Archive

Posts Tagged ‘Security’

ThruGlassXfer starts to make an impact

October 2nd, 2014

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC has been syndicated through to Forbes. Well done Ian!! This follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfer along with his ThruKeyboardXfer.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from Youtube via a Laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it causes me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.


ThruGlassXFER – exfiltration via QRCode

June 10th, 2014

This week Ian Latter, under his MidnightCode moniker, started to release information on his proof of concept for the exfiltration of information using QR Codes called ThruGlassXFER. This is ahead of his presentation at COSAC in Ireland and time at BlackHat later this year.

The full ThruGlassXFER White-Paper and proof of concept apps are coming. I was privileged enough to see this project as it emerged including the functioning proof-of-concept. The White-Paper will walk people from first principles through to sample code. There are also some inventive ways to get the base code onto secure systems.

This can put to bed the argument that a system that delivers only a remote display, mouse and keyboard is secure and that information cannot be easily exfiltrated. Yes, I understand that this is an oversimplification of the potential issue. Looking forward to how this is received and what people do with it.

My hat goes off to Ian!

Categories: exploits, Security

Thoughtlet – Are we moving to a single device?

June 15th, 2013

This isn’t a fully fleshed out thought. It is the beginning of some musings after looking at the Apple WWDC announcements and how they are building tighter integration between OSX and iOS. It was also spurred on by this article. As users are being driven by portability and the lag between feature parity of devices is shrinking, and looking at the history and trends of personal computing purchases, are we finally moving to the “single device”? What will this new “single device” look like and what effect will it have on the current trends in the market?


If you don’t like my picture there are others to choose from

Personal computing kicked off in the 1980s with the personal computer. This was the first time that general and flexible computing was available to the average person.

In the 1990s mobile phones took off, as did the personal digital assistant (PDA) in the mid to late ’90s. This took communications and personal computing mobile. Given the limited capabilities of the PDAs at the time, most people still had a desktop PC. Those lucky enough also had access to laptops in the ’90s; these too had limitations and, for the more powerful users, increased their device count further.

In the late 1990s PDAs merged with phones to create the first smart phone, reducing the number of devices a person carried.

The 2000s brought the advancement of laptops as the norm, and the latter part of the decade saw the introduction of netbooks and ultrabooks as a way of increasing the portability of computing. It also saw the paradigm (can’t believe I used paradigm) shift in mobile telephony with the introduction of the iPhone. This new interface saw people’s view of mobile computing change forever.

By 2010 tablet computing, on the back of smart phones, came to market and introduced another compromise to computing. This now sees people with 3 devices (notebook, smart phone and tablet computer), each needed for a specific purpose: the notebook as the data entry and manipulation device, the smart-phone as the all-purpose device and the tablet as the compromise of the two, meeting somewhere in the middle.

In 2013 we now see the decline in PC sales and increase in smartphone sales, with tablets of varying specification and size trying to balance capability and portability, as well as smart-phones that are so large that they challenge the smaller of the tablets on the market. Why? This jostling and positioning is trying to meet the consumer’s needs. What are these needs?


I argue that people are trying to get that balance right. Ideally they don’t want a phone and a tablet, but the phone screen is too big, or the tablet too big to always have with them. If this is truly the case then the real future is going to look a lot different from where we are now, reaching an almost sci-fi climax.


I think what will eventually happen is that the processing power that a mobile phone can have will be comparable with that of the ultrabooks of today. Once this happens, is there really a need for everyone to have 16 devices? The new devices will be like the smart phone today, with a docking capability to turn it into a powerful data entry and manipulation tool, or a sleeve that allows it to have a bigger, interactive display like that of a tablet or laptop.


vision of future of personal computing

If this is the case, what are the implications to current enterprise trends?


Cloud Services – Today file sharing tools like Box and Dropbox allow us to share files with others, but most people tend to use them as a way of syncing and backing up their own personal data. In the single device world this won’t need to change. Whilst the sync capability will be less of a concern, the sharing capability will increase as it does today, moving from file sharing to collaborative content creation and manipulation.

BYOD – The bring your own device phenomenon, like cloud, is moving past the disruptive trend and becoming the norm. With a single device, the only barrier is compartmentalisation of work and personal. As mobile computing power increases so will the ability to have capabilities like personas or profiles, allowing seamless switching between work and personal contexts.

Security implications – This will cement the concept of the micro perimeter (see really crappy Figure 2 below). Mobile computing and secure code execution are becoming more and more mature; so too has the shift in desktop computing. We’ve moved from the personal firewall and the hypervisor to the micro-visor (see Figure 1 below), providing the ability to secure the execution of the operating system itself, as well as temporary sandboxed instantiation of the applications as they are used. Incorporating the mobile device management (MDM) platform concept into a policy-based micro-visor allows the seamless movement from personal device to multifunction device, with employers being able to specify policies for the components under their control.


Figure 1: Hypervisor to Micro-visor

Figure 2: Evolution of the micro-perimeter


I think that the trends of today are not going to change much or slow down, each seems to fuel the other in regards to personal computing. There are still niches in the market to be had to help consumers and businesses ease into this new paradigm (there you have it I use paradigm)!

UPDATE – 18/6/13: After a brief twitter exchange with Brian Katz (@bmkatz) and Ian Bray (@appsensetechie) I realised that I conflate the concept of Mobile Device Management, Mobile Application Management and Device Data management into the MDM terminology.

I see Mobile Device Management, device control, as the initial stage in the evolution of dealing with the data management problem. Application management is controlling the conduit to the data via enforcing trusted applications (another potential flaw). Ultimately the data is the only thing that anyone truly cares about. This is an oversimplification of the problem as there are other concerns and factors that come into it.

UPDATE – 22/6/13: Further comment from Tal Klein (@VirtualTal) reminds me that there will always be a multi device driven by consumption/creation as well as an aggregation and administration drive to consolidation of devices. I can see that there will continue to be those that have specific needs and require multiple devices (driven by technology adaptation, or scenarios). I’m also driven by watching my family’s adoption. I’m the only one that really has multiple machines, everyone else really utilises dual devices, and only uses the secondary device due to lack of feature parity on the primary iDevices.

Bruteforce becomes DOS

May 27th, 2013

I noticed that I started to get a few emails from Wordfence about invalid login attempts. Now as I have both Wordfence and Google two factor authentication happening I wasn’t worried, though I thought I’d do a large IP range block just to cut down on the noise.

What I found was that my provider was being really awesome in their pro-activeness and started automatically detecting brute force attacks on WordPress sites and removing the login.php.
As I stated above I have Wordfence installed; this will automatically block users and IP addresses that have attempted too many times to log in to a site. But I also have Google 2 Factor authentication set up as well, stopping these clowns.
So whilst my provider was doing an awesome job preventing those-bad-guys™ from getting to my site, they in essence have locked me out too. Hats off to the support team for pulling this together. But the next stage really needs to include not only scanning for the fact I run WordPress to block attacks, but scanning for plugins too. Or even better, allow me to opt out.

Optimising Security

September 18th, 2012

There is a great post today by my friend Daniel Baird over at his site Outside the Asylum on Optimising Security.

It shows the relationship between the cost of security, risk and profitability of an organisation.

As I commented on his site, I can see a number of follow up posts on this and how you flesh out the data-points that support it. It is a juggling act that every one of us in the information security space plays.

Categories: Security