Wednesday, April 29, 2009
Prohibition does not work in any form.
The modern "War on Drugs" is another arm of the military industrial complex with wholly political aims to prevent countries like coloumbia from propping up dictators. Ronald Regan had some good ideas, but his own Intellegence agencies was caught trafficking cocciane during the 80's. However I am not an american, I am a Canadian so therefore I will concentrate on that which I may have some power to change.
Harper's government is very pro-war on drugs, they aimed to increase policing aginst gangs and gang warfare; they wish to reduce the minimum age that a child can be tried as an adult and during his "Throne Speech" he stated that they will "Get tough on crime".
Canada has this nasty habbit of not voting! And when we do vote we are in a minority; this minority government was elected by less than half of the Canadian population, but that's a whole other issue.
Recently a 14 year old girl died as the result of an "Extacy" overdose;
http://www.edmontonjournal.com/Students%20mourn%20Edmonton%20girl%20after%20ecstasy%20overdose/1538627/story.html
It's a tragic and sad story, youth culture typically rebels in any way shape or form and this girl had told her parents that not even a week earlier "She would never do drugs".
I could go on for hours about the Drug wars in the southern united states and Mexico but; again that's American.
My point is this; as a country we are all hypocrites that don't vote.
Tobbacco and Alcohol kill and maim more people every year than illicit drugs, yet illicit drugs account for a multi-billion dollar underground economy. This black market allows gangs to arm themselfs; it's the source of the ability for criminals to fight the police and it's at the core of the opposition of the "War on Drugs".
Any General will tell you that during WWII we started bombing ball bearing factories; since without ball bearings the germans could not fix thier trucks which were essential to the blitz-kreig style of fighting. We also bobmed civilian populaces, and commited horrors that remain the worst in human history.
Milton Friedman once stated;
"If coccciane was legal, crack would not exist."
Remove the economics behind the industry and tax & regulate it, by no means is it ok to consume things like Meth, Heroin, Cocciane, "Extacy" for any duration of time due to the damages incurred but addiction is a medical issue and should be treated as such. Instead we turn addicts into criminals or they themselfs become criminals to support their habbits. The medical industry can produce these at a fraction of the price; hell Cocciane Hydrocloride was invented by Merk, Meth-Amphetamine was developed by the Germans during WWII and the various party drugs have been around since thier development in the 50's and 60's, under government and privately funded psycedelic resarch programs which were the precursors to the science behind SSRI's.
The only sure path to harm reduction is to prevent the psychosis and neruological damage before it becomes a socitotial and or ciminal issue. There are now a pelthora of SSRI's, NSSRI's, MAOI's and others that act upon the same potentials to block the limbic reward path of most illicit chemicals, Methadone programs have improved the situtations in many cities; and programs could be designed for a fraction of the current costs of enforcement.
In short:
We may build schools and hospitals or we can build armies and graveyards, it's your choice.
You may support the military industrial complex or you can support your people.
Saturday, April 25, 2009
Insider Attacks
Insider Attacks
Insider attacks are defined as security breaches where a person with access to a corporate system and or network misappropriates information from that system; or when an internal employee of a given company commits a security violation against that company. (Einwechter)[i] The NIST articulates that the most prevalent and common threat to any company is the insider attack as it is the least monitored and most difficult to detect; this was as of 1994 and has remained a constant fixture in network and systems security throughout the years. (Bassham et al.)[ii]
Forensic Techniques
The forensic techniques available currently include local system analysis, network traffic analysis and log file reporting and analysis; however these techniques are primarily used to detect and compile evidence where a case is known or where an external and foreign entity has compromised an internal system or network. Insider attacks may compromise a system but they may do so with user accounts that have administrative access to said system or with tools used internally to gain access to privileged information. Thus forensic techniques are not designed to detect and alert security personnel to internal violations as they may be mistaken for routine administration and operations. Examples include any case where an employee conducts network traffic analysis to obtain the usernames and passwords of individuals with access to sensitive information and then impersonates those individuals within their own network to facilitate the changes they desire; or where an employee with administrative access to network infrastructure changes said infrastructure against the policy of the company they are employed by; such as modifying their salary within the Accounting Database or damaging systems intentionally due to a grievance with their employer.
Anti-Forensics
According to Kerckhoff’s principal and it’s reformulation as Claude Shannons Maxim “The Enemy knows the System”. (Kerckhoff)[iii] Although we are referring to internal systems and operations that may or may not involve cryptography; when the “Enemy” is an internal employee this truth determines the maxim extent of the systems risk and its potential for grievous damage to the company.
Anti-forensic techniques and tools include Alternative OS and Systems use methods, Data Manipulation (Secure Data Deletion, Overwriting Meta-data, Preventing Data-creation), Encryption, Encrypted Network Protocols, Program Packers, Steganogarphy, Generic Data Hiding and Targeting Forensic Tools directly to exploit them. (Garfinkel)[iv]
Although anti-forensic techniques were initially developed to secure systems for military operation, these tools may also be used by malicious persons during internal attacks against the targeted internal systems, combined with the intimate knowledge that an internal attacker will maintain of the company and its operations, the personnel involved the methods used to detect these attacks become even more difficult.
Synopsis
One may argue that the best method to prevent internal attacks is to employ good people and to keep them happy. However since companies can’t please everyone all the time there’s bound to be conflicts that arise as the result of corporate restructuring, salary and pay differences and general employee alienation.
Technical methods to prevent internal attacks include the “Segregation of Duties”(ISACA)[v] and “Segregation of Systems and Networks”; (Kupersanin)[vi] Thus by logically segregating access to resources by both function, location and internal client access requirements we may mitigate the potential for one employee to commit attacks. In addition to this internal financial systems are of paramount concern and should have segregated administrative, functional and operational client accounts that are limited to those resources that require access for their duties. Examples of this are that a payroll clerk should not have the ability to modify salaries in the financial application used to control payroll; that function should be limited to the executive & middle management as well as human resources personnel; general LAN WAN administrative accounts should not have access to these systems and access should be limited to only one or two people that act at the managerial level of network support and operations. Thus a LAN/WAN administrator would not have either the permission, nor the access required to change their own salary.
References
[i] Einwecher, Nathan (Security Focus, March 20th 2002) Preventing and Detecting Insider Attacks Using IDS [Online] World Wide Web, Available from: http://www.securityfocus.com/infocus/1558 (Accessed on April 25th 2009)
[ii] Bassham, Lawernece E.; Polk, Timothy W. (NIST, Security Division, March 10th 1994) Threat Assessment Of Malicious Code and Human Threats [Online] World Wide Web, Available from: http://csrc.nist.gov/publications/nistir/threats/subsection3_4_1.html (Accessed on April 25th 2009)
[iii] Kerckhoff, Auguste (Journal de Science Militare, February 1883) LA CRYPTOGRAPHIE MILITAIRE. [Online] World Wide Web, Available from: http://www.petitcolas.net/fabien/kerckhoffs/#english (Accessed on April 25th 2009)
[iv] Garfinkel, Simon (Naval Postgraduate School, 2007) Anti-Forensics Detection and Countermeasures [Online] PDF Document, Available from: http://simson.net/clips/academic/2007.ICIW.AntiForensics.pdf (Accessed on April 25th 2009)
[v] N.a. (ISACA, 2008) CISA Review Manual 2008, Chapter 2, Page 112 [Online] PDF Document, Available from: http://www.isaca.org/AMTemplate.cfm?Section=CISA1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40835 (Accessed on April 25th 2009)
[vi] Kupersanin, William (Insecure.org, November 15th 2002) Security Basics: Contractors on Company Networks – Network Segregation [Online] World Wide Web, Available from: http://seclists.org/basics/2002/Nov/0426.html (Accessed on April 25th 2009)
Thursday, April 23, 2009
XSS Attacks
Cross Site Scripting (XSS)
Cross Site Scripting is a type of computer security vulnerability where a malicious third party utilizes code injections and encoding techniques to exploit a given web-site or to harvest confidential data and facilitate phishing, or to execute scripts on client’s machines. [i] One of the major issues of Cross site scripting is that the End-User is often un-aware of the attack. (Rafail)[ii] XSS is used as CSS is often confused with Cascading Style Sheets.
There are many types of XSS attacks;
Simple Persistent (Hope et al)[iii]
DOM-Based (Klien et al)[iv]
Non-Persistent[v]
Persistent[vi]
Identity Based
(Session Cookie theft and Impersonation)
Although these are known types of XSS attacks, any web-portal which allows the input of dynamic content where other users may see the posted content or a portal that relies on a database back-end i.e. Message Boards, Forums, Online Sales Listing sites etc, any of these types of site may be vulnerable to an XSS attack. XSS attacks often utilize a web-browser supported scripting language in conjunction with HTML to harvest user information or session cookies and then that gathered information is then used elsewhere. An XSS attack also has the added feature of circumnavigating most corporate security systems such as firewalls and if the site that is the host of the XSS attack is encrypted with TLS/SSL then proxies as well.
Crimes
Crimes that may leverage XSS can be fraudulent; session hijack of an online banking transaction, defamation and or slanderous; impersonating a public figure and posting to a hate related web site, and identity theft and or unauthorized access of public and private systems via browser exploit. Initial estimates place around 70% of web sites that allow user input as vulnerable.(Berinato)[vii]
Investigation Techniques
Techniques for investigating XSS do exist and include the standard methods of computer forensics however since all XSS attacks involve web-sties with dynamically generated content that is non-local and dynamically linked to the exploit; the investigation techniques used must cover databases, code analysis and general HTML. (Shiuh-Jeng et al)[viii] The most common form of forensic investigation technique used for XSS exploits is log file analysis. The procedure used is to locate the victims of the XSS attack and analyse their systems, locate the server and then from the server that is hosting the attack; locate the malicious server hosting the code of the attack, analyse that server and develop a suspect profile that also determines where else this same attack may have been used on the primary site. Depending on the severity of damage caused the police may seize all assets involved to determine the origin and mitigate any further Damage. (Shiuh-Jeng et al)[ix]
Mitigation
Mitigating cross-site scripting attacks requires action of the web-user and their browser in addition to web-site developer test and engineering: just as firewalls have become the de-facto standard to defend against unwanted network traffic; xss-filters attached to web-browsers have become standard on all popular web-browsers. Conducting Input validation tests on web-sites expecting to host forums and or content management software also mitigates the potential for XSS exploits.
References
[i] N.a. (CGISecuirty, March 2008) The Cross Site Scripting FAQ [Online] World Wide Web, Available from: http://www.cgisecurity.com/xss-faq.html (Accessed on April 24th 2009)
[ii] Rafail, Jason (CERT Coordination Center, Carnegie Mellon University 2001) Cross Site Scripting Vulnerabilities [Online] PDF Document, Available from: http://www.cert.org/archive/pdf/cross_site_scripting.pdf on (April 24th 2009)
[iii]Hope, Paco; Walther, Ben (O’Reilly Media Inc, 2008), Web Security Testing Cookbook,p. 128, ISBN 978-0-596-51483-9
[iv] Klein, Almit (Web Application Security Consortium, July 4th 2005) DOM Based Cross Site Scripting or XSS of the Third Kind [Online] World Wide Web, Available from: http://www.webappsec.org/projects/articles/071105.shtml (Accessed on April 24th 2009)
[v] N.a. (Web Application Security Consortium, 2005) Threat Classifacation [Online] World Wide Web, Available from: http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml (Accessed on April 24th 2009)
[vi] N.a. (Web Application Security Consortium, 2005) Threat Classifacation [Online] World Wide Web, Available from: http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml (Accessed on April 24th 2009)
[vii] Berinato, Scott (CSO, January 1st 2007) Software Vulnerability Disclosure: The Chilling Effect [Online] World Wide Web, Available from: http://www.csoonline.com/article/221113/Software_Vulnerability_Disclosure_The_Chilling_Effect?page=7 (Accessed on April 24th 2009)
[viii] Shiuh-Jeng Wang; Yao-Han Chang; Wen-Ya Chiang; Wen-Shenq Juan (IEEE, FGCN 2007) Investigations in Cross-site Script on Web-systems Gathering Digital Evidence against Cyber-Intrusions [Online] PDF Document, Available from: http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4426076%2F4426188%2F04426216.pdf%3Farnumber%3D4426216&authDecision=-203 (Accessed on April 24th 2009)
[ix] Siuh-Jeng, Wang; Yao-Han Chang; Hung-Jui Ke; Weng-Shenq Juang (Tiwan Central Police University, Shih Hsin University, December 9th 2007) Digital Evidence Seizure in Network Intrusions against Cyber-crime on
Internet Systems [Online] PDF Document, Available from: http://dspace.lib.fcu.edu.tw/bitstream/2377/11011/1/JOC_18_4_7.pdf (Accessed on April 24th 2009)
XSS Attacks
Cross Site Scripting (XSS)
Cross Site Scripting is a type of computer security vulnerability where a malicious third party utilizes code injections and encoding techniques to exploit a given web-site or to harvest confidential data and facilitate phishing, or to execute scripts on client’s machines. [i] One of the major issues of Cross site scripting is that the End-User is often un-aware of the attack. (Rafail)[ii] XSS is used as CSS is often confused with Cascading Style Sheets.
There are many types of XSS attacks;
Simple Persistent (Hope et al)[iii]
DOM-Based (Klien et al)[iv]
Non-Persistent[v]
Persistent[vi]
Identity Based
(Session Cookie theft and Impersonation)
Although these are known types of XSS attacks, any web-portal which allows the input of dynamic content where other users may see the posted content or a portal that relies on a database back-end i.e. Message Boards, Forums, Online Sales Listing sites etc, any of these types of site may be vulnerable to an XSS attack. XSS attacks often utilize a web-browser supported scripting language in conjunction with HTML to harvest user information or session cookies and then that gathered information is then used elsewhere. An XSS attack also has the added feature of circumnavigating most corporate security systems such as firewalls and if the site that is the host of the XSS attack is encrypted with TLS/SSL then proxies as well.
Crimes
Crimes that may leverage XSS can be fraudulent; session hijack of an online banking transaction, defamation and or slanderous; impersonating a public figure and posting to a hate related web site, and identity theft and or unauthorized access of public and private systems via browser exploit. Initial estimates place around 70% of web sites that allow user input as vulnerable.(Berinato)[vii]
Investigation Techniques
Techniques for investigating XSS do exist and include the standard methods of computer forensics however since all XSS attacks involve web-sties with dynamically generated content that is non-local and dynamically linked to the exploit; the investigation techniques used must cover databases, code analysis and general HTML. (Shiuh-Jeng et al)[viii] The most common form of forensic investigation technique used for XSS exploits is log file analysis. The procedure used is to locate the victims of the XSS attack and analyse their systems, locate the server and then from the server that is hosting the attack; locate the malicious server hosting the code of the attack, analyse that server and develop a suspect profile that also determines where else this same attack may have been used on the primary site. Depending on the severity of damage caused the police may seize all assets involved to determine the origin and mitigate any further Damage. (Shiuh-Jeng et al)[ix]
Mitigation
Mitigating cross-site scripting attacks requires action of the web-user and their browser in addition to web-site developer test and engineering: just as firewalls have become the de-facto standard to defend against unwanted network traffic; xss-filters attached to web-browsers have become standard on all popular web-browsers. Conducting Input validation tests on web-sites expecting to host forums and or content management software also mitigates the potential for XSS exploits.
References
[i] N.a. (CGISecuirty, March 2008) The Cross Site Scripting FAQ [Online] World Wide Web, Available from: http://www.cgisecurity.com/xss-faq.html (Accessed on April 24th 2009)
[ii] Rafail, Jason (CERT Coordination Center, Carnegie Mellon University 2001) Cross Site Scripting Vulnerabilities [Online] PDF Document, Available from: http://www.cert.org/archive/pdf/cross_site_scripting.pdf on (April 24th 2009)
[iii]Hope, Paco; Walther, Ben (O’Reilly Media Inc, 2008), Web Security Testing Cookbook,p. 128, ISBN 978-0-596-51483-9
[iv] Klein, Almit (Web Application Security Consortium, July 4th 2005) DOM Based Cross Site Scripting or XSS of the Third Kind [Online] World Wide Web, Available from: http://www.webappsec.org/projects/articles/071105.shtml (Accessed on April 24th 2009)
[v] N.a. (Web Application Security Consortium, 2005) Threat Classifacation [Online] World Wide Web, Available from: http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml (Accessed on April 24th 2009)
[vi] N.a. (Web Application Security Consortium, 2005) Threat Classifacation [Online] World Wide Web, Available from: http://www.webappsec.org/projects/threat/classes/cross-site_scripting.shtml (Accessed on April 24th 2009)
[vii] Berinato, Scott (CSO, January 1st 2007) Software Vulnerability Disclosure: The Chilling Effect [Online] World Wide Web, Available from: http://www.csoonline.com/article/221113/Software_Vulnerability_Disclosure_The_Chilling_Effect?page=7 (Accessed on April 24th 2009)
[viii] Shiuh-Jeng Wang; Yao-Han Chang; Wen-Ya Chiang; Wen-Shenq Juan (IEEE, FGCN 2007) Investigations in Cross-site Script on Web-systems Gathering Digital Evidence against Cyber-Intrusions [Online] PDF Document, Available from: http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4426076%2F4426188%2F04426216.pdf%3Farnumber%3D4426216&authDecision=-203 (Accessed on April 24th 2009)
[ix] Siuh-Jeng, Wang; Yao-Han Chang; Hung-Jui Ke; Weng-Shenq Juang (Tiwan Central Police University, Shih Hsin University, December 9th 2007) Digital Evidence Seizure in Network Intrusions against Cyber-crime on
Internet Systems [Online] PDF Document, Available from: http://dspace.lib.fcu.edu.tw/bitstream/2377/11011/1/JOC_18_4_7.pdf (Accessed on April 24th 2009)