What a sad fucking joke the Transportation Security Administration has turned out to be. Not only do they engage in security theater that does little to nothing in preventing actual threats, not only have they removed any desire I might have had to fly anywhere anytime soon, but now they’ve gone and posted their entire screening manual online:
Massive TSA Security Breach As Agency Gives Away Its Secrets – ABC News
In a massive security breach, the Transportation Security Administration (TSA) inadvertently posted online its airport screening procedures manual, including some of the most closely guarded secrets regarding special rules for diplomats and CIA and law enforcement officers.
The most sensitive parts of the 93-page Standard Operating Procedures were apparently redacted in a way that computer savvy individuals easily overcame.
The document shows sample CIA, Congressional and law enforcement credentials which experts say would make it easy for terrorists to duplicate.
Here you go, terrorists! Everything you need to bypass our shitty security system! It includes a detailed listing of the limitations of our x-ray machines and the fact that we only check 20% of checked bags by hand. Those two bits of information alone should make smuggling a bomb into the luggage compartment a lot easier to do. You’re welcome!
“This is an appalling and astounding breach of security that terrorists could easily exploit,” said Clark Kent Ervin, the former inspector general at the Department of Homeland Security. “The TSA should immediately convene an internal investigation and discipline those responsible.”
Gee, ya think?
“This shocking breach undercuts the public’s confidence in the security procedures at our airports,” said Senator Susan Collins, R-Me., ranking Republican member of the Senate Homeland Security and Governmental Affairs Committee. “On the day before the Senate Homeland Security Committee’s hearing on terrorist travel, it is alarming to learn that the Transportation Security Administration (TSA) inadvertently posted its own security manual on the Internet.”
I hate to be the one to tell the good Senator this, but most folks already have little confidence in the security procedures at our airports.
OK, perhaps “most” is an overstatement, but there’s a lot of us who have little confidence in the TSA and this certainly justifies that lack of faith.
“This manual provides a road map to those who would do us harm,” said Collins. “The detailed information could help terrorists evade airport security measures.” Collins said she intended to ask the Department of Homeland Security how the breach happened, and “how it will remedy the damage that has already been done.”
My guess is they’ll come up with even more annoying and pointless procedures that’ll further depress airline profitability causing more of them to go belly up. Soon you won’t be able to take anything onto the plane and everyone will have to fly 90% naked wearing only loincloths which will have to be inspected by TSA agents with very cold hands.
The TSA claims the manual is old and outdated, but I’d be claiming that too if I had caused such a massive fuck up. They’ve asked for the original version to be taken offline, but it’s too late to put that genie back in the bottle. Once it hit the net it was all over the world in short order and there are plenty of places you can read it. Wanna read it for yourself? Even ABC News has a copy of it online for your planning convenience.
No need to thank the TSA. They’re not listening to you anyway.
As if you really needed yet another reason to make sure your computer is patched and you have a decent anti-virus solution installed, now comes word that an infected PC could lead to you being charged for having child pornography:
An Associated Press investigation found cases in which innocent people have been branded as pedophiles after their co-workers or loved ones stumbled upon child porn placed on a PC through a virus. It can cost victims hundreds of thousands of dollars to prove their innocence.
Their situations are complicated by the fact that actual pedophiles often blame viruses — a defense rightfully viewed with skepticism by law enforcement.
“It’s an example of the old `dog ate my homework’ excuse,” says Phil Malone, director of the Cyberlaw Clinic at Harvard’s Berkman Center for Internet & Society. “The problem is, sometimes the dog does eat your homework.”
via AP IMPACT: Framed for child porn — by a PC virus by AP: Yahoo! Tech.
It shouldn’t come as any surprise considering that many trojans and viruses are designed to allow full access to your PC for any of a number of nefarious purposes be it the sending of spam email to launching DDoS attacks. It was only a matter of time before someone thought to use them as a handy repository for their child porn.
It is possible to successfully defend yourself in cases where you’re a victim of a computer virus, but it’s not cheap and it still destroys your reputation:
Fiola and his wife fought the case, spending $250,000 on legal fees. They liquidated their savings, took a second mortgage and sold their car.
An inspection for his defense revealed the laptop was severely infected. It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat. While Fiola and his wife were out to dinner one night, someone logged on to the computer and porn flowed in for an hour and a half.
Prosecutors performed another test and confirmed the defense findings. The charge was dropped — 11 months after it was filed.
The Fiolas say they have health problems from the stress of the case. They say they’ve talked to dozens of lawyers but can’t get one to sue the state, because of a cap on the amount they can recover.
“It ruined my life, my wife’s life and my family’s life,” he says.
The folks at F-Secure Corp. estimate that at any given time 20 million of the 1 billion Internet-connected PCs are infected with viruses that could give the bad guys full control. That estimate sounds a little conservative to me, I suspect it’s much higher than that. So make sure your systems are patched and secure. An ounce of prevention could save you a lot of trouble later.
Microsoft entered the free anti-virus utility arena today with the release of Microsoft Security Essentials:
Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.
Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.
Early reports from folks that participated in the beta and others who have tried the final product are that it’s pretty good, so I thought I’d give it a shot. Its most attractive feature is that it’s relatively lightweight, the Vista/Win 7 (64 bit) install was 4.71MB and XP was 8.61MB, and it has a low impact on system resources. I’ve been running the free version of Avast Anti-Virus for home users for a few years now and it does a pretty good job, but it can slow your system down a bit at times. One big advantage of Microsoft’s solution over Avast’s is that I’ll no longer need to reapply for a license key once a year. Not that it was ever a huge burden, but it’s nice not to have to worry about it.
Assuming, of course, that I decide to stick with it. Already after install it managed to detect a dormant trojan on my system which Avast had missed. The trojan wasn’t running as it had never been launched, but it was still surprising to see it was on my system. Avast probably would’ve caught it if I were to launch it, but it’s always best to catch it before it ever gets a toehold on your system. I suspect it tagged along on a recent ISO burning utility I downloaded to fill an immediate need as I couldn’t find my Nero Burning ROM discs. The folks over at ArsTechnica are impressed with it as well.
The upshot is that you now have even less of a reason not to have an up-to-date anti-virus utility on your system. Between all the free options already out there and this new almost no-hassle offering from Microsoft there’s no good reason not to protect yourself.
The folks over at philosecurity.org have a great interview with an adware author article that anyone using Windows who’s interested in keeping the PC secure should read. Matt Knox is a developer who worked for a rather notorious adware company called Direct Revenue for awhile. In the course of the interview he discusses why he took on the job:
S: Let’s back up a second. Why did you write adware?
M: I was utterly and grindingly broke for a little while. I started working on SPAM filtering software. That work got noticed by [Direct Revenue], who hired me to analyze their distribution chain. For a little while, the site through which all their ads ran was something like top 20 in Alexa. Monstrous, really huge traffic. Maybe 4 or 5 months into my tenure there, a virus came out that was disabling some of the machines that we had adware on. I said, “I know enough C that I could kick the virus off the machines,” and I did. They said “Wow, that was really cool. Why don’t you do that again?” Then I started kicking off other viruses, and they said, “That’s pretty cool that you kicked all the viruses off. Why don’t you kick the competitors off, too?”
It was funny. It really showed me the power of gradualism. It’s hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything.
As adware became more widespread and the potential profits became apparent programmers started including code that would kick competing software off the PC as well as keep anti-virus applications from disabling them. An arms race soon broke out with folks trying to figure out how to keep their programs from being detected and removed. An increasingly complex technique that is referred to as persistence:
So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that the whatever other software we had was also up.
[...] We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API. Windows, ever since XP, is fundamentally built on top of the NT kernel. NT is fundamentally a Unicode system, so all the strings internally are 16-bit counted Unicode. The Win32 API is fundamentally ASCII. There are strings that you can express in 16-bit counted Unicode that you can’t express in ASCII. Most notably, you can have things with a Null in the middle of it.
That meant that we could, for instance, write a Registry key that had a Null in the middle of it. Since the user interface is based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it because when they asked for the key by name, they would be asking for the Null-terminated one. Because of that, we were able to make registry keys that were invisible or immutable to anyone using the Win32 API. Interestingly enough, this was not only all civilians and pretty much all of our competitors, but even most of the antivirus people.
We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things, even crazier than the things you typically get to do in Windows. This was right around the time that the company [got sued by Eliot Spitzer and started shrinking]. They made a somewhat poor business decision at the same time to get visible, and they branded their ads and everything at the same time that they were having me kick all of our competitors off and we were doing all that persistence stuff.
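The key-name trick described above rests entirely on how the two APIs compare names. The following is an added example, not code from the interview or from Direct Revenue: it models NT-style counted UTF-16 names beside the NUL-terminated view a Win32 caller gets, and scans a constructed key list for names a Win32 tool could see but never address (the check a native-API cleanup scanner performs). The names `Updater` and `Updater\x00hidden` are constructed samples.

```python
"""Model of the Win32/NT "impedance mismatch" for registry key names.

Added example (not from the interview or Direct Revenue). NT stores names as
counted UTF-16 strings, so an embedded NUL is an ordinary character; Win32
callers pass NUL-terminated names, so such a name can never be addressed
through Win32. The scanner at the bottom flags exactly those names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CountedName:
    """A UNICODE_STRING-like name: explicit byte length, NULs are just data."""
    raw: bytes  # UTF-16-LE payload

    @classmethod
    def from_text(cls, text: str) -> "CountedName":
        return cls(text.encode("utf-16-le"))

    @property
    def length(self) -> int:
        return len(self.raw)

    def text(self) -> str:
        return self.raw.decode("utf-16-le")


def win32_name(name: CountedName) -> str:
    """What a NUL-terminated (Win32) consumer sees: everything before the first NUL."""
    full = name.text()
    cut = full.find("\x00")
    return full if cut < 0 else full[:cut]


def nt_lookup(keys, wanted: CountedName):
    """NT-style lookup: the whole counted buffer is compared."""
    return [k for k in keys if k.raw == wanted.raw]


def win32_lookup(keys, wanted: str):
    """Win32-style lookup: the caller can only supply a NUL-terminated string,
    which the kernel then compares as a counted string, so a stored name with
    an embedded NUL never matches anything a Win32 caller can ask for."""
    wanted_counted = CountedName.from_text(wanted)
    return [k for k in keys if k.raw == wanted_counted.raw]


def has_embedded_nul(name: CountedName) -> bool:
    return "\x00" in name.text()


def scan_for_hidden_keys(keys):
    """Report names that are visible in a listing but unaddressable via Win32."""
    findings = []
    for k in keys:
        if has_embedded_nul(k):
            findings.append({
                "win32_view": win32_name(k),
                "nt_length_bytes": k.length,
                "win32_length_bytes": len(win32_name(k).encode("utf-16-le")),
            })
    return findings


# Constructed sample key list: two ordinary names and one with an embedded NUL.
SAMPLE_KEYS = [
    CountedName.from_text("Run"),
    CountedName.from_text("Updater"),
    CountedName.from_text("Updater\x00hidden"),
]

if __name__ == "__main__":
    for finding in scan_for_hidden_keys(SAMPLE_KEYS):
        print(finding)
```

A Win32 request for `Updater` resolves to the plain key only; the NUL-bearing one is reachable solely through a counted-string (native) lookup, which is why a scanner that enumerates via the native API is the reliable way to find it.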
Eventually Direct Revenue shut down in mid-2007 and a final judgment in the lawsuit levied a $1.5 million fine against the company’s four founders—Joshua Abram, Daniel Kaufman, Alan Murray, and Rodney Hook—which seems like a lot until you consider that the company made more than $80 million in just three years with the founders themselves earning around $28 million. Proving once again that being a total douchebag can be very profitable indeed even when you get sued.
In addition to reading about the techniques used to keep the software on your PC the other fascinating insight comes from how the money is made. Remember the entry I wrote yesterday about how there appears to be a credit card scam making money 25 cents at a time over thousands of credit cards? Adware profits work on a similar principle:
The good distributors would say, “This is ad-supported software.” Not-so-good distributors actually did distribute through Windows exploits. Also, some adware distributors would sell access. In their licensing terms, the EULA people agree to, they would say “in addition, we get to install any other software we feel like putting on.” Of course, nobody reads EULAs, so a lot of people agreed to that. If they had, say, 4 million machines, which was a pretty good sized adware network, they would just go up to every other adware distributor and say “Hey! I’ve got 4 million machines. Do you want to pay 20 cents a machine? I’ll put you on all of them.” At the time there was basically no law around this. EULAs were recognized as contracts and all, so that’s pretty much how distribution happened.
Multiply 4 million machines by 20 cents each and you get $800,000 from just one advertiser. As anyone who’s been infected with adware knows there’s often at least four or five clients of any particular company.
Linux fans will be happy with Knox’s suggestion for avoiding adware on their PCs:
S: In your professional opinion, how can people avoid adware?
M: Um, run UNIX.
It also helps to avoid using Internet Explorer if you have to run a Windows box (or just stubbornly insist on doing so as I do).
Meanwhile back in the Windows ‘verse all the anti-virus and system patches in the world won’t make a bit of difference if no one bothers to actually apply them to their systems. A new malware package known as Conficker has been making sudden gains on systems across the net taking advantage of a vulnerability in Windows that was patched months ago. This prompts Joel Hruska over at ArsTechnica.com to ponder whether critical updates should be forced onto systems:
Microsoft issued a patch for MS08-067 on October 23 and rates the severity of the flaw as “Critical” for all previous versions of Windows 2000, XP, XP-64, and Server 2003. Windows Vista and Windows Server 2008 are apparently less vulnerable; Microsoft’s aggregate severity rating for these two operating systems is “Important.”
There’s a story within the rise of Conficker that I think is worth exploring. Microsoft appears to have dealt with this issue in textbook fashion; the company issued a warning, released a patch, and (presumably) rolled that patch into November’s Patch Tuesday. A significant amount of time—five to six weeks—has passed since Microsoft released its fix, yet PC World reports Conficker may have already infected as many as 500,000 systems.
It would be extremely fascinating to see data on how a patch spreads throughout the Internet once released by Microsoft as well as information on whether or not the severity of any particular flaw affects how rapidly users move to apply the patch. Events like this raise the question of whether or not Microsoft should have the capability to push critical security updates out to home users automatically, regardless of how AutoUpdate is configured. I say home users for a reason; businesses and enterprise-class companies may still need to deploy the patch on a specialized timeline in order to ensure servers stay operational.
The idea of mandatory updates is unpopular with a lot of folks, myself included, but there’s a fair argument to be made here. Microsoft takes a lot of shit for having major holes in their OS, but a lot of those holes are patched within a reasonable time upon their discovery. Those patches don’t do any good if they’re not applied and the average PC user is not a technical support guy like me and probably won’t even be aware that he needs to apply patches, but he won’t hesitate to blame Microsoft if he gets infected. At the very least I could see an argument for setting the option for critical updates to be installed automatically as the default with the option to turn it off for folks who know what they’re doing. We already have a number of different software packages, mostly DRM systems, that update themselves automatically whether the user wants them to or not and a lot of folks seem to have no problem living with that situation (the rest of us just don’t use that software). I see a much stronger argument that can be made for Microsoft doing the same with critical updates than any DRM system.
The problem of unpatched systems has gotten bad enough that back in 2005 some ISPs started blocking infected systems from using their services and others have been breaking Internet protocols in controversial ways to try and combat the problem, but the best offense is a good defense and that means individual users keeping their systems patched and running current anti-virus software. The question then becomes: Should Microsoft be allowed to at least force the critical updates on its users?
The security through obscurity that Mac users have enjoyed for years is finally starting to crumble and even Apple is owning up to it. They put out a support advisory last month in which they recommended that Mac users start running anti-virus software on their machines. It’s long been a gloating point for Mac users that anti-virus software was unnecessary on their systems, but as Apple’s market share increases it’s getting to a point where there’s a profit motive for malware authors to start writing for the Mac platform, and some of them already are.
Still there’s a resistance to the idea that the Mac may be vulnerable to the same sorts of malicious software that Windows users are and that prompted Graham Cluley to ask in a blog entry Do you really need anti-virus on your Apple Mac?
It started with just a small pebble being dropped into a pond. Apple updated one of its support advisories on 21 November, informing its customers that they are recommended to run anti-virus software.
Most people would never have noticed this announcement. I didn’t at first. I only heard about it when I saw the guys from Intego mention it on their Apple security blog on 25 November. A couple of days later, recovering from a bout of man-flu, I blogged about a new piece of Apple malware and mentioned in passing that Apple were now recommending their customers run anti-virus software.
Today, however, that small pebble dropped by Apple has turned into a tidal wave of commentary – and we’re seeing lots of news stories about Apple urging Mac users to protect themselves with anti-virus.
So, do you really need anti-virus on your Apple Mac?
From there he goes on to list seven facts and then comes to the following conclusion:
So, back to my original question, do you really need anti-virus on your Apple Mac?
The answer is yes.
It’s worth noting that Mr. Cluley works for Sophos, a company that produces anti-virus, anti-spam, and firewall software packages for both big and small businesses, so it’s possible he may have a conflict of interest in promoting anti-virus software on the Mac. The fact that Apple has recommended the practice and that Mr. Cluley was active in anti-virus research for some time prior to joining Sophos should help balance that out. That and the seven facts he lists make a pretty good argument.
The threat for Apple users is still relatively small compared to what Windows users face, but if Apple continues to gain market share then it won’t take long for it to grow. Of course the best defense is being educated about the threats, but for a lot of people that’s a commitment they don’t seem to be able to make.
According to this video (and this article), there are now services that can pinpoint exactly where a Google search is coming from, down to the exact address. While many of us have known that the search terms we enter in search engines aren’t exactly secret, there has always been the assumption (correctly?) that who is searching for something remains secret. Or at least wasn’t going to be shared with just anyone. Apparently, even that isn’t true anymore.
The ramifications are pretty significant. If you live in a house and not a big apartment building, your identity is pretty easy game with such a tool. Getting embarrassed by more or less targeted advertising (“We found from your searches that you are interested in naked teenagers wearing rabbit ears? Do WE have a deal for YOU!”) is almost the least worry (though if I got a call from the home business woman in the video clip, I’d be furious at having my privacy invaded, rather than show an interest in her stuff!) But there are even worse possibilities – what if somebody finds out that you are looking for legal advice, or something similarly crucial to be kept private? Information about an illness, or depression, for example?
At the moment, the searches seem to only allow tracking back from websites -> via search terms -> to the originator of the query. But how long until the direction is reversible? Do we all have to become hackers and hide behind sophisticated software just to browse in peace?
I have to admit that this ArsTechnica article surprises and angers me:
A study conducted by security company Cyber-Ark indicates that a significant number of corporate IT personnel snoop sensitive data, and nearly 9 out of 10 would take company secrets and remote access credentials with them if they were fired. This could pose a serious security risk for many companies and expose them to industrial espionage and other dangers.
The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists. That could be a serious cause for concern for companies that have complex and loosely secured technological infrastructure.
Cyber-Ark claims that one-third of companies participating in the survey experience data breaches and theft on a regular basis. Information is leaked to competitors through a multitude of vectors, including e-mail, portable devices, and USB thumb drives. More than a quarter are also the victims of internal sabotage.
I have worked for two of the Big Three automotive companies (Ford and General Motors) as well as a number of other companies where I had access to all sorts of sensitive data and information and not once did I ever consider stealing any of it. Not because of any possible consequences of such an action, but because it would be wrong to do so. I’ve worked at the General Motors Design Center in Warren where I saw all manner of prototype vehicles that car magazines would love to get the details on ahead of time as well as the Milford Proving Grounds where the prototypes were put through their paces. I worked in the Alpha Building at Ford Motor Company where literally gigabytes of data on whole car lines were stored on various PCs and network shares. When I was laid off from Ford, twice, I was seriously upset, but not once did I consider the possibility of taking anything with me.
Sure, both companies had policies in place meant to make such thefts harder – on certain workstations GM blocked writing to USB devices of any kind – but nothing that I didn’t know how to circumvent and certainly nothing proactive enough to have stopped me had I wanted to take any data. I suppose I’m just too honest to think of such things. I have a sense of honor at the idea that I’m entrusted with the care and support of such data. It angers me that so many others would violate that trust because, at a minimum, it makes my job that much harder. Stupid and ineffective restrictions, like the blocking of USB devices, just end up getting in the way of fixing machines, and the fact that so many others are untrustworthy means I’ll be looked at with suspicion by association. Hell, it means I’ll be looking at my fellow colleagues with suspicion as well, and that’s just not the sort of work environment I want to be in.
The fact that this survey was done by a security company probably means it’s somewhat inflated, but if it’s even remotely close to the truth it’s very upsetting indeed.
The folks over at Wired.com have an entry up on how and why you should enable Gmail’s SSL feature that is worth a read:
Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.
The reason why is pretty simple. Without the SSL feature turned on Gmail only uses a secure connection for the initial login and then all session data is sent back and forth unencrypted. The problem with that is your session data includes your login information which kinda defeats the point of having it encrypted during the login. Someone sitting with a packet sniffer looking at your network traffic could snatch that info from the data stream and have full access to your account and all the archived emails. By turning on the SSL feature the entire session will be encrypted from beginning to end.
You can tell if your session is encrypted by looking at the address bar of your browser. If you see HTTPS: at the start of the address while reading your email then you’re encrypted. This feature is turned off by default so if you haven’t specifically turned it on then you’ll want to. You can do that by clicking on the SETTINGS link in the upper right corner of the Gmail screen and on the GENERAL tab (which should be the default that comes up) you scroll down to where it says BROWSER CONNECTION and click on the box for “Always use https.” Then just press Save Changes to update your account. You may need to quit and login to Gmail again to make sure it’s working.
You won’t notice anything different about how Gmail works from before, but you’ll be a little better protected.
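The sniffing risk described above comes down to a session cookie crossing a cleartext hop after an HTTPS login. As an added example (not from the Wired post and not Gmail’s own code), this audits a captured exchange for exactly that, and also flags cookies set without the Secure attribute, which is what lets a browser send them over plain HTTP in the first place. The two messages and the cookie name `SID` are constructed placeholders.

```python
"""Audit a captured HTTP exchange for session cookies exposed in clear text.

Added example (not from the Wired post or Gmail). The flow is a constructed
login-over-HTTPS followed by an inbox fetch over plain HTTP; "SID" is a
placeholder session cookie name.
"""


def parse_http_message(raw: str) -> dict:
    """Minimal parser for one HTTP request or response: start line + headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start": lines[0], "headers": headers, "body": body}


def cookies_in_request(msg: dict) -> dict:
    """Cookie header(s) -> {name: value}."""
    jar = {}
    for hdr in msg["headers"].get("cookie", []):
        for part in hdr.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                jar[name] = value
    return jar


def insecure_set_cookies(msg: dict) -> list:
    """Names of cookies set without the Secure attribute (browser will also
    send them over HTTP, so a sniffer on the path can read them)."""
    bad = []
    for hdr in msg["headers"].get("set-cookie", []):
        attrs = [p.strip() for p in hdr.split(";")]
        name = attrs[0].partition("=")[0]
        if not any(a.lower() == "secure" for a in attrs[1:]):
            bad.append(name)
    return bad


def audit_flow(flow, session_cookie_names):
    """flow: list of (scheme, raw_message). Returns human-readable findings:
    cookies set without Secure, and session cookies observed on an http hop."""
    findings = []
    for scheme, raw in flow:
        msg = parse_http_message(raw)
        if msg["start"].startswith("HTTP/"):  # a response
            for name in insecure_set_cookies(msg):
                findings.append(f"cookie {name} set without Secure")
            continue
        if scheme == "http":  # a request on a cleartext hop
            leaked = set(cookies_in_request(msg)) & set(session_cookie_names)
            for name in sorted(leaked):
                findings.append(f"session cookie {name} sent in clear: {msg['start']}")
    return findings


# Constructed exchange: login response over HTTPS, then inbox over plain HTTP.
LOGIN_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                  "Set-Cookie: SID=abc123; Domain=.google.com; Path=/\r\n"
                  "Location: http://mail.google.com/mail/\r\n\r\n")
INBOX_REQUEST = ("GET /mail/?ui=2 HTTP/1.1\r\n"
                 "Host: mail.google.com\r\n"
                 "Cookie: SID=abc123; PREF=x\r\n\r\n")
FLOW = [("https", LOGIN_RESPONSE), ("http", INBOX_REQUEST)]

if __name__ == "__main__":
    for finding in audit_flow(FLOW, {"SID"}):
        print(finding)
```

With “Always use https” on, the second hop would be `https` and the cookie would never appear in clear, which is the whole point of the setting.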
If this article at SearchSecurity.com is correct then Vista’s security system has been rendered moot for folks who insist on using Internet Explorer:
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.
Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.
“The genius of this is that it’s completely reusable,” said Dino Dai Zovi, a well-known security researcher and author. “They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.
“What this means is that almost any vulnerability in the browser is trivially exploitable,” Dai Zovi added. “A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks.”
I doubt that there’s truly little Microsoft can do about the problem, but the solutions involved might be unpalatable to their business goals (e.g. drop ActiveX altogether). The attack appears to rely on Internet Explorer specifically so one possible solution for Vista users is to switch to a different browser such as Firefox or Safari. Which, really, they probably should do anyway.
What’s more interesting is the conclusion of the article:
Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.
“This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable,” Dai Zovi said. “I definitely think this will get reused soon, sort of like heap spraying was.”
Unless those other platforms are running Internet Explorer and ActiveX I’m not sure how they’d be vulnerable, but then the article doesn’t go into great detail on exactly what the hack involves. Microsoft has said they’re aware of the presentation and are interested in looking at it more closely once it’s made public.