Tuesday, September 30, 2008

The latest low blow for Apple

ZDNet covered a study done by French researchers at CNRS claiming that Mac Pros manufactured before 2008 contain at least one carcinogenic chemical, benzene. The researcher making this claim detected a suspicious odor upon unboxing, and later found 7 compounds in the machine that can be hazardous to humans. O'Grady at ZDNet said that the odor was a known problem, backed up by posts from other users on message boards. The article has this great quote:
This problem is as bad for Apple as the contaminated milk problem for China, and it may very well be the first scandal of this kind in the computer industry.
(Why are there so many great quotes and analogies about Apple?) The evidence on both sides is pretty convincing. On one side there's a researcher whose own lab colleague is calling his science into question (comments), and on the other side is a typically silent Apple with no comment. It's implied that they are aware of the problem and are doing everything to fix it quickly, but also that they don't think the problem is really a problem. (i.e. They know the computer smells funny, but aren't going to say it gives you blood cancer.) I, for one, would like to believe that.

A recall would probably be slightly irritating for Apple. (Making the sure-bet assumption that they'll never prove Mac Pros cause cancer.) Apple had to recall 1.8 million notebook batteries in 2006 due to an overheating battery. They were barely affected, but the manufacturer Sony took a several-point hit. Will Apple be able to shift the blame this time as well?

EDIT: There is a semi-update on Apple's non-position on this.
Apparently they're "looking into it" even though they don't believe it's true. Because that's what major corporations do when one person says something that everyone else basically thinks is nonsense... they launch a research campaign.

Thursday, September 18, 2008

How Sarah got her hack on

When McCain chose Palin as his running mate, the US Secret Service descended upon her home in Wasilla, Alaska. They set up a perimeter around her house with 24-hour surveillance. They set up alarm equipment. They might've installed bulletproof windows.

But they ignored her computer.

And she got hacked.

The news reports speak about shadowy cabals of hackers performing mysterious rites to break into her computer. It was much simpler than that. Her "secret question" for resetting a lost password was "Where did you meet your spouse?". The secret answer was an easily guessed "Wasilla high".

The "hacker" saw the e-mail address "gov.sarah@yahoo.com" appear in a Washington Post story about the Governor. He tried the password recovery tool and found the question. He googled for information about the answer. After a few tries like "high school" he finally got the right one, "Wasilla high".

This is an obvious flaw that most people have with their accounts. Look at your friends' e-mail accounts on services like Yahoo and Google. Go to the logon page, click on something about a "lost password", and check out their secret question. Chances are good that you can figure out the answer. Checking out their question isn't illegal, but successfully guessing the answer might be.

This was how Paris Hilton got her account hacked. Her secret question was "What's your favorite pet's name?". The answer, Tinkerbell, was prominently in the news, so pretty much everyone knew the secret answer.

After calling the Secret Service to get them to protect the VP nominee, the first thing McCain should have done is call a cybersecurity consultancy (like Errata Security) to protect her computer and online accounts. Fixing the "secret question" would have been the first thing we did. This would be followed by changing all her passwords, especially fixing the fact that she probably uses the same password for all her accounts. Next, we would have fixed her home network, especially the insecure WiFi setup she probably has. We would have scanned her computer to see if she were already infected with malware/bots, and then reconfigured her (and her family's) computers so that they couldn't accidentally be infected. We would have made sure that all appropriate data was encrypted, and that she could access her accounts in an encrypted fashion (to avoid pesky things such as Sidejacking). Depending on how paranoid the campaign wanted us to be, we probably would have just backed up everything and wiped all her computers and rebuilt them from the ground up to be secure.

We also would have educated her on cybersecurity. The reason that Gov. Palin was using Yahoo mail to begin with is probably because she found it inconvenient using the VPN software to log on to her office e-mail. We see that a lot in business: people use private e-mail services like Yahoo and Gmail to carry out corporate activities because they are annoyed with how their own computer staff have things set up. Yet, your computer people set things up this way precisely because there are obvious things that hackers can do to break into your data, such as guessing a poorly chosen "secret" question.

It would be harsh to judge Gov. Palin as being stupid about cybersecurity. The risks she chose could be appropriate for a private citizen not in the spotlight. However, those risks changed the moment she became a VP candidate - her cybersecurity was not adequate to defend against the heightened hacking threat.

BTW, most of us at Errata Security are a bit to the right of the political spectrum. Go McCain/Palin!

PS: Yahoo Mail will give your secret question to anybody who asks for it. Gmail will only give out your secret question after 5 days of inactivity on the account. Yet again this shows why Gmail is more secure than Yahoo Mail.

Monday, September 15, 2008

The Perfect NetBook: Eee 701 2G Surf

The Register has a review of netbooks (mini notebook computers).

For security professionals, the best netbook I've found is the original one, the Eee PC 701 (aka. Eee PC 2G Surf). The thing that makes it perfect is the Atheros WiFi card in the computer and the $250 price tag.

WiFi hacking/pen-testing requires a card that can both receive packets in monitor mode and send/inject raw packets.

WiFi was designed with the idea that the chip should include its own low-power microprocessor to take care of all the management traffic. In this way, the host machine can be asleep, saving power. The consequence of this is that the host machine is typically unable to see the raw packets or send raw packets of its own.

Atheros designed its chips to be more open. The "madwifi" project was able to create Linux drivers for Atheros chips that allow full control over packets.

Other chips allow a subset of these abilities. There are several others that allow "monitor mode" to receive packets. Few, though, allow the ability to send every type of packet. They will overwrite the sequence numbers, for example, or prevent fragmentation. Others will refuse to send corrupt packets.

When doing WiFi fuzzing, you need to be able to craft every type of packet, including corrupt packets (indeed, that's the point of fuzzing -- to see how a system handles corrupt packets).

The easiest method for WEP cracking is to replay encrypted ARP packets (identified by their size and broadcast address) over and over to generate encrypted responses. After about 40,000 response packets, the 128-bit WEP can be cracked in just a few seconds. I cracked my home WEP test network in about 15 minutes.

For cracking WPA, you need to be able to send deauth packets to force stations to re-authenticate. You then grab this information and hope they've chosen an easily guessable password that can be dictionary cracked.

The best thing about the Atheros chipset is that there exists full access-point software. That means you can set up the Eee PC as a full access-point. For pen-testing, you can also set it up as an "evil twin" -- so that users log onto your access-point instead of their intended one (allows you to intercept their traffic as they surf the Internet).

The Eee PC models contain Ralink chips for 802.11n. Right now, there are no drivers for either monitor mode or transmit for these chips. (Note that the Wikipedia article on Eee PC claims that all models use Atheros WiFi chips -- this is wrong). You can, however, buy $33 mini-PCI cards and replace the WiFi if you want.

Another important feature is the SD slot within the Eee PC. At NewEgg, 4GB cards are $10 and 16GB cards $40. It's pretty easy to install the BackTrack distro and boot from these cards. You could replace the existing OS, but I'm too lazy and boot distros like BackTrack and Knoppix from SD cards.

Tuesday, September 02, 2008

LookingGlass Vendor of the week: Google

Google just released Chrome, their own web browser. We decided to run it through Looking Glass and it doesn't look half bad. They at least have ASLR enabled on a few of their libraries, no NX though. Chrome is not as bad as some apps I have seen but that is not saying much.

Spammers like Aardvarks more than Zebras?

In the news recently is this story that suggests how much spam you get may depend on the first letter in your e-mail address. It suggests that if you choose an e-mail address like "zebra@erratasec.com" you will receive a smaller proportion of spam than if you choose an address like "aardvark@erratasec.com".

This paper has impressive scientific-looking graphs. The problem is that it really isn't scientific at all. It is a lot of guesswork built upon assumptions.

One of the first problems is that they only looked at a single ISP, Demon Internet (a big ISP in Great Britain). The effects they see could be localized to that ISP.

Another problem is that they ignore most spam. Demon Internet blocks connections from "blackholed" IP addresses (Internet addresses that are known to send lots of spam). They also ignore other kinds of spam, such as those pretending to be bounce messages. The spam they are ignoring may change the picture if it were factored in.

Another problem is how they classify spam, which is done by "Cloudmark". What they may be seeing is not so much that "aardvark" receives more spam than "zebra", but that Cloudmark is more likely to identify it as such (possibly falsely, even).

The author theorizes that "the root cause is likely to be spammers using 'dictionary' or 'Rumpelstiltskin' attacks to guess valid email addresses". There is not nearly enough data to support that theory.

I would suggest a different cause. The UK has a lot of recent immigrants, especially from places like Poland, who have names that start with letters that are not otherwise common in the UK, such as 'z', 'v', 'o', etc. Other spam studies show that English is the most spammed language. An immigrant speaking another language is therefore likely to receive less spam simply because they aren't giving out their e-mail address to English-speaking places.

My theory is testable by doing the same study using the LAST letters of e-mail addresses instead of the FIRST. I suspect that the letter 'i' is not a common last letter of English surnames, but more common elsewhere (such as Poland or Italy). If the author's theory is correct, then there should be no significant distribution among the last letters of e-mail names. If my theory is correct, you'll see a similar pattern as with the first letter. (Note that I doubt either theory is correct - there is probably more going on than either of us can imagine).

In scientific terms, this is a "control". Finding a pattern in spammed e-mail addresses isn't interesting unless you can show that the pattern is unlikely or surprising. I'm not surprised that they found a pattern with the first letter of e-mail addresses. I suggest, however, that instead of the single reason they found "likely", there would be many reasons.
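As an added example (not part of the original post or the paper it discusses), here is the control proposed above: the same spam-ratio tabulation run once keyed by the FIRST letter of the address and once by the LAST letter. The figures in SAMPLE are constructed, not Demon Internet data.

```python
from collections import defaultdict

# Constructed sample, not real measurements:
# (local part of e-mail address, messages received, messages flagged as spam)
SAMPLE = [
    ("aardvark", 1000, 400), ("alice", 800, 300), ("anna", 600, 210),
    ("bob", 900, 320), ("mark", 700, 240), ("zebra", 500, 100),
    ("zoe", 400, 70), ("kowalski", 600, 120), ("nowicki", 500, 90),
    ("rossi", 450, 95), ("smith", 1000, 350), ("davis", 900, 320),
]


def spam_by_letter(records, position):
    """Aggregate (spam, total) per letter of the local part.
    position=0 groups by FIRST letter (what the study did);
    position=-1 groups by LAST letter (the proposed control)."""
    table = defaultdict(lambda: [0, 0])
    for local, total, spam in records:
        if not local:          # skip malformed addresses with an empty local part
            continue
        key = local[position].lower()
        table[key][0] += spam
        table[key][1] += total
    return {k: (s, t) for k, (s, t) in table.items()}


def spam_ratios(records, position):
    """List of (letter, spam/total) from most to least spammed letter."""
    agg = spam_by_letter(records, position)
    return sorted(((k, s / t) for k, (s, t) in agg.items()),
                  key=lambda kv: kv[1], reverse=True)


def ratio_spread(records, position):
    """Gap between the most and least spammed letter. If the last-letter
    spread is about as large as the first-letter spread, the first-letter
    pattern is not evidence for a dictionary attack by itself."""
    ratios = [r for _, r in spam_ratios(records, position)]
    return max(ratios) - min(ratios)


if __name__ == "__main__":
    for pos, label in ((0, "first letter"), (-1, "last letter")):
        print(f"{label}: spread={ratio_spread(SAMPLE, pos):.3f}")
        for letter, r in spam_ratios(SAMPLE, pos):
            print(f"  {letter}: {r:.2f}")
```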

The reason I'm jaded on this issue is the old paper on Outwitting the Witty Worm. The paper concluded that the worm targeted a "hit-list" of machines on a US military base. However, the paper was deeply flawed because the authors looked only at the packet headers instead of the packet payload. If they had examined the payloads, they would have found that there was no "hit-list" targeting a military base. Their conclusion that the data "suggests" an "insider" (who knew about the systems) was therefore completely false.

That is the thing we learn over time in our industry. There are a lot of interesting anomalies to be found out there, but the theories explaining the anomalies are usually bogus. I find Dr. Clayton's anomalies interesting, but I believe his conclusions have absolutely no validity.