why I was doing this. I explained. They recommended that I use the same PIN on all my cards...it worked for them.

No amount of education seems to change this and the transactional middlemen - both black and white(ish) - do nothing to discourage it because they are making a killing.

1
0
Andrew Commons

It's an obvious attack

I would assume that any 'miscreant' worth their salt was on to this long ago.

2
0

Behold the ROBOT RECTUM... medics' relief

Andrew Commons

Re: Probeur

Can you imagine some of the code?

class Finger extends Anus implements Surprise{}

What would be an appropriate language for this? Squeak perhaps? Regardless it would have to be Tworing complete!

0
0

Oz doctors develop surgical robot designed to operate on your wallet

Andrew Commons

Not unexpected

To quote from the Australian AMA web site: "The AMA has adopted the World Medical Association's (WMA) Declaration of Geneva as a contemporary companion to the 2,500-year-old Hippocratic Oath for doctors to declare their commitment to their profession, their patients, and humanity."

This declaration appears to avoid these statements in the Hippocratic Oath (source Wikipedia):

"I will apply, for the benefit of the sick, all measures which are required, avoiding those twin traps of overtreatment and therapeutic nihilism."

"I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person's family and economic stability. My responsibility includes these related problems, if I am to care adequately for the sick."

So nothing surprising here then.

2
0

Malware scan stalled misconfigured med software, mid-procedure

Andrew Commons

Re: Why?

A low priority process can bring a system to its knees by getting a lock on a resource that is required by other processes and not letting go of it because it's low priority and not given much processor time.

While there are ways to reduce the impact making it go away completely is non-trivial, as is this problem.

0
0
Andrew Commons

Re: Been there, seen that

I imagine patching and rebooting would also have been problematic.

The issue here isn't the AV software as such, it is the blind adherence to its use in an incompatible environment.

There are other ways to mitigate the risks, such as isolation and tight network controls, so it's all solvable.

1
0
Andrew Commons

Re: Medico's expertise

"The surgeon is ipso facto likely to be the smartest person around and therefore probably the one who knows most about ..."

Most of these people are very specialised and know a lot about a fairly limited problem space. Dentists know how to make a fortune out of 32 teeth but I would not bet on them knowing what to do when the lid comes off the computer, or when the bonnet of a modern car is lifted (which is pretty much the same thing nowadays).

They are highly specialised, this does not equate to smart. For example, New Zealander Nigel Richards is the current (I think) French Scrabble champion, he does not speak French (see http://www.theguardian.com/lifeandstyle/2015/jul/21/new-french-scrabble-champion-nigel-richards-doesnt-speak-french ) but he does have a very good memory and really knows how to play scrabble. Many of the med students I knew going through Uni reckoned that all you needed for medicine was the ability to memorise a telephone directory :-)

6
0

You can always rely on the Ancient Ones to cock things up

Andrew Commons

Re: Ah yes....

"we had to get it out of its crate before we could move it further"

Yup...and then you get to the goods lift. Remove all packaging before it stands any chance of getting into it. Press the button for the desired floor, squeeze the bugger into the empty lift ignoring all the alarms and then pray that the doors open on the right floor :-)

Miniaturisation has taken a lot of the excitement out of technology.

3
0
Andrew Commons

Re: Ah yes....

"but I heard that her bottom wasn't really worth looking at"

You are obviously far more discriminating than I am. It took four burly wharfies to get her back up again, it was quite some bottom :-)

3
0
Andrew Commons

Re: Ah yes....

Well, if you were part of the flying squad you may have been there when the 'first in the country' VAX 8600 fell over ... physically.

It's not often you get to see the underside of one of those things. :-D

5
0
Andrew Commons
Coat

Ah yes....

Far too many years ago I was writing some commercial security software for DEC VMS systems. They had a built in account for Field Service, we had some examples in the product where this was referred to as 'Field Circus'... it was suggested by some distributors that this was not a good idea. We agreed and removed it, and then it came back, and then we removed it, and then.... It took a significant search and destroy effort covering every possible library and input to libraries across our development environments to nail it.

So situation normal really :-)

5
0

Auto vulnerability scanners turn up mostly false positives

Andrew Commons

Re: One Concern

And it has now been corrected without any comments making these comments notally inkomprehensibule.

2
0
Andrew Commons

Re: One Concern

It's on the El Reg sliding scale between Mostly and Never....

1
0
Andrew Commons

Re: One Concern

Not really. You have to take into account (a) how aggressive the scanning is, i.e. how willing the customer is to have things really broken, and (b) the context in which the scanning is taking place. If the target (customer) is sensitive then expect high false positive rates. If you are scanning from the outside network edge then internal controls that will mitigate an apparent vulnerability in a multi-stage attack may not be apparent.

It's not black and white.

1
0

C’mon Lenovo. Superfish hooked, but Pokki Start Menu still roaming free

Andrew Commons

You can always try YumCha

I recently roughed out the spec of a workstation - cabinet (it had to fit in a particular location), motherboard, CPU (fast i7), memory (32GB), 3 NICs, SSDs and spinning rust, O/S - priced the parts through retail channels and sent out requests for quotes for the built box based on the partial parts list. I ended up with a built and tested box that met my requirements for a price that matched my estimates for the parts alone, and it came with a warranty.

The result was cheaper than something equivalent from the major vendors and had no unwanted additions.

These were not cheap-end-of-the-market specifications, so it may not be something that can be replicated in that space, but it is working really well and I'm left wondering why I hadn't tried this before.

0
0

Debian on track to prove binaries' origins

Andrew Commons

I don't think this is what it is all about

"The feat will allow anyone to independently confirm that Debian binaries were built from a reported source package."

Back in about 1983 I managed a small group tasked, amongst other things, with distributing software to hospitals. Part of the QA process I introduced involved taking a release of the source code and a copy of the software used for acceptance testing. The next step was to rebuild the software from the supplied source and compare the results with the acceptance test versions. This was VAX/VMS and the undocumented CHECKSUM command was used for this comparison (CHECKSUM/IMAGE for the curious, it took out timestamps). If the two did not match it was all sent back to the developers with a 'please explain'.

Roll forward 10 years after a period of developing security software for VAX/VMS (see NIST SP 800-6) and I found myself doing something similar but more focused on determining whether the software had been built from code in the source code repository, effectively whether it was built from the approved package. This required a more detailed analysis of the information stored in the executable images and has some similarities to the initiative reported here.

So, I've done some of this stuff and have some idea of where it can come apart.

(1) Change your tool chain (even a different version of the same tool chain) or architecture and it will all probably break. The Alpha VMS compiler/linker tools did not dump the same sort of information into the binaries and it largely invalidated the VAX/VMS tools I had developed.

(2) Different build options, even when using the same tool chain and target architecture, will result in functionally equivalent but very different binaries.

(3) Anything you find embedded in an image can obviously be manipulated so even if the same architecture and tool chain and options are used the contextual information must not be trusted without additional verification.

For all of the above I think this is not the 'feat' you are looking for.

Given some binaries and a source code package, proving the link between the source code and the binaries is non-trivial (again I have some form here, having been tasked with reverse engineering the source code library that represented the executables currently in production...).

What they are testing is the statement "It should be possible to reproduce, byte for byte, every build of every package in Debian.", this is from the WIKI reference a couple of clicks on from the referenced "report note".

This has very little to do with the claim in this piece. If you have the same source code, and the same tool chain executed with the same options you should be able to prove that you have achieved the same results.

Nothing like the headline statement.

6
1
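The timestamp problem from points (1) and (2) above, as an added example that is not code from the post, from the commenter's VMS tools or from Debian's reproducible-builds tooling: a "build" is modelled as a tar archive whose members carry the build time as their mtime, the source tree is constructed, and a normalised digest drops the volatile field the way the CHECKSUM/IMAGE comparison described above dropped timestamps. Two builds of the same inputs differ byte for byte, match once timestamps are stripped, and still differ when a build option changes.

```python
"""Added example, not code from the post or from Debian's reproducible-builds
tooling: compare two builds while ignoring embedded timestamps, in the spirit
of the VMS CHECKSUM/IMAGE comparison described above.  A 'build' is modelled
here as a tar archive whose members carry the build time as their mtime; the
source tree and the outputs are constructed for illustration."""
import hashlib
import io
import tarfile

# Constructed source tree: file name -> contents.
SOURCE = {
    "main.c": b"int main(void){ return 0; }\n",
    "util.c": b"int helper(int x){ return x + 1; }\n",
}


def build(source: dict, build_time: int, optimise: bool = False) -> bytes:
    """Stand-in for a compiler/linker run.  The build time is written into
    every archive member's mtime (the volatile field), and the 'optimise'
    option changes the produced bytes (standing in for different build options)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(source):  # deterministic member order
            obj = source[name].strip()
            if optimise:
                obj = obj.replace(b" ", b"")  # crude stand-in for optimised output
            info = tarfile.TarInfo(name=name.replace(".c", ".o"))
            info.size = len(obj)
            info.mtime = build_time
            tar.addfile(info, io.BytesIO(obj))
    return buf.getvalue()


def raw_digest(archive: bytes) -> str:
    """Byte-for-byte digest: this is what a reproducible build wants to match."""
    return hashlib.sha256(archive).hexdigest()


def normalised_digest(archive: bytes) -> str:
    """Digest over member names and contents only, with mtime dropped, so a
    rebuild of the same inputs with the same options at a different time hashes
    the same way.  This is the CHECKSUM/IMAGE idea: strip the known volatile field."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for info in tar.getmembers():
            h.update(info.name.encode() + b"\0")
            h.update(tar.extractfile(info).read() + b"\0")
    return h.hexdigest()


def same_build(a: bytes, b: bytes) -> bool:
    """True when the two archives differ at most in their timestamps."""
    return normalised_digest(a) == normalised_digest(b)


if __name__ == "__main__":
    first = build(SOURCE, 1_400_000_000)   # two builds of the same source,
    later = build(SOURCE, 1_400_086_400)   # one day apart
    optimised = build(SOURCE, 1_400_000_000, optimise=True)
    print("raw bytes equal:     ", raw_digest(first) == raw_digest(later))  # False
    print("timestamps stripped: ", same_build(first, later))                # True
    print("different options:   ", same_build(first, optimised))            # False
```

The normalisation only removes the one field known to be volatile; a genuine change in inputs or options still shows up, which is the point of comparing a rebuild against the approved package rather than trusting whatever the image says about itself.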

.Bank hires Symantec to check credentials

Andrew Commons

Here we go again

In the days when SSL was young the Certificate Authorities charged more for 'high assurance' certificates that required a little bit of proof before they were issued. This was all about TRUST.

Roll the clock forward a bit... the Certificate Authorities are now offering certificates with higher assurance that will show up with a green background to prove they can be trusted....trade in your old high assurance certificates for these new green ones.

Fast forward to today...the Certificate Authorities are going to issue certificates to a special domain to prove that they are trusted...trade in your green certificates for these new ones that will really be trustworthy this time.

And tomorrow?

They just keep failing to deliver and then turn around and take more money so they can fail to deliver again.

Nice business model.

2
0

Pity the poor Windows developer: The tools for desktop development are in disarray

Andrew Commons

Situation Normal - (SNAFU,TARFU,SAPFU,FUBAR,....)

This is symptomatic of the software industry over the years. Revolution rather than Evolution.

You have a set of tools that work reasonably well, experience with them has resulted in incremental improvements, defects in new developments are dropping.

<code>
Do While i < Age of Universe
    Enter Moses i.0.
    'Hey man, look at this new platform, it is sooo cool!'
    And the multitudes are amazed and flock like lemmings to this new technology
    that has no documentation or tool support but is the FUTURE!!!
    Over time experience accumulates and tool support increases.
Loop
</code>

We are doomed.... stick with COBOL :-)

13
0

Australia mandates* cloud use by government agencies

Andrew Commons

Re: Thank goodness we've got the cloud sorted out here in the UK

@dan1980

"Some concerns are removed, some new ones are added but most still remain, albeit slightly changed."

Spot on. And now we are trying to figure out how to manage these concerns through contract management processes instead of through technical controls, and we are real beginners in this space.

1
0

Today's weather is brought to you by our sponsors

Andrew Commons

Yes, they are there

And already serving malware...the anti-malware software I use started warning me it had blocked content shortly after the ads first appeared.

Maybe our Senate should read the US Senate 14 May 2014 report "Online Advertising and Hidden Hazards to Consumer Security and Data Privacy"

1
0

Delaware pair nabbed for getting saucy atop Mexican eatery

Andrew Commons

Re: Why?

So they can use the headlines of course.

7
0

Help us out readers: How would you sniff and store network traffic?

Andrew Commons

Start simple

"the Learning Centre's WLAN and satellite WAN are both slow"

Latency will be the killer for the satellite WAN and some of this may be reflected in the local WLAN performance if 'local' requests are making it out of the local environment. DNS would be one candidate I guess.

So start by understanding what traffic is going through the satellite gateway, no need to sniff the traffic yet, just get connection logs if possible from the device itself, this should give you a good idea of what is going on with just src/dest ip and ports.

How you do this will depend on the capabilities of the gateway, best case is very careful use of remote administration access or using the VNC capabilities to get internal administration access otherwise you are facing big time latency - two day round-trip.

1
0

Comet-chasing Rosetta spies SWEATY prey

Andrew Commons

@AC

Of course, the urethra squared law.

2
0
Andrew Commons

Re Bootnote

Surely the rate at which a comet passes water is more properly measured in terms of the concepts expressed in this El Reg piece:

http://www.theregister.co.uk/2014/06/30/most_mammals_finish_peeing_within_21_seconds/

So instead of 'Olympic Swimming Pools' maybe 'Cats urinating per minute'?

5
0

DAMN you El Reg, CALL ME A BOFFIN, demands enraged boffin

Andrew Commons

Re: Reaching out

I always thought that was misspelt and the 'a' should have been a 't'....

1
0

Remember Control Data? The Living Computer Museum wants YOU

Andrew Commons

Re: Memories...

"I got used to programming save/restore points throughout large runs."

I got used to bribes :-D

I wonder what was more effective? I also had to read several boxes (2000 per box I think) of cards in on the high speed card mangler regularly so being on good terms with the operators when working out which bits of compacted card had been read and which ones you had to try and resurrect via duplication was important.

The human element has really gone out of modern computing :-D

0
0
Andrew Commons

Re: Port That Job!

Aaaaahhhh 60-bit registers on the Cybers.

Actually there were two sets of registers - A and X - which were 18 and 60 bits respectively (there may have been B as well, which were also 18 bits, in fact I'm pretty sure of it). X for data and A for address...and there were 8 of each of them. From memory, A0 was just a dumb register, A1-A5 were paired with X1-X5 and loading a value into them (A1-A5) fetched that memory location into the corresponding X register. A6 and A7 were the reverse and loading a value into them wrote the contents of X6 or X7 to memory. This resulted in quite a bit of mental gymnastics to make sure that whatever you needed to get back into memory was in one of the two registers at the right time...which is where the use of a couple of (three?) XOR operations to swap values in registers was a lifesaver.

No hardware stack of course :-)

An interesting architecture.

3
0
Andrew Commons

Re: I'm a museum piece, myself

The Cyber series were rather fun, there was a mean Startrek game on them (or at least the ones I got to play with) and an animated Snoopy that alternated between the circular main console displays. Inside they were a bird's nest of wires.

1
0

The ULTIMATE space geek accessory: Apollo 15's joystick up for sale

Andrew Commons

Because they did.

0
0

550 reasons to buy this book for your beloved: COCKROACHES of Oz

Andrew Commons

Re: Cockroach anecdote

@Anonymous IV

Google "willy cockroach".

Writers seem to be fascinated by the idea.

0
0
Andrew Commons

Re: Cockroaches aren't poisonous, right?

Well that's only one per 14,476 square kms - they do need a lot of space.

0
0

McAfee accused of McSlurping Open Source Vulnerability Database

Andrew Commons

If you read the OSVDB blog post.....

McAfee made 2,219 requests over about 3 days. This is from their web logs. Using Fiddler it looks like a single search request on vulnerability Id would produce 1 entry in the osvdb.org web logs so assume that represents the number of vulnerabilities that were looked up over 3 days...that's 2% of the database of 105,316 vulnerabilities.

I would say that that is probably automated so would breach these terms:

4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.

But it doesn't look like an attempt to grab the database.

McSlurp or McBeatUp with sour grapes as a side?

1
0
Andrew Commons

Re: Data quality?

@big_D

Possibly....but a real vulnerability reported in 1902 would be worth searching the database for...but the only way of finding it seems to be starting at 1, then 2, then.... A vulnerability discovered in the Dalton Adding Machine would rewrite computer security history!

2
0
Andrew Commons

Data quality?

From the OSVDB home page:

The project currently covers 105,316 vulnerabilities, spanning 123,155 products from 4,735 researchers, over 112 years.

The vulnerability with Id of 1 is dated 1998-12-25, presumably the 112 years comes from the date of another vulnerability...any idea which one?

1
0

The verdict is in: Samsung to pay Apple $120m chump change, but gets tiny rebate

Andrew Commons

Re: Where would we be if....

Maybe you should read some more:

http://www.nytimes.com/1989/12/20/business/xerox-vs-apple-standard-dashboard-is-at-issue.html?src=pm

Apple licensed the mouse.

5
3
Andrew Commons

Where would we be if....

Xerox PARC patented stuff?

Or maybe they did and just let it slide.

Anyone know?

6
1

A real pot-boiler kicks off Reg man's quid-a-day nosh challenge

Andrew Commons

The problem with the free food angle...

Is that there is probably a far better way of addressing the problem.

Two slices of bread with a bit of egg squashed between them will retail for between 1.50 and 2.00 quid/euros according to a bit of google.

A loaf of bread, a dozen eggs, and thou beside me in the wilderness to get the punters to stop should double the value in a morning....by the end of the week you have started a franchise and world poverty is something you are talking to Gates and Bono about.

0
0
Andrew Commons

Re: Try harder!

I've had nettles served as a component of a soup in an expensive noshery, I've actually picked the nettles used. It's not a 'Wow' experience, more novelty, but not at all unpleasant.

Fruit from trees on private land were fair game when I was a young lad...the practice was called 'scrumping'.

Shellfish are a great resource if you have access to someone who actually knows what isn't going to kill you. Collecting them helps pass the time between snacks as well.

Mushrooms were a part of my diet in the '50s and '60s, collected on the vast grass expanses of airfields.

0
0
Andrew Commons

Re: The rotters at work

I'm not sure what the price of beer in the UK is anymore but I imagine that 5 quid for a pint of really good beer would not be unheard of.

Now make it last a week.

0
0
Andrew Commons

Try harder!

Have a look at this:

http://www.bbc.com/news/business-22263706

And check out Jack Monroe in the Guardian.

You can also look for road kill while collecting the wood and maybe throw bits of wood at the wild life - something that used to be quite effective once upon a time here in the realm of Vulture South :-)

cheers

Andrew

3
0

Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

Andrew Commons

There are a lot of comments here...

...so this may have been covered already. Apologies if it has.

Some poor guy is now being pilloried as being responsible for this because he 'committed' it. The real culprit is the QA process that led up to that commit. Name them.

That's all.

1
0

Ethical hacker backer hacked, warns of email ransack

Andrew Commons

Ethical Hacking <> Any Idea of Governance

Amusing.

They may be certified to hack you but they have no $%$^ idea how to protect you.

Cloud comes with a whole range of risks that are very difficult to address. They obviously did not employ their own 'skills' on their own Cloud provider.

Or maybe they did...which gives you a lot of confidence in their 'certified' graduates.

3
1

A potted history of cloud computing

Andrew Commons

Re: What about financial security/

MegaUpload - Kim DotCom - if I have the references correct.

You should have no confidence if it is 'freemium' and limited confidence otherwise. They can be located anywhere and you probably don't have the $$$$'s to chase them if they decide to dump you.

0
0
Andrew Commons

@boltar Re: Oh the security....

The resources required are in this case related to the effort dedicated to governance. This doesn't really correlate with the complexity of individual systems but will be correlated with the complexity of the systems run across the organisation and the impact of a compromise of those systems.

Looking at it from a different perspective, Email may be (relatively) simple (ever configured sendmail?) but the contents of email will be very sensitive. This warrants a high level of governance.

So the simplicity of the technology is trumped by the sensitivity of the information it maintains.

2
1
Andrew Commons

@Mike Pellat Re: Oh the security....

It comes down to whose contract is being executed. If it is the service provider's then what you say is very true. If, on the other hand, it is your contract in your jurisdiction then you may have a leg to stand on. But if it is a big provider you are probably signing their contract.

0
0
Andrew Commons

Oh the security....

"Some mission-critical enterprise apps will not lend themselves to cloudification and security concerns for some will trump cost considerations. But why would you not use cloud versions of software such as CRM, email, billing and office apps?"

This is all from a very jaundiced security perspective, and it is only scratching the surface.

Due Diligence.

A good starting point is probably ISO27K certification to verify that the controls are documented and then SOC1 and SOC2 certification to verify that the controls are being operated effectively. Map this to a not uncommon scenario where the 'service provider' you are dealing with is using compute infrastructure from a second party who is, in turn, using physical facilities from a third party. The physical guys may have heard about SOC1 and may well have ongoing certification because it's good for business, the layer up may have heard of ISO27K and are likely to be getting certification 'any time now' but a SOC2 will bring a wrinkle to their brow. The organisation that your business wants to deal with is looking at you blankly on all fronts.

Stop that or you will go blind.

Are you getting on top of your network/system/application/user/admin/.... monitoring? Have a SIEM and starting to get some value out of it? Factored that into your Cloud solution? So you have events arriving via syslog or you are polling using WMI to get a view of your assets that is comparable to that which you get with on-premise solutions? Dream on.

Dependence on exposed services.

Calling web services or doing other fancy stuff with DNS resolution on public DNS servers? Are you factoring in the risk of these services being compromised? The more entangled you get from an infrastructure perspective with your cloud service provider the greater the likelihood that you will have to start looking at these issues.

Human resources.

Disgruntled employees. Is it a concern for you within your organisation, how do you deal with them? How do all the potential organisations in your supply chain deal with them (see Due Diligence)?

Procurement.

There are some interesting challenges here. Is the cloud provider signing a contract with you or are you signing a contract with them? If the latter then you are going to have very little control. The whole due diligence here will also be way beyond your procurement folk and concepts like data sovereignty are going to take a lot of explaining. If you are also moving into an environment where data breaches can attract serious penalties (like here in the land of Vulture South) then you have to try and factor that into the contractual arrangements.

Contract Management.

So you have a contract. Fabulous. Has anyone seriously seen all the clauses in the contract managed and enforced? Have you estimated how much effort that will take given that you have lost visibility of a lot of things that are important?

Conclusions...

"CRM, email, billing and office apps". These are all probably significant if you have data breach legislation.

Is it really worth the effort?

6
0

Malware-flinging Linksys vulnerability confirmed as a HNAP1 bug

Andrew Commons

Since June last year

I have seen GET /HNAP1/ HTTP/1.1 requests dropped at my (personal) edge servers. It ramped up in December last year.

So it has been known for quite a while?

1
0
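Two observations on this page concern what a site operator sees in their own logs: the OSVDB post above estimates 2,219 look-ups over about 3 days from one party and cites the site's term against enumeration, and this post notes GET /HNAP1/ requests being dropped at the edge. The following is an added example, not code from either post, from OSVDB or from The Register, that runs both checks over constructed Combined Log Format lines: it flags a client that walks consecutive vulnerability IDs at volume inside a time window, and it counts hits on the HNAP1 router-management path. The lookup URL shape (/show/osvdb/N), the client addresses and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the posts above): operator-side detection over
web server access logs for (a) programmatic enumeration of sequential IDs
by one client and (b) probes of the HNAP1 router-management path.
All log lines, addresses, URL shapes and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed shape of a single-ID lookup URL on the site being protected.
ID_RE = re.compile(r"^/show/osvdb/(?P<id>\d+)$")


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def find_probes(records):
    """Requests for /HNAP1 on a host that is not a router are scanner noise;
    count them rather than serve them."""
    return [r for r in records if r["path"].rstrip("/").upper() == "/HNAP1"]


def find_enumerators(records, min_lookups=20, window_s=3600, consecutive_fraction=0.8):
    """Flag clients whose ID look-ups inside any window of window_s seconds
    number at least min_lookups and are mostly consecutive (b - a == 1).
    A human browsing a handful of entries never trips this; a crawler does."""
    by_ip = defaultdict(list)
    for r in records:
        m = ID_RE.match(r["path"])
        if m:
            by_ip[r["ip"]].append((r["ts"], int(m["id"])))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()  # time order
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count < max(min_lookups, 2):
                continue
            ids = [i for _, i in hits[start:end + 1]]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps / (count - 1) >= consecutive_fraction:
                if ip not in flagged or count > flagged[ip]["lookups"]:
                    flagged[ip] = {"lookups": count, "first_id": ids[0], "last_id": ids[-1]}
    return flagged


def analyse(lines):
    records = [r for r in map(parse, lines) if r]
    return {"probes": len(find_probes(records)), "enumerators": find_enumerators(records)}


def constructed_lines():
    """Constructed sample: one client walking 30 consecutive IDs a minute apart,
    one client looking up three unrelated IDs, and one HNAP1 probe (RFC 5737 addresses)."""
    base = datetime(2014, 5, 16, 3, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /show/osvdb/{1000 + i} HTTP/1.1" 200 5120')
    for i, vid in enumerate((42, 77777, 105000)):
        ts = (base + timedelta(minutes=7 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.9 - - [{ts}] "GET /show/osvdb/{vid} HTTP/1.1" 200 4096')
    ts = (base + timedelta(hours=2)).strftime(TS_FMT)
    lines.append(f'192.0.2.33 - - [{ts}] "GET /HNAP1/ HTTP/1.1" 404 162')
    return lines


if __name__ == "__main__":
    print(analyse(constructed_lines()))
```

The sliding window keeps memory bounded to one client's hits and reports the largest run seen, so a report shows how far through the ID space the client got; the consecutive-step test is what separates a crawler stepping 1, 2, 3... from a researcher jumping between unrelated entries.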
