Silicon Shecky

Infosec Practitioner

This week and some thoughts on Kaspersky

October 13, 2017 By Michael Kavka

Interesting week this week for me. I uploaded a few new PowerShell scripts to my GitHub. Mind you, while changing telephone numbers or unchecking an attribute box in AD is not sexy security, these scripts do show how to do some manipulation. The attribute box for “Deny this user permission to Remote Desktop Session host server” is the more interesting one, because PowerShell has to manipulate the object using LDAP instead of normal AD commands. This is because, in the normal AD schema, that setting is buried in a single attribute that covers a bunch of odds and ends and is tough to manipulate otherwise. The idea of manipulating AD through LDAP does leave open questions about LDAP bugs being exploitable through PowerShell, and how easy that could be. It also means you have to make sure that some sort of LDAP logging is on, as some of the smaller attributes might not have changes logged by AD into the Windows Event Logs. I am going to investigate further into that.
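A read-only audit of that checkbox, as an added example (this is not one of the scripts from the author's GitHub). It assumes placeholder OU and domain controller names, and a host where the Terminal Services ADSI extension and the ActiveDirectory module are installed; the setting is read through ADSI's `AllowLogon` property and the last write to `userParameters` is taken from replication metadata.

```powershell
# Added example: report the state of the "Deny this user permission to Remote
# Desktop Session host server" box and when its backing attribute last changed.
# Assumptions: $SearchBase and $Server are placeholders, not values from the post.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # placeholder OU
    [string]$Server     = 'dc01.example.com'              # placeholder DC
)
Import-Module ActiveDirectory

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Server/$SearchBase"
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize   = 500

$report = foreach ($result in $searcher.FindAll()) {
    $dn   = [string]$result.Properties['distinguishedname'][0]
    $user = $result.GetDirectoryEntry()

    # The checkbox is not its own schema attribute; ADSI decodes it from the
    # packed userParameters value. 1 = logon allowed, 0 = box ticked (denied).
    try   { $allow = [int]$user.psbase.InvokeGet('AllowLogon') }
    catch { $allow = $null }   # value could not be read from this object

    # Replication metadata records the last originating write to userParameters
    # independently of whatever the event logs captured.
    $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $Server `
                -Properties userParameters

    [pscustomobject]@{
        User        = $dn
        AllowLogon  = $allow
        LastChanged = $meta.LastOriginatingChangeTime
        ChangedOnDC = $meta.LastOriginatingChangeDirectoryServerIdentity
        Version     = $meta.Version
    }
}

# Most recently modified accounts first, for comparison with change records.
$report | Sort-Object LastChanged -Descending | Format-Table -AutoSize
```

Accounts whose `userParameters` has never been written show empty metadata columns.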

One of the big things going on in our world is the whole Kaspersky debacle. So much information and/or misinformation has been floating around, that it really feels to me like a lot of this is PR posturing by the U.S. Government. What I want to point out is a few things.

  1. The data that was found using Kaspersky was not on a government machine. This was another contractor that took classified materials out of the NSA and back to his house. This is important as we do not know the motives of this contractor. Yes, I am going to go a little tin foil hat here, but what if it was a setup? What if said contractor intended for the data to get swiped from his home machine? I am not saying this is the case, but it is a possibility.
  2. The source of proving the Russians used Kaspersky to do this exfiltration was Israel. More specifically, Israeli hackers who had hacked into Kaspersky’s network. Think about that. If the Israelis hacked into Kaspersky’s network, why must Kaspersky have worked intentionally with the Russian government? Now Kaspersky being hacked is a black eye on the company, but we all know that there is no perfect security and anything can be hacked.
  3. Vendors work with Governments. Period. NSA had RSA put in a backdoor into its encryption. McAfee and Symantec have at times worked with the U.S. Government. It is a fact of life.
  4. Reuters reported that German intelligence found no evidence of Kaspersky software used for hacking. Now we start getting back into a he said/she said about what has happened.
  5. With all the cloud systems out there, this same hack is possible to do using Symantec, McAfee or any other AV vendor.

Now I am not saying that there are not issues, trust issues that Kaspersky has to work through, but this is the good ol’ U.S.A. here. We forgive Target, Home Depot, soon, Equifax, and all these other breaches of our own personal data. Keeping Kaspersky off Government machines I can understand, but it is still one of the top AV vendors and I will continue to recommend their software for home users until I see better proof not to. Remember in this day and age, it is all about who you want to have the data, and in the end it is probably everyone who does have it.

Filed Under: Rants, Security, Software Tagged With: Kaspersky, Powershell

Security – Open Source vs. Closed: It’s a matter of eyes

April 14, 2014 By Michael Kavka

For years there has been the whole debate over which is more secure, Open or Closed Source. Microsoft has taken, and still takes, a beating over this. Truth, though, is a different thing.

We all have heard of Heartbleed by now. The 2 year old security gap in OpenSSL has been all over the news. During all of this, a hole in the much loved Chrome browser that will allow websites to turn on your microphone and record what you are saying was announced. Another bug that had been around for a while (August 2013). Meanwhile, the hated entity known as Microsoft has been pretty much unaffected by these issues. Maybe it is time to remove our preconceived and ancient thought over security in the Open vs. Closed Source world.

The argument has been, from what I have heard and can tell, that Open Source is more secure because you have more eyes looking at it. The code is open and out there so people can find the issues faster and with the collaborative nature of Open Source, will be patched faster. Truth of the matter, as has been shown over the past week, is that it is not the case, and security holes can get past this set of checks and balances just as they can in any Closed Source system. The surprising thing is how long it has taken to find Heartbleed. One would think, with all those eyes looking at the code, that it would have been found much sooner. Of course this has led to the theories of the bug being an NSA backdoor. True or not, the code was still out there for everyone to see.

Chrome is a slightly different issue. Here is a bug that was found over 6 months ago, that still hasn’t been patched. It was brought to Google’s attention and they sat on it. Could this be another NSA (or insert your favorite Government agency here) backdoor? A way to spy on you without warrants? We will never know for sure, but it does show one major hole. Our thinking of Open Source and security is not completely correct. It is not the be all end all.

What has been lost in this is that Microsoft and its Closed Source implementations of SSL have been free and clear of the Heartbleed problem. Microsoft at one time was awful with security. In this day and age, though, it has gotten a lot better. It is responsive to holes, and the out-of-band patches and workarounds for Zero Days arrive quite speedily. In fact, the biggest security holes in Microsoft systems are usually Java and/or Flash. Flash is still Closed Source, but Java was at one point more open. Java is also embedded very deep in the web. Try using NoScript at its tightest levels and see how much of websites gets blocked, and how many websites complain about Java not being turned on. Yet through all of this, Microsoft is the one that still takes the blame, especially in the public’s eye. That is because we, the ones in the know, have done little to reeducate the public, and ourselves.

Do not get me wrong. I have nothing but love for the Open Source community. Collaborative efforts are awesome, and the community puts out some fantastic software, and alternatives to Closed Source (and overpriced) programs. It just has to be realized that it is no more secure than Closed Source. In the end it is all about the eyes on the code and the people looking for the holes. Remember Security is a process, not a destination.

Filed Under: Rants, Security, Software Tagged With: Chrome, Google, Hearbleed, Microsoft, Open Source, Security

The OS future

September 14, 2011 By Michael Kavka

Windows 8 has been unveiled, OSx is Roaring, and Ubuntu is trying to create a Unity. These new OS’s give us a peek at the future, but what does it really say?

Over on ZDNet Ed Bott wrote a nice article on Windows 8. I’m not going to go into it in detail, but the Article and the screen shots got me to thinking, what is the future of the Operating Systems in general? Ubuntu and Windows have come up with new GUIs, and they are different. Geared toward simplifying navigation, are these becoming too simple? Are we getting to the point of making something that a fool can use, and only a fool will use it?

I am not against change, as long as there is a good reason for it. Making a GUI more user friendly is not a bad thing. The way Ubuntu, and now Windows, are going about it, though, worries me from a support standpoint. How much more difficult is it becoming to find the deep areas that those of us who do troubleshoot machines use? How much more training will we need? How will this affect how people use the OS in a business environment?

The OS that has changed the least in GUI appearance over the years is Macintosh. The basic layout, and where you find things has been essentially the same going back to its beginning, with just some upgrades to that classic look and feel. Apple boasts about how easy it is to use a Mac, and from an OS standpoint, they are right. You don’t have to learn a new GUI with every update. You have your bar up top which allows for the classic drop down menus. They added the dock at the bottom, but you don’t have to use it.

Unity, the new look, kills off the classic menu structures to get at your programs. It takes more clicks to find something that is not docked. The more elegant look actually becomes more complex. When you log into the OS, you can choose to go back to the Classic look, but it is not obvious how to, although it is simple if you know where to look. Still, the more complex sets of clicks to find an installed program can be a big hindrance to acceptance. Also realize the look doesn’t add anything to security.

Windows 8 poses a bigger question. With it being meant for touch screen, although you can use a mouse and keyboard, and the look and feel being more toward Microsoft’s phone OS, how is this going to complicate finding files, finding software you install? The desktop space is a premium but, as we all know, you put too much there it becomes hard to find what you are looking for. Also what about software that is not on the desktop? How about file exploring especially if you are on a network where items are kept on multiple network drives?

These questions, and where the companies want to steer the computing world, are really what will shape the future, and also cause problems. Too much change at once is not good, and change for its own sake usually causes more problems than it’s worth. Only time will tell what the answers are but, from first glance, it seems as if making the look the same across all platforms is happening, and from there, maybe you get into a situation like Chrome OS, where it is basically a browser, and nothing is kept locally. If that is the case, you can port your GUI look across multiple devices easily, but then who owns your information since it will not be stored locally? It’s something to think about.

Filed Under: Apple, Computers, Linux, Microsoft, Software Tagged With: Apple, Linux, Microsoft, Operating Systems, OS, OSx, Ubuntu, Windows 8
