Recently in Infosec Category

Bruce Schneier: Blaster and the Blackout

Comments (8) | TrackBacks (0)

In the latest Crypto-Gram, Bruce finds signs of the Blaster worm in the official interim report on the August 14th blackout.

Let's be fair. I don't know that Blaster caused the blackout. The report doesn't say that Blaster caused the blackout. Conventional wisdom is that Blaster did not cause the blackout. But it seems more and more likely that Blaster was one of the many causes of the blackout.

BTW, if you're in infosec and not subscribed to Crypto-Gram you are a silly goose.

Identity Theft

Comments (0) | TrackBacks (0)

The SANS Institute, as part of its regular series of Wednesday Webcasts, departed from its normal focus on IT-oriented Information Security to focus on personal Information Security, or Ten Ways to Hack Proof Your Identity. Identity theft is an increasingly important topic that EVERYONE needs to be aware of, lest you end up fighting thousands of dollars in bad credit rung up by someone who swiped your credit history for their own purposes. While you generally aren't liable for the charges on a credit account (debit cards have different rules), the average cost to fix such a problem is 600+ hours over several years, and over $1000 in personal expenses. Don't buy the hype from your credit card company or the credit agencies who offer you 'protection' for a few extra dollars a month. There is no way for them to protect you from ID theft that doesn't involve you being more vigilant. At this point, no one can protect you but you. It's also important to realize that this is not an online-only problem. I would wager that most ID theft takes place via stolen mail left in mailboxes. Take the time to at least glance over the slides, and take the "Identity Quotient Test". Simple behavior changes such as buying - and using - a shredder, removing your name from pre-approved credit lists issued to credit companies by the credit agencies, and more secure handling of documents could save you a lot of headaches.

The webcast does require you to register with SANS - something anyone interested in Infosec should already have done - but you can always sign up and ask them not to send you any of their newsletters if you aren't interested in the topics they cover.

Good news on the electronic voting front. I thought I had mentioned the Voter Confidence and Increased Accessibility Act of 2003 before in this space, but apparently I had not. In any case, this bill, assuming it passes, should address all of the concerns about the auditability of electronic voting in time for the November 2004 general election.

As criticism of electronic voting systems heats up across the nation, three Republicans have signed on to support a bill that would force e-voting machines to produce a paper trail. Previously only Democrats had vowed to support the bill.

Republican congressmen Tom Davis of Virginia, Christopher Shays of Connecticut and New Hampshire's Charles Bass have agreed to co-sponsor the Voter Confidence and Increased Accessibility Act of 2003, which was introduced to the House in May by Rush Holt (D-N.J.).

The bill would require electronic voting machines that currently don't offer a paper trail, such as touch-screen voting machines, to produce a receipt. The receipts would allow voters to verify that a machine recorded their vote correctly and would be used as an audit trail in case of a computer malfunction or other election irregularity.

There are currently 74 co-sponsors of the bill. Davis, Shays and Bass, however, are the first Republicans to sign on as co-sponsors. Davis is the former chair of the Republican Congressional Campaign Committee.

Congressman Holt said voter receipts should not be a partisan issue, as all parties should be concerned about the integrity of voting systems.

In other electronic voting news, David Chaum, noted cryptographer, inventor of eCash and founder of DigiCash (a mid-90s neighbor of mine at CWI/SARA in Amsterdam), has been working with other cryptographers to come up with a very interesting way to provide voters with take-home receipts without the vote-selling concerns that have made this illegal in the past.

The new type of receipt is printed in two layers by a modified version of familiar receipt printers. You can read it clearly in the booth, but before leaving, you must separate the layers and choose which one to keep. Either one you take has the vote information you saw coded in it, but it cannot be read (except with numeric keys divided among computers run by election officials).

The half you take is supplied digitally by the voting machine for publication on an official election website. These posted receipts are the input to the process of making the final tally. A lotto-like draw selects points in the process that must be decrypted for inspection, but not so many points as to compromise privacy. Anyone with a PC can then use simple software to check all such decryptions published on the website and thereby verify that the final tally must be correct. Such an audit cannot be fooled, no matter how many voting machines or other election computers are compromised or how clever or well-resourced the attack.
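To make the two-layer receipt concrete, here is a simplified byte-level model added for this post (it is not Chaum's actual scheme, which works on visual pixel patterns and runs the tally through mixnets): each layer is half trustee-keyed pseudorandom pattern and half vote-bearing, the overlay (XOR) of both layers shows the vote in the booth, and a trustee holding the keys can recover the vote from whichever single layer the voter kept. The trustee keys, ballot serial and vote below are constructed values.

```python
import hmac
import hashlib


def pad(key: bytes, serial: str, length: int) -> bytes:
    """Trustee-keyed pseudorandom pattern for one ballot (HMAC-SHA256 in counter mode)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, f"{serial}:{ctr}".encode(), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def print_receipt(k_top: bytes, k_bot: bytes, serial: str, vote: bytes):
    """Return (top, bottom) layers. Each vote byte appears once at an even and once at an
    odd index; even positions carry the vote on the top layer (masked by the bottom pad),
    odd positions carry it on the bottom layer (masked by the top pad). The remaining
    positions of each layer are pure pad, so either layer alone looks random."""
    v = bytes(vote[i // 2] for i in range(2 * len(vote)))
    pt, pb = pad(k_top, serial, len(v)), pad(k_bot, serial, len(v))
    top = bytes(v[i] ^ pb[i] if i % 2 == 0 else pt[i] for i in range(len(v)))
    bot = bytes(pb[i] if i % 2 == 0 else v[i] ^ pt[i] for i in range(len(v)))
    return top, bot


def overlay(top: bytes, bot: bytes) -> bytes:
    """What the voter reads in the booth: both layers combined cancel every pad byte."""
    combined = bytes(a ^ b for a, b in zip(top, bot))
    return combined[0::2]  # drop the duplicate copy


def trustee_decode(k_top: bytes, k_bot: bytes, serial: str, layer: bytes, which: str) -> bytes:
    """Recover the vote from the one layer the voter kept, using the trustee keys to
    regenerate the pad that masked its vote-bearing half."""
    n = len(layer)
    if which == "top":
        pb = pad(k_bot, serial, n)
        return bytes(layer[i] ^ pb[i] for i in range(0, n, 2))
    pt = pad(k_top, serial, n)
    return bytes(layer[i] ^ pt[i] for i in range(1, n, 2))


def demo():
    k_top, k_bot, serial, vote = b"trustee-top-key", b"trustee-bottom-key", "ballot-0042", b"CANDIDATE B"
    top, bot = print_receipt(k_top, k_bot, serial, vote)
    kept = bot  # voter chooses a layer after reading the overlay; the other is destroyed
    return overlay(top, bot), trustee_decode(k_top, k_bot, serial, kept, "bottom")
```

A wrong trustee key yields garbage rather than the vote, which is the property the published half depends on.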

SANS Top 20 Vulnerabilities v4.0

Comments (0) | TrackBacks (0)

One of the few useful things the FBI's (now the DHS's) NIPC has ever done is work with SANS to produce the SANS Top Twenty. A new version was released this week. It's a great resource for those that don't sit around thinking about risk mitigation all day long.

Three years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty lists that followed one and two years later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to the examples above - Blaster, Slammer, and Code Red, as well as the NIMDA worms - are on that list.

This updated SANS Top Twenty is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX and Linux. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services.

Verisign's Wildcard Stupidity

Comments (0) | TrackBacks (0)

A few weeks back, Verisign implemented a wildcard in the .com and .net top level domains, which they are responsible for managing. What this means is that non-existent names, rather than getting an error returned from the TLD servers saying they don't exist, resolve to a Verisign server, which provides search services, and presumably tracks what folks are mistyping. This is a fairly common practice amongst some of the smaller TLD providers, but it has caused quite a stink in this case because of the size of these TLDs, and the unanticipated (by Verisign at least) side-effects. ICANN - the folks who dole out TLD registries amongst other responsibilities - tried asking nicely and were rebuffed. On Friday they put their foot down. This will get interesting and should serve as a bellwether for commercial control over Internet operations.

Given the magnitude of the issues that have been raised, and their potential impact on the security and stability of the Internet, the DNS and the .com and .net top level domains, VeriSign must suspend the changes to the .com and .net top-level domains introduced on 15 September 2003 by 6:00 PM PDT on 4 October 2003. Failure to comply with this demand by that time will leave ICANN with no choice but to seek promptly to enforce VeriSign's contractual obligations.

A good summary of ICANN's investigation is here. Related blogosphere commentary is here.

Dan Geer Dismissed for Dissing Microsoft

Comments (2) | TrackBacks (0)

This is just plain stupid. I'm sure more gossip will come out about this in the next few days, but, to quote Richard Forno's comments on the ISN mailing list today: "and we wonder why IT security will never really improve". For those unfamiliar with Geer, he's a long-time computer security heavyweight who's largely responsible for the merger of Boston hacker staple L0pht Heavy Industries and @stake a few years back, which, as far as I'm concerned, "made" @stake and was a major milepost on the slow and steady decline of the computer underground.

A computer security expert who contributed to a paper deeply critical of Microsoft has been dismissed by his employer, a consulting company that works closely with the software giant.

Dan Geer, a longtime computer security researcher, and several colleagues released a controversial study on Wednesday that called the ubiquity of Microsoft software a hazard to the economy and to national security. Although independently financed and researched, the study was distributed by the Computer and Communications Industry Association (CCIA), a Washington-based trade association largely made up of Microsoft's rivals.

ACM Classic: Reflections on Trusting Trust

Comments (0) | TrackBacks (0)

While reading through a mailing list today, I came across a collection of papers that touched on something that interests me. How can you make something trusted out of something you can't trust? As an example, how can you trust that precompiled compiler not to insert a backdoor into your code? I'm linking to the papers here for reference's sake, but some of you might find them interesting.

The first document is a lecture given by Ken Thompson on the occasion of winning the ACM's Turing Award.

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

I've seen this lecture before, but Thompson acknowledges an "Unknown Air Force Document" as the source for his inspiration of a self-replicating trojan. Apparently at some point someone figured out which document it was.

Multics Security Evaluation: Vulnerability Analysis

Last year the original authors issued an update to the paper, comparing the computer security posture back in 1974 with the situation today, and find that things have gotten worse.

Thirty Years Later: Lessons from the Multics Security Evaluation

Diebold Election Systems - GEMS Information

Comments (2) | TrackBacks (0)

What's wrong with the picture of the Diebold Global Election Management System? I know at least one reader will see it.

I came across this link in an interview with blackboxvoting.com's Bev Harris on Salon today that some of you might find interesting.

Bill Joy interview

Comments (2) | TrackBacks (0)

The Denver Post has a short interview with Bill Joy, the retiring co-founder of Sun.

Q What do you plan to do next?

A After 28 years, talk to people, look around, and write some software myself (group of one). I'm still very interested in reliable software and computing; I'd love to write some (Java) software, which helped somehow with the vulnerability of the Net. I haven't worked out how this could happen, but I am going to think about it.

TIA trinkets

Comments (0) | TrackBacks (0)

The Total Information Awareness program may have removed its ominous logo from its Web site -- but you can still get your TIA-insignia T-shirts, teddy bears, mugs and thongs! Hurry, though, they're going fast (into detention)!

I want the greeting cards in hat form.

[via Scott Rosenberg's Links & Comment]


About this Archive

This page is an archive of recent entries in the Infosec category.


Powered by Movable Type 4.01