Archive for October, 2005
With a Blog titled “Visible Procrastinations”, this essay is well matched …
by John Perry
Version of April 25, 1995
… All procrastinators put off things they have to do. Structured procrastination is the art of making this bad trait work for you. The key idea is that procrastinating does not mean doing absolutely nothing. Procrastinators seldom do absolutely nothing; they do marginally useful things, like gardening or sharpening pencils or making a diagram of how they will reorganize their files when they get around to it. Why does the procrastinator do these things? Because they are a way of not doing something more important. If all the procrastinator had left to do was to sharpen some pencils, no force on earth could get him to do it. However, the procrastinator can be motivated to do difficult, timely and important tasks, as long as these tasks are a way of not doing something more important.
Structured procrastination means shaping the structure of the tasks one has to do in a way that exploits this fact. … With this sort of appropriate task structure, the procrastinator becomes a useful citizen. Indeed, the procrastinator can even acquire, as I have, a reputation for getting a lot done. …
Ever had one of those emails that says *I know the policy says no, but this is the exception*? Well this one is certainly within that strike zone …
Just wondering if ******* or you people are using free Internet call program such as Skype or MSN?
Skype is a little program for making free calls over the internet to anyone else who also has Skype. It’s free and easy to download and use, and works with most computers. Download Skype now or learn more about Skype (incl. screenshots).
It will be very helpful if you do, it is free, and easy. Otherwise phone calls are too expensive for two hours, whichever way it is.
Our POLICY was pretty clear, Skype was not to be installed or used on EDFAC machines. We are wary about Skype especially wrt the Skype Security Overview – Rev 1.6 – 1/26/05 
VoIP and Skype Security 
Skype Security Overview – Rev 1.6 – 1/26/05
Page 3 of 10
… 2. Some Skype “peers” are actually “super-nodes.” When Skype is run on a computer that has a public IP address and is not otherwise behind a firewall, it can become a “super-node.” These computers are used as rendezvous points so that computers behind firewalls can receive connections from other Skype users. Although Skype refuses to explain the details of their protocol, it is likely that computers behind firewalls scan the Internet looking for super-nodes, then form and maintain long-term connections with these other computers. The super-nodes then proxy connections to the encumbered connections behind the firewalls. …
As Mark O’Neill says “Skype relies on PCs with public IP addresses in order to act as “super nodes” to route calls”. This means that our University machines with public IP addresses sitting on reasonable bandwidth make pretty good “super nodes”. This also means that we pay for other people’s calls as we carry the traffic for machines behind NAT firewalls — altruism only goes so far.
Skype is now owned by eBay, which means that some of the Sharman Networks (KaZaa) baggage has shifted away from the product with the transfer to eBay. Due to their e-commerce nature, eBay is a more *trusted* party than Sharman. There is still a fair question as to whether GAIM or other ‘SpyWare’ is still installed with a Skype installation. But we still have an issue with Privacy/Security because at the CyberCrime 2003 conference, Joseph E. Sullivan (eBay’s Director of Compliance and Law Enforcement Relations) said “We do not require a subpoena except for very limited circumstances. We require a subpoena when we need the financial information from the site, credit card info or sometimes IP information.” Privacy, you ain’t got no privacy! This looks and smells bad.
VoIP Wars and the Winner IS 
Monday, October 10th, 2005
The big 4 voip providers: Skype, Gizmo, Voipbuster and Jajah are competing with various weapons.
Skype continuously offers new bells and whistles as does Jajah who also offers the lowest rates. While Voipbuster offers free calls to fixed lines in many countries.
… Skype, I use them for peer to peer, IM and paid calls. In general I am happy with their service. Though, we shall have to wait and see what eBay’s plans are. Skype has added new features recently. You now have for an additional fee SkypeIn a phone number your friends can call. You answer in Skype. Skype Voicemail takes your calls when you’re busy or offline. Personalise Skype Express yourself — get some new ringtones, sounds and pictures. Call Forwarding Re–direct calls to your mobile, landline or to another Skype Name. …
In short, Skype was installed on our ‘loaner’ laptop, with a generic account. It worked well in this instance — although I think this application is still deeply in the *watch this space* territory.
Skype security and privacy concerns 
Scott Granneman, 2005-09-22
… If eBay goes down the wrong path with Skype, we need to move ourselves – and our friends, families, and business associates – to a more open, yet secure, alternative. If we don’t keep our eyes – and ears, naturally! – open, we could find, after a few years, that we’ve lost something special, and there’s no possibility of getting it back. …
 Skype Security Overview – Rev 1.6 – 1/26/05
 User Guides [Skype]
 Network Administrators Guide – PDF [Skype]
 Skype Security Center [Skype]
 Skype Tips [SkypeTips.com]
 VoIP Wars and the Winner IS [VoIP Value Guide]
 Skype security and privacy concerns (2005-09-22) [SecurityFocus]
 Sponging Skype (Monday, January 10, 2005) [Mark O'Neill's Radio Weblog]
 A closer look at VOIP security (Saturday, September 24, 2005) [Mark O'Neill's Radio Weblog]
* Smile Brendan *
The federal government’s proposed voluntary student unionism (VSU) legislation will effectively sound the death knell for university sport in Australia (along with just about every other service offered by student organisations).
On Sunday night, Federal Education Minister, Brendan Nelson called in to the North Ryde Hockey field to watch his daughter play.
The match that had just ended featured Macquarie University and UTS.
Bad timing Brendan.
*smile for the camera*
The real reason at last!
Security Gumshoe Makes His Mark
In this riveting, yet darkly comedic serial security tale from Mark Robertson, social engineering consultant and CTO, a security gumshoe named Chip Byte and Elisa Pascal, gumshoette, track unscrupulous mercenaries, crackers, hackers and shady characters — including the powerful Dr. DelTree — to protect businesses against security threats.
To learn more about these street-smart security defenders (and how to secure your organization), click on the links and read each story segment …
From PART I – She ashed her cigar and said, “Protect your networks first, and tell your people to button it, not to talk so much, ’cause you don’t want people like me snoopin’ around for big money.”
From PART IV – Oh man, the owner of this notebook had assumed a few things:
- It would never get stolen.
- No one would ever look at the contacts and their information.
- No one would ever open the financial software.
- No one would ever know how to look at a spreadsheet.
- No one would ever undelete and look at every single keystroke up to over 90 levels of undelete.
- No one would ever read what was in the cache including the unprotected chat text.
- Anyone who found it wouldn’t care about the kind of work he did.
From PART V – The first thing I do when a computer disaster strikes is take inventory. What caused the situation is important, but the most important thing is—what do I have left that is usable? What is salvageable? What is totally write off-able? Where are my backups? Is there a safe place to go to regroup and strategize? I was mad at myself for not having a plan. Just a tiny little plan for when things went haywire. I hate having to respond to a crisis in the middle of a mini-Armageddon, which this turned out to be.
From PART VII – She opened a small lipstick; in one end was her color, the other end contained one bullet. On the counter in her kitchen was an open package of peach gelatin. Beside it was a PC board with etchings on it. I knew what this was right away. Biometric cracking 101. It was an old trick, but still effective. I hoped Elisa would figure out that her fingerprint-scanning USB memory stick was compromised.
From PART VII – I rammed the USB driver into my USB port. I read the only file on it: “GOOD BYE.” Not again! I threw my notebook out the window and waited for the explosion. None this time. Boy, did I feel stupid. That was a great notebook, too.
RightNow is a CRM application that has been selected by the University of Melbourne to handle student enquiries. The problem is that it requires a PC with IE 6.0+, AND requires an ActiveX Control to install two applications. Oh Fun!
Being security minded, let’s see what happens when we run this in FireFox (our SOE browser). What actually breaks? This is where we discover the JS browser blocker in play …
FIG1. Good old fashion “No you Don’t!” popup
Luckily we have an extra trick up our sleeve … bring in the FireFox extensions! Time to install IE View, and configure the RightNow URL to always be opened in IE. This doesn’t stop the problems in IE, it just means that FireFox can remain the default browser as it becomes aware of how we need to handle this url.
FIG2. Install and configure IE View
Does it work? Oh yeah!
FIG3. IE View reloader
The next step is to set up RightNow as a trusted site in IE (because we have ActiveX blocked from everything but trusted sites, don’t we grasshopper!? see Fig5). Add the site to the trusted site list, but still have your trusted site prompting for permission to install ActiveX controls. For the URLs see [2a] and [2b] below, as the example in the screen shots is not quite correct.
FIG4. Do you trust this site? An internet login without https://
Guidance for Securing Microsoft Windows XP Systems for IT Professionals
National Institute of Standards and Technology (US)
Computer Security Resource Center
A NIST Security Configuration Checklist – Special Publication 800-68 (Draft)
… Make the following modifications to the Internet zone:
+ Under ActiveX controls and plug-ins, set Script ActiveX controls marked safe for scripting to Disable.
+ Under Scripting, set Active scripting to Disable. This will disable all scripting, including ActiveX. If this impacts required functionality, change the setting to Prompt.
Summary of Recommendations
Next we have the ActiveX Controller installation … I need to get further details about this wee beastie. As you can probably guess from the NIST quotes above, ActiveX Controls are not a secure environment’s best friend. There is a document “The Deployment of RightNow Component Files” that documents the ActiveX Controls, so we are not totally in the dark on this front.
FIG5. IE Active X secure settings [Internet zone]
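An added example (not from the original post or from NIST): a Python audit of a `.reg` export of the IE `Zones` key against the two Internet-zone settings quoted above and the "trusted site still prompts" rule. The action codes (1001, 1004, 1400, 1405) and values (0 allow, 1 prompt, 3 disable) are Internet Explorer's URL-action identifiers; the sample export is constructed, and treating "disable" as acceptable for unsigned downloads in the Trusted zone is an assumption.

```python
import re

INTERNET, TRUSTED = 3, 2          # IE zone numbers
ALLOW, PROMPT, DISABLE = 0, 1, 3  # values a URL action can take

# (zone, action code, acceptable values, setting name in the IE dialog)
POLICY = [
    (INTERNET, "1405", {DISABLE}, "Script ActiveX controls marked safe for scripting"),
    (INTERNET, "1400", {DISABLE, PROMPT}, "Active scripting"),
    (TRUSTED, "1001", {PROMPT}, "Download signed ActiveX controls"),
    (TRUSTED, "1004", {PROMPT, DISABLE}, "Download unsigned ActiveX controls"),  # assumption
]

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample; a real export is UTF-16, so open it with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000
"1004"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1405"=dword:00000003
"""

def parse_zones(reg_text):
    """Return {zone: {action: value}} for every Zones\\N key in the export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = zones.setdefault(int(key.group(1)), {})
        elif line.startswith("["):
            current = None  # unrelated key: ignore its values
        else:
            val = VAL_RE.match(line)
            if val and current is not None:
                current[val.group(1).upper()] = int(val.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone, action, found value, name) for each setting outside policy.
    A missing value is reported as None: an unset action is not a hardened one."""
    zones = parse_zones(reg_text)
    return [(zone, action, zones.get(zone, {}).get(action), name)
            for zone, action, ok, name in POLICY
            if zones.get(zone, {}).get(action) not in ok]

if __name__ == "__main__":
    for zone, action, value, name in audit(SAMPLE_REG):
        print(f"zone {zone}: {name} ({action}) is {value}")
```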
Securing ActiveX controls
ActiveX controls are executable programs that can be delivered to your machine over the Internet. They can be written in several languages and are based on the OLE specification. They are compiled into 32-bit machine language for Microsoft® Windows® platforms and run only on Win32-compatible machines. ActiveX controls can manipulate local disk systems, make connections to other computers and networks, and can transfer files. They can do these things without user interaction, which is why ActiveX controls need to be well-secured to ensure that they are not misused unintentionally or maliciously. 
FIG6. Process Manager Install
Another issue that we will need to deal with is the password being published on a public website … Now resolved
 RightNow Project [ACS]
[2a] RightNow Admin [RightNow_UNIMELB]
[2b] RightNow Admin [RightNow_EDFAC]
 IE View FAQ [Mozilla]
 IE View Installation [Mozilla]
 Guidance for Securing Microsoft Windows XP Systems for IT Professionals [Computer Security Resource Center]
 Securing ActiveX controls [IBM]
 Improve the security of ActiveX and browser add-ons while maintaining usability [TechRepublic]
1. Fearful or uneasy anticipation of the future; dread.
2. The act of seizing or capturing; arrest.
3. The ability to apprehend or understand; understanding.
The latest Bali bombing has added a bit more concern to the planning of our Malaysian trip for 2006.
This Advice is current for Thursday, 06 October 2005.
The Advice was issued on Thursday, 22 September 2005, 17:21:01, AEST.
Australians in Malaysia should exercise a high degree of caution, particularly in commercial and public areas known to be frequented by foreigners. The risk of terrorist attack against Western interests in Malaysia remains.
Australians are advised to avoid all travel to coastal resorts, islands and dive sites off the east coast of Sabah. We continue to receive credible reports that terrorists are planning kidnapping attacks targeting resorts frequented by foreigners. Terrorists have in the past kidnapped foreigners from the eastern part of mainland Sabah, and from the islands and sea off its east coast.
Australians intending to travel overland from Malaysia to Thailand should be aware of the travel advice for Thailand which recommends that travellers defer non-essential travel to the far southern Thai provinces of Yala, Pattani, Narathiwat and Songkhla, including deferring non-essential overland travel from and to the Malaysian border through these provinces. 
 Travel Advice: Malaysia [SmartTraveller.gov.au]
A family of three tawny frogmouths has taken to roosting in our dead gum tree in the front of our block. It has become a sport for the kids to ‘count how many owls we have today’. I had been looking at the dead tree and thinking about trimming it up a bit but leaving it for habitat … I am certainly leaving it as habitat now
Something I had not been aware of: Avoid using pesticides or snail baits where frogmouths feed, as they love to eat snails, slugs and moths 
 Tawny Frogmouth [Australian Museum Online]
 Help keep the tawny frogmouth safe in your local area [NPWS-NSW]
But there are other highly visible reminders. It’s always instructive to have a look at the top right corner of the screen of someone using the Firefox browser. If there’s a small red, upward-pointing arrow, it means that the user hasn’t updated the latest bug-fix and security updates.
Ironically, in addition to having the best user interface and performance of any browser – with the possible exception of Opera – Firefox is probably the most security conscious. It releases patches for any vulnerability much faster than Microsoft, for instance, and it’s set to look for updates automatically. 
A green arrow shows that updates are available, most probably for extensions. A blue arrow shows that an update process was halted.
Bluetooth is most commonly used to create a “Personal Area Network” linking mobile phones, PDAs, headsets, etc. The vast majority of users of these networks do not think that their ‘personal network’ can be exploited …
Enter stage left: multiple variations of wardriving-like techniques to locate and exploit Bluetooth devices. It would be good to find vendors shipping their devices with the Bluetooth “off” by default.
Homeland (wireless) defence
… The most basic Bluetooth security mechanism is the user’s ability to choose if a device is in discoverable or non-discoverable mode, but unfortunately, your phone or other Bluetooth is probably discoverable, because that’s the default, and you didn’t know that you should change it. … 
Now we have met the problem, how do we determine its scope? Grab a laptop with Knoppix as a live CD/DVD or installed (Knoppix includes bluetooth USB support.) The laptop may have a built-in Bluetooth interface, or you can use a USB Bluetooth key.
A good starting tool is the BlueZ Bluetooth stack/suite
While googling on the topic, you will find lots of references to customized software used for the scanning (and by references you see people mention it, but nobody coughs up a link.) Since my initial goal was simple enumeration of devices and quick assessment of how “juicy” a given target area is, I did not have need for actual bluetooth exploits. I found that the basic tools in the BlueZ tool suite were sufficient for my needs.
Starting simply with:
This will list the hardware ID numbers and a manufacturer’s name of any device advertising in range. That “advertising” part is important. These would be the wardriving equivalent of wide open WAPs broadcasting.
If you are looking for particular services to exploit — er enumerate, you can simply scan for devices that support the feature of interest. For example, to find devices capable of setting up a dial-up internet connection, you would use:
sdptool search DUN
Other interesting services to search for are FTRN (for file transfer,) and OPUSH. 
Unlike wardriving, this is more of a sit-and-wait game. Bluetooth devices and users are mobile, so it’s better to pick a proper high-traffic area (or better yet: the meeting room where you’re holding your audit kick-off meeting.) With enough sensors and proper placement, you can track the movement of your bluetooth users within your facility or campus. I’m sure nobody would do anything bad with that information. :-\ 
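An added example (not part of the quoted diary or of BlueZ): a Python summary of an audit run that merges a device listing with per-service `sdptool search` results, so the auditor gets one list of discoverable devices and the services each exposes, for follow-up with their owners. It assumes the device listing is in the tab-separated address/name layout printed by BlueZ's `hcitool scan`; all captured text below is constructed.

```python
import re
from collections import defaultdict

ADDR = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
SCAN_RE = re.compile(rf"^\s+({ADDR})\s+(.*)$")             # "<tab>addr<tab>name"
SEARCH_RE = re.compile(rf"^Searching for (\w+) on ({ADDR})")

# Constructed captures: one device listing, one sdptool search per service.
SCAN = "Scanning ...\n\t00:11:22:33:44:66\tHeadset-B\n\t00:11:22:33:44:55\tPhone-A\n"
DUN = ("Inquiring ...\n"
       "Searching for DUN on 00:11:22:33:44:55 ...\n"
       "Service Name: Dial-up Networking\nService RecHandle: 0x10001\n"
       "Searching for DUN on 00:11:22:33:44:66 ...\n")
OPUSH = ("Inquiring ...\n"
         "Searching for OPUSH on 00:11:22:33:44:55 ...\n"
         "Service Name: OBEX Object Push\nService RecHandle: 0x10002\n"
         "Searching for OPUSH on 00:11:22:33:44:66 ...\n")

def parse_scan(text):
    """{address: name} for every device that answered while discoverable."""
    devices = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            devices[m.group(1).upper()] = m.group(2).strip() or "n/a"
    return devices

def parse_services(text):
    """{address: {service}}; a service counts only if a record follows the
    'Searching for ...' line, since a search with no hit prints no record."""
    offered, current = defaultdict(set), None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = (m.group(2).upper(), m.group(1))
        elif line.startswith("Service RecHandle:") and current:
            offered[current[0]].add(current[1])
    return offered

def report(scan_text, search_texts):
    """Rows of (address, name, services), most exposed devices first."""
    offered = defaultdict(set)
    for text in search_texts:
        for addr, services in parse_services(text).items():
            offered[addr] |= services
    rows = [(addr, name, sorted(offered.get(addr, ())))
            for addr, name in parse_scan(scan_text).items()]
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))

if __name__ == "__main__":
    for addr, name, services in report(SCAN, [DUN, OPUSH]):
        print(addr, name, ",".join(services) or "discoverable only")
```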
Trifinite has developed a specialism in unearthing Bluetooth security shortcomings, the latest of which illustrates implementation problems rather than more deep-seated security concerns with the protocol. Car Whisperer only works because many car manufacturers use standard Bluetooth passkeys such as “0000” or “1234” which are easy to guess. “This is often the only authentication that is needed to connect,” according to Trifinite.
“Since the attacker’s laptop is fully trusted once it has a valid link key, the laptop could be used in order to access all the services offered on the hands-free unit. Often, phone books are stored in these units. I am quite certain that there will be more issues with the security of these systems due to the use of standard pass keys,” Trifinite notes. 
OK, we are suffering from the ‘good old two hit’: on-by-default and known default passwords.
Bluetooth is a short-range technology, so hackers must be physically close to prospective victims. At first it was thought that they could only eavesdrop on users’ communications, but the Israeli researchers discovered that hackers can force their way into a Bluetooth session by masquerading as a device that has already been paired with a target and assume control of it. 
As I have been saying for some time when people ask “What is the safest way to use Bluetooth” … DON’T!
 Homeland (wireless) defence [BleedingEdge]
 Handler’s Diary October 1st 2005 – Bluetooth Auditing [SANS]
 Linux Bluetooth hackers hijack car audio [The Register]
 Bluetooth: Those Spying Eyes [VARBusiness]
 Cracking the Bluetooth PIN – Yaniv Shaked and Avishai Wool