
Showing posts from 2011

Creating an Encrypted Bootable OSX Lion USB Recovery Disk

With Apple's latest operating system release, 10.7 (Lion), they have included a number of new features which make it a bit more convenient to both back up and secure your data in case of a failure.  In this short post I'll explain how to use a generic external drive to make a secure bootable disk for your Mac.

First, a disclaimer and some assumptions regarding your setup.  I have used these instructions to get a working disk on my setup, but this does not mean that the same steps will work for you, so use caution, and if anything goes wrong please feel free to add to these steps.

I am also assuming that you are using the latest operating system patches for OS X; I'm at version 10.7.2.

Step 1 - Connect and prepare your external USB drive.

Connect your USB disk and open Disk Utility.
Change the partitioning scheme of the disk to include two partitions: a 1GB partition, and a partition using the remaining disk space.  I named one RECOVERY and the other TIMEMACHINE.  Ensure that…

Announcing new team member - Benoit Desforges

I'm very pleased to announce that we've added another significant resource to our team.  Our new advisor Benoît Desforges brings international experience and a fresh perspective on information risk management.

Prior to joining, Benoît worked for KPMG's advisory group.  He holds several professional designations, including CISSP, CISA, GCIH, and GAWN.  When he's not teaching advanced networking courses for a local university, Benoît enjoys travel and time with his family.

Benoît will be providing our clients with security advice and building out a number of new and improved professional service offerings.  He'll also be a regular contributor to our blog.  Congratulations Benoît!

New Trust Solutions

With all of the activity circling around SSL certs and CA trust, there is an inherent trust problem.  Internet users have been taught to trust the PKI scheme that we use for all secure browsing activity.  There are two very valid cases for the destruction of this trust:

1.  Law-enforcement / Government interception.  There are product vendors whose business model is to supply equipment to law enforcement and government clients which can "lawfully" intercept communications without the knowledge of the end user.  An example is www.packetforensics.com.  Although I do not have a link (can anyone supply a corroborating link?), there are several product pages that are not publicly accessible which would likely confirm this fact.  In order for these products to work, the SSL certs that are used would have to be trusted by the browser software to avoid being detected as untrusted.  I am theorizing that these certs would be generated by one of the trusted roots within the existing…

Blindly Trusted Roots

With both Comodo and DigiNotar having had their security breached, it highlights some of the important trust issues we have on the Internet.  The process of trusting these root CAs is extremely important, as they serve as the foundation of protecting our information as it is transmitted across public and untrusted networks.

Both of the breaches resulted in fraudulent certificates being issued and used to impersonate high-traffic sites such as Google, Yahoo, Skype and live.com properties.  These certificates were used to trick browsers (and users) into thinking that they were connected to a valid site, when they were not.

More important, though, is the realization that the trust in the root CA system on the Internet has been eroded.  With two publicly disclosed breaches, how many undisclosed breaches have there been, and how many breaches of these CAs have not even been discovered?

While the use of fraudulent certificates on high-volume consumer sites is a big issue, th…

Application Security - Don't Wait for the Breach

The ongoing Sony saga, the Conservative Party, and now Codemasters.  High-profile breaches of data are becoming everyday occurrences.  Reports like Verizon's DBIR indicate that more than 90% of these incidents would have been avoidable using basic security controls.  TripleCheck offers straightforward assessment services to ensure that your organization is prepared to meet these challenges.  Call or email us today to gain assurance over the security of your environment.

May Security Catch-up

It's been much too long since my last post: Sony's PSN network has been breached a few times, a record number of vulnerabilities have been published, and the US government has released a new set of cyberspace strategies.

On the cool tools and technologies front, there have been lots of notable releases:

Some research from Albert Cotesi of New Zealand on the traffic flowing from iOS to 3rd parties, now sniffable thanks to mitmproxy, and instructions on getting it working with iOS.
As always, sqlmap is making life easier for the vulnerability assessor and pen-tester.
Microsoft has released an update to the Enhanced Mitigation Experience Toolkit; I'll be looking into this over the next few weeks, and how it can be applied practically.
A new major version of BackTrack has also been released, for those of you that are still relying upon live CDs as a source for tools.

RSA SecurID Information Breached

In a disclosure made by RSA today, they indicated that they have been breached by an "extremely sophisticated cyber attack" which has partially compromised the SecurID information that millions of clients use to provide strong authentication to services.

It is not yet clear what information was breached or what the impact will be to RSA customers, but for now I would suggest that people stay tuned to ensure that they take appropriate action based on what RSA and others release.

Update 1 - I found the recommendations made by RSA to customers regarding how to better protect their environments.  I have added my comments on what these recommendations could mean to RSA.

• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.

This could mean that part of the RSA breach was associated with a social media application attack vector, maybe employees reusing pass…

Canada's Federal Government Targeted in "Cyberattack"

A couple of news outlets are reporting a new attack which has resulted in unauthorized access to "highly classified federal information in two key departments".

There isn't much to the story at this point, other than that it appears some lock-down of Internet services has taken place at the affected agencies, and some analysts' reports seem to point the finger at China.

The real story here is that the storyline starts "An unprecedented cyberattack...", when from the details released so far it would appear that this is simply another routine spear-phishing attack against a valuable target.

Some of the scarce technical details regarding the attack include:

"The hackers apparently managed to take control of computers in the offices of senior government executives as part of a scheme to steal the key passwords.."

"Canadian government cybersecurity officials immediately shut down all internet access at the Finance Department and the Treasury Board, …

Microsoft Attack Surface Analyzer - Review

As part of their involvement at the Black Hat security conference in Virginia, the Microsoft security team has released a new beta of a tool to assist security analysts in understanding the security impacts and effects that result from installing software whose installation actions are unknown.
The Attack Surface Analyzer, or ASA for short, is based on a slightly dated but still very relevant Carnegie Mellon paper on measuring attack surfaces - link.  The beta product implements a few of the methodologies discussed by creating baselines of system information before and after the installation of the target software, then analyzing the differences noted and providing an analysis based on a predefined set of security properties (set by Microsoft).
This approach is not new; however, Microsoft's product makes the work of baselining, analyzing and reporting extremely easy, with an easy-to-read browser-viewable report generated for the analyst.
I decided to test this tool out with sof…

Business Browsing Insecurity

Just finished my talk on browser insecurity for the Calgary ISACA chapter.  Thank you to those who attended.  The intention of the topic isn't to scare people, but to help inform those that only hear from vendors regularly regarding the state of their controls.

Here is a link to the presentation in both PDF (with speaking notes) and PPT formats.

PDF Presentation
PPT Presentation

If anyone wants to continue any of the discussions we had afterward please feel free to email or call me.

PCI-DSS Version 2.0 - Standard Effective

If you've stayed connected to the PCI-DSS world, you'll know that version 2.0 of the standard was released late last year.  As of January 1st, 2011, stage 2 has begun, which means the standard becomes effective.  Unfortunately, this only means that stakeholders (merchants, processors, etc.) should start using the new standard and not the old, not that the standard provides effective security (it would be nice if you could just announce that kind of thing).  Here is a link to the standard's lifecycle to make this clearer.

Keep in mind that you can still use the old standard for compliance reporting for 14 months, but if the new standard is available, it's likely a good idea to get a handle on the changes and how they'll affect your compliance program.

Encryption Fails - Embedded SSL Keys - PS3 root keys

A couple of noteworthy failures in the implementations of encryption.

The littleblackbox project over at Google Code aims to provide a list of all of the private keys embedded into device firmware by vendors that are too lazy to create unique private keys per device.  This includes consumer devices, some commercial devices, basically anything that has a private key embedded in common firmware shipped with the device.  Once you have the private keys you can then decrypt future communications from the devices (read: admin interface traffic, SSL VPN session negotiation, etc.).

This affects lots of products and software including many of the popular dd-wrt devices.

If you want to add to the list of recognized private keys, simply download the binwalk tool and feed it a firmware file from your device.

It also appears that the root encryption key from Sony's PS3 game console has been discovered and posted by Geohot on his site.  Here is a video from fail0verflow's explanation of the weaknesses…

Google's Michael Z Releases a Contentious New Tool - cross_fuzz

Lcamtuf (Michael Zalewski) has released a tool to test browsers for security issues by walking the DOM, injecting values into a large number of objects, and triggering garbage collection by destroying the created objects.  A more detailed explanation of the tool and how it works can be found here:

http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

The interesting part is that Microsoft had previously asked to have the tool's release delayed due to an unpatched vulnerability discovered in the IE browser, exploitable on XP.  Michael declined to delay the release, stating that he had reason to believe that possibly nefarious individuals were aware of the bug and may be exploiting it in the wild.

Some commentary over at Slashdot here.

Interesting start to 2011!