It's with great pleasure I announce that this blog has come to its 1st year

During this year we've covered several important issues, and we've also experienced periods without any posts (for instance, this blog doesn't know what July was )

The level of visits started slowly, with just a few at the beginning, but in the last few months the daily average raised significantly.

Just by chance, on the day of its birthday the blog passed the 5000 visits, reaching the total number of 5078 since August 18th 2009, the day I installed the ClusterMaps service.

I leave here as a remembering the map of this year's visits, just before it was reset:

I wish we can still cover important issues next year, even more than during this year.

I hope you can understand that the writer is a fan of his job, and has always several projects to attend simultaneously so there may be a few days from post to post.

I thank you all for your visits, your support and your words. Do not hesitate to contact me if you need anything.

My deepest regards, here's for a fruitful next period.

First, I chose a provider, in this case Gmail. Then, I downloaded the original login site and did the following adjustments:

1. I cut all communications the site did to Google
2. I changed the user and password information destination
3. I manually added a Favicon from the provider's official icon repository
4. I created a new script that receives the information sent from the login site and shows it on-screen

The finished product turned out to be a Gmail home site, dangerously similar to the original, with a behaviour dangerously different.

In order to really know how easy is to make this part of the attack, I can tell you that it took me approximately half an hour of a very relaxed work.

For this to be a full Phishing attack, the next step would be to deceive the user into entering the address where the site is being hosted, believing he's entering Gmail's real site.

I will clearly NOT ease that task for you, but I will leave you with the login site, that independently is harmless.

I invite you to test the site (by entering fake credentials, obviously).

Next provider, Facebook

Link: http://www.matiaskatz.com/gmail/

A working post with its BACK to the street. Yes, as you read it, a fully functional working booth, with drawers and papers and A PC, installed in a way that the operator stays with his back to the street, and having the PC screen and the papers at plain sight from the street, since this company is in the ground floor and the front is made of glass and without curtains.

I leave you with a picture so you can laugh of the situation:

By the time I took the picture the booth had been occupied, but when I first noted the violation there was nobody sitting. In the PC screen you could see the inbox of a corporate mail account. Then, when the operator sat down and the other lady came to ask for something, the inbox was minimized letting a beautiful CRM with the company's content come to focus.

When I got to take the second picture from the far, a security guard had already appeared on the window (as you can see circled in red in the picture), who was making me a negative sign with his finger, letting me know that I wasn't allowed to take pictures... To which I politely answered "I'm on the public street" while comfortably taking the picture, ignoring his incoherent prohibition.

Needless to say, this is a SERIOUS security fault, caused by a LACK of logic from whoever takes the decisions about the subject at this company.

It's such an incredible situation, and it's such an obvious opinion the one any security professional may have about this, that there's no sense in writing anything else about the issue.

I'll simply leave you with the pictures so you can stare with your mouths open, and shaking your heads from left to right trying to understand how this kind of things keep happening.

You can download the magazine from this link (Spanish): http://www.asegurarte.com.ar/Revista_Elderechoinformatico_N4.zip

Link to the full article (Spanish): http://www.elderechoinformatico.com/index.php?option=com_content&view=article&id=321:-revista-electronica-el-derecho-informatico-no-4-junio-2010&catid=82:revista-electronica&Itemid=111

I will publish the article here in 2 weeks.

I leave you in this ocation with a document from Microsoft that addresses the management of encrypted database inputs, through native functionalities in its DB engine, MS SQL Server.

This way, an extra protection layer can be easily added, estabilshing an application security strategy in these layers:

1. Encryption when generatin the information
2. Encryption when exchanging information
3. Encryption when storing information

A more graphic way to explain it can ve seen in the image provided by Microsoft in their article:

Link to the article (english): http://www.microsoft.com/technet/prodtechnol/sql/2005/sqlencryption.mspx

Link to the document (english): http://download.microsoft.com/download/8/b/2/8b22991f-3f2f-4cea-b2ba-55c190841145/TDEandEFSBitLocker.docx

Caso #3: Major supermarket chain, Tuesday 8 PM, City of Buenos Aires

After finishing buying groceries I started walking towards the supermarket exit.

When passing through the end of the large hallway I found the "delivery" sector, made by 3-4 PC and a couple of printers.

On this occasion, the hallway was with a complete lack of personnel, as you can see in this first picture:

After approaching to the PC screen that was on, I managed to see the following:

1. The PC was not locked
2. The case (and its tempting USB ports) were at plain access
3. The screen showed a CRM application in which there were listed all the addresses corresponding to every delivery request that had been recently uploaded to the system

I took a picture of that list, but I'm obviously not going to show it to you I'm just going to leave you, as a gift, with a second picture (a closer one) showing the CRM application that handles the delivery requests.

Far beyond the obvious fact of being able to insert a USB device that rapidly infects the PC with some sort of malware, I ask you:

What happens if I capture that list of remaining delivery addresses, I dress myself with clothes that simulate or appear as if they were the uniform of the supermarket boys, go to those addresses, ring the bell and say "I'm from the supermarket?"

The answer is quite obvious.

Big was my disappointment when I found out that to be able to "join" this group, I should COPY an endless text string and PASTE it in my navigation bar.

What kind of group requires that process to join?

Mmmm,weird...

It got weirder when I analized a little bit the text and found out that there wasn't a single link or URL to be folowed, but the execution of a Javascript call containing (among other things) the command "new RegExp('\\b\\\\n\\g\\j\\g\\F\\g\\i......"

Obviousely, this is a malicious execution that needs the poor user to introduce the execution in his/her browser by hand.

I leave you an image of the supposed group, so that you don't fall in the trap.

I have just opened the "In Fraganti" section. In this section I will be publishing content that puts organizations of all kind in evidence of their failure regarding information security.

I invite you all to collaborate with material of your discovery to publish in our own "wall of shame".

I'll start the opening with the first case:

Case #1: Important Bank. Buenos Aires City, "Obelisco" zone, Friday 23 hs.

This bank has their line of ATM machines separated from the bank with a big glass wall. There's a work desk next to that wall:

You can clearely see an open folder, containing customer information that sould be confidential:

The following tuesday (today) I approached the bank and asked about that flaw. The employee in information informed me that there are no blinds on purpose, to protect the bank from burglars by not letting them hide behind anything.

When I told him about my discovery, the bank employee said the following: "Yes, the person who works in that post is a little off".

Secret passages in castles, values hidden inside jars or hollowed books, underground militar bases, etc...

Can't help but wonder: Is that the best of measures?

The daily practice tells us that the secret passages have no access control, the jars with hidden values have no key, and the vehicles that arrive to the underground militar bases use to drive and park on the "ground floor", publishing their movements.

Do not get me wrong, obscurity is a great method to impose security. It's no wonder it has trascended throughout milenniums. Mi question focuses on the level of effectiveness of a total security state if its only measure is obscurity.

If I were a king, I would not feel secure at all if the only thing that could stop an attacker from reaching my royal chamber is a secret passage with no access control or guard (as we have seen in many books and movies).

Why can't be a guard in that secret passage also? Hmmm, maybe because in that situation it wouldn't be "secret" any more.

Let's talk of the present day now. Let's list some of the most discussed items about IT security:

1. Cryptography: Many years have passed since cryptoanalysists have realised that the obscurity in algorithms was not the safest method in providing security. That's why the algorithms were opened and now centralize their security in the key.
   Now, does that mean that if I were to create an algorithm of my own and DIDN'T published its code, it would be less secure? Not at all, in fact I'm seriousely considering it .  It's just that the big fishes in the matter decided to change their posture regarding security concepts in an encryption algorithm.
   And all the developers/admins/infosec officers thank them very much for their decision, since thanks to their publication all of us can implement their algorithms in our applications, internally.
2. Social Networks: I say it over and over again, in class, in clients and even in dinner with friends.
   Many people brag about "not having a Facebook user". Is that a good decision? Aren't we facilitating the job of a falsifier or identity thief, by not having a "computerly tangible" base about our profile? What's easier to falisify than something that is not publicly known?
   Imagine the following situation: A supposed archeologist goes to a collector and says "look, I have the holy grail in my possession, I dug it from a grave in Morocco". Far beyond the skepticism, the collector will never truly be sure if the afirmation from the archeologist is false.

   Now, imagen the following situation: A smuggler goes to a collector and says "look, I have the Mona Lisa, I stole it from the Louvre". The collector calls the museum and asks "Hi, do you have the Mona Lisa there? - Yes, we have it on display". And the mission of the smuggler to sell a falsification does not succeed.

   By having our real profile in the social networks, we increase the difficulty of stealing our identity for the attacker. But please, set a strong password  to the Facebook user!

   By the side, I invite you to question the following (for those who don't have a user in Facebook): Is it so wrong to belong in this social network, if you can maintain a short, simple, sober, professional profile that does not publish any really important information?

3. Network Perimeter: To configure services so they do NOT work in the standard ports is a good practice.
   But what happens, at the side of the attacker,  if when scanning the perimeter there are 5 open ports found? The attacker will have a time X of analysis more invasive to find out the services behind those open ports.What if we open 30000 ports in a perimeter? The analysis time calculation is not exactly X * 30000 (it's a little less, actually), but we would be increasing the difficulty of the attacker's job, anyway. The only thing to do is to correctly secure those ports/services and that's it. Having 30000 ports open, from which only 5 point to real services (in non-standard ports) and the rest point to a simple honeypot (or whatever), seems to me more secure than having publicly visible only what really exists and works.

To sum up, in my opinion it is best to be shown in a secure way, than to be hidden and feel safe.

I'd rather invest in a safe with a security level 10 and to leave it laying in the middle of the hallway, than to buy a safe with a security level 8 and hide it behind a painting.

I'd rather have a Facebook profile, secure it and not publish any really confidential information, than to NOT have it and letting somebody open it in my behalf.

I'd rather have a port scan to my perimeter to throw a result of hundreds of open ports with an effectiveness level of 10%, than to have thrown 4-5 ports with an effectiveness of 100%

And thousands of etceteras.

Is there one only response? I don't know. Feel free to comment (and/or complain) after reading.