An appreciation My old friend and former colleague Steve Bellovin has an interesting blog at Columbia, where he's a professor of computer science. Steve is one of those guys who has just done stuff for his whole career. As a graduate student he helped invent Usenet, which I credit as being the first computer social network. His time at Bell Labs (which is where our paths first crossed) produced a lot of different things, possibly most famously his work with Bill Cheswick on internet firewalls and security. For his last sabbatical from Columbia, he was the Chief Technologist of the Federal Trade Commission for a year. Steve's blog is not notable for it's volume, it's notable for its gems -- thoughtful and thought provoking pieces on a wide variety of topics. There's currently a pair of posts worth reading.

There's an interesting article in Computerworld about the report of a blue-ribbon panel of the NIST looking into allegations in the Snowden documents that a key cryptography standard was weakened by the inclusion, at the NSA's behest, of a weak pseudo-random number generator.

It takes me a fair amount of time to get to some of the client sites I work at, so I'm always looking for interesting podcasts, which are especially useful in areas where audio streams cut in and out. Based on a teaser at the end of NPR's Planet Money podcast, I tried the NPR TED Radio hour (podcast information here), and now I'm hooked.

I was working with a client implementing a vulnerability scanning program. We were analyzing some results when I noticed a few systems vulnerable to Heartbleed. This was a surprise, since it is a Windows shop, although the scan showed a lot of Tomcat around (presumably vendor systems) OpenSSL is not used by Java either. We ran it down and it turned out to be the server management GUI for a couple of machines. This reminded me that there was a fair amount of embedded code, management GUIs for servers, router firmware, etc., that could be vulnerable. What to do? My friend Steve Bellovin would say the most important thing is "Don't Panic." I concur. Also, don't aggressively scan for it if you have older servers on your network. HP's note on Heartbleed and embedded code notes: IMPORTANT: Reports have been received that scanners used to identify the Heartbleed vulnerability cause first-generation Integrated Lights-Out (iLO) and Integrated Lights-Out 2 (iLO 2) to lockup and become unresponsive. Although the server's operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network. To recover, power must be PHYSICALLY removed from the server. HP recommends not using vulnerability scanners to test first-generation iLO and iLO 2 devices, as these products are not vulnerable to the Heartbleed vulnerability.

In October, HP Tipping Point's Zero Day Initiative notified Microsoft of a use-after-free vulnerability in Internet Explorer 8 that could potentially allow remote code execution by an attacker. According to ZDI, Microsoft confirmed that the reproduced the bug in February, but took no action. ZDI's policy is to disclose unpatched vulnerabilities 180 days after vendor notification, although they waited almost two additional months before disclosing this week.

EBay is asking all of its users to change their passwords, following a recently discovered data breach from late February. Apparently employee login credentials were compromised, allowing intruders to access a database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. Unfortunately, data breach announcements throw around the term "encrypted password" loosely, so we don't know if they are encrypted (meaning they can be decrypted with a key, not a best practice), or hashed (meaning they cannot be decrypted, which is good). In either case, there are bigger risks associated with the breach of personal data that could be used to aid identity theft.

What Happened This Week The US Department of Justice announced charges against five members of the (Chinese) Peoples Liberation Army Unit 61398 for cyber industrial espionage against Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies Inc., the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union, and Alcoa Inc. (News coverage: NYT, WSJ (may be behind their paywall), Washington Post) The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity. “This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.” While these are serious allegations, there was a certain high theater about this. The Attorney General held a press conference. The DOJ and FBI issued press releases, complete with "Wanted By The FBI" posters with color pictures of each of the PLA officers and the note that if you see one of these people to call your local FBI office. Somehow, I don't expect any of them to plan a trip to anyplace with an extradition treaty with the US anytime soon.

Disclaimer: These notes are neither product recommendations or complete reviews. They are intended to share a couple of things I'm playing around with right now. Feedback in the comments section would be welcome, especially shared experience with these apps. F-Secure Freedome VPN F-Secure, the Finnish security company, has made a bit of a splash in the technical media (not to mention Forbes as well) lately with their mobile VPN and security app Freedome. Freedome is intended to enhance anonymity and reduce tracking for mobile device users on iOS and Android. F-Secure claims: "We’ve gathered the most sophisticated security features – VPN, anti-virus, anti-tracking, and anti-phishing – into one intuitive service. With the push of a button, Freedome watches your back."

Brian Dye, Symantec's senior vice president for information security, caused lot of virtual ink to be spilled when he told the Wall Street Journal that antivirus "is dead. We don't think of antivirus as a moneymaker in any way." According to Dye, traditional signature antivirus picks up about 45% of cyber attacks. Eeva Haaramo points out on ZDNet that this is not news. Symantec's endpoint protection products (as well as those of their competitors) already look for suspicious activity that may come from previously unseen viruses. They also integrate a local firewall, spam protection, and other new features.

There's been a lot of hand-wringing about the current state of cryptography lately. We've had two publicly disclosed bugs that rendered widely used cryptosystems ineffective in some cases. One was Apple's "goto fail" bug in iOS, which could allow an attacker to intercept all traffic in what the user thought was a secure session. The other was the "Heartbleed" bug in OpenSSL which allowed the compromised of data in memory of an SSL server, including private keys.