From the what-is-the-world-coming-to department:

Attention parents of teenagers. This story has made the front page of Slashdot: Teens Share Passwords as a Form of Intimacy. First, you had to talk to your teens about alcohol and drugs. Then, the birds and the bees. Now add another item to your list of topics during The Talk: abstinence from pre-marital password sharing!

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

For the past week, BEAST has been the talk of the InfoSec community.  BEAST stands for “Browser Exploit Against SSL/TLS” and is a new way to execute an attack against CBC mode encryption algorithms.  The attack has been theorized for quite some time (2006 seems to be about the time it became known), but until BEAST, an attacker had no practical way to execute the attack, and even with BEAST, the attack against CBC is still difficult to execute.

To execute a BEAST attack you must be able to “man-in-the-middle” (MitM) the network connection between the user and the web server.  Simplified, that means the attacker must be able to make network traffic between a target user’s browser and the web servers that user is talking to flow through the attacker’s computer.

The truth is, if you can MitM connections, you are going to have an easier time executing social engineering attacks (poisoning DNS queries, for instance) than executing the BEAST attack, although a savvy user may notice the social engineering.  The other 90% of users are going to be blissfully unaware.

So why all the hubbub?  The answer to that question is there is no easy way to fix this vulnerability.  Google has added some functionality to its Chrome browser that should be make it much harder (to the point of improbable) to execute BEAST against a Chrome user, and Mozilla is also working on a fix for its browsers.  You can bet Microsoft is working on it, too, but there is no simple fix.  TLSv1.1 and later aren’t vulnerable to this attack, but even though those protocols have been around for half a decade now, they are sparsely deployed.  Of the major browser vendors, I believe Microsoft is the only one that even offers the option of enabling those protocols, and that’s only as of Internet Explorer 9.0.  Fat lot of good it does IE9 users though – almost no web server on the planet supports TLSv1.1 or higher.  Why?  Because almost none of the browsers support it.  Chicken, meet egg.

If you’re paranoid, consider not connecting to untrusted wireless networks. (If you’re that paranoid, you probably don’t connect to wireless networks anyway.) Those are the easiest types of network for an attacker to MitM your connection, though far from the only type that is at risk.

Personally, I’m not too worried about it (yet).  By the time this attack becomes widespread (if ever), I expect the remaining browser vendors will have released updates to make it much harder to execute.  Maybe this will finally spur the adoption of the newer TLS protocols, though, and give the PCI SSC something else to ban from the Internet…

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

With yesterday’s introduction[reuters.com] of Google Health, we can now add personal health records and related information to the types of data Google is storing. This service includes connections to pharmacies, like Walgreen Co. and CVS Caremark, and other health groups. It will “allow patients to schedule appointments, refill prescriptions, receive diagnostic results online, and instantly add their doctors’ email addresses to a list of contacts.”

This service sounds very useful and is likely to be used by many people. My concern is that as the diversity and sensitivity of data Google is storing increases, so does it’s attractiveness as a target for those with malicious intent. According to Marissa Mayer, Google’s vice president for search services and user experience, the service involves an additional layer of security and the data is stored separately from Google’s other data. Mayer stated that, “We certainly have put in place the foremost privacy policy[google.com] that we could construct.” We all hope so!

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

Reuters is reporting[reuters.com] that Canadian soldiers have been ordered not to post personal information to social networking sites like MySpace[myspace.com] and Facebook[facebook.com]. The apparent motive is safety – “Al Qaeda operatives are monitoring Facebook and other social networking sites.”

Many have heard of the potential effects that sharing the wrong information online can have on our careers and social lives, but few would view death as one of those potential effects.  “This may seem over dramatic … (but) the information can be used to target members for further exploitation. It also opens the door for your families and friends to become potential targets as well.”

Are these soldiers and their families really in danger or is this an exaggeration or a command with a hidden motive?

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

We can all breathe a collectively sigh of relief – terrorists now have the ability to communicate securely[reuters.com]. I was really starting to be concerned for their privacy…

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

On Friday, the DHS took another step forward[news.com] in their drive to increase the reliability of state drivers’ licenses by releasing their “Final Rule,”[dhs.gov] of minimum standards for compliance. These changes are required by the REAL ID Act of 2005 and have been a source of controversy in the security and civil-rights communities. Additionally, some states have passed legislation rejecting REAL ID.

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.