How to hack the FBI
By Davey Winder in Editorial
Posted in networks, Data Protection, Blog, Security on
It appears that a professional penetration tester with some 17 years' experience has managed to work his way from an unnamed civilian government agency network right into the heart of a decidedly non-civilian FBI crime database in less than six hours from start to finish.
The report explains how the PatchAdvisor consultant found unpatched vulnerabilities on the agency's web server and network during a routine, otherwise harmless scan. That kick-started a chain of events: the web server gave up logins that had been reused on a number of enterprise systems, those systems were then open to inspection, and in turn they revealed unsecured account details that handed the pen tester Windows domain admin privileges. As anyone with the slightest experience on either side of the hacking fence will recognise, this is a classic privilege-escalation chain, and the weak link in it was credential reuse as much as the missing patches.
So it should come as no surprise that domain admin led to a police workstation on-site, nor that the pen tester was then able to install monitoring software on it and watch which applications connected to the FBI National Crime Information Center database. Had he wished to, and it seems he did not, the next step would have been a keylogger to capture the logins needed to get into it.
I guess the moral of this tale comes down to the obvious and oft-repeated mantra: no matter how solid the security further up the food chain (in this case the FBI database), if the small fish are allowed to swim freely around the bottom of the tank then eventually some shark will come along and gobble up everything. Patch management, unique credentials for each system and service account, and sensible firewalling of that police network could surely have prevented what has become an embarrassing, and in the face of the ongoing war on terror potentially serious, security slip-up.
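As an added illustration (my own code, not PatchAdvisor's and nothing taken from the report), here is the kind of credential-reuse audit a defender can run over password hashes dumped from their own estate before a pen tester does it for them: it groups identical hashes across hosts and accounts, then answers the question the story turns on, namely how far one captured login reaches. The host names, account names, hash strings and the domain admin list are all constructed sample data; the hashes are hex placeholders, not real password hashes.

```python
"""Credential-reuse audit: find password hashes shared across hosts and
accounts, and work out how far one compromised login reaches.

Added example, not code from PatchAdvisor or the report. SAMPLE_DUMP is
constructed: the host names, accounts and hash strings are placeholders.
"""
from collections import defaultdict

# Constructed sample dump, host -> {account: password hash}.
# Hash values are arbitrary hex placeholders, not real hashes.
SAMPLE_DUMP = {
    "webserver01": {
        "Administrator": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1",
        "svc_backup":    "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2",
    },
    "fileserver02": {
        "Administrator": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1",
        "jdoe":          "c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3",
    },
    "sqlserver03": {
        "Administrator": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1",
        "svc_sql":       "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2",
    },
    "dc01": {
        "CORP\\svc_backup":    "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2",
        "CORP\\Administrator": "d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4",
    },
    "kiosk04": {
        "Administrator": "e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5",
    },
}

# Accounts whose compromise equals domain-wide control (constructed list).
DOMAIN_ADMINS = {"CORP\\Administrator", "CORP\\svc_backup"}


def find_reused_hashes(dump):
    """Return {hash: [(host, account), ...]} for every hash that appears
    under more than one (host, account) pair."""
    seen = defaultdict(list)
    for host, accounts in dump.items():
        for account, digest in accounts.items():
            seen[digest.lower()].append((host, account))
    return {d: sorted(locs) for d, locs in seen.items() if len(locs) > 1}


def blast_radius(dump, host, account, privileged=frozenset()):
    """Given one compromised credential, list every other (host, account)
    the same hash unlocks, and whether any of them is privileged."""
    digest = dump[host][account].lower()
    unlocked = sorted(
        (h, a)
        for h, accounts in dump.items()
        for a, d in accounts.items()
        if d.lower() == digest and (h, a) != (host, account)
    )
    escalates = any(a in privileged for _, a in unlocked)
    return unlocked, escalates


def report(dump, privileged=frozenset()):
    """Human-readable findings, one line per reused hash."""
    lines = []
    for digest, locs in find_reused_hashes(dump).items():
        where = ", ".join(f"{h}/{a}" for h, a in locs)
        flag = " [reaches domain admin]" if any(a in privileged for _, a in locs) else ""
        lines.append(f"hash {digest[:8]}... shared by {len(locs)} logins: {where}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP, DOMAIN_ADMINS):
        print(line)
    # The chain from the story: one service account on the web server.
    reach, escalates = blast_radius(SAMPLE_DUMP, "webserver01", "svc_backup", DOMAIN_ADMINS)
    print("svc_backup on webserver01 also unlocks:", reach, "| domain admin:", escalates)
```

In the sample the local Administrator hash is shared by three servers and the backup service account uses the same password locally on the web server, on the SQL box and in the domain, which is exactly the shape of chain described above: one unpatched web server gives up a hash that is good for a domain admin. The audit works on any hash format as long as the same password produces the same string, so it applies equally to NT hashes from a domain dump or to cracked cleartext.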
Two years of compromised Linux security exposed
By Davey Winder in Editorial
Posted in Blog, Linux, Security, Internet, e-commerce on
A recently revealed vulnerability in Debian's OpenSSL package, covered in detail in Debian Security Advisory DSA-1571-1 (CVE-2008-0166), means that keys generated on affected systems are predictable, so supposedly secure web sessions can potentially be decrypted by an attacker. The vulnerability affects Debian-derived distributions such as Ubuntu as well, but that is almost by the by. What isn't is the reason the vulnerability exists in the first place. You might assume that, as with most of these things, a bit of unintentionally sloppy and insecure programming during development was to blame. While the words sloppy and insecure certainly still spring to mind, unintentional most certainly does not.
You see, according to an excellent piece of analysis at Dark Reading, it appears that the programmer was “using Valgrind to debug applications in an effort to prevent security flaws. But two lines of code from the OpenSSL libraries caused Valgrind to complain, which prompted the programmer to take them out after an inquiry and short discussion on the OpenSSL development mailing list.” Those two lines were the ones that mixed seed material into the random number generator's state (one of them read from an uninitialised buffer, which is what Valgrind objected to), and with them gone the only thing still feeding the pool was the process ID. Amazing as it may seem, this simple act resulted in “two years’ worth of weakened cryptographic key creation (both SSH keys and SSL certificates) on Debian-based systems.”
In effect, the workaround meant that a generated key depended on nothing but the process ID, which on a default Linux system runs from 1 to 32,767. So for any one key type, size and architecture there are only 32,767 possible keys, every one of which an attacker can generate ahead of time; matching a victim's public key against that table is not so much a brute force attack as a lookup, and it is, pretty much, child’s play.
In his Dark Reading analysis, John Sawyer claims that this means “All communications that had been perceived as “secure” for the past two years — and into the unforeseeable future — could now be compromised if their encryption was based on the flawed keys and certificates.”
Sure, the developers concerned were only trying to make something more secure, and there was certainly no malicious intent. But the irony is that it shows Linux can be just as insecure as Windows in some regards, perhaps even more so. Why more so? Because the perception is that Linux is secure, full stop, and working from that basis users are perhaps less inclined to think about the security and privacy implications of their online sessions. In the case of Debian users that could have devastating implications.
And the moral of this tale? Be it Linux or Windows, the user should always treat security seriously and never expect the OS to be a virtual fortress. For anyone running Debian or a derivative there is a more concrete lesson too: installing the fixed package is only the first step, because every key generated on an affected system since the broken package entered Debian in September 2006 is still weak. SSH keys need regenerating, certificates reissuing, and the old public keys removing from authorized_keys files and trust stores wherever they were copied; Debian shipped blacklists of the weak keys and the ssh-vulnkey checker to help find them…
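To make the 32,767-key arithmetic concrete, here is an added example of my own, not code from Debian, OpenSSL or the Dark Reading piece. It models a generator whose only input is the process ID, pre-computes the entire keyspace the way an attacker would, and then performs the same blacklist lookup that a checker such as ssh-vulnkey performs. The key generation is a deliberate toy stand-in (an HMAC over the seed) for real RSA or DSA generation; the one property it preserves is the one that mattered, that the output depends on nothing except the PID. The PID limit, the key-type labels and the fingerprint format are assumptions made for the illustration.

```python
"""Why a PID-seeded generator yields only 32,767 keys, and how the
blacklist check that Debian's ssh-vulnkey tool performed works.

Added example, not code from Debian, OpenSSL or the original post. The
key generation here is a toy stand-in (HMAC-SHA256 over the seed) for
RSA/DSA generation; it keeps the one property that mattered in the real
bug: the output depends on nothing except the process ID.
"""
import hashlib
import hmac
import os

PID_MAX = 32767   # default Linux PID range at the time; it bounds the keyspace


def weak_keygen(pid, key_type="rsa2048"):
    """Stand-in for the broken generator: the only 'entropy' is the PID.
    Key type and size (and, on real systems, CPU word size and endianness)
    change the output, so each combination has its own table of 32,767 keys."""
    return hmac.new(key_type.encode(), pid.to_bytes(2, "big"), hashlib.sha256).digest()


def good_keygen(key_type="rsa2048"):
    """What the generator should do: mix in real OS entropy."""
    return hmac.new(key_type.encode(), os.urandom(32), hashlib.sha256).digest()


def fingerprint(pub):
    """Short identifier for a key, the form the blacklist files stored."""
    return hashlib.sha256(pub).hexdigest()[:32]


def build_blacklist(key_type="rsa2048"):
    """Pre-generate every possible key once: fingerprint -> PID.
    This is the 'ahead of time' attack; it takes well under a second."""
    return {fingerprint(weak_keygen(pid, key_type)): pid
            for pid in range(1, PID_MAX + 1)}


def is_vulnerable(pub, blacklist):
    """The ssh-vulnkey style check: is this key in the weak set?"""
    return fingerprint(pub) in blacklist


def recover_pid(pub, blacklist):
    """Attacker side: map a public key back to the PID that made it.
    With the PID the whole key pair (private half included) regenerates,
    so any session protected by that key can be decrypted."""
    return blacklist.get(fingerprint(pub))


if __name__ == "__main__":
    table = build_blacklist()
    victim = weak_keygen(4242)                 # a key generated on a broken box
    print("keys in table:", len(table))
    print("victim key vulnerable:", is_vulnerable(victim, table))
    print("seed recovered:", recover_pid(victim, table))
    print("fresh key vulnerable:", is_vulnerable(good_keygen(), table))
```

The point the numbers make: the defender's blacklist and the attacker's rainbow table are the same object, and building it costs one key generation per PID. The real blacklists were several megabytes because each key type, size and architecture needed its own 32,767 entries, but none of them took an adversary more than a few hours to produce.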
I’m a techno-lumberjack and I’m OK…
By Davey Winder in Editorial
Posted in Data Protection, Blog, Printers on
Guilty as charged. I print hardcopy of important documents so they do not get lost, so that I can keep them safe, so that I can easily share them with anyone who might need to see them. And it appears that I am not alone in participating in this retro-archiving activity, despite my high tech background, as a new report from the EMC Corporation suggests British business is printing so much stuff that it is costing around
Stupid web business: number 38 in a series of millions
By Davey Winder in Editorial
Posted in Blog, Internet, e-commerce on
Like many people, I book our family holidays online these days. With young kids we tend to stay within the UK and opt for a holiday cottage rental. There are numerous sites offering the ability to search for and book such a cottage, covering the UK and beyond. They work by taking a fee from the owner of the cottage for each successful booking. They also seem to suffer from what I like to call the Tottenham Court Road effect: it used to be that you could not play one shop off against another in TCR when buying electrical goods, because most of them were owned by the same people. So it is with the holiday cottage rental industry; the numerous differently branded services seem to come back to just one or two companies in the end.
Anyway, to cut a long story short, we found our ideal little cottage snuggled deep in a forest in North Wales for the dates we needed and paid a deposit back in July 2007. Believe me, to get the good ones you do need to book that early! The balance of the rental is due tomorrow, although Cottages4You do not seem that keen on taking my money.
Being a good web warrior I attempted to pay online last night using the secure payment server, only to discover that the secure payment server did not want my money, for a reason that wasn’t forthcoming. The error it returned was simply that it could not proceed with the transaction and I should try again or call the office and pay over the telephone. What with it being after office hours, I decided to try again. This time I got a different error: apparently the secure payment server was not actually working at the moment, and would I mind awfully phoning the office. I gave it one more chance today, trying the elusive payment server again. Yep, you guessed it: call the office, it said.
So I called the office, debit card in hand, ready to pay the rental balance that was fast approaching its due date. Here’s a precis of the conversation:
Cottages4You - Hello how can I help?
Me - I’d like to pay my final rental balance please
Cottages4You - Do you have your booking reference?
Me - Yes, it is XXXXXXXXXX
Cottages4You - Have you just tried to pay on the Internet?
Me - Yes, it wouldn’t let me
Cottages4You - Sorry, when an Internet payment attempt fails it locks us out of accepting payments on your account for 20 minutes so you will have to call back later
Me - <flabbergasted silence before hanging up>
Can you bloody well believe it? In this era of web-based transactions, where immediacy and availability are often the only things that differentiate one service from another, a company can still be this daft. Customers are encouraged by Cottages4You to pay via the secure server, and when it barfs through no fault of those customers they are then unable to pay over the telephone, despite the website telling them to do just that. It really does drive me mad; mad enough that I will probably not bother using this service for future rentals. I’ll try the old-fashioned method and pick up a copy of Daltons Weekly to approach the landlords directly instead. I might even save some money, not to mention sanity, in the process…
Half of all rootkits still not detected by security software
By Davey Winder in Editorial
Now that the media interest in rootkits seems to have all but evaporated, you might be forgiven for thinking that the problem has been solved, that the bad guys have moved on to another mode of attack, that the good guys have won. Forgiven, but wrong.
According to recently published tests by those hardy chaps over at AV-Test who, funnily enough, spend pretty much their entire working lives being a thorn in the side of the AV industry by putting security products under the microscope and testing them until they burst, rootkits are still very much on the criminal radar.
The trouble is they are unlikely to be on yours, because the AV-Test grilling revealed that around half of the rootkits used during testing went undetected by security suites and online web scanners alike. The German security boffins ran the tests on both Windows XP Home Edition and Windows Vista Ultimate Edition, throwing multiple rootkits at the clean lab-rat machines along with multiple malware infections that used those rootkit techniques to stay hidden.
On XP the security suites performed better than the online web scanners, catching 66 percent of the installations compared with 53 percent. Actually cleaning up and removing the rootkits they did detect proved a real problem for the web-based scanners in particular: they managed an average successful removal rate of just 32 percent. Dedicated XP rootkit detection and removal tools did better, although an average detection rate of 80 percent is hardly confidence-inspiring if you ask me: they still left 20 percent of the evil little buggers running quietly away with the user none the wiser.
The Vista testing was a little more confusing. It used only AV tools updated, or ‘frozen’, as of October 2007, and AV-Test reports that the average detection rate of 90 percent on inactive samples came as a surprise, because most of the samples involved had been released two or three years earlier. You might imagine a freshly updated AV tool would find all of those. You might even imagine it could remove them, but only 54 percent were removed successfully.
When it came to the more recent, active rootkit installations, Windows Live OneCare did pretty badly, considering Microsoft should have the edge when it comes to things that hook into the Vista kernel. According to the report it detected only one of the six installed and active rootkits.
So which tools proved to be the ones with big smiles on their binary faces? Only three AV solutions managed to detect and remove all the active and inactive rootkits thrown at them:
- F-Secure Anti-Virus 2008 6.80.2610.0
- Norton Antivirus 2008 15.0.0.58
- Panda Security Antivirus 2008 3.00.00
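What separates the dedicated rootkit tools in these tests from a plain signature scan is that they do not trust any single view of the system. The standard trick is a cross-view check: enumerate processes through the interface everyone uses, enumerate them again through a lower-level one, and treat anything the second view finds that the first does not as hidden. The following is an added example of my own, not from AV-Test or the original post, and written for Linux rather than the Windows machines tested, because the principle is the same and it runs anywhere: /proc (what ps reads) is the high-level view, and sending signal 0 to every possible PID is the low-level probe, since the kernel answers for a live process whether or not /proc admits it exists. Windows detectors do the same with a user-mode process list against a walk of kernel structures. The pid_max path and the three-pass filter are assumptions for the illustration.

```python
"""Cross-view check for hidden processes, the approach dedicated rootkit
detectors use: compare a high-level process listing with a lower-level
probe and report anything only the probe can see.

Added example, not from AV-Test or the original post; Linux version.
High-level view: /proc. Low-level view: kill(pid, 0) on every PID, which
returns success or EPERM for a live process and ESRCH for none.
"""
import os


def listed_pids():
    """High-level view: every PID and thread ID /proc reports. Thread IDs
    are included because kill() accepts them too; leaving them out would
    flag every thread of every multi-threaded program as 'hidden'."""
    ids = set()
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        ids.add(int(d))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{d}/task"))
        except OSError:
            pass  # process exited between the two listings
    return ids


def probed_pids(pid_max):
    """Low-level view: PIDs the kernel admits exist when signalled with 0."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue      # ESRCH: nothing there
        except PermissionError:
            pass          # EPERM: exists, owned by someone else
        alive.add(pid)
    return alive


def hidden_pids(listed, probed):
    """Cross-view diff: present to the probe, absent from the listing."""
    return set(probed) - set(listed)


def read_pid_max(default=32768):
    """Upper bound for the probe; assumed path, falls back to the old default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return default


def scan(passes=3):
    """Take both views several times and report only PIDs hidden in every
    pass, which drops processes that started or exited mid-scan."""
    pid_max = read_pid_max()
    result = None
    for _ in range(passes):
        found = hidden_pids(listed_pids(), probed_pids(pid_max))
        result = found if result is None else result & found
    return result or set()


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

The caveat a practitioner should keep in mind is the one AV-Test's results imply: a kernel-level rootkit that hooks the signal path as well as the process listing hides from both views, which is why detectors pile up several independent views (and why the removal rates are worse than the detection rates).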
File under about bloody time: Google Apps gets remote working security
By Davey Winder in Editorial
Posted in Blog, Google, Internet on
It has been a long while coming, but following Google's acquisition of Postini last year the enterprise version of Google Apps is finally getting the security it deserves and its users have demanded. The new Google Web Security for Enterprise is available as a web service and incorporates real-time malware protection along with policy enforcement and URL filtering.
Tim Johnson, a Google Product Marketing Manager, has blogged about how it enables “the safe, productive use of the web, without incurring hardware, upfront capital, or IT management costs”, although I am not sure where that left enterprises that were using Google Apps remotely for their business until now. The free add-on extends the kind of protection in-house workers enjoyed to off-network users as well, which is of course good news, albeit bloody late in the day if you ask me.
“Protecting off-network users used to require them to connect via a VPN when they were out of the office
The fastest Virgin between London and Manchester
By Davey Winder in Editorial
Posted in networks, broadband, Blog, Internet on
Virgin Media, together with Nortel and Juniper Networks, has successfully run a north-south 40G trial over a live commercial network, covering 217 miles of its current 10G infrastructure. As far as I am aware this is the first time such a trial has been attempted in the UK, and certainly the first to succeed, or I am pretty damn sure the PR companies would have been shouting about it given the competition in the domestic broadband market right now.
It all took place, so I am reliably informed, late in April and involved carrying live 40Gbps wavelength traffic across that 350km optical span using Nortel core optical kit and Juniper Networks T-series core routers with 40Gbps interfaces. By deploying 40Gbps technology in this way, Virgin was able to increase the performance of both its IP/MPLS and optical networks as well as, obviously, overall capacity. Perhaps most importantly, it showed that Virgin Media is capable of providing a dynamic 40G wavelength service over the entire length of its Nortel-supplied Common Photonic Layer: 2,500km nationwide, to be precise.
The April trial itself ran between the Manchester and London PoPs where the Juniper T-series core routers are located. It is the first time in the UK that 40Gbps transport has run over a commercial network carrying live traffic on the 40G wavelengths without any regeneration, external dispersion compensation or costly Raman amplification, thanks to Nortel's 40G Adaptive Optical Engine WDM transponder technology. That allows the 40Gbps wavelengths to be deployed “immediately”, and since the existing Juniper T-series router cores can be upgraded to 40G ports, more effective deployments of next-generation services should be achievable for a relatively low incremental investment.
“Our aim for this trial was to ensure we continue to meet the growing capacity needs of the high-speed services we deliver and provide a quality experience for Virgin Media customers,” said Daniel Hennessy, director of Technical Architecture, Virgin Media. “Our strategic suppliers have demonstrated very clearly how existing network assets can be scaled to meet the growth in demand associated with evolving customer behavior and step changes in the products provided as part of our high-speed broadband proposition. Our optical network will provide a solid foundation for growth as it takes advantage of technology designed to avoid electrical regeneration and where possible reduce the incremental cost of scaling transport capacity.”
Which just leaves me to ask the question: so when will a Virgin Media 50Mb service be available in my South Yorkshire village? Actually, when will any Virgin Media cable be available in my village? Never, oh, I see. Still, the thought was nice while it lasted…
The Big Web 2.0 Bang: when consumer and corporate worlds collide
By Davey Winder in Editorial
Posted in Blog, Security, Internet on
There was an interesting presentation by David Lavenda, VP of product strategy at WorkLight, at the Secure Enterprise 2.0 Forum in New York last week. While London was getting to grips with the whole Boris and Ken thing, Lavenda had his mind firmly on Web 2.0 security matters.
In his presentation, Lavenda predicted that this year will be the one that finally sees Web 2.0 technology go mainstream. To be honest I think he is a little late in making the call, seeing as Facebook, according to a recent Forrester report at any rate, has more than 70 million active users and MySpace 110 million registered subscribers. Against that backdrop of success in certain consumer-facing sectors, Lavenda told his audience that up-and-coming services such as iGoogle have already hit big numbers too, with 22 million users and growth in excess of 260 percent per annum.
So you might have expected an upbeat presentation from Lavenda, but not so when it comes to security. He cautioned listeners about the need to ensure that the access employees are given to this new breed of social web services and sites is secure, in order to avoid very unsocial threats such as malware and other attack vectors. Lavenda went on to explain that the security concerns are simply not well understood by the swathe of people who have no real handle on using Web 2.0 in an enterprise context. Understanding that this is not just a set of new development tools but a sea change in the user experience is key to getting on top of the situation.
“They offer a personalised user experience that allows users to easily gather and aggregate information onto their browser, whether it is iGoogle, Facebook, MySpace or Yahoo,” Lavenda explained. The problem, he went on, is that offering totally unfettered access poses a real risk to companies. In fact, a host of real risks: data theft, information leakage and liability for information misuse, to name but three. And the reason the risks are so high, and so obvious to anyone who looks, is simply that the Web 2.0 services infiltrating the workplace were never intended for corporate use. They are consumer creations through and through, and we all know what happens when you mix consumer services with corporate usage: you get a highly volatile solution to a problem that never existed.
Perhaps WorkLight founder Yuval Tarsi puts it best when he says “the consumer and enterprise worlds are colliding.” Watch out for a bang of sonic boom proportions…