Scientists Call Diebold Security Flaw ‘Worst Ever’

Politics, Security

Critics say hole created for upgrades could be exploited by someone with nefarious plans

By Ian Hoffman

Computer scientists say a security hole recently found in Diebold Election Systems’ touch-screen voting machines is the “worst ever” in a voting system.

Election officials from Iowa to Maryland have been rushing to limit the risk of vote fraud or disabled voting machines since the hole was reported Wednesday.

Scientists, who have conferred with Diebold representatives, said Diebold programmers created the security hole intentionally as a means of quickly upgrading voting software on its electronic voting machines.

The hole allows someone with a common computer component and knowledge of Diebold systems to load almost any software without a password or proof of authenticity and potentially without leaving telltale signs of the change.


Student vs. Hacker Showdown

Networking, School, Security, Microsoft, Linux

A week or so ago I came across an article entitled “A Student-Hacker Showdown at the Collegiate Cyber Defense Competition”. I had never heard of this particular event before, but it definitely sounds cool. I would love to get a team together at the school where I work and try to compete in this next time around. I’d also love to hear from anyone who’s been involved in it in any fashion. For those who don’t know, I work at a post-secondary institution in Bloomington, Indiana, and do various sysadmin/netadmin/infosec chores there. I’ve thought about trying to organize some sort of “capture the flag” game, but it’s never moved past the “hey, that’s a cool idea” phase in my head. =)

Perl code to monitor for setuid bit

Programming, Security, Linux

We have a certain application that requires the setuid bit to be set on a certain executable in order for a certain process to work. Yes, I’m being intentionally vague here and, yes, I realize the dangers of setuid executables. That said…

I received an e-mail today telling me that the “certain process” didn’t seem to be working properly. The last “good run” was on March 7th, a bit over two weeks ago. I got looking into the matter and discovered entries in logfiles warning that the intended operation couldn’t be completed because the “certain executable” wasn’t setuid root. (These log files are massive, too large for me to visually read through every day or I would be — duh). Anyways, I determined that, on March 7th, a vendor-supplied update was installed (by me, even!) that updated the “certain executable”, restoring its non-setuid state. Restored the setuid bit and was ready to call it done when I decided that it’d be nice to prevent this from happening again. What I ended up with is the following bit of Perl that checks $filename to see if the setuid bit is set and emails $administrator if it’s not. I set this up to run from cron on a frequent basis, then called it “done”. Note: I’ve intentionally obfuscated a few things here, but maybe this snippet can be of benefit to someone else.

#!/usr/bin/perl
#
# $Id: monitor_setuid.pl, v 1.0 2006/03/23 20:23:17 jlgaddis Exp $
#
# This script checks $filename for the existence of the setuid
# bit. If $filename is not setuid, an e-mail is generated to
# $administrator warning them of the fact.
#

use strict;
use warnings;
use Net::SMTP;

my $filename      = "/path/to/setuid/executable";
my $administrator = "you\@example.com";

# -u is true only if the file exists and has its setuid bit set,
# so a missing file also triggers the warning e-mail.
unless (-u $filename) {
    my $smtp = Net::SMTP->new('localhost')
        or die("Can't connect to localhost:25/TCP");
    $smtp->mail('from@your-domain.com');
    $smtp->to($administrator);
    $smtp->data();
    $smtp->datasend("Subject: SETUID CHECK FOR $filename FAILED\n");
    $smtp->datasend("\n");
    $smtp->datasend("An automated check for the existence of the setuid\n");
    $smtp->datasend("bit on $filename failed.\n\n");
    $smtp->datasend("THIS FILE IS NOT SETUID!\n");
    $smtp->datasend("\n");
    $smtp->dataend();
    $smtp->quit;
}

exit 0;

Well, it lost my indentation when I pasted it, but you get the picture…
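A broader version of the same check, as an added example that is not the author's script: besides the setuid bit, it also verifies the file's owner and that group and others cannot write to it, since a vendor update can change any of the three. The function name check_setuid, the finding labels and the argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original script. check_setuid and its finding
# labels are hypothetical names; the file path and uid are supplied by you.

# check_setuid FILE EXPECTED_UID
# Prints one finding per line. Returns 0 if FILE is a regular setuid file
# owned by EXPECTED_UID and not writable by group/others, 2 if it is
# missing, 1 for any other drift.
check_setuid() {
    file=$1
    want_uid=$2
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file is not a regular file"
        return 2
    fi
    # Same condition the Perl script tests: an update reset the mode.
    if [ ! -u "$file" ]; then
        echo "NOT-SETUID: $file has no setuid bit"
        rc=1
    fi
    # The bit only helps if the owner is still the expected account.
    # ls -n prints the numeric uid in the third column.
    have_uid=$(ls -ldn "$file" | awk '{print $3}')
    if [ "$have_uid" != "$want_uid" ]; then
        echo "WRONG-OWNER: $file has uid $have_uid, expected $want_uid"
        rc=1
    fi
    # A setuid file that group or others can modify is a risk of its own.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE: $file is writable by group or others"
        rc=1
    fi
    return "$rc"
}

# Cron entry point: FILE EXPECTED_UID ADMIN_EMAIL. Mails only on failure.
if [ "$#" -eq 3 ]; then
    report=$(check_setuid "$1" "$2") ||
        printf '%s\n' "$report" | mailx -s "setuid check failed: $1" "$3"
fi
```

Run from cron with the file, the expected numeric uid (0 for root) and the address to notify; it stays silent while the file is in the expected state.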

IE 0-day exploits in the wild

Security, Internet, Microsoft

Secunia Research has publicly reported another 0-day vulnerability in Internet Explorer. Microsoft apparently confirmed (with Secunia) the vulnerability on February 21st, but no patch was included in the March release. A “confirmation” of the vulnerability has been posted on the Microsoft Security Response Center Blog as well. They didn’t come right out and say it, but if you read between the lines…

The Internet Storm Center has raised the Infocon level to yellow, as they report seeing at least one proof-of-concept exploit (which fires up calc.exe).

The workaround is to disable Active Scripting in IE, but I’m wondering what all this is going to break. I’d love to be able to do it in my environment, but I can’t just blindly do that without understanding the repercussions. Any ideas? Thanks.

Configuring a free VPN solution in your home

Networking, Security, Linux, Open Source

“CCIE9277” has a really good, detailed article (complete w/ screenshots) called “Configuring a free VPN solution in your home” which shows you how to set up a secure connection between Microsoft Windows XP and a D-Link router. I use IPCop and IPSec myself, but this article is very helpful, in major part due to the provided screenshots.

Remove DRM from Yahoo! Music Unlimited files

Security, Open Source

I’ve mentioned before that we subscribe to the Yahoo! Music Unlimited service. For $60/year, you can download all the music you want from their collections. It is a subscription service, however, so if you cancel or stop using it, your licenses eventually expire and you’re unable to play that music anymore. It’s been worth the money so far, though, especially since you can “authorize” up to three PCs and two mobile devices on a single subscription. This means all the music you download is sync’d across (up to) 3 PCs and you can also transfer it to two mobile devices (MP3 players, PDAs, etc.) IF you also subscribe to the “music to go” option, which adds a bit more to the cost. In my opinion, however, it’s well worth the cost.

Enter tunebite.

Today someone pointed out to me a piece of software called tunebite. tunebite removes the Digital Rights Management (or DRM) from the music files you download. It does it in an indirect way, however. It works by monitoring the output from your sound card and feeding it back in to the tunebite software, where it then re-records the music. You can select between having it converted to OGG, MP3, or WMA audio files. I prefer MP3 myself (seems to be the most portable), so I selected that option.

The free trial will only record the first 30 seconds of a song, but that was good enough for me to see that the software was worth it. I now have the full version (you can buy online, of course) and used it to “convert” some DRM-protected WMA files downloaded from Yahoo! into non-protected MP3 files. It just works, and it does a great job. You have to play the files through something like iTunes or Windows Media Player and it records your output files as the song is playing. On my system, it used “high-speed dubbing” (similar to how you could duplicate old cassette tapes) to record at 3x normal speed. My sound card runs into an LCD monitor with built-in speakers, so I simply started it recording, turned off the monitor, and walked away. When I came back, it had successfully converted the files I selected into unprotected MP3 files that I can now burn to CD.

I’m not sure what kind of legal issues may be involved in this, however, so it’s possible that this may be illegal or, at the least, possibly violates Yahoo!’s terms of service. Nonetheless, tunebite rocks, and it’s well worth the purchase price (less than $20 USD). I highly recommend it for anyone interested in doing this.

Tech Podcasts

Networking, Security, Internet, Microsoft, Linux

A month and a half or so ago, I wrote about some security podcasts I listen to on a regular basis. I was specifically looking for some good technical podcasts that I might be missing out on. Network security pro Martin McKeay (who hosts a security podcast himself) directed me to Security Catalyst and Sploitcast.

I’ve managed to find some others “on my own”, mainly thanks to the fact that I somehow stumbled across the Yahoo! Music Engine Podcast Plugin (thanks to Jeremy Zawodny). I’ve been using the Yahoo! Music Engine (YME) and subscribing to their service since just after Christmas. I had bought Lindsey a Dell DJ MP3 player for Christmas, so we subscribed to the Yahoo! Unlimited service so that she could keep it full of the latest music. Since Yahoo! lets you share the music between three PCs and two mobile devices, I also installed it on my laptop which usually travels back and forth to work with me. I started putting a few songs on my PDA as well, and the YME worked flawlessly transferring the files back and forth.

So, anyways, as I was saying… The YME is incredibly easy to use and sync’ing a mobile device with it is as easy as plugging your device in. I’ve been listening to podcasts for a while, but it’s been a manual job of downloading them using Juice then dragging them over to the PDA in Windows Explorer.

Now that I’ve got the Podcasts plugin installed, I’ve dumped Juice and subscribed to a bunch more podcasts inside of the YME application. It’s set to check for updates on a daily basis (it stays resident and active in the system tray) and will automatically download them. YME is configured to automatically sync with my device whenever it’s plugged in, so all I will have to do to get the latest podcasts is drop the PDA in its cradle and wait for it to sync. Kickass!

So, here’s a list of what I’m subscribed to now (in no particular order):

That’s all of ‘em, I think. Let me know if I’m missing out on anything worth listening to. I like the shorter ones as it’s only about a 10-minute commute to work (if I stop for gas or smokes). I usually let the longer ones build up until either I have to travel to Indianapolis or somewhere fairly far away or until I just finally decide to delete ‘em. Since I’ll probably be spending a day or two in the hospital, maybe I can catch up on some of ‘em then. The only thing there to do is watch TV, which I don’t do anyways, so at least I can listen to some podcasts.

Hmm, I do know two I.T. guys that work there at Bloomington Hospital, though — one of the Microsoft guys and one of the Information Security guys — and I did notice Cisco wireless AP’s hanging outta the ceiling on my way to X-ray. Wonder if I could get access to the wireless network while I’m there? =)

[1] though Gibson is a f**kin’ idiot - “I WROTE MY OWN WEBSERVER IN x86 ASM!!!” –siglite, making fun of Gibson

Open Position: Lead Security Engineer at IU

School, Security

Here’s another open position, this time it’s a “Lead Security Engineer” at Indiana University:

The following position reporting to Tom Davis, IT Security Officer, Office of the Vice President for Research & IT, at IUB is being posted internally and externally. If interested, you must apply online at http://www.indiana.edu/~hrm/employment/ola.html. Refer to position number #00016490.

Lead Security Engineer - PA 14

Generally, assists the staff and management of departments within OVPIT and UITS as well as senior technical managers in various University departments in examining their environments for system and information security exposures. Provides high level technical and practical expertise/consulting. Must gain, maintain, and apply a significant depth of knowledge in many widely varied technology areas, including computing, data and voice networking, and complex security systems and software.

Responds to requests for security analysis and input to technology projects. Designs, develops and implements complex security software. Evaluates, recommends, and implements vended security software. Responds to requests for security analysis and reviews. Analyzes, develops, implements and maintains network and system security analysis and other tools. Collects, analyzes, and distills information regarding current known system vulnerabilities and solutions. Collects, analyzes, and disseminates information regarding current intrusion methods and protections. Collects and disseminates or applies information regarding current best practices. Responds to incidents of breaches in computer security and provides advice to and/or participates in the collection of technical evidence. Recommends security policies and procedures. Develops and maintains automated reporting and other mechanisms. Produces reports, papers or other products.

Qualifications: Bachelor’s degree (Computer Science desirable) is required, and at least three to four years related experience, or equivalent combination of education and experience. Advanced systems analysis, programming, and systems administration experience is required (UNIX preferred, Windows and others very helpful). Working knowledge of computer networking configurations, general data networking, associated protocol suites (e.g., TCP/UDP, IP, etc.) and related issues is required. Solid technical background, with the capacity to subsequently learn and apply security and audit principles and practices is required as is demonstrated excellent oral/written communication skills, and interpersonal skills.

Working knowledge of voice communications, associated protocols, and related issues is desirable. Other desirable technical experiences include C and PERL programming, and relational database management systems.

Limited Criminal Histories (LCH) checks will be required for all external finalists and for internal finalists with less than 1 year on staff.

National Sex Offender Registry Online Search

Security

If you have children, check out the National Sex Offender Registry web site. Just plug in your physical address and get a listing of registered sex offenders in your area.

Now the privacy implications of this are numerous. I am one that generally believes that when a person has paid their debt to society, they should be “free”. I also believe, however, that people should be made aware when convicted sex offenders are residing in the same neighborhood, especially if those people have small children (and it was a child molestation type of offense). There’s a very fine line here.

Anyways, plug in your address and run the search. I was quite surprised by the data it returned from my previous residence in Mitchell, Indiana. I was also quite surprised that there were three convicted sex offenders living within a mile of Lindsey’s mother (they have four minor children in the household).

Thanks again to Martin McKeay for the link.

CardSystems Settles with FTC

Security

So apparently CardSystems, the company responsible for the biggest compromise of consumer credit card data in history, has settled with the Federal Trade Commission. From the eWeek article, “FTC Settles with CardSystems Over Data Breach”:

The proposed settlement requires the privately-owned company to adopt stricter security measures and have an independent audit every other year for the next 20 years.

Correct me if I’m wrong, but I don’t see anything mentioning any type of financial penalties in there. There will be a period when the FTC accepts public comment, and just like Martin McKeay (thanks for the link), I’ll be providing some feedback on this one.



Copyright © 2007 Jeremy L. Gaddis.