Monday, April 27, 2009

TrueCrypt Installation on Fedora 10

Installing TrueCrypt 6.1 on Fedora 10 was quite straightforward. Here is a quick list of steps to follow:

1. Download the TrueCrypt 6.1 source tarball from

2. Untar the source:
[root@slash-the Download]# tar -zxvf TrueCrypt\ 6.1a\ Source.tar.gz

3. Install required libraries:
[root@slash-the Download]# yum install nss-pkcs11-devel fuse-devel wxGTK wxGTK-devel gnome-keyring-devel gcc-c++

4. Export the Cryptoki include folder:
[root@slash-the Download]# export PKCS11_INC=/usr/include/gp11

5. Run make
You may get the following error messages:
../Common/SecurityToken.cpp:654: error: ‘CKR_NEW_PIN_MODE’ was not declared in this scope
../Common/SecurityToken.cpp:655: error: ‘CKR_NEXT_OTP’ was not declared in this scope

5.1 Open Common/SecurityToken.cpp in your favourite editor.

5.2 Scroll to line 654

5.3 Comment out lines 654 and 655. It should look like this:

5.4 Save and exit

5.5 Run make again

6. TrueCrypt is now compiled. Copy the binary into place:
[root@slash-the Download]# cp Main/truecrypt /usr/share/bin
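
An alternative to editing by line number in step 5, as an added example that is not part of the original post: the script checks whether the headers under PKCS11_INC define the two return codes named in the error messages, and comments out only the source lines that use a missing one. The function names and the constructed sample in demo are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Comments out only the lines that
# use PKCS#11 return codes which the headers under PKCS11_INC do not define.

# has_define INCDIR NAME: true if a header under INCDIR #defines NAME.
has_define() {
    grep -rqE "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# patch_missing_ckr SRC INCDIR: prints how many lines were commented out.
patch_missing_ckr() {
    pm_src=$1; pm_inc=$2; pm_changed=0
    [ -f "$pm_src" ] && [ -d "$pm_inc" ] || { echo "bad arguments" >&2; return 2; }
    # Keep one pristine copy; do not overwrite it on later runs.
    [ -e "$pm_src.orig" ] || cp -p "$pm_src" "$pm_src.orig" || return 1
    for pm_name in CKR_NEW_PIN_MODE CKR_NEXT_OTP; do
        if has_define "$pm_inc" "$pm_name"; then continue; fi
        # Count live (not yet commented) lines that reference the code.
        pm_n=$(grep -v '^[[:space:]]*//' "$pm_src" | grep -c "$pm_name") || true
        pm_tmp=$(mktemp) || return 1
        # Prefix "// " to every such line; already-commented lines are skipped.
        sed "/^[[:space:]]*\/\//!s|.*$pm_name.*|// &|" "$pm_src" > "$pm_tmp" &&
            cat "$pm_tmp" > "$pm_src"
        rm -f "$pm_tmp"
        pm_changed=$((pm_changed + pm_n))
    done
    echo "$pm_changed"
}

# demo: runs the patch on a constructed header and source fragment
# (NAME is a hypothetical macro; these are not lines from TrueCrypt).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/inc"
    printf '#define CKR_OK 0\n' > "$d/inc/pkcs11.h"
    printf 'NAME (CKR_OK)\nNAME (CKR_NEW_PIN_MODE)\nNAME (CKR_NEXT_OTP)\n' > "$d/st.cpp"
    patch_missing_ckr "$d/st.cpp" "$d/inc"
    cat "$d/st.cpp"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

From the source directory, `patch_missing_ckr Common/SecurityToken.cpp "$PKCS11_INC"` applies the same edit as steps 5.1 to 5.4 and leaves the untouched file as SecurityToken.cpp.orig.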

Wednesday, April 22, 2009

Cisco puts more security in the cloud

SAN FRANCISCO--Cisco is set to make several cloud-related security announcements at the RSA conference on Tuesday, including the expansion of its hosted security services and the integration of security-as-a-service applications with corporate network infrastructures.

The new products include Cisco Security Cloud Services, Cisco IPS Sensor Software 7.0 for intrusion prevention, and Cisco Adaptive Security Appliance 5500 Series 8.2 software with a botnet traffic filter for identifying infected clients and remote access capabilities.

The company uses what it calls "SensorBase," a massive threat-monitoring network overseen by 500 workers in its Cisco Security Intelligence Operations center. The center collects data from 7,000 devices and hundreds of millions of client computers, providing snapshots of activity at different times and locations that can indicate if a large attack is going on, said Ambika Gadre, director of product marketing in the security technology business unit at Cisco, during a briefing on Monday.

The company also is announcing Cisco SAFE, a security reference architecture organizations can use as a guideline for deploying security solutions, and Cisco Information Technology Governance, Risk Management and Compliance consulting services.

In addition, Cisco is introducing the Cisco WebEx Collaboration Cloud for software-as-a-service, a network to provide high performance and security for conferencing, instant messaging and other enterprise work group activities. Also new is the Cisco WebEx Node for ASR 1000 Series, which allows the edge router to act as a point of presence in a corporate network for online meetings.

As confusing as it may be to keep the separate announcements straight, one analyst said Cisco's overall security strategy is a good one.

"There's been a rejuvenation of security at Cisco. They've had a hard time dealing with big picture things," said Peter Christy, principal of the Internet Research Group. "Their long-term vision is that security migrates with you" through the cloud.

Patrick Peterson, a security researcher at Cisco, described some of the threats facing corporations, including cybercriminals based in Russia and the Ukraine.

"They are the Bill Gates of cybercrime," because they are tech savvy and have an innovative entrepreneurial sense, he said.


Tuesday, April 21, 2009

The Great Brazilian Satellite-Hack Crackdown

CAMPINAS, Brazil — On the night of March 8, cruising 22,000 miles above the Earth, U.S. Navy communications satellite FLTSAT-8 suddenly erupted with illicit activity. Jubilant voices and anthems crowded the channel on a junkyard's worth of homemade gear from across vast and silent stretches of the Amazon: Ronaldo, a Brazilian soccer idol, had just scored his first goal with the Corinthians.

It was a party that won't soon be forgotten. Ten days later, Brazilian Federal Police swooped in on 39 suspects in six states in the largest crackdown to date on a growing problem here: illegal hijacking of U.S. military satellite transponders.

"This had been happening for more than five years," says Celso Campos, of the Brazilian Federal Police. "Since the communication channel was open, not encrypted, lots of people used it to talk to each other."

The practice is so entrenched, and the knowledge and tools so widely available, few believe the campaign to stamp it out will be quick or easy.

Much of this country's geography is remote, and beyond the reach of cellphone coverage, making American satellites an ideal, if illegal, communications option. The problem goes back more than a decade, to the mid-1990s, when Brazilian radio technicians discovered they could jump on the UHF frequencies dedicated to satellites in the Navy's Fleet Satellite Communication system, or FLTSATCOM. They've been at it ever since.

Truck drivers love the birds because they provide better range and sound than ham radios. Rogue loggers in the Amazon use the satellites to transmit coded warnings when authorities threaten to close in. Drug dealers and organized criminal factions use them to coordinate operations.

Today, the satellites, which pirates called "Bolinha" or "little ball," are a national phenomenon.

"It's impossible not to find equipment like this when we catch an organized crime gang," says a police officer involved in last month's action.

The crackdown, called "Operation Satellite," was Brazil's first large-scale enforcement against the problem. Police followed coordinates provided by the U.S. Department of Defense and confirmed by Anatel, Brazil's FCC. Among those charged were university professors, electricians, truckers and farmers, the police say. The suspects face up to four years in jail, but are more likely to be fined if convicted.


Monday, April 20, 2009

Should We Reward Hackers for Finding Flaws?

Dr. Charlie Miller, famous Mac hacker, announced at this year's CanSecWest hacking contest that he would no longer be releasing exploits for free, to the vendor or anyone else. Further, Charlie and a few friends have started a "No More Free Bugs" campaign, which even has its own logo.

I've met and very much respect Charlie Miller, and I believe his intentions are good. He just wants to make a living doing what he is good at. The services he provides are valuable, to the software vendor and to us all. Still, I'm bothered by one nagging question: Will or won't Charlie sell his bug findings to parties with malicious intentions? He hasn't yet made a clear, definitive statement on that. I suspect he won't, but for now, I don't know for sure.

(It took Charlie Miller only 10 seconds to crack the Mac at CanSecWest. Now he says he's found a way to trick the iPhone into enabling shell code.)

I feel for Charlie and other truly elite, well-intentioned hackers like him. I've met many of them over the last 20 years, and I know that discovering vulnerabilities isn't the easiest way to make a living. I've known talented hackers who provided independently found exploits to the vendor and were offended when the vendor didn't want to pay them for their hard work. I've seen these initially well-intentioned hackers begin multiyear vendettas against the vendor, who they purportedly wanted to work for, by announcing bug after bug in retaliation. I've seen scorned hackers sell bugs to competitors and beat up the vendor in the press.

Penny in a haystack

Selling exploits is a money-making opportunity like never before, especially if you're a black hat. A hacker that doesn't care who gets his exploit can sell a decent vulnerability finding for a widely distributed software program for $5,000 or more. Prices on the black market are hard to find, but I've seen offers for up to $100,000 for a remote buffer overflow exploit against Windows Server 2003. Considering that multiple crimeware syndicates are making tens of millions of dollars, or more, a price of tens of thousands of dollars for a well-coded exploit is pretty cheap in the grand scheme of things.

Even in the white hat world, many legitimate parties are paying for bugs and exploits. First, many vendors (including my full-time employer, Microsoft) pay millions to internal and external bug finders, although they are almost always (if not always) contracted before the bugs are found. CanSecWest and other hacking contests pay for new zero-day vulnerabilities. Several other organizations, like the Zero Day Initiative, pay for new vulnerability findings. They make their money on the back end by selling protection products to their clients. Lastly, it's a poorly kept secret that our government has huge teams of people working on finding exploits for offense and defense purposes. There have even been attempts at open-air vulnerability auctions.

Black and white

The sad fact is that a found exploit doesn't earn the white hat hacker nearly as much money as the same exploit would bring in the black hat market. That's because white hat hacking is about fixing the product and protecting people, while black hat hacking is about separating people from their money. A friend of mine at a large software company did an analysis of the company's spending for internal and externally hired vulnerability finders, and he said the money paid often worked out to less than $25 per found bug. It's hard for any legitimate hacker to make a decent living at those wages.

But they do. I guess that's it in a nutshell. There are lots of ways to make money in this world. My computer books would sell a lot more if they contained porn, or I could supplement my income with tax-free money by selling illegal drugs, but I've got to be able to look at myself in the mirror in the morning and be proud of what I'm doing. I get paid to hack, but I've never done it without permission or with ill will toward anyone. Whatever personality trait it takes to be involved with something malicious, it's missing from my DNA.

Many companies make a decent if not robust living finding bugs for vendors. Maybe they aren't making $5,000 or more per bug, but they've built successful -- sometimes highly successful -- businesses doing it the right way. They've become industry names and created individual stars. Their owners have grown the company, created long-term careers for their employees, and are able to hold their heads up high without a moment of second-guessing.

For every infamous black hat hacker, I can name two infamous white hat hackers and their companies -- names such as @Stake, ZDI, iDefense, David Litchfield, Foundstone, Dave Aitel, Immunity, and so many more.

Charlie and other "No More Free Bugs" advocates deserve to make a living doing what they do best. But I hope they consider the types of people and companies they will be selling their bugs to. We need them to assure us that they are on our side every time.

Pirate Bay Team Sentenced to Jail

A Swedish court has found the four men behind file-sharing site The Pirate Bay guilty of infringing copyright law, sentencing them to a year each in jail and ordering them to pay £3 million ($4.5 million) in damages to 17 entertainment companies including Warner Bros (TWI), Sony Music Entertainment (SNE), EMI and Columbia Pictures. The media companies had been seeking $17.5 million.

Despite the verdict, The Pirate Bay remains open for business — that is, the non-commercial business of pointing users to content, but not hosting it, which its lawyers contend is legal. Though entertainment companies are cheering the victory, it doesn’t seem like it will have any direct effect on the more than 20 million people who use The Pirate Bay.

The folks behind The Pirate Bay — founders Gottfrid Svartholm Warg and Fredrik Neij, spokesman and programmer Peter Sunde, and funder Carl Lundström — were hardly stony-faced about being convicted, and said they would appeal and don’t plan to pay the fine. Here’s an archive video of this morning’s exceedingly casual press conference, and The Pirate Bay’s Peter Sunde as quoted by the BBC:

“It’s so bizarre that we were convicted at all and it’s even more bizarre that we were [convicted] as a team. The court said we were organised. I can’t get Gottfrid out of bed in the morning. If you’re going to convict us, convict us of disorganised crime.

“We can’t pay and we wouldn’t pay. Even if I had the money I would rather burn everything I owned, and I wouldn’t even give them the ashes.”

For background on the proceedings, see our pieces The Definitive Primer to the Pirate Bay Trial and So What’s Really Going on With That Pirate Bay Trial?.

source: CNN