A Programmer explores the IT Security field, offering packets of useful information he picks up along the way.

Bofa Busted

August 24, 2007 By: Ron Category: Internet security, Phishing

One of the banks I use is Bank of America. When I first signed up for online access I was asked to create a SiteKey, and I thought, wow, this is clever security. SiteKey is meant to defeat phishing by showing you, at login, an image you picked yourself and gave a unique caption. The site recognises your computer by a secure cookie stored on it; when you log in, the server checks the encrypted data in that cookie and, if it matches, shows you your image before asking for your password. The premise is that if you see your own image and caption, the page in front of you must be the real Bank of America site and not someone pretending to be Bank of America (a phishing scam). That sounds all well and good, right? Not exactly: an attacker who sits between you and the bank can fetch your image from the real site and show it to you, so you see your SiteKey and hand over your password anyway. The proof of concept described here is a man-in-the-middle attack.

Here is the definition from wikipedia:

In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims….

The weak spot is that there has to be a way to log on from a computer the bank has never seen. Say you want to check your balance at work. The bank finds no cookie on that machine, so it asks you one of your secret questions instead; answer it correctly and the bank sets the cookie, so future logins from that machine will not ask the question again. From then on, every visit to the BOA site from that computer shows your SiteKey image as soon as you put in your username.

Here is how the grad student Christopher Soghoian did it.

1. You get an email from a phisher that looks like a BOA email, logo and all. Inside is a link telling you to log on to your account.

2. You click the link and land on the phisher's site, which looks exactly like BOA's website. It asks for your login ID, and you type it in.

3. Behind the scenes, the phisher's site sends your ID to the real BOA site. The phisher's machine has no SiteKey cookie, so BOA treats it as a computer you don't normally use, which is perfectly normal since BOA lets you log on from multiple computers, and hands back your secret question.

4. The phishing site shows you that question, the one you set up when you first signed up with BOA, and you answer it.

5. The phisher's site relays your answer to BOA, which enrols the phisher's machine as one of your computers and returns your SiteKey image; the phishing site shows it to you on a page that looks perfectly like BOA.

6. You're like, "hey, that's my SiteKey, all must be well", and you type in your password. Your login credentials are now known by the bad guys, and the phisher's browser is already enrolled as a trusted computer on your account; you have become a victim of a phishing attack.

Notice that the phisher never breaks the cookie's encryption and never has to guess your image; every step is simply relayed to the real site and back. That is the general weakness of any scheme in which the server proves itself by showing the user a secret: whatever the real server shows, a man in the middle can forward. Only something the phisher cannot forward, namely your browser checking that the site's certificate matches the host name in the address bar, ties the page to the real bank.

Some do say that, in reality, this attack could not be done at scale, since BOA uses monitoring tools provided by RSA that would raise an alarm if the same IP address kept requesting first-time logins. That is a rate limit rather than a fix, and it assumes the phisher relays everything from one address. In any case, it just goes to show how careful and vigilant one should be when entering private information online.
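The relay above, simulated end to end as an added example. This is not code from the original post or from Bank of America: the bank's API, the challenge question, the image names and the "new-device enrolments per source address" alarm are all made up here, since the real SiteKey protocol and RSA's monitoring rules are not public in this detail. The phishing site forwards each step to the toy bank, and the victim follows the SiteKey rule of typing the password only after seeing the expected image:

```python
"""SiteKey relay, simulated. Added example; bank API, question, images and the
new-device alarm are invented here (the real protocol is not public in detail)."""
import secrets
from collections import Counter


class Bank:
    """Toy bank login with a SiteKey-style image check and a device cookie."""

    NEW_DEVICE_ALARM = 3   # hypothetical: alarm after this many new-device enrolments per IP

    def __init__(self):
        self.users = {}                    # username -> record
        self.known_devices = {}            # device cookie -> username
        self.enrolments = Counter()        # source ip -> new-device count
        self.alarms = []

    def register(self, username, password, question, answer, sitekey_image):
        self.users[username] = {"password": password, "question": question,
                                "answer": answer.lower(), "sitekey": sitekey_image}

    def start_login(self, username, device_cookie):
        """Step 1, username only: a known device gets the image, others the question."""
        user = self.users[username]
        if self.known_devices.get(device_cookie) == username:
            return {"sitekey": user["sitekey"]}
        return {"challenge": user["question"]}

    def answer_challenge(self, username, answer, source_ip):
        """Step 2 on a new device: right answer -> cookie for that device + the image."""
        user = self.users[username]
        if answer.lower() != user["answer"]:
            return None
        self.enrolments[source_ip] += 1
        if self.enrolments[source_ip] >= self.NEW_DEVICE_ALARM:
            self.alarms.append(source_ip)
        cookie = secrets.token_hex(8)
        self.known_devices[cookie] = username
        return {"cookie": cookie, "sitekey": user["sitekey"]}

    def finish_login(self, username, password, device_cookie):
        """Step 3: password, accepted only from an enrolled device."""
        return (self.known_devices.get(device_cookie) == username
                and self.users[username]["password"] == password)


class PhishingSite:
    """Looks like the bank to the victim; looks like a brand-new device to the bank."""

    def __init__(self, bank, attacker_ip):
        self.bank, self.ip = bank, attacker_ip
        self.captured, self._cookies = [], {}

    def page_for_username(self, username):
        return self.bank.start_login(username, device_cookie=None)   # relay as-is

    def page_for_answer(self, username, answer):
        # Relay the victim's answer: the bank enrols the *phisher's* browser
        # and hands back the victim's genuine SiteKey image.
        result = self.bank.answer_challenge(username, answer, self.ip)
        if result is None:
            return None
        self._cookies[username] = result["cookie"]
        return {"sitekey": result["sitekey"]}

    def page_for_password(self, username, password):
        self.captured.append((username, password))                   # the prize
        return self.bank.finish_login(username, password, self._cookies[username])


def victim_session(site, username, answer, expected_sitekey, password):
    """The victim follows the SiteKey rule: type the password only if the image matches."""
    page = site.page_for_username(username)
    if "challenge" in page:
        page = site.page_for_answer(username, answer)
    if page is None or page.get("sitekey") != expected_sitekey:
        return "victim refused: wrong or missing SiteKey"
    site.page_for_password(username, password)
    return "victim logged in through the phishing site"


def run_demo(victims=1):
    """Relay `victims` accounts through one phishing site at one (TEST-NET) address."""
    bank = Bank()
    site = PhishingSite(bank, attacker_ip="203.0.113.7")
    bank.register("alice", "hunter2", "First pet?", "Rex", "red_bicycle.jpg")
    outcome = victim_session(site, "alice", "Rex", "red_bicycle.jpg", "hunter2")
    for i in range(1, victims):
        bank.register(f"user{i}", f"pw{i}", "First pet?", "Rex", f"img{i}.jpg")
        victim_session(site, f"user{i}", "Rex", f"img{i}.jpg", f"pw{i}")
    return outcome, site.captured, bank.alarms


if __name__ == "__main__":
    print(run_demo(victims=3))
```

run_demo() returns the victim's outcome, the captured credentials and any alarms. The victim sees the right image and is captured every time; only when three accounts are relayed from the same address does the toy velocity rule fire, which is the kind of RSA-style countermeasure mentioned above and which a phisher spreading requests over several addresses would stay under.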

Here are some tips to avoid getting phished:

1. Never ever click on a link in an email to log on to any site. If you stick to that rule, you should be fine. Log in by typing the address directly into your browser or by using a bookmark.

2. Always look for the security lock to the right of the address bar, and read the address bar to check that the URL starts with https and that the host name is the bank's own. If not, close your browser (don't even think of logging on). A lock drawn anywhere inside the page proves nothing; only the one the browser itself draws counts, and even that only says the connection is encrypted, not who is on the other end, which is why the host name matters too. The video of the attack done by Chris shows the lock to the left of the address bar, which actually threw me off for a second until I saw “http://” without the “s” (very clever indeed).

3. Think about getting some anti-phishing software. Firefox already has this built in.

Parallels - VM Software for the Mac

August 07, 2007 By: Ron Category: Apple, Virtual Machine

I mentioned in a previous post that I am a Mac switcher. We bought a Mac in February of 2006 when Apple made their historic switch to Intel processors. We love our 20-inch iMac. We are heavy iLife application users and really appreciate the reliability and overall computing experience on the Mac. In this day and age, though, it's hard to get away without one or two Microsoft applications. For me that one program is Microsoft Money. I've tried all the other personal finance programs offered on the Mac platform, Quicken for Mac and MoneyDance. The only one I really like is Microsoft Money, which is not available for the Mac. Parallels for Mac allows me to run this Windows program right on my Mac!

There are two approaches to running Windows on your Mac. The first is offered by Apple and is called Boot Camp. Boot Camp is a program on your Mac that guides you into running Windows surprisingly quickly. You do need a copy of Windows; I used Windows XP. Boot Camp now supports Vista as well. With Boot Camp you decide which OS to run at boot time. The downside is that you can't run Windows and Mac OS X simultaneously, side by side. Since Boot Camp installs all the drivers, things like the right mouse button and the iSight camera work in Windows. This is a nice option for someone who is a little nervous about making the switch to the Mac.

The other approach is to use a virtual machine, or “VM”. A VM is software that emulates a complete computer, so that a guest operating system and its programs run inside it. The user interacts with the VM as if it were a separate machine, and the guest OS believes it has the computer to itself. The benefit of a VM is that you can run multiple OSes side by side at the same time. The guest needs its own RAM on top of what OS X is using, so a minimum of 1 GB on your Mac is essential. I have 2 GB on my Mac and allocated 512 MB to the VM, which is running XP. I'm currently trying out Parallels for Mac.

Parallels is able to boot my Boot Camp partition, so it was not necessary to reinstall Windows. I'm very happy with Parallels. There is a lot you can do, like saving snapshots of your VM. Say you are about to install something in the guest OS that you are not sure you want to keep. Take a snapshot before the install on XP, and if it turns out to be spyware or something else nefarious you can revert to the point before the install. You can also share files between OS X and the VM (XP in my case). Here is a snapshot of my Parallels screen in which I'm running a few OS X programs and, in the VM, XP with IE open to my blog.

Software and the random number challenge

August 06, 2007 By: Ron Category: InfoSec 101

In the security field, random numbers are critical for generating encryption keys, for example the session key set up when you connect to your bank's site over an SSL (secure) connection. It is widely accepted that a computer by itself cannot generate truly random numbers: it is a deterministic machine, and “chance” is not part of its character. It is very difficult to program a computer to do something by chance.

Wikipedia defines an algorithm:

“In mathematics, computing, linguistics, and related disciplines, an algorithm is a finite list of well-defined instructions for accomplishing some task that, given an initial state, will terminate in a defined end-state.”

Programs are written as algorithms, instructions the computer follows exactly, so their output is entirely predictable. This is where pseudo-random numbers come into play. Pseudo-Random Number Generators (PRNGs) are algorithms that use a mathematical formula to produce a series of numbers that appear to be random. PRNGs are deterministic: if the original starting point is known, the same sequence of numbers can be generated again at a later point. That starting point is known as the “seed”, a number needed to initialise the PRNG. If the seed is known, or can be guessed because it was taken from something like the clock, then every random number and every key derived from it can be recomputed, and that is precisely why a good, secret, unpredictable seed is critical. For the same reason, a general-purpose PRNG built for simulations or games (such as the Mersenne Twister behind Python's random module) must not be used for keys even with a good seed, because its output leaks its internal state; cryptographic PRNGs are designed so that it does not. In some cases the seed is deliberately shared between two systems. The seed then becomes the secret key, and each system generates the same sequence of random numbers, which is how a stream cipher keeps two ends in step and how one-time-password tokens stay synchronised with the server.

The other method is a True Random Number Generator (TRNG). Here randomness is introduced from a physical phenomenon independent of the computer's logic. A classic example is radioactive decay: the timing of individual decays is truly unpredictable. Atmospheric noise, the source behind random.org, is another. In practice an operating system gathers entropy from less exotic events, such as the timing of disk and keyboard interrupts, and some processors include a hardware random number generator.

Each method has its own characteristics. A PRNG is extremely efficient: a long series of numbers can be generated in a very short time. A TRNG, on the other hand, is slow, because it has to wait for physical events to happen. TRNGs are non-deterministic and PRNGs are deterministic. It is important, therefore, to understand how an application uses random numbers and to pick the appropriate method. The usual compromise in cryptographic systems is to combine the two: collect entropy from a TRNG to seed a cryptographic PRNG, then draw keys from the PRNG.
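An added example (not from the original post) of the points above, using Python's random.Random, a Mersenne Twister that is a statistical PRNG and not a cryptographic one. It shows that two parties with the same seed get the same sequence, that a “key” drawn from a PRNG seeded with the clock can be recovered by trying every second in a plausible window, and that key material should come from the OS CSPRNG through the secrets module instead. The timestamp and the four-word “key” format are constructed for the demo.

```python
"""Seeds, determinism and seed recovery. Added example, not from the post.
random.Random is a Mersenne Twister: fine for simulations, never for keys."""
import random
import secrets
from typing import List, Optional


def keystream(seed: int, n_words: int) -> List[int]:
    """Deterministic sequence of 32-bit words from a seed (both 'systems' run this)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n_words)]


def shared_seed_sync(seed: int, n_words: int = 4) -> bool:
    """Two systems that share only the seed end up with identical sequences."""
    system_a = keystream(seed, n_words)   # e.g. the token in your pocket
    system_b = keystream(seed, n_words)   # e.g. the server it must agree with
    return system_a == system_b


def weak_key_from_time(timestamp: int) -> List[int]:
    """A 'key' from a PRNG seeded with the current second: a classic mistake."""
    return keystream(timestamp, 4)


def recover_seed(observed_key: List[int], approx_timestamp: int,
                 window: int = 3600) -> Optional[int]:
    """An attacker who knows roughly when the key was made (say, from a log
    timestamp) tries every candidate second until the PRNG output matches."""
    for candidate in range(approx_timestamp - window, approx_timestamp + window + 1):
        if keystream(candidate, len(observed_key)) == observed_key:
            return candidate
    return None


def strong_key(n_bytes: int = 16) -> bytes:
    """What to use instead: the OS CSPRNG, seeded from hardware entropy."""
    return secrets.token_bytes(n_bytes)


if __name__ == "__main__":
    t = 1186000000   # constructed epoch time (August 2007), not a live clock read
    key = weak_key_from_time(t)
    print("shared seed sync ok:", shared_seed_sync(12345))
    print("recovered seed:", recover_seed(key, t + 1200), "actual:", t)
    print("strong key:", strong_key().hex())
```

recover_seed needs only a few thousand PRNG initialisations to find a clock-based seed, which is the whole point: the seed space was the clock, not 2^128. With secrets.token_bytes there is no seed to guess.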

Here are some good sources for further reading.
random.org
wikipedia on PRNG
newsforge

Egress filtering (keeping the bad guys in)

August 01, 2007 By: admin Category: InfoSec 101

Egress filtering is an important concept in security. Most people understand a firewall as the hardware or software that keeps the bad guys out of your network by closing ports and allowing in only the ones that are absolutely necessary. Egress filtering is the mirror image: it allows only certain traffic out of your network and blocks the rest from leaving. This is critical in case something malicious has already slipped in and now wants to ‘phone home’ with information about your shopping habits. Or perhaps your computer has been compromised by a virus or worm and, as a result, you have a bot on your computer. This bot will attempt to establish communication with whoever is controlling it by connecting out to the outside world. A firewall with egress filtering halts that connection and logs it, which is often how an infection is first noticed. The caveat is that egress filtering only bites on traffic you have not allowed: malware that talks to its controller over port 80 or 443 looks like web browsing to a port-based rule, so egress filtering limits the damage rather than eliminating it.
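An added example (not from the post or the article it links) of a default-deny egress policy applied to a few constructed connection records. The office addresses, the allow-list and the flows are invented; the last flow shows the caveat above, C2 traffic on port 443 passing a port-based rule.

```python
"""Egress policy over constructed outbound-connection records. Added example;
the allow-list and the flows are invented, using RFC 1918 and documentation
addresses only."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]        # None matches any port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Hypothetical policy for a small office: web out from any workstation,
# SMTP out only from the mail server (192.168.1.10), DNS only to the
# internal resolver (192.168.1.1). Everything else is dropped.
EGRESS_ALLOW = [
    Rule("tcp", _net("192.168.1.0/24"), _net("0.0.0.0/0"), 80),
    Rule("tcp", _net("192.168.1.0/24"), _net("0.0.0.0/0"), 443),
    Rule("tcp", _net("192.168.1.10/32"), _net("0.0.0.0/0"), 25),
    Rule("udp", _net("192.168.1.0/24"), _net("192.168.1.1/32"), 53),
]

# Constructed connection records in the shape "proto src:port -> dst:port".
SAMPLE_FLOWS = [
    "tcp 192.168.1.23:51234 -> 198.51.100.20:80",     # browsing
    "tcp 192.168.1.23:51235 -> 203.0.113.45:6667",    # bot checking in to IRC C2
    "udp 192.168.1.23:51236 -> 198.51.100.9:53",      # DNS that bypasses the resolver
    "tcp 192.168.1.23:51237 -> 203.0.113.45:25",      # workstation sending mail directly
    "tcp 192.168.1.10:51238 -> 203.0.113.8:25",       # the mail server doing its job
    "tcp 192.168.1.23:51239 -> 203.0.113.45:443",     # C2 over HTTPS: a port rule can't tell
]

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

Flow = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int]


def parse_flow(line: str) -> Flow:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow record: {line!r}")
    proto, src, _sport, dst, dport = m.groups()
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def evaluate(flow: Flow, rules: List[Rule] = EGRESS_ALLOW) -> str:
    """First matching allow rule wins; with no match the default is to drop."""
    proto, src, dst, dport = flow
    for r in rules:
        if (r.proto == proto and src in r.src_net and dst in r.dst_net
                and (r.dst_port is None or r.dst_port == dport)):
            return "ALLOW"
    return "DROP"   # default deny: nothing leaves unless a rule says so


def audit(lines: List[str], rules: List[Rule] = EGRESS_ALLOW) -> List[Tuple[str, str]]:
    """Verdict per record; the DROP lines are what you would see in the firewall log."""
    return [(line, evaluate(parse_flow(line), rules)) for line in lines]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {line}")
```

The IRC check-in, the stray DNS query and the workstation sending mail directly are all dropped and would show up in the log; the HTTPS flow to the same suspicious host is indistinguishable from browsing at this layer, which is why egress filtering is paired with monitoring rather than relied on alone.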

The million dollar question is “Do I need a software firewall on my home PC to prevent outbound traffic?”. I would say that for ingress filtering, the answer is absolutely yes. If you are running Microsoft XP Service Pack 2 you are already running a firewall, and if you are behind a router you are protected from the outside. For myself, I find software firewalls to be taxing on my system. Also, many people install a firewall like ZoneAlarm or Norton Internet Security and then, when prompted whether a program should be allowed to connect to the Internet, answer yes to everything, which makes it essentially useless. In short, if you're careful with your system and are not in the habit of blindly installing software you find on the Internet, or clicking on links in email, I would say you should be fine. The other alternative is to get a less susceptible OS, OS X on a Mac. I did!

Here is a good article on the subject.

Netstat command

July 24, 2007 By: admin Category: Uncategorized

The netstat command is a very handy tool available on practically every OS. When invoked, netstat shows the network connections your computer has made, the ports in use and the state of each connection. It also shows which services are sitting open waiting for connections. Knowing that can help you work out whether your system is exposed to attack.

To understand this we need a quick and dirty definition of ports. A port is a “logical connection place” on your computer where a network connection is made. As I'm writing this blog in my browser, my computer has established a TCP/IP connection to Google's machine on port 80. Simplistically, ports are like windows into your computer that can be open or closed; knowing which windows are fine to leave open and which should be closed makes your system more secure.

OK. Let's see the connection to Google that is established so I can write this blog. At the command prompt I typed ‘netstat’.

In the output, the last line shows a TCP connection: first the local address, with the outbound port; next the foreign address, Google's host name followed by a colon and the port shown as http (80); and last the state of the connection, which in my case is ESTABLISHED. An established line represents a socket, that is, an endpoint for communication between two machines.

There are different states for each connection, or for a potential connection if it is listening.

ESTABLISHED - the connection has been made; the TCP three-way handshake has completed.
LISTENING - a port on your computer is waiting for incoming connections.
TIME_WAIT - occurs at the end of a connection. The side that closed first keeps the socket around for a while so that any late packets from the old connection die out and are not mistaken for part of a new connection on the same ports.
SYN_RECEIVED - you are unlikely to see this, since it passes so quickly; it is the middle of the three-way handshake, after a SYN has arrived and a SYN/ACK has been sent.
SYN_SENT - likewise part of the handshake: you have sent a SYN and are waiting for the reply. A pile of connections stuck in SYN_SENT usually means the remote host is not answering or a firewall is dropping the packets.

It is important to note that a line showing LISTENING means a port on your computer is waiting for incoming traffic. No, don't get all freaked out: “does that mean someone can hack into my computer and take control of it?” Not by itself. Most people today have a router between their computers and the Internet, and the router drops unsolicited inbound connections, so someone on the Internet cannot reach a port you found in LISTENING state (the router acts as a firewall for inbound traffic, also called ingress filtering, which I hope to discuss in a new post). Two caveats: the router does nothing about traffic from other machines on your own network, and a port you have forwarded on the router (or that a program opened with UPnP) is reachable from outside. Note also the local address on the LISTENING line: 127.0.0.1 means only programs on this machine can connect, while 0.0.0.0 means any network interface. So, if you have a port in a listening state, find out which application or process is using it and then Google the name of the “exe” file. Then you will know whether that process should in fact be listening for incoming requests or whether it's a Trojan.

Netstat can be passed a bunch of different parameters depending on what you’re looking to do.

Here is a really useful feature: ‘netstat -b’ (on Windows) shows the executable that owns each connection; it needs an administrator prompt on Vista and later, while ‘netstat -o’ shows the owning process ID and works without one. Back to me writing this blog. The process that made the connection is my browser, and you see iexplore.exe listed underneath the connection line. So, if you see a connection you're not sure about, add the -b parameter and look at the process. If you see an .exe you haven't heard of, Google it to find out whether it is something safe; if it turns out to be malware on your computer, back up your important files and reinstall your operating system.
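An added example, not from the original post: a small parser for the Windows ‘netstat -ano’ output discussed above (the -o column is the owning process ID), with helpers for the questions this post raises: which ports are listening, which of those are reachable from the network rather than only from the machine itself, and which established connections go somewhere other than the ports a browser would use. NETSTAT_SAMPLE is constructed to look like real output; its addresses are private or documentation ranges, and the connection to port 6667 is the kind of line worth chasing.

```python
"""Parser for Windows 'netstat -ano' output. Added example; NETSTAT_SAMPLE is
constructed (documentation and private addresses), not a real capture."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.5:1034       198.51.100.20:80       ESTABLISHED     3112
  TCP    192.168.1.5:1036       198.51.100.20:80       TIME_WAIT       0
  TCP    192.168.1.5:1041       203.0.113.45:6667      ESTABLISHED     2468
  UDP    0.0.0.0:500            *:*                                    1204
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: Optional[int]   # '*' for UDP shows as None
    state: Optional[str]          # UDP lines carry no state
    pid: int


def _endpoint(text: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port'; rpartition copes with IPv6 forms like [::]:135."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                      # banner and header lines
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else None
        pid = int(fields[-1])
        lh, lp = _endpoint(local)
        fh, fp = _endpoint(foreign)
        conns.append(Conn(proto, lh, lp, fh, fp, state, pid))
    return conns


def count_states(conns: List[Conn]) -> Counter:
    return Counter(c.state for c in conns if c.state)


def listening_ports(conns: List[Conn]) -> List[Tuple[int, str, int]]:
    """(port, bound address, pid) for every TCP listener, lowest port first."""
    return sorted((c.local_port, c.local_host, c.pid)
                  for c in conns if c.state == "LISTENING")


def exposed_listeners(conns: List[Conn]) -> List[Tuple[int, int]]:
    """Listeners bound to every interface, not just loopback: these are the
    ones another machine could connect to."""
    return [(port, pid) for port, host, pid in listening_ports(conns)
            if host in ("0.0.0.0", "[::]")]


def unexpected_established(conns: List[Conn], expected_ports: Set[int]) -> List[Conn]:
    """Established connections to a foreign port you would not expect from a browser."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.foreign_port not in expected_ports]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    print(dict(count_states(conns)))
    print("exposed:", exposed_listeners(conns))
    for c in unexpected_established(conns, {80, 443}):
        print(f"look at PID {c.pid}: {c.foreign_host}:{c.foreign_port}")
```

With the PID in hand, Task Manager (or ‘tasklist’) tells you which executable owns it, which is the same question ‘netstat -b’ answers directly.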

It's important to remember that when you issue the netstat command it gives you a snapshot of what is happening right then. You can pass an interval in seconds so that it keeps refreshing. There is a really great, free program worth checking out called TCPView; this is a Windows GUI version of netstat that updates in real time. And just in case you need it to figure out why your mom's Internet connection is slow, netstat is available on nearly every OS without installing anything (modern Linux distributions may ship ‘ss’ instead, whose output reads the same way).

Nmap Reconnaissance

July 09, 2007 By: admin Category: Uncategorized

Nmap is a free, popular port-scanning security tool, used by good and bad hackers alike.
Someone breaking into a network uses it to gather as much information about the network as possible: mapping it out, or as it's called, fingerprinting the target. On the other side, the good guys use Nmap internally to find unauthorised services running on their network. This tool levels the playing field, so to speak.

I downloaded the free tool at home and was playing around with it on my internal network. As a caveat, only scan your own hosts or networks you have been given permission to scan. Unauthorised scanning of a host with the intent to break in may be unlawful; keep this in mind when using this tool.

There are two basic ways of scanning with Nmap: a regular TCP connect scan and a SYN (“stealth”) scan.
Without going into the geeky details of TCP/IP, a SYN scan sends only the first packet of the three-way handshake, the SYN. An open port answers with a SYN/ACK and a closed port with a RST; Nmap then tears the attempt down with a RST instead of completing the handshake. Because the connection never completes, the application on the target never sees it and it never appears in the application's own logs, which is where the “stealth” came from. Modern firewalls and IDS (Intrusion Detection Systems) log half-open connection attempts too, so it is no longer under the radar. Since a SYN scan builds its own packets, it needs root or administrator rights.

The TCP connect mode actually completes the three-way handshake, using the operating system's normal connect() call, so it needs no special privileges. The downside for a hacker is that most servers log completed connections, including the source IP address, and the IDS may be tripped; these are things a hacker would like to avoid while fingerprinting a network.

Here are some basic Nmap commands to get started.

TCP connect scan:
# nmap -sT 192.168.1.2

SYN/stealth scan (needs root):
# nmap -sS 192.168.1.2
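The connect scan written out with plain sockets, as an added example that is not from the post and is not Nmap itself. It reproduces the idea behind -sT against a listener the script starts on 127.0.0.1, so it runs offline, and the listener records the source address of every completed handshake, which is exactly the trail a connect scan leaves in a server's log. A SYN scan needs raw sockets and root and is not shown.

```python
"""TCP connect scan with plain sockets. Added example, not nmap and not from
the post; the target is a listener this script starts itself on loopback."""
import socket
import threading
from typing import List


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> List[int]:
    """Return the ports on which a full TCP handshake completed."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:   # 0 means the handshake completed
                continue
            open_ports.append(port)
            try:
                s.recv(64)   # read a banner or the server's close; either way the
                             # server has accepted (and could have logged) us by now
            except socket.timeout:
                pass
    return open_ports


class LoggingListener:
    """Stand-in for a server: accepts connections and logs the source address."""

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))            # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []                        # (peer ip, peer port) per connection
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                  # listening socket closed: stop
                return
            self.log.append(peer)            # what a real server would write to its log
            conn.close()                     # closing unblocks the scanner's recv

    def close(self):
        self.sock.close()


def free_port(host: str = "127.0.0.1") -> int:
    """A port nothing is listening on: bind to 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def run_demo() -> dict:
    server = LoggingListener()
    closed = free_port()
    found = connect_scan("127.0.0.1", [closed, server.port])
    server.close()
    return {"listener_port": server.port, "closed_port": closed,
            "open": found, "server_log": list(server.log)}


if __name__ == "__main__":
    print(run_demo())
```

The open port is found, the closed one is refused, and the listener's log holds the scanner's address and source port: a connect scan cannot help announcing itself to whatever is listening.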



Defend I.T.: Security by Example

June 30, 2007 By: admin Category: Uncategorized

I wanted to share my first infosec book review, which I wrote on Amazon back in August of ‘06.

“Defend I.T.: Security by Example” is one of my first reads on IT security. I am currently a programmer, looking to get into the information security field.

This book has successfully turned my interest in IT security into intrigue. Each chapter is a different real-life case study, with the techniques used and lessons learned. Coming from a technical background, I appreciated the technical depth that the authors delve into. From the get-go in Chapter 1, the authors present a tutorial on the popular scanning tool called NMAP, which is fascinating. The network diagrams throughout the book were very helpful in explaining to the reader difficult concepts such as Distributed Denial-of-Service attacks and ingress and egress filtering.

“Defend I.T.: Security by Example” introduced me to many new concepts including IDS, ingress, egress, DMZ, SSO, zombies, firewalls, VPNs, PKI, and DoS attacks, just to name a few. Overall, this book is very informative and well-written.

I highly recommend this book as a great addition to your IT Security library.

IP Intelligence and geolocation

June 28, 2007 By: admin Category: Authentication

There are well-known forms of authentication that we use to prove someone's identity to a system. The three forms are: something you know (e.g. a password), something you have (e.g. a bank card, a SecurID token), and something you are (e.g. fingerprints, retinal pattern). For example, when you use your bank card at an ATM you are using something you have (the card) and something you know (the PIN); this is called multi-factor authentication.

On Security Now (a fantastic podcast), Q&A episode 92, someone wrote in about another way of authenticating users, using IP intelligence. IP intelligence means knowing approximately where someone is located from the IP address they are using. A website can use it to show, say, local restaurants based on the IP address the visitor logged on with.

The applications of this technology are many. In authentication it can be used as one more check on someone's identity. If I log on to my bank site from an IP address that originates in Geneva, that might be a good indication to the website that it's not me logging on. There are third-party services that offer this to the extra security-conscious website. This works reasonably well because the source IP address of an SSL connection can't simply be spoofed: the attacker has to complete the TCP handshake, so the packets really must reach that address. The caveat is that the address only says where the connection comes from, not where the user is; proxies, VPNs, Tor and corporate networks all put the apparent location somewhere else, so location is best treated as a risk signal that triggers an extra check rather than as a factor in its own right. So next time you're in China and can't log into your banking site you'll know why ;-)
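An added example (not from the podcast or this post) of location used as a risk signal rather than a credential. GEO_DB, the user history and the decision rule are constructed for illustration; a real site would query a commercial IP-intelligence database. A login from a country the user has never used gets a step-up challenge rather than a refusal, and addresses that belong to a VPN, proxy or Tor exit carry no usable location and are treated the same way.

```python
"""Source location as a login risk signal. Added example; GEO_DB and the
decision rule are constructed, not a real IP-intelligence feed."""
import ipaddress
from typing import Dict, Optional, Set, Tuple

# Constructed lookup: network -> (country code, is_anonymizer). All ranges
# are documentation address space (RFC 5737).
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): ("US", False),
    ipaddress.ip_network("203.0.113.0/24"): ("CH", False),   # 'Geneva' in the post
    ipaddress.ip_network("192.0.2.0/24"): ("US", True),      # known VPN exit range
}

# Checked explicitly rather than via is_private, which in Python also
# covers the documentation ranges used above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def locate(ip: str) -> Tuple[Optional[str], bool]:
    """(country, is_anonymizer), or (None, False) for private or unknown addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or any(addr in n for n in RFC1918):
        return None, False
    for net, (country, anonymizer) in GEO_DB.items():
        if addr in net:
            return country, anonymizer
    return None, False


def login_decision(usual_countries: Set[str], ip: str) -> Tuple[str, str]:
    """'allow' when the location matches the user's history, else 'step_up'.

    Location alone is never grounds to 'block': travellers, proxies and
    stale databases would lock out legitimate users. Step-up means an
    extra check (secret question, code sent out of band) before the login
    is accepted.
    """
    country, anonymizer = locate(ip)
    if anonymizer:
        return "step_up", f"{ip} is a VPN/proxy exit; location unknown"
    if country is None:
        return "step_up", f"no location available for {ip}"
    if country in usual_countries:
        return "allow", f"{ip} geolocates to {country}, matching history"
    return "step_up", f"{ip} geolocates to {country}, never seen for this user"


def run_demo() -> Dict[str, str]:
    history = {"US"}   # constructed: this user has only ever logged in from the US
    return {ip: login_decision(history, ip)[0]
            for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.33", "10.0.0.5")}


if __name__ == "__main__":
    for ip, decision in run_demo().items():
        print(decision, login_decision({"US"}, ip)[1])
```

Once the step-up check passes, a real system would add the new country to the user's history so the next trip does not trigger it again; that feedback loop, and the anonymizer flag, are what separate a usable risk engine from a rule that simply refuses anyone abroad.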

Does anyone have other forms of authentication they'd like to share?

My First Posting

June 27, 2007 By: admin Category: Uncategorized

Wow, this is exciting! I recently got my Google Reader all set up with a bunch of different feeds from bloggers and news sites etc. On a whim I decided to start my own blog. I feel like writing a blog can help my writing skills and help me express my thoughts and ideas, and at the same time provide others with information that I hope will be informative. I'm totally intrigued by the information security world and hope to some day work in the field. To be proactive I started studying for the CISSP. I hope to share some of the things I learn that I find interesting. Please post your comments.