Tuesday, April 26, 2011

Ding dong

After closing time at the bar, a drunk was proudly showing off his new apartment to a couple of his new friends.
He led the way to the bedroom where there was a big brass gong and a mallet.
"What's up with the big brass gong?" one of his guests asked.
"It's not a gong. It's a talking clock," the drunk replied.
"A talking clock? Seriously?"
"Yup," replied the drunk.
"How's it work?" the friend asked, squinting at it.
"Watch," said the drunk man. He picked up the mallet, gave the gong a heavy whack, and stood back.
The three stood looking at each other a moment.
Suddenly, a voice from the other side of the wall cried out, "YOU ASSHOLE! IT'S THREE O'CLOCK IN THE MORNING!"

Security -

I successfully completed the certification exam for CompTIA Security+. Then I saw this in the building.
View from outside the security door.
I'll give you a hint. That's one of those magnetic door contacts you see recessed in the door frames in some places. The problem? I'm out in the hall.
Yes, this sensor is installed on the wrong side of the door. Poorly, I might add; that's double-sided foam tape barely holding the sensor to the door jamb.
This may not seem like much of an issue, but as an example, let's walk through a couple of ways I would, er, a malicious intruder could exploit this.
  • Hold onto the information. If you learned anything from Indiana Jones and the Last Crusade, it's that the wired door is the important one. A visibly alarmed door is an advertisement for whatever is behind it. 
  • Simply cut the wire. The resulting alarm ties up responders here at this door while an intruder is free to operate at another location. 
  • Hack the sensor. A magnetic door contact is just a reed switch held closed by the magnet on the door, so the signal coming off it is nothing more than a closed loop; a short length of wire can replicate it. Bridge the two conductors on the panel side of the sensor, then cut the wire beyond the bridge. The intruder is now free to open the door while the "sensor" continues to report nothing wrong. 
Standard issue cipher lock
Speaking of breaching that door, a look at the handle reveals a standard-issue cipher lock, the kind with a keypad. You'll note both a keyed deadbolt and a keyhole on the lock itself. Very convenient that the keypad can be bypassed with a regular key. Or a pick set. Or a bump key.

So how would you protect your facility against this sort of vulnerability?
  • First, obviously, install door contacts on the secure side of the door, and have the panel supervise the loop (an end-of-line resistor at the contact) so that a cut or a shorted wire is reported as a fault instead of looking like a closed door. 
  • Second, establish a security presence inside the building: guards patrolling the hallways and a camera on that door. Also, train the building tenants to approach unidentified personnel and confirm their identity. 
  • Third, standardize the appearance of all the doorways. If every door looks equally secured, an intruder can't pick out the high-value targets easily. 
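To make the "hack the sensor" attack and the supervision fix concrete, here is a small model of what an alarm panel actually measures on a door-contact loop. This is an added example, not anything from the building in the photos or from any panel vendor; the loop model, the 5.6 kΩ end-of-line value and the 20% tolerance are assumptions chosen for illustration. An unsupervised zone asks only "is the loop closed?", so a short across the wires on the panel side hides a cut wire and an open door. A supervised zone expects to see the resistor's value, so the same short reads as tamper; the last scenario shows the remaining caveat, an attacker who splices in a matching resistor.

```python
import math
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional


class ZoneState(Enum):
    SECURE = auto()
    ALARM = auto()
    TAMPER = auto()   # loop fault; only a supervised zone can raise it


@dataclass
class Loop:
    """Constructed model of one two-wire contact loop between the panel and the door."""
    door_closed: bool = True
    wire_cut: bool = False                  # wire severed between panel and sensor
    bridge_ohms: Optional[float] = None     # attacker's splice across the wires, panel side of the cut
    eol_ohms: float = 0.0                   # end-of-line resistor at the contact; 0.0 = none fitted


def loop_resistance(loop: Loop) -> float:
    """Resistance the panel measures across its zone terminals."""
    if loop.bridge_ohms is not None:
        return loop.bridge_ohms          # the splice is all the panel sees; everything past it is invisible
    if loop.wire_cut or not loop.door_closed:
        return math.inf                  # open circuit: cut wire, or reed switch released by the magnet
    return loop.eol_ohms                 # intact loop with the door shut


def unsupervised_zone(resistance: float) -> ZoneState:
    """Plain normally-closed contact: the panel only checks continuity."""
    return ZoneState.SECURE if resistance < math.inf else ZoneState.ALARM


EOL_OHMS = 5600.0     # assumed resistor value; real panels specify their own
TOLERANCE = 0.20      # accept +/-20% around the nominal value (assumed)


def supervised_zone(resistance: float, eol_ohms: float = EOL_OHMS) -> ZoneState:
    """EOL-supervised zone: the panel expects the resistor's value, not just continuity."""
    if resistance == math.inf:
        return ZoneState.ALARM
    if abs(resistance - eol_ohms) <= TOLERANCE * eol_ohms:
        return ZoneState.SECURE
    return ZoneState.TAMPER              # dead short or wrong resistance


def simulate(supervised: bool) -> Dict[str, ZoneState]:
    """Run the scenarios from the post against one zone type."""
    eol = EOL_OHMS if supervised else 0.0
    judge = supervised_zone if supervised else unsupervised_zone
    scenarios = {
        "door shut, untouched": Loop(eol_ohms=eol),
        "door opened": Loop(door_closed=False, eol_ohms=eol),
        "wire cut": Loop(wire_cut=True, eol_ohms=eol),
        # replicate the 'closed' signal with a short, cut the wire, walk through
        "short, cut, open door": Loop(door_closed=False, wire_cut=True,
                                      bridge_ohms=0.0, eol_ohms=eol),
        # same, but the attacker splices in a resistor matching the EOL value
        "matched resistor, cut, open door": Loop(door_closed=False, wire_cut=True,
                                                 bridge_ohms=EOL_OHMS, eol_ohms=eol),
    }
    return {name: judge(loop_resistance(loop)) for name, loop in scenarios.items()}


if __name__ == "__main__":
    for kind in (False, True):
        print("supervised zone" if kind else "unsupervised zone")
        for name, state in simulate(kind).items():
            print(f"  {name:34} -> {state.name}")
```

The unsupervised run reports SECURE for "short, cut, open door", which is the bypass in the post; the supervised run reports TAMPER for it. The matched-resistor row is why supervision is a check, not a cure: an attacker who can reach the wiring and knows the resistor value still walks through, which is exactly why the contact belongs on the secure side of the door.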

Monday, April 25, 2011


SSGT Darryl "Shifty" Powers died on June 17, 2009. He was an American Hero.

The following essay was written by Mark Pfiefer. It is often incorrectly attributed to Chuck Yeager, MG (ret.), also an American hero but not the author of this piece.

Shifty volunteered for the airborne in WWII and served with Easy Company of the 506th Parachute Infantry Regiment, part of the 101st Airborne Infantry. If you've seen Band of Brothers on HBO or the History Channel, you know Shifty. His character appears in all 10 episodes, and Shifty himself is interviewed in several of them.

I met Shifty in the Philadelphia airport several years ago. I didn't know who he was at the time. I just saw an elderly gentleman having trouble reading his ticket. I offered to help, assured him that he was at the right gate, and noticed the Screaming Eagle, the symbol of the 101st Airborne, on his hat.

Making conversation, I asked him if he'd been in the 101st Airborne or if his son was serving. He said quietly that he had been in the 101st. I thanked him for his service, then asked him when he served, and how many jumps he made.

Quietly and humbly, he said "Well, I guess I signed up in 1941 or so, and was in until sometime in 1945..." at which point my heart skipped.

At that point, again, very humbly, he said "I made the 5 training jumps at Toccoa, and then jumped into Normandy... do you know where Normandy is?" At this point my heart stopped.

I told him "yes, I know exactly where Normandy is, and I know what D-Day was." At that point he said "I also made a second jump into Holland, into Arnhem." I was standing with a genuine war hero... and then I realized that it was June, just after the anniversary of D-Day.

I asked Shifty if he was on his way back from France, and he said "Yes... And it's real sad because, these days, so few of the guys are left, and those that are, lots of them can't make the trip." My heart was in my throat and I didn't know what to say.

I helped Shifty get onto the plane and then realized he was back in coach while I was in First Class. I sent the flight attendant back to get him and said that I wanted to switch seats. When Shifty came forward, I got up out of the seat and told him I wanted him to have it, that I'd take his in coach.

He said "No, son, you enjoy that seat. Just knowing that there are still some who remember what we did and who still care is enough to make an old man very happy." His eyes were filling up as he said it.

And mine are brimming up now as I write this.

Shifty died on June 17 after fighting cancer.

There was no parade.

No big event in Staples Center.

No wall-to-wall, back-to-back 24x7 news coverage.

No weeping fans on television.

And that's not right!

Let's give Shifty his own memorial service, online, in our own quiet way.
Please forward this essay to everyone you know. Especially to the veterans.
Rest in peace, Shifty.

Sunday, April 10, 2011


Birthday Attack is a total gibberish wall of text. I realize that and I wanted to include an image to break up some of the monotony.
So I went looking for a suitable image to use. I thought a picture of a creeper would go well in the bit of Minecraft fan fiction I wrote to illustrate a birthday attack. My first stop was obviously Minepedia, where I found a great picture of a creeper, but I also found a scary copyright warning on the same page.
I'd rather deal with the creeper

What that notice is saying is that the Minepedia is hosted on a Curse server, but they don't have the copyright because that belongs to Mojang, the creators of Minecraft. More importantly for my purposes, I did not find anything like a Creative Commons license. It's not a requirement, but I'd be more comfortable using an image with a clear status.

Tuesday, April 5, 2011

Birthday Attack

In celebration of my recent birthday, I'd like to ask everyone a question. How big a crowd do you need before you find two people with the same birthday?
The easy answer is 366 people. Since there are only 365 days in the year, any group that large is guaranteed to contain two people who share a birthday. Surprisingly, you only need 23 people to have a better than even chance that two of them share a birthday. For a lot of cases, a 50% chance of finding a match is more than enough.
Let's consider a group of 23 people. We want to calculate the probability that they all have different birthdays. Remember, in probability, an event that is certain has a probability of 1, and you count down from there toward zero as the event gets increasingly improbable. We'll ignore February 29 and assume every birthday is equally likely; real birthdays are not uniform, and that only makes a match more likely.
The probability that the first person has a unique birthday, since you haven't recorded anyone else's birthday yet, is 1. The probability that the second person has a different birthday, landing on one of the 364 days left, is (1 - 1/365). The third person, with two days already marked out, has a probability of (1 - 2/365) of having a birthday different from the first two. To get the probability that all three people have different birthdays, you multiply the individual probabilities, like so: 1(1 - 1/365)(1 - 2/365).
Continuing this way for the entire group, (1 - 1/365)(1 - 2/365)...(1 - 22/365) = 0.493. Subtracting from 1, 1 - 0.493 = 0.507, so the probability that two people in a group of 23 share a birthday is 50.7%! That's interesting, but how can it be applied?

False Positive

The big news last week in consumer electronics was that Samsung was not installing keylogging software on their new laptops.
Security consultant Mohammad Hassan was using VIPRE, a malware scanner from GFI. VIPRE had reported a localization package as an infection called StarLogger. StarLogger is in a class of malware known as keyloggers, which record a user's key presses to collect information like user names and passwords as they're typed. StarLogger usually installs itself to the C:\WINDOWS\SL directory which, as it so happens, is also the installation directory of Windows' Slovenian language pack. The scanner was matching on the directory, and the directory alone.
I don't do malware research on consumer electronics, so I'm not familiar with how such findings are supposed to be reported. However, sprinting to a major tech blog to report the latest malware is probably not the preferred method. And anyway, computer malware is such a rapidly evolving battlefront that signature-based defenses have not kept up in quite some time. The list of blocked items is so long that system performance is often affected more by the scan than by the infection. Heuristic (behavior-based) scans aren't much better, either. So many of the tricks the old code monkeys used to program with are practically worms and viruses in their own right.
So, while there is enough blame to go around, most of it belongs on us. We get the blame for letting the story get ahead of the news and jumping at "cyber-threats" around every corner.
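The StarLogger mix-up is what happens when a signature rests on a single weak indicator. The scanner below is an added example, not VIPRE's logic or GFI's signature: it runs two rules over a constructed file listing, one that fires on the install path alone and one that also requires a content hash. The file names, file contents and hashes are placeholders made up for the demonstration; only the C:\WINDOWS\SL directory comes from the post.

```python
import hashlib
import re
from typing import Dict, Iterable, List, NamedTuple


class FileEntry(NamedTuple):
    path: str
    data: bytes


class Signature(NamedTuple):
    name: str
    path_regex: str            # where the sample is known to install
    content_sha256: str = ""   # hash of the sample's file; "" means the path is the only evidence


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(files: Iterable[FileEntry], signatures: Iterable[Signature]) -> Dict[str, List[str]]:
    """Return {signature name: [paths flagged]}.
    A path-only signature fires on anything living at the expected location;
    a signature that carries a content hash fires only when the bytes match too."""
    signatures = list(signatures)
    hits: Dict[str, List[str]] = {sig.name: [] for sig in signatures}
    for f in files:
        for sig in signatures:
            if not re.search(sig.path_regex, f.path, re.IGNORECASE):
                continue
            if sig.content_sha256 and sha256_hex(f.data) != sig.content_sha256:
                continue
            hits[sig.name].append(f.path)
    return hits


def false_positives(hits: Dict[str, List[str]], benign_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Flagged paths that are known to be benign, per signature."""
    benign = set(benign_paths)
    return {name: [p for p in paths if p in benign] for name, paths in hits.items()}


# Constructed file system. The real language pack and the real keylogger have different
# names and contents; these bytes exist only so the hashes differ.
LANGUAGE_PACK = FileEntry(r"C:\WINDOWS\SL\lpk.dll",
                          b"constructed: Slovenian language pack resources")
KEYLOGGER = FileEntry(r"C:\WINDOWS\SL\sl.exe",
                      b"constructed: keyboard hook that appends keystrokes to a log")
FILES = [LANGUAGE_PACK, KEYLOGGER,
         FileEntry(r"C:\WINDOWS\system32\notepad.exe", b"constructed: text editor")]

PATH_ONLY = Signature("StarLogger (path only)", r"\\WINDOWS\\SL\\")
PATH_AND_HASH = Signature("StarLogger (path + hash)", r"\\WINDOWS\\SL\\",
                          sha256_hex(KEYLOGGER.data))

if __name__ == "__main__":
    hits = scan(FILES, [PATH_ONLY, PATH_AND_HASH])
    fps = false_positives(hits, [LANGUAGE_PACK.path])
    for name in hits:
        print(f"{name}: flagged {hits[name]}, false positives {fps[name]}")
```

The path-only rule flags the language pack along with the keylogger; the rule that also checks the bytes flags only the keylogger. A hash is brittle in the other direction, since a recompiled variant slips past it, so the practical lesson is not "hash everything" but "never convict on one circumstantial indicator": a path, a file name or a registry key should raise a suspicion that a second, independent indicator confirms before the word keylogger reaches a headline.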