A Programmer explores the IT Security field, offering packets of useful information he picks up along the way.

Archive for August, 2007

Living in the present

August 31, 2007 By: admin Category: Uncategorized No Comments →

I read a nice post on “Securitycatalyst.com” that made me stop and think. We really need to appreciate the here and now. Sometimes I’ll look at my kids; they understand what it means to live life in the present moment. There is so much going on in our heads, so many thoughts. Do you ever stop to reboot? Clean out the cache? I like to sit quietly sometimes and just follow my breath; if a thought comes in I let it pass gently. This little meditation can be very relaxing. I’m a firm believer that this type of practice on a daily basis is especially essential in today’s high-tech world. As security folk, we also have to appreciate what we have. There are so many things to be grateful for. Let’s stop, think and thank on this long Labor Day weekend. Thank you Security Catalyst for the nice post.

Bofa Busted

August 24, 2007 By: Ron Category: Internet security, Phishing 1 Comment →

One of the banks I use is Bank of America. When I first signed up for online access I was asked to create a SiteKey, and I thought, wow, this is clever security. SiteKey attempts to prevent phishing attacks by displaying, upon login, a graphic image that the user has set up themselves and given a unique name. This is accomplished by using a secure cookie that is stored on the user’s computer; when you log in, the server verifies some encrypted data in the cookie and presents you with your image. The premise is based on the theory that if you see your unique image and name, you can be certain that you are logging into their authorized website and not someone pretending to be Bank of America (a phishing scam). That sounds all well and good, right? Not exactly, since a clever hacker using social engineering might just be able to get away with grabbing your logon credentials and hijacking your account. The proof of concept demonstrated here uses a man-in-the-middle attack.

Here is the definition from Wikipedia:

In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims….

The breakdown occurs because there needs to be a way to let someone log on from a new computer. Let’s say you want to check your balance at work. BOA will ask you a secret question, and if you answer it correctly you will get that cookie, so future logon attempts from that computer won’t need to ask you a security question. Once that is set, all future visits to the BOA site will show you your SiteKey graphic once you put in your username.

Here is how the grad student Christopher Soghoian did it. You get an email from a phisher that looks like a BOA email, logo and all. Inside the email is a link telling you to log on to your account. You click on the link and are directed to a phisher’s site that looks exactly like BOA’s website. The malicious site asks you for your login ID, and you type it in. The phisher site goes off (behind the scenes) and grabs your security question. This is normal, since BOA allows you to log on from multiple computers and assumes you are signing on from a computer you don’t normally use. The phishing site presents the security question you set up when you first signed up with BOA. Then the phisher site goes out to BOA, uses your answer to get your SiteKey, and presents it to you on a page that looks perfectly like BOA. You’re like, “hey, that’s my SiteKey, all must be well,” and you proceed with typing in your password. Your login credentials are now known by the bad guys; you have become a victim of a phishing attack. Some do say that, in reality, this attack could not actually be done, since BOA uses clever monitoring tools provided by RSA that would trigger an alarm if the same IP address repeatedly requested this type of first-time login. In any case, it just goes to show how careful and vigilant one should be when entering private information online.

Here are some tips to avoid getting phished:

1. Never ever click on a link to log on to any site from an email. If you stick by that rule, you should be fine. Log in by typing the address directly into your browser or use a bookmark.

2. Always look for the security lock to the right of the address, or glance at the address bar to see if the URL starts with https. If not, close your browser (don’t even think of logging on). The video of the attack done by Chris shows the lock to the left of the address bar, which actually threw me off for a second until I saw “http://” without the “s” (very clever indeed).

3. Think about getting some anti-phishing software that you can download. Firefox has this technology already built into it.
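The monitoring angle mentioned above, as an added example (not code from the post or from Bank of America): a phishing proxy has to fetch each victim’s security question from the real site, so one source address ends up requesting challenge questions for many different usernames in a short window. The log format, addresses and thresholds below are constructed for illustration.

```python
"""Flag source IPs that request security questions for many distinct users.
Added example; the log layout and all values are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict

# Constructed server log: timestamp, client IP, username, event.
# 198.51.100.7 behaves like a relay proxy: four different users in 11 seconds.
# 203.0.113.5 is one user retrying, which is normal and must not be flagged.
LOG = """\
2007-08-24T10:00:01 198.51.100.7 alice challenge_question
2007-08-24T10:00:03 198.51.100.7 bob challenge_question
2007-08-24T10:00:04 203.0.113.5 carol challenge_question
2007-08-24T10:00:09 198.51.100.7 dave challenge_question
2007-08-24T10:00:12 198.51.100.7 erin challenge_question
2007-08-24T10:00:15 203.0.113.5 carol challenge_question
2007-08-24T10:15:00 198.51.100.7 frank challenge_question
"""


def flag_challenge_abuse(log: str, max_users: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {ip: peak distinct usernames} for every IP that asked for
    challenge questions for more than `max_users` distinct usernames
    within any sliding `window`. Repeats by the same user do not count."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    flagged: Dict[str, int] = {}
    for line in log.splitlines():
        ts, ip, user, event = line.split()
        if event != "challenge_question":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while q and now - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_users:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(flag_challenge_abuse(LOG))   # {'198.51.100.7': 4}
```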

Parallels - VM Software for the Mac

August 07, 2007 By: Ron Category: Apple, Virtual Machine No Comments →

I mentioned in a previous post that I am a Mac switcher. We bought a Mac in February of 2006 when Apple made their historic switch to Intel processors. We love our 20 inch iMac. We are heavy iLife application users and really appreciate the reliability and overall computing experience on the Mac. In this day and age though, it’s hard to get away without one or two Microsoft applications. For me that one program is Microsoft Money. I’ve tried the other personal finance programs offered on the Mac platform, Quicken for Mac and MoneyDance, but the only one I really like is Microsoft Money, which is not available for the Mac. Parallels for Mac allows me to run this Windows program right on my Mac!

There are two approaches to running Windows on your Mac. The first is offered by Apple and is called Boot Camp. Boot Camp gives you a program on your Mac that guides you into running Windows surprisingly quickly. You do need a copy of Windows; I used Windows XP. Boot Camp now supports Vista as well. With Boot Camp you decide which OS you want to run at boot-up time. A downside of using Boot Camp is that you can’t run Windows and Mac OS X simultaneously, side by side. Since Boot Camp gives you all the drivers during the install, options such as the right click on the mouse work, and iSight video works in Windows. This is a nice option for someone who is a little nervous about making the switch to the Mac.

The other approach is to use a virtual machine, referred to as a “VM”. A VM is software that creates a virtual computer for a guest OS and its programs to run in. The user interacts with the VM as if it’s a separate OS, and the guest OS thinks it’s the only OS using the computer. The benefit of using a VM is that you can run multiple OS’s side by side simultaneously. The VM is essentially running a software virtual OS and needs its own RAM to run; therefore, a minimum of 1 gig on your Mac is essential. I have 2 gigs on my Mac and I allocated 512 to the VM, which is running XP. I’m currently trying out Parallels for Mac.

Parallels is able to run my Boot Camp partition, so it was not necessary to reinstall Windows. I’m very happy with Parallels. There is a lot you can do, like saving snapshots of your VM. Say you are about to install something from online on your VM OS that you’re not sure you want to keep. You can create a snapshot before the install on XP and then revert to that point if you find out it was spyware or something else nefarious. You can also share files between OS X and the VM (XP in my case). Here is a snapshot of my Parallels screen in which I’m running a few OS X programs and, in the VM, XP with IE open to my blog.

Software and the random number challenge

August 06, 2007 By: Ron Category: InfoSec 101 1 Comment →

In the security field, random numbers are critical for generating encryption keys, such as when you connect to your bank site over an SSL (secure) connection. It is widely accepted that computers by themselves cannot generate truly random numbers, because “chance” is not part of a computer’s characteristics. It is very difficult to program a computer to do something by chance.

Wikipedia defines an algorithm:

“In mathematics, computing, linguistics, and related disciplines, an algorithm is a finite list of well-defined instructions for accomplishing some task that, given an initial state, will terminate in a defined end-state.”

Programs are written using algorithms, instructions that the computer follows exactly, and are therefore entirely predictable. This is where pseudo-random numbers come into play. Pseudo-Random Number Generators (PRNGs) are algorithms that use mathematical formulas to produce a series of numbers that appear to be random. PRNGs are also deterministic, meaning that if the original starting point is known, the same sequence of numbers can be generated again at a later point. That starting point is known as a ‘seed’, a number needed to initialize the PRNG. If the seed is known, then the random numbers or keys can be determined, and that is precisely why a good random seed is critical. In some cases the random seed is deliberately shared between two systems. The seed then becomes the secret key, and each system is able to generate a matching sequence of random numbers, which can be used to sync up remote systems.

The other method used to generate random numbers is the True Random Number Generator (TRNG). In this method randomness is introduced from physical phenomena independent of the computer. A really good example of a physical phenomenon used for this is radioactive material: the rate at which it decays is truly unpredictable. Another physical phenomenon is atmospheric noise, also a truly unpredictable source.

Both the TRNG and the PRNG method have their own set of characteristics. For example, a PRNG is extremely efficient, in that a series of random numbers can be generated in a very short time period. The TRNG method, on the other hand, is not efficient. TRNGs are non-deterministic and PRNGs are deterministic. It is important, therefore, to understand how an application uses random numbers and to pick the appropriate generator or method for that application.
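An added example (not from the original post) of the two points above: a deterministic PRNG regenerates the same stream from the same seed, which is what lets two systems sync from a shared secret seed, and a seed drawn from too small a space can be recovered from a few observed outputs. The generator is the Park-Miller “minimal standard” linear congruential generator; the 16-bit seed space is a constructed illustration.

```python
"""PRNG determinism and why the seed needs real entropy (added example)."""
from typing import List, Optional
import secrets

MOD = 2**31 - 1   # x_{n+1} = 48271 * x_n mod (2^31 - 1): a formula, nothing random in it
MULT = 48271


class Lcg:
    """A tiny PRNG: the same seed in gives the same sequence out, every time."""

    def __init__(self, seed: int) -> None:
        if not 1 <= seed < MOD:
            raise ValueError("seed must be in [1, MOD)")
        self.state = seed

    def next(self) -> int:
        self.state = (self.state * MULT) % MOD
        return self.state


def sequence(seed: int, n: int) -> List[int]:
    """The first n outputs of the generator started from `seed`."""
    rng = Lcg(seed)
    return [rng.next() for _ in range(n)]


def sync_matches(shared_seed: int, n: int = 8) -> bool:
    """Two systems holding the same secret seed regenerate an identical
    stream: the 'seed as secret key' arrangement the post describes."""
    return sequence(shared_seed, n) == sequence(shared_seed, n)


def recover_small_seed(observed: List[int], seed_bits: int = 16) -> Optional[int]:
    """If the seed came from a small space (a counter, a coarse timestamp),
    anyone who sees a few outputs can try every seed and then predict the
    rest of the stream. Constructed 16-bit space; real seeds must be larger."""
    for candidate in range(1, 1 << seed_bits):
        if sequence(candidate, len(observed)) == observed:
            return candidate
    return None


def fresh_seed() -> int:
    """Seed from the OS entropy pool so the search above is infeasible;
    for actual keys, use the OS CSPRNG (secrets / os.urandom) directly."""
    return 1 + secrets.randbelow(MOD - 1)


if __name__ == "__main__":
    print(sync_matches(12345), recover_small_seed(sequence(40000, 3)))   # True 40000
```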

Here are some good sources for further reading.
random.org
wikipedia on PRNG
newsforge

Egress filtering (keeping the bad guys in)

August 01, 2007 By: admin Category: InfoSec 101 No Comments →

Egress filtering is an important concept in security. We generally understand a firewall as a hardware/software solution that keeps the bad guys from getting into your network by closing ports and allowing only the ones that are absolutely necessary. Egress filtering works in the other direction: it allows only certain traffic out of your network while the rest is blocked from leaving. This is critical in case something malicious slipped into your network and now wants to ‘phone home’ with information about your shopping habits. Or perhaps your computer has been compromised and infected with a virus or worm and, as a result, you have a bot on your computer. This bot will attempt to establish communication with whoever is controlling it by connecting to the outside world. A firewall with egress filtering will halt these nefarious activities.

The million dollar question is “Do I need a software firewall on my home PC to prevent outbound traffic?” I would say that for ingress filtering, the answer is absolutely yes. If you are running Windows XP Service Pack 2 you are already running a firewall, and if you are behind a router you are protected from the outside. For myself, I find software firewalls to be taxing on my system. Also, many people install a firewall like ZoneAlarm or Norton Internet Security and then, when prompted whether a program should be allowed to connect to the internet, answer yes to everything, which is essentially useless. In short, if you’re careful with your system and are not in the habit of blindly installing software you find on the internet, or clicking on links in an email, I would say you should be fine. The other alternative is to get a less susceptible OS: OS X on a Mac. I did!

Here is a good article on the subject.