How Many Requests?

The web used to work like this:

I send an HTTP request by typing, say, “google.com” into my address bar, and I get a single page back.

Simple, right? One request, one page. No hassles. But then people wanted to add pictures to pages, and the easiest way to do that was to make your web browser behave as though you’d typed in a request for each image and send that request too, so it became:

One request, one page, and that page makes you send another couple of requests for pictures.

Let’s play a game I like to call “how many requests does it generate?” Here are some results:

google.com/voice:

Cnn.com:

Facebook.com (This one surprised me; I was expecting a whole lot more):

So going to one web page is really like going to anywhere between 75 and 243 pages. That’s not a problem, as long as the infrastructure of the internet can handle the load we put on it. But the next time it’s a little slow, cut it some slack. It’s handling a ton of activity to tell you how many likes your picture got.
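The “how many requests” game can be played on the HTML itself rather than by watching the network tab. The following is an added example (not code from the original post) that counts the sub-resources a page tells the browser to fetch automatically: images, external scripts, iframes, and `<link>` tags whose `rel` means “go get it” (stylesheets, icons, preloads). The sample page, the host names and the assumption that the page’s own host is `example.test` are all constructed for the example; it also collapses duplicate URLs, since a browser fetches the same URL once and reuses it from cache.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose value the browser fetches without being asked.
SUBRESOURCE_ATTRS = {
    "img": "src",
    "script": "src",
    "iframe": "src",
    "source": "src",
    "video": "src",
    "audio": "src",
    "link": "href",   # only for rel values the browser actually fetches
}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}


class SubresourceCounter(HTMLParser):
    """Collects (tag, url) pairs for every automatically fetched resource."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = SUBRESOURCE_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if not url:
            return                      # inline <script>, <img> without src, etc.
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return                  # rel="canonical" and friends are not fetched
        self.found.append((tag, url))


def count_requests(html, page_host="example.test"):
    """Return request counts for one page: the page itself plus unique sub-resources."""
    parser = SubresourceCounter()
    parser.feed(html)
    parser.close()
    seen = {}
    for tag, url in parser.found:
        seen.setdefault(url, tag)       # same URL twice = one request (cache)
    by_tag = Counter(seen.values())
    hosts = {urlparse(u).netloc or page_host for u in seen}
    return {
        "page": 1,
        "subresources": len(seen),
        "total": 1 + len(seen),
        "by_tag": dict(by_tag),
        "hosts": sorted(hosts),
    }


# Constructed sample page: no real site is represented here.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://example.test/">
<script src="/static/app.js"></script>
<script src="https://analytics.example-cdn.test/tag.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="/img/logo.png">
<img src="https://img.example-cdn.test/photo.jpg">
<iframe src="https://ads.example-cdn.test/frame.html"></iframe>
<script>console.log("inline script, no extra request");</script>
</body></html>
"""

if __name__ == "__main__":
    for key, value in count_requests(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The counter only sees the first hop: every stylesheet and script it finds can in turn pull in fonts, images and more scripts, which is how a single address-bar request turns into the hundreds the screenshots show. The `hosts` list is the part worth a second look from a security angle, since each extra host is another party that learns you visited the page.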

Is Google Chrome Actually Listening?

If you’ve been watching security news this week, you’ve probably seen a number of articles about an exploit that the writer claims allows Google Chrome to be turned into a surveillance tool. If true, this could be very concerning for Chrome users, but as with all things cyber-security related, it’s best to apply some analysis to the situation before one runs for the hills. Here are some of the analysis and questions I asked myself going through this exploit.

What exploit is being presented?

This might seem simple, but it’s an important question to start with. What are you being told is actually broken and exploitable? Most demonstrations of an exploit require lots of other technologies to make them possible, and the media will often mix these other technologies into their articles as being vulnerable too. So what should be focused on? In this case, the author is claiming that once you have given a website permission to use your microphone, Chrome doesn’t always display the “recording” icon if a second window is popped up (Does anyone not close popups with a vengeance? I thought humans have hated them since the ’90s).

Are non-vulnerable technologies being presented as scary?

Now it sounds a little less scary. It’s really just saying Chrome isn’t confirming your permissions setting to you (a bug, no doubt, but far short of turning Chrome into an automated surveillance tool against the user’s will and without their knowledge). If you watch the YouTube video on the bug, most of the video is spent on voice recognition and popups and on demonstrating how the library the author is using can highlight predefined words as the library recognizes your speech. While this has its own implications for privacy, we are now very far away from what the exploit is actually about.

As a side note, an easy way to raise fear in a person when you’re telling them about a vulnerability is to make it personal and to use buzzwords from current events. Whether you’re discussing a Facebook, email, Google, Gmail, or other kind of vulnerability, telling someone you can catch their conversation about finances, boys they think are cute, or the NSA and Syria is a surefire way to get attention. If someone does this, you should question how solid their exploit is and their motives in presenting it.

Does the presenter have anything to gain?

Motives in cyber-security are an oh-so-interesting topic, but let’s stay focused on Chrome and its reluctance to show us that it’s recording.

It took me a couple of times reading through the article to really catch this line:

Now that’s interesting. It’s not an empty boast; his library is on GitHub and has a number of downloads. But it is interesting that his library comes up twice in a not-so-long article, and is a significant focus of his demonstration of a vulnerability that is only tangentially related. His demo code also has calls to Google Analytics, allowing him to see how many people are running his demo.

He also discusses a reward:

Mr. Ater isn’t just crying wolf; this is an issue, and Google needs to fix it. But it is also possible he used a few fear tactics to generate media attention for his work.

Target Malware Attack: Are you at risk?

It’s recently been made known that the Target security breach was at least partially caused by malware installed on their POS systems. There are already a number of good technical explanations of how these work, so I won’t add to that. I’d rather discuss whether your business is at risk. Most of the content from this post comes from an email I sent my manager on the subject.

What the malware does

When a POS system reads a card, the data travels in a path like this:

Physical credit card -> Credit card reader -> USB Port -> RAM -> Application -> Encryption -> Hard disk or network

The data may obviously move back and forth between the application and RAM a few times as it is processed, but the most vulnerable point in the path is when the data is in RAM before the application has touched it, and hence before the application can encrypt it. So for at least a short time the data sits in RAM unencrypted, which is where the trojan can grab it.

Once the trojan has the data, it saves it in a DLL and then waits for a time when most stores (and consequently their networks) will be busy before sending the data over NetBIOS to a control server (which is how they get data out without the POS having an internet connection). That server can then forward the data to a server on the internet (there isn’t a ton I could find on this last step, but it would probably look like other data exfiltration).

Why Target was vulnerable

Apparently the hackers were able to get this software onto a large number of POS systems at Target and scrape credit card data during the busiest time of the year (Black Friday). Every customer who comes through Target has to pay somehow, and a lot of them use credit cards. The high rate of customers through each POS system meant that a single compromised system would see a lot of individuals’ information.

Until now, POS systems have not gotten much public attention for needing to be secured, which probably means they’re running old operating systems (I’ve personally seen a lot of XP) and probably don’t get patched frequently. That may have made it easy to infect large numbers of POS systems very quickly.

How can I stay safe?


If you have an IT department capable of network segmentation, put your POS machines on a segment by themselves, and watch for any ICMP traffic coming out of them. Also lock down the ports that they are allowed to communicate with. Obviously they need to get Windows updates and communicate with a server to send sale data, but you should know every port they talk to and prevent them from doing anything you don’t understand.

If you don’t have an IT department capable of doing this, make sure you patch your POS machines frequently. Run antivirus and malware detection on them. If you buy your POS machines from a vendor who handles patching, make sure your vendor is patching them and keeping them up to date.
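The segmentation advice above boils down to a short allowlist: a POS machine should only ever talk to the handful of servers it needs, and anything else (ICMP, NetBIOS, or an unexpected port) deserves an alert. The following is an added example (not code from the original post or from any POS vendor) of that check run over a few constructed flow records. The POS VLAN, the sales and update servers, the port numbers and the log format are all assumptions made up for the example; a real deployment would build the allowlist from what its own POS software actually needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical POS VLAN and the only destinations its hosts should reach.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_EGRESS = {
    ("10.10.0.5", "tcp", 8443): "sales server",
    ("10.10.0.20", "tcp", 443): "Windows update server",
    ("10.10.0.53", "udp", 53): "internal DNS",
}
# NetBIOS name/datagram/session ports: the channel the post describes for moving data off the POS.
NETBIOS_PORTS = {137, 138, 139}


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: Optional[int]   # None for protocols without ports (ICMP)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<timestamp> <src> <dst> <proto> <dport|->'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(
        ts,
        ipaddress.ip_address(src),
        ipaddress.ip_address(dst),
        proto.lower(),
        None if dport == "-" else int(dport),
    )


def classify(flow: Flow) -> Optional[str]:
    """Return an alert reason for traffic leaving a POS host, or None if it is expected."""
    if flow.src not in POS_SEGMENT:
        return None                      # not a POS machine; out of scope for this check
    if flow.proto == "icmp":
        return "ICMP from POS host"
    if flow.dport in NETBIOS_PORTS:
        return f"NetBIOS ({flow.proto}/{flow.dport}) to {flow.dst}"
    if (str(flow.dst), flow.proto, flow.dport) in ALLOWED_EGRESS:
        return None                      # one of the known, required destinations
    return f"unexpected {flow.proto}/{flow.dport} to {flow.dst}"


def audit(lines):
    """Run every record through classify() and collect (flow, reason) for the suspicious ones."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow, reason))
    return alerts


# Constructed flow records; addresses and times are invented for the example.
SAMPLE_FLOWS = """
2013-12-02T11:31:07 10.50.0.17 10.10.0.5 tcp 8443
2013-12-02T11:31:09 10.50.0.17 10.10.0.20 tcp 443
2013-12-02T11:32:44 10.50.0.17 10.20.0.9 icmp -
2013-12-02T11:32:45 10.50.0.17 10.20.0.9 udp 138
2013-12-02T11:40:02 10.50.0.23 203.0.113.10 tcp 80
2013-12-02T11:40:10 10.10.0.5 10.50.0.17 tcp 8443
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}: {reason}")
```

The check is deliberately strict: any NetBIOS from a POS host is flagged, even inside the segment. If your POS software legitimately uses SMB or NetBIOS to reach a store server, add that exact host and port to `ALLOWED_EGRESS` rather than loosening the NetBIOS rule, so that the allowlist stays a record of every port the machines are known to talk to.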

Engineers vs. Help Desk Technicians

Second post coming out of my work combining two teams and creating a help desk.

I’ve spent a lot of time studying the difference between an engineer and a help desk technician. I think it’s easiest to approach it through bullet points:

When presented with a problem

  • A help desk technician takes down a name, a couple keywords about the issue, and searches a knowledgebase of some kind or takes the notes to a supervisor to ask them what to do.
  • An engineer has background knowledge about the system or technology that is having a problem. They wrote the code, created the configuration files, etc. They turn on the creative side of their brain and start working on a new solution.

When asked to give an opinion

  • A help desk technician panics because opinions aren’t in the documentation.
  • An engineer spews forth sermons on the benefits of VI over VIM, Chrome over Firefox, etc.

When told they are going to support a new technology they haven’t worked on previously

  • A help desk technician cringes because they have to memorize how to find more documentation.
  • An engineer gets excited because they get to learn something new.

I may sound a little critical, but I’m not trying to be. I’ve been in both of these roles at various times in college and after, and they’re two different skill sets. One is just easier to train on a new job than the other. What’s also interesting is that a person with either job title can act like the other, but one transition works better than the other.

Help Desks


This post isn’t security-oriented or technical. It’s just what I’m working on most recently. At work, a management decision recently blended our Network Infrastructure and Security teams together, and I was asked to run a project melding the two “on call responsibilities” and figure out a single point of contact or help desk setup so people would know how to contact us.

Help desks are tricky things. The ideal (most expensive) solution is to have happy, highly intelligent people on call 24 hours a day, so that when the phone rings, someone who can answer the question is immediately available.


But it isn’t cost effective to have your software engineers sitting on the phone all day doing nothing but waiting for a call, so you start having them do project work and watch the phone too. But then their project work takes priority and they can’t answer the phone, so you hire a less qualified person that you can pay less to watch the phone during the time the engineer can’t be available, and have the engineer write documentation for the less qualified person to cover whatever they don’t know.

That solution sounds good. The less qualified person answers the phone, finds the documentation or script they need and can answer the question. But engineers write documentation for engineers. When you have someone with less experience or education than an engineer reading it, the call usually turns into this on one end or the other:

I don’t think there’s a good way to convince engineers to get excited about answering phone calls. Maybe donuts every Monday or something. Really, help desks are just difficult. And you do the best you can with the people and skills you have.

Is I Robot coming?

Google has been in the news a lot lately for buying a number of robotics companies. If you’re not familiar, just search “google robotics” and read an article similar to, “Google plans to take over the world with advanced robotic war machines” (or something that sounds catchier with the same meaning).

Basically, Google purchased a company that builds robots (pretty advanced ones, some of them pretty creepy at the time of this writing), which sparked a lot of discussion about which sci-fi movies were coming and whether we have to start worrying about Terminator or I Robot coming true.

We’re still pretty far off from either of those. Don’t get me wrong, Google’s robots are still scary and could be dangerous, but they’re not going to be creepy in the way I Robot or Terminator was. Google’s robots have strong movement ability, agility, and are able to carry a lot of weight. But they’re not advanced in AI or human interaction.

These robots are really no different from a UAV or a car with a remote control; they’ve just developed different methods of locomotion. There’s no intelligence there, no ability to decide to kill their human masters and turn them into batteries.

What should actually scare us are things like IBM’s Watson, which played Jeopardy really well.

Even though Watson might just look like a box, its ability to correlate events and answer questions is a lot closer to what makes I Robot and Terminator scary. The advances IBM made building Watson brought us closer to I Robot than any “big dog” running around a parking lot. I guess the lesson here is to package your robots cute so people won’t panic.

NOTE: There’s another article about what makes robots creepy, but hopefully I’ll have another post on that later.