Categories: Hardware, Process, Tampa Bay, What I’m Up To

Scenes from Day 3 of the “UC Baseline” cybersecurity program at The Undercroft

Wednesday: Day 3 continued the heavy hands-on portion of Hardware 101, the first segment of my five weeks at UC Baseline, the cybersecurity training program offered by Tampa Bay’s security guild, The Undercroft.

After taking apart and reassembling a desktop, it was time to up the ante and do the same with at least one laptop. I started with a Dell Latitude E5500, a bulky beast by today’s laptop standards, but one that’s more user-serviceable — and more easily taken apart — than most.

First step: Removing the battery.

The bottom panel was easy to pop open. It was held in place by nothing fancier than standard Phillips screws, which provided easy access to the RAM.

Next on the removal list: The optical drive. Once again, pretty straightforward — remove some anchoring screws, and then use a flathead screwdriver tip to push the drive casing out.

The fan was quite easy to remove, as was the CPU heat sink.

Unlike the previous day’s desktop machines’ CPUs, which were in ZIF (zero insertion force) slots, laptop CPUs aren’t typically swappable, as they’re generally soldered onto the motherboard. This machine had a notebook-grade Core 2 Duo, which was typical for a mid-level laptop in the Windows 7 era.

It was also pretty easy to remove the keyboard…

…and once that was done, detaching the screen was a simple process.

With the disassembly complete, I laid out and labeled the parts that I’d extracted:

“All right, next challenge,” said Tremere, our instructor for the Hardware 101 portion of the course. “Disassemble, then reassemble the small one…”

I flipped it over, pleasantly surprised to see standard Phillips screws that were easy to access:

At this size, a laptop’s battery-to-actual-computer ratio jumps significantly:

This machine was still intended to be somewhat user-serviceable, so the battery and RAM were still easy to remove:

The drive didn’t take much effort to liberate, either:

The fan/heat sink combo didn’t put up much of a fight:

This is a machine made specifically for writing TPS reports and not much else, judging from its CPU. Still, I’m sure it could do a serviceable job running a modern lightweight Linux — assuming it survives my disassembly and subsequent attempt to put it back together again.

Here are both patients, spread out across the operating table…

Re-assembly took a little longer, and I didn’t bother with photos of that process. I did manage to get it back together again, and with no extra parts!

I even got the screen reattached! Later, I found a power adapter, and the machine managed to start and get up to the BIOS screen, although the screen looked a little dim. Since I’m not trying out for a CompTIA hardware certificate, I’ll simply declare the procedure a success and not get too bogged down with fussy minutiae such as “functioning” and “usable”.

Categories: Process, Tampa Bay, What I’m Up To

Why I’m excited about learning cybersecurity at The Undercroft

Another life in 2002

Paul Baranowski, me, and John “Captain Crunch” Draper at a liquor store/bar near the DNA Lounge in San Francisco, February 2002. Photo by The Register’s Andrew Orlowski.

From 2000 to 2001, I lived in San Francisco, where I took advantage of opportunities to hang out at Def Con, and I got to know a lot of the dot-com-bubble/bust-era cybersecurity/hacktivism community. I kept those connections and as a result, ended up working on a project that the Cult of the Dead Cow originated: a little hacktivism project called Peekabooty.

Peekabooty was a peer-to-peer proto-VPN (remember, Napster was still in its original P2P file-sharing form back then, and at the time BitTorrent was just a concept that Bram Cohen was working on and telling us about) that was meant to circumvent the Great Firewall of China and provide Chinese dissidents with access to sites banned in their location. Paul Baranowski did the real back-end work, I was the front-end developer as well as the technical evangelist, and because it was a Windows desktop app, we did it in Visual C++, as one did back in those heady days of the early 2000s.

Here are a couple of snapshots of the user interface, which acted like a screensaver — it used cutesy bears (which I illustrated) to show nodes in your particular P2P network:

This screen shows that you’re running a VPN node, and no one’s connected to you.
This screen shows that you’ve got 3 different kinds of nodes connected to you: one in the free world, a censored one, and one behind a NAT.

We presented Peekabooty at CodeCon 2002 (you can listen to our presentation here). It’s still one of the proudest moments of my career, and we got to hang out with friends from our P2P days at OpenCola, as well as with new people:

And, of course, I learned so much!

I miss doing that sort of thing, and I think participating in The Undercroft’s UC Baseline program is an important step towards getting back to that kind of work.

Current life in 2020

Here I am in 2020 — laid off, but with a couple of side gigs to make a little extra money and prove that I haven’t been idle. Then last Thursday, I heard about the UC Baseline program and a scholarship. I decided to apply on a lark, figuring that they’d never pick me.

Photo: The Undercroft sign, featuring the Undercroft’s “mascot” — a stag standing upright in a suit, leaning jauntily against an umbrella, walking stick-style.

They did pick me, and between the greatly reduced cost of attending and my not living paycheck-to-paycheck, I’m able to attend. I’m willing to play the gambit of not taking a full-time job for the next five weeks while ramping up some dormant security skills, because I think it’s a worthwhile one.

At the same time, I think that I can also be useful to The Undercroft by writing about my UC Baseline experiences and promoting them.

I’m looking forward to the experience. It’s an exciting course being taught in an amazing space by interesting people.

Further reading

Here are some articles about Peekabooty:

Categories: Process, Tampa Bay, What I’m Up To

Joey’s Bizarre Adventure (or: I’m in The Undercroft’s “UC Baseline” cybersecurity education program!)

Remember that scholarship to the “UC Baseline” cybersecurity program that I wrote about last week? In that post, I also wrote:

(I’ll admit it: Although I’m not likely to qualify, I applied.)

Well, I applied, and I qualified. The combination of a promotional bonus and an I-got-laid-off scholarship gave me a deep discount on the standard $6,500 price tag for the inaugural cohort of the UC Baseline course, which starts tomorrow and runs until Wednesday, August 19th. Class starts at 8:00 a.m. tomorrow.

Based in a gorgeous building in Tampa’s historic Ybor City neighborhood, The Undercroft could be described as a security startup incubator and coworking space, but they prefer to be described as a security guild and guild hall.

Here’s what Undercroft CEO Adam Sheffield has to say:

What we offer here is secure workspace for startups and medium-sized businesses in the security field that either want to start their businesses here in Tampa or make Tampa their home.

They’re also the home of a lot of interesting presentations, as this gallery of graphics for previous ones shows:

This isn’t my first exposure to information security culture, but it’s been a while, and I’m overdue for a refresher.

The first week of the program is Hardware 101, where we’ll spend five days covering the background and basics of the components that comprise modern systems. This should be fun.

To be continued!

For the next five weeks, I’ll be at The Undercroft (masked up, in a small cohort), learning. I’ll write about my experiences as I progress through the program.


BYOD Roundup: The “BYOD for You” Book, Liability, and Shadow IT

A New Book: BYOD for You


Most BYOD guides we’ve seen cover BYOD from management’s or the IT department’s point of view; BYOD for You is the first we’ve seen that covers it from the rank-and-file employee’s angle. Written by Daniel Lohrmann, who blogs at Government Technology and has a site at BYOD4U.com, this Kindle ebook is a quick read that helps you determine an organization’s BYOD maturity level, secure your BYOD mobile device and maximize its benefits, and cope with the way personal mobile devices are handled where you work.

BYOD for You is an easy lunchtime read; it’s divided into eight chapters, most of them about a half-dozen pages long, which cover these topics:

  1. Categorizing your BYOD environment: Gold, Silver or Bronze?
  2. Your workplace’s BYOD program, or the lack thereof
  3. Security: How to safely use your mobile device at work and home
  4. MDM
  5. Privacy and other legal considerations
  6. Maximizing the financial benefits of BYOD
  7. Ethical dilemmas and proving you deserve your mobile device
  8. Building a personalized BYOD plan that outlives your device

Each of the chapters ends with a section that provides suggestions on how to handle its topic depending on the BYOD maturity level of your organization. Lohrmann’s model for BYOD maturity has three levels, which are explained below:

  • Bronze: An organization operating at the Bronze BYOD level has employees who bring their own devices to work, but doesn’t have an official BYOD policy. It’s unclear about what happens when company information security policies and personal devices collide, if employees’ personal data will remain private, or if their work-related activities on personal devices will get them in trouble. Employees also bear all costs of using the device, even for work-related purposes. MDM is practically or completely non-existent.
  • Silver: In organizations operating at the Silver BYOD level, there is a basic BYOD policy that spells out how its data can be accessed, as well as issues of security and privacy, and there is tacit permission for employees to access their work email from their devices. Employees can choose between all-expenses-paid COPE devices or BYOD devices without any reimbursement for operating costs. MDM is limited; it’s often something basic, like what’s provided by Microsoft Exchange ActiveSync.
  • Gold: At the Gold level of BYOD, there’s a full BYOD policy, and employees are fully reimbursed for all device costs. All devices are under full MDM.

Even though it’s written for end users at a workplace, it’s a useful guide for managers who are new to the idea of BYOD and want to get a grasp of the major issues that can arise when employees bring their own devices to work. I expect that we’ll be using this in our consulting work and recommending it to our customers.

There’s a special deal if you buy it today (Wednesday, April 17, 2013): it’s selling at a dollar off — a mere CAD$3.03 at Amazon.ca, and USD$2.99 at Amazon.com.

BYOL: Bring Your Own Liabilities


Mobile technologies bring new capabilities, but new complications as well. The CIO article BYOL: Bring Your Own Liabilities points out that the dual nature of BYOD devices — owned by the employee, but used part of the time on behalf of the company (and possibly subsidized) — presents some new potential legal issues, whether or not your organization has a formal BYOD program. The article lists a number of ways you can reduce the risk of legal exposure in your BYOD program; the article goes into more detail, and we’ve summarized the main points below:

  • Policy: The article says that a policy defining your organization’s BYOD program is the most important element of any BYOD strategy, and we’re inclined to agree. Such a policy should clearly define how your BYOD program will operate, specify the risks and responsibilities of the organization, employees and third parties, and define acceptable technologies and acceptable use. Most of it shouldn’t have to address legal issues, but having such a policy will help reduce your legal exposure. (By the bye, we’re pretty good about crafting mobile device policies, and we even have a guidebook to help you build your own.)
  • Liability issues: Figure out whether your organization or your employees are liable in certain cases, such as: Who’s responsible for misplaced or stolen devices? Who’s responsible in the event of a malware attack? Who pays for support?
  • Licensing: Are the apps on mobile devices — both company- and employee-owned — properly licensed?
  • Insurance: Will your organization’s insurance policy cover devices that it doesn’t directly own or lease?
  • Data security: As the article says: “Two topics generally colour the legal framework in the context of data security; these are confidential information and litigation obligations, both of which are concerns for any mobility based system.”
  • Confidentiality: We take our mobile devices (especially our smartphones) everywhere, and sooner or later, they’ll get lost or stolen. You need to consider the implications of missing mobile devices, from the loss of your organization’s sensitive information, to inadvertent breaches of confidentiality agreements with other parties, to remote wipes, to the consequences of remotely wiping an employee’s personal data. Along with the issues that come with confidential or sensitive data on the device, there’s also the issue of such data off the device, stored with third-party cloud services like Dropbox.
  • Discovery obligations: Data stored on mobile devices used for work may be subject to electronic discovery, the pre-trial phase in litigation where each party can get evidence from the opposing party. You may need to take measures to keep work and personal data separate, keeping in mind that your organization can’t object to producing some information in the discovery process simply because it has some personal employee information mixed in.
  • Privacy: One reason to try to keep work and personal data separate is to preserve employee privacy, especially when backing up information. Ideally, you want to back up only the work-related information and store no personal employee information (such as their address book or photos) on your organization’s backup system.
  • Surveillance and tracking: The ability to remotely track a device is a useful thing to have when it’s lost or misplaced, but it can be a cause for concern about its use for tracking employees. The article recommends the use of a data surveillance policy that clearly spells out how devices will be tracked, and if your organization will record information stored or transmitted by the device.

BYOD and Shadow IT


From an earlier article:

Shadow IT sounds like some kind of future slang that [William] Gibson would’ve coined, but it’s an office term referring to the set of applications and systems that are used in organizations without that organization’s approval, and especially without the approval of the IT department. It’s usually the result of one or a handful of employees discovering an application, service or system that solves a problem in a way that seems more effective, expedient, and more free of red tape than if it were solved by IT. Shadow IT usually starts off as an ad hoc solution, but if it becomes popular within an organization, its use can become standard practice, even without the approval or oversight of the IT department.

When people talk about shadow IT, they usually talk about the security issues. Mike Foremen in Huffington Post UK writes about another equally important issue: the creation of data silos, where information vital to the business lives in places where it can’t be found.


Salmagundi for Thursday, December 15, 2011

Salmagundi? That’s the word for a seventeenth-century English dish made of an assortment of wildly varying ingredients. Typically, they include some cut-up hard-boiled egg, but then after that, anything goes: meat, seafood, fruits and veg, nuts and flowers and all manner of dressings and sauces. The term comes from the French “salmigondis”, which translates as “hodgepodge”.

In this case, I’m using “salmagundi” as a term for a mixed bag of new items that you might find interesting as a developer.

The Tangled Web: A Guide to Securing Modern Web Applications


I’m currently in the middle of reading Michal Zalewski’s new book, The Tangled Web: A Guide to Securing Modern Web Applications and it’s been a fascinating, enlightening and enjoyable read. At first glance, you might be tempted to simply sum it up as a “security book”; I think it’s more accurate to describe it as “a great review of how browsers, their protocols, programming languages and security features work, and how to write secure apps given this knowledge”. Given that web security is a rapidly moving target, especially with the browser vendors – even the formerly-pokey Microsoft – cranking out versions at a faster rate, Zalewski’s approach to the topic is the right one: make sure the reader is clear on the basic principles, and then derive the security maxims from them, giving the knowledge contained within the book a much longer “shelf life”.

The Tangled Web is divided into three parts:

  1. Anatomy of the web. A tour of the web’s building blocks, from URL structure, HTTP and HTML to how it’s all rendered: CSS, client-side scripting languages, non-HTML documents and plug-ins.
  2. Browser security features. All the mechanisms that keep the malware from 0wnz0ring your system – the same-origin policy, frames and cross-domain content, content recognition mechanisms, dealing with rogue scripts and extrinsic site privileges (that is, privileges that aren’t derived from the web content, but from settings within the browser).
  3. A glimpse of things to come. A look at some of the proposed security mechanisms and approaches that may or may not become standard parts of the web.

Each chapter except the last ends with a “Security Engineering Cheat Sheet”, which functions as both a summary of the material within the chapter and a security checklist. The last chapter is titled Common Web Vulnerabilities and lists vulnerabilities specific to web applications, problems to keep in mind when designing web apps and common problems unique to server-side code.

I’m going to be showing The Tangled Web around the office (especially now, since I’m physically in Shopify’s headquarters this week). I’m sure the developers know a lot of this stuff, but they’re a bunch who are always eager to learn, review and “sharpen the saw”, so I think they’ll find it useful. If you develop web apps, whether for fun or to pay the rent, you’ll want to check out this book as well.

CUSEC 2012: Montreal, January 19 – 21


Ah, CUSEC: the Canadian University Software Engineering Conference. This for-students-by-students conference punches well above its weight class. I’ve been to tech conferences put on by so-called full-time “professionals” that can’t hold a candle to what the students behind CUSEC do every year in addition to their course loads.

Better yet is the caliber of speakers they’ve been able to bring in: Kent Beck, Joel Spolsky, David Parnas, Greg Wilson, Chad Fowler, Kathy Sierra, Dave Thomas, Venkat Subramanian, Jeff Atwood, Tim Bray, Jon Udell, Avi Bryant, Dan Ingalls, Giles Bowkett, Leah Culver, Francis Hwang, Doug Crockford, Matt Knox, Jacqui Maher, Thomas Ptacek, Reg Braithwaite, Yehuda Katz, and of course Richard M. Stallman, in whose auction I made the winning bid for a plush gnu, which I paid for with my Microsoft credit card.

This year’s CUSEC theme is “Turing Complete” in honor of 2012 being the 100th anniversary of Alan Turing’s birth. He established his place in history as the father of computer science by formalizing concepts like “algorithm” and “computation” with the concept of the Turing Machine, proposing the Turing Test in an attempt to answer the question “Can machines think?”, working as a codebreaker at Bletchley Park (I like to say “He beat the Nazis…with math!”) and coming up with one of the first designs for a stored-program computer. He even found his way into pop culture by getting name-checked in Cryptonomicon and The Social Network.

Once again, Shopify will be there as a sponsor and once again, I will be hosting the DemoCamp at CUSEC. If you’re a university student studying computer science or computer engineering, you should come to Montreal from January 19th through 21st and catch one of the best conferences you’ll ever attend. Bring your resume: we’re looking for talented programmers who want to work with us!

HTTPcats

Image: HTTPcats poster for status code 414.

Cat pictures meet motivational posters meet HTTP status codes! It’s the Perfect Storm!

Image: HTTPcats poster for status code 200.

This article also appears in the Shopify Technology Blog.


ScottGu’s Workaround for the ASP.NET Security Vulnerability

The ASP.NET Security Vulnerability

Poster for the movie "Hackers"

Chances are that you’ve seen the Microsoft Security Advisory, but in case you haven’t, here’s the "tl;dr" version:

  • There’s a vulnerability in ASP.NET that was publicly disclosed late on Friday at a security conference.
  • An attacker using this vulnerability can:
    • Request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).
    • Decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How Does the Vulnerability Work?

The vulnerability is based on a cryptographic oracle. When talking amongst the crypto crowd, an “oracle” refers to a system that gives away hints if you ask it the right questions.

Within ASP.NET, there’s a vulnerability that acts like a “padding oracle”. An attacker can send ciphertext to the web server and learn if it was decrypted properly by looking at the error code returned by the server. Make lots of requests like that while keeping track of the error codes returned, and you can learn enough to decrypt the ciphertext.

How Do You Work Around the Vulnerability (the high-level version)?

The vulnerability works because of the different error codes returned by the server. The workaround is to change the error handling within ASP.NET so that it always sends the same error each time, regardless of the error, thereby cancelling the “oracular” behaviour.

More specifically, this involves enabling the <customErrors> feature of ASP.NET and mapping all errors to return the same error page.
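As an added illustration (not taken from the advisory or from Guthrie’s post), here is the shape of a weak web.config setting beside the corrected one the workaround describes; the error page name error.aspx is assumed:

```xml
<!-- Weak: custom errors are off, so the client sees ASP.NET's own error
     responses, and a bad-padding failure, a failed integrity check and a
     missing resource each produce a different response. Those differences
     are exactly the hints a padding oracle needs. -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Corrected: every error, whatever its cause, is rewritten in place
     to one page (error.aspx is an assumed name). No <error statusCode="...">
     children are listed, because mapping different errors to different
     pages would reintroduce the distinguishable responses.
     allowOverride="false" keeps sub-applications from weakening this. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On"
                    redirectMode="ResponseRewrite"
                    defaultRedirect="~/error.aspx" />
    </system.web>
  </location>
</configuration>
```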

How Do You Work Around the Vulnerability (the step-by-step version)?

Scott Guthrie’s blog has the step-by-step instructions for:

  • Working around the vulnerability
  • Making sure that the workaround has been enabled
  • Finding vulnerable ASP.NET applications on your server
  • Finding out more about the vulnerability

If you’ve got an ASP.NET-based application, make sure you’ve set up the workaround!

This article also appears in Canadian Developer Connection.


The “500 Worst Passwords”

Hand-drawn list of the "500 Worst Passwords"

You’ve heard the stories about people choosing terribly obvious passwords for their various computer accounts, such as “password” and “12345”, but what are the other ones? In his book, Perfect Passwords: Selection, Protection, Authentication, Mark Burnett compiled the most common easy-to-crack passwords, most of which are ordinary words or key sequences that are easy to type on a QWERTY keyboard. I’m amused by some of the pop culture-based passwords, such as “Rush2112”, “8675309” and the X-Files inspired “TrustNo1”.

Someone else — I don’t know who did it — decided to turn that list into the hand-lettered poster shown above. You can click it to see it at a larger size.

In addition to being a good list showing the sort of password you shouldn’t use, it’s also a great name generator. You could take two random items from the list to create new character names for a Metal Gear game (“Tomcat Eagle1” makes just about as much sense as “Solid Snake” or “Sniper Wolf”) or any three to come up with the name of your band or prison softball team (“Bigdick Magnum Juice”).

This article also appears in The Adventures of Accordion Guy in the 21st Century.