Friday, January 28, 2011

atsec Newsletter Published


We published our German newsletter and invite you to take a look. The topics include:

  • atsec's impressions from last year's ICCC
  • Establishing a Certificate Authority
  • The IEEE Protection Profiles for Multi Function Printers
  • atsec at the Datenschutzfachtagung
  • Milcom 2010 and AFCEA

You can download our newsletter from the atsec website.

Wednesday, January 26, 2011

Root of Trust in Smartphones

by Courtney Cavness

Just last week, I finally got my first smartphone. I’d been one of those who pooh-poohed the idea of needing to be online at all times. “I just need a phone to make a call, a camera to take a picture, a computer to compute,” said I.

But all that changed in mid-December when I won an iPad in a raffle. I hardly knew how to work it, and so spent a few days playing with it to understand all the capabilities and features of my new toy. I was amazed at how light and fast it was. I could read on this thing! Download books instantly! Install games for my kids to play while they waited in the doctor’s office! If wifi was handy, I could check email and browse online. Sure, I could do all those things on my laptop…but that machine now seemed so cumbersome, so heavy, so slow. Heck, it had a top I had to open, for goodness sakes! Who’s got that kind of time?

And so, without realizing it, I was mentally readying myself to discard my trusty, old, beat-up, $19 phone on a pay-as-you-go plan and obtain mobile nirvana in the form of a shiny new smartphone.

From my personal market research (full disclosure: this simply consisted of some internet searches and asking friends about their smartphones), I learned which one was known as the best “phone” for a smartphone, which had “dying” vs. the newest technology, which was most secure (one online article comparing smartphones mentioned that one was so secure, it was what the president of the United States uses). But, what they all had in common was apps.

Apps: a term that was bandied about so ubiquitously that I could only diffidently nod as everyone spoke with loyalty of the apps available on their brand. I assumed I could worry about that later.

I boiled down my search to a few potential candidates, went into my chosen carrier’s store and told the salesperson what features were important to me in a smartphone. Turns out, everything I needed was available in all of them. All the choices started to look so much alike that I asked the salesman which phone he recommended. Without hesitation, he led me to one that he openly acknowledged was the “least secure” of them all. He described himself as a "techie" and said it was his personal favorite because it was based on open source. Ergo, he said, the maker expected its users to play with the internal controls of the phone - to “hack” it.

That didn’t sound like a good idea to me. So, I did more online searching and indeed found forum discussions devoted to “rooting” a smartphone to give yourself admin access to change read-only files and customize it. Other discussions were dedicated to the various ways to tether smartphones to other devices and share the wifi connection among them.

It was clear I had a lot to learn. And the best way was to jump in, buy a smartphone, and play with it. Now, a week later, I too can toss about smartphone terms like an expert. But, one thing has niggled away at my enjoyment of my smartphone. The apps.

Where did these apps come from? Who verified there was no malicious code in the widget I just installed that helpfully displays an analog clock on my main screen? Could I install a virus scanner on my phone? I looked for, and found, a security app. But how do I know the vendor of that security app is reputable and has protected their code? I can see reviews from happy users, but who is vouching for the security of any of this? Where is the root of trust?

There are two types of apps: those you pay for, and those that are free. Since the cost of apps is typically low ($1 - $6 range), I tend to go with the apps that cost money. I am taking a gamble with each app I download, and it is my thought that if the author of the app is charging money, hopefully they are worried about their integrity and reputation, knowing that if those are damaged, others won't be willing to pay a fee for their services in the future.

That’s my thought, anyway. But, it's no real form of protection.

One thing I learned about two of the frontrunners in the smartphone arena is their different approaches to development. One has an “open” policy, meaning the apps can be decompiled and their source code reviewed – assuming that you can read code. (And, even if not, you might gain some reassurance that there are others who can and do, and would warn the community if there was a problem.) The other runs a tight ship, and has a fiercely-controlled environment where, one would hope, the available apps are somehow vetted.

To get the most from my smartphone, I accepted a certain trade-off wherein I decided to assume a limited risk to my personal security. I won’t do my banking with my phone, nor will I store business-related information on it, but my smartphone is now chock full of my personal information. It’s got a link to an online calendar of personal dates, uploaded photographs, social networking sites, a history of my text and voice messages, and the ability to track my location. Everything is ostensibly there for my convenience, but it's worrisome in its totalitarianism.

Which smartphone is the best? I would say that is purely a personal preference, and brand loyalty abounds. Which smartphone is the most secure? That’s the question you should be asking. And the answer is not definitive. Not until it becomes a standard practice for smartphones and their associated apps to undergo some type of known security evaluation by an independent, third party.

Tuesday, January 25, 2011

Is Your Particle Accelerator Secure?

by Andreas Fabis

After the Stuxnet attack on industrial centrifuges, security experts scrambled to dissect and understand the advanced and persistent threat that the worm embodied. With this attack, a new chapter in the book of cyber-warfare was written wherein a very complex, well-designed, and narrowly-targeted attack was successfully carried out on critical infrastructure – a scenario that, so far, has been more reminiscent of a Hollywood movie plot than a real-world threat.

The effort devoted to creating the Stuxnet worm was deemed to be beyond the capabilities of individual hackers, so it should serve as a serious wake-up call for IT professionals, managers of airports and power plants, and government agencies: the attackers are professionals themselves!

Traditional anti-virus software would not have helped protect against Stuxnet, because it was a brand-new, customized malware that only affected very specific networks. It was also delivered via USB stick directly to the host computer; like most current virus outbreaks, it started within the secured perimeter.

The IT infrastructure (hardware and software) intended to control industrial machinery was designed to be operated by trusted personnel only. But control of this IT infrastructure is now accessible via its connection to networks, and relies on minimal or non-existent security; after all, it wasn’t built with outside threats in mind, but for maximum performance and efficiency. So, when this infrastructure is exposed to attackers, existing vulnerabilities can be easily exploited.

The Stuxnet attack also raises questions about assurance within the supply chain. How can government organizations and companies who run critical infrastructure make sure that none of the countless components used in their systems open back doors to attackers, or contain malicious code that waits, undetected, for the command to shut down or hand over system control to an attacker?

Organizations will have to look at all levels of operation to defend against these kinds of elaborate attacks. Some points for scrutiny include activities to:

  • put in place organizational security policies and procedures that identify critical assets and mitigate risks connected to them
  • educate employees to make them aware of attack scenarios such as social engineering, tainted USB sticks, and phishing attempts
  • use certified hardware and software that offers appropriate assurance for its intended environment
  • broaden the scope of IT security to include industrial machinery and all equipment connected to networks

From our view as a consulting company, we have always looked at IT security as being inextricably intertwined with your business as well as your operations. IT security should not be an add-on; it should support and protect your whole business, and serve as an active part of your organization.

Monday, January 17, 2011

The KGB Hackers

Author Klaus Schmeh wrote an article for the Heise Telepolis magazine about the German hackers who spied for the KGB at the end of the 1980s. After the hackers surrendered, atsec’s Chief Scientist Helmut Kurth – at the time working for the government contractor IABG - was tasked with reviewing the evidence. He worked his way through the discs, printouts and notes and delivered a report that gave the authorities a clear picture of how the hackers worked and what they were able to do.

Their methods were crude in comparison to those of their modern day counterparts. Helmut Kurth remembers: “They weren’t geniuses, but they had a lot of stamina.” The lack of computer and network security at the time helped them with their activities – e.g. many mainframe computers still had the default passwords in place.

The affair ended after Clifford Stoll, an astrophysicist at Stanford University, found traces of intruders in the logs of the university mainframe and started a meticulous hunt for the perpetrators. Finally his work led the German authorities to the hacker group.

Helmut Kurth remembers the trial that ended with a suspended sentence for the group: “The defendants confirmed the findings of my report and didn’t even try to deny their espionage activities. The prosecution couldn’t demonstrate that the hackers caused great damage and the affected companies reported that nothing of importance had been stolen. I am not so sure that this is the truth – after all, no company likes to admit that they have been a victim of hackers.”

The whole article is available in German at the Heise website.

Wednesday, January 12, 2011

Protection Profiles Workshop for Developers

Writing a good Protection Profile that captures the security problem of the sponsor and can be used by developers and evaluators with specific TOEs requires a significant investment of effort.

The Common Criteria is an internationally-accepted standard used as a basis for the evaluation of security functions and properties within Information Technology products and systems. Protection Profiles specify an agreed set of security requirements for a class of IT products and are often used in purchasing decisions by IT product purchasers such as large corporations and government bodies.

There has been a lot of activity in developing Protection Profiles that are relevant and meaningful to a particular industry or IT product class. Recent success includes collaborative work on defining PPs for Operating Systems, Multi Function Printers, and Smartcards. Others are already underway or in the planning stages.

atsec and a group of IT security companies have joined to teach developers how to write Protection Profiles.

The workshop will take place on
February 15th 2011, 9:00 am to 5:00 pm at:

InterContinental Hotel, Howard Room, 4th floor
888 Howard Street
San Francisco, CA 94103

The registration fee for this event is $200. Please register here.

Wednesday, January 5, 2011

Is your Pentester licensed?

by Steve Weingart

Most people don’t know it, but in Texas, any third-party computer security testing (such as penetration testing, forensic imaging or data recovery) where the tester could be exposed to your customer’s data, must be performed by a licensed Texas investigations company.

Not many security testing companies get licensed, but if they are exposed to third-party data to an extent that is more than inadvertent, the license is required.

You might think that this sounds crazy, but it actually makes a lot of sense. People who may get access to your (and your customer’s) data should be verified as being honest folks who are not criminals. While most security testing companies routinely perform background checks on their employees, unless your testing company is licensed, you never know for sure.

As part of the process for registering individuals as investigators, the person’s fingerprints and social security number are sent to both the state and the FBI. So any criminal record will be determined well in advance of anyone gaining access to your computers or data.

The real advantage for you is consumer protection. The Texas Private Security Board monitors the licensed investigators and will initiate action if an investigator violates the law, or if a complaint is filed against them.

So, is your Pentester licensed?