Robert J. Brown is the Director of Information Security for WesCorp, the nation's largest Corporate Credit Union with $24B in assets and 1100 Credit Union members. He has over 13 years of experience in the information security industry as an entrepreneur and founder of an INC500 company as well as in senior consulting roles for PricewaterhouseCoopers and Trusted Information Systems. He also holds the CISSP and CISA certifications.

February 8, 2009

CUISPA 2009 References

Enclosed are the links and references used to create the CUISPA 2009 presentation on Mobile Security.

Admob Mobile Metrics
Mobile Device Information
WAP Development Considerations
WAP 2.0 User Identification for Secure Services
Mitigating Cross-site Scripting with HTTP Only Cookies
HTTP Only Cookies
Morgan Stanley Technology & Internet Trends
WURFL
iPhone for the Enterprise
OWASP
Barclays Tightens Mobile Banking Security
Mobile Banking - Is it Ready for Prime Time
Cross-domain Cookie Provider
mFoundry
Firethorn
MShift
iPhone User Interface (CSS Library)
Microsoft ActiveSync Deployment Guide

For whatever reason, the last linked Microsoft document was very difficult to locate. Most ActiveSync instructions are on blogs or other sites but this is the real MS deployment guide.

December 7, 2008

Tyan Toledo q35T S5220 motherboard and FreeBSD

This is a short recap of experiences with FreeBSD on the Tyan q35T S5220 server motherboard. I had not seen a similar post elsewhere on the net so I put this together in an effort to help others who might have this board.

Before you begin, make sure you have the latest BIOS from Tyan. They don't distribute it on bootable media, so you probably have to hack around placing the BIOS files on a bootable CD image from www.bootdisk.com.

With FreeBSD 7.0, the first thing I saw was that the boot process hung and did not complete when starting from a CD on the PATA/IDE chain. It does successfully complete the bootup and launch sysinstall for FreeBSD 8.0 (200812 snapshot) but that's another story since I want to run 7.X for now.

My goal was to run the root disk as a 500GB PATA/IDE drive. I had this on the PATA interface with a DVD-ROM, both using cable select. After research and testing with 8.0 as well as Linux to get a better feel for the hardware, the first thing to know is that the PATA (IDE) controller uses an ITE 8213 chipset. This was not supported in FreeBSD until a commit to the 7.0-STABLE branch after release (in October 2008).

Given the recent support for this I figured there was an issue with the DVD-ROM that was on this controller. I also have an external Plextor PX-716UF. I figured USB support would be better so I booted the 7.1-RC1 install CD from this drive instead. I launched all the way into sysinstall this time and was able to successfully start the installation from the Plextor. I am still unsure of why this did not work from the PATA DVD-ROM but I'll troubleshoot and file a bug after a bit of time getting the OS up and running. I thought I was out of the woods... but was foiled by many cd0 read errors and a failed installation. I re-burned the distribution CD in case my media had a problem but it didn't help so perhaps there is ALSO a USB problem.

I couldn't give up at this point so I figured that I would try the BOOTONLY CD and install via the network to minimize information reads from the CD. I booted successfully, configured the network, and installed without any read/write errors. I went with the minimal install just to be safe. After a reboot the OS booted properly with no other issues. This was cause for celebration.

All of this took many hours to figure out. The short of this is that if your FreeBSD install hangs somewhere, try installing from a USB DVD/CD drive instead of one on the PATA chain. If that still doesn't work, try the bootonly and an install from the network. That turned out to be the key to at least getting to a bootable multiuser system.

November 10, 2008

FreeBSD 7.1 Xorg configuration for VMWare guest

I thought it might be useful to post a properly configured /etc/X11/xorg.conf file for running FreeBSD 7.x under VMware Workstation using the open-vm-tools. This configuration works for me with Gnome on FreeBSD for both the mouse and screen options. Note that you do not have to have the console mouse configured - this config uses the direct PS/2 device.

Note that you may have to update the font paths. The /windows font directory represents a copy of the C:\windows\fonts directory from a Windows XP system. This enables all of the Windows fonts to be available to FreeBSD. The other font directories were all installed via the FreeBSD ports system.

xorg.conf

August 30, 2007

LinkedIn PwC Alumni - Revised Instructions

Here are the updated instructions for joining the PwC Alumni group on LinkedIn as of late 2008.

1. *** IMPORTANT *** If you did not previously work for PwC, PW, or C&L, you are not eligible for the group. This includes all of the recruiters who regularly request group access and are denied. Please don't click the link if you didn't work for the firm.

Let me state that again because it is regularly ignored.

If you did not previously work for PwC, PW, or C&L, you are not eligible for membership in the group. This includes recruiters, HR managers, people who try to join every possible LinkedIn group, etc.

Assuming you worked at one of the firms, and ONLY if you worked at the firm, click on this link. You will now be listed in the system as having a pending membership to the group.

2. Make sure your PwC work experience is on your LinkedIn profile and is visible. Some people have elected to keep it private which is fine, but you definitely need to send me an email if I can't see PwC somewhere on your profile.

3. If you do not have PwC listed on your public profile, send me an e-mail to rjb .a.t. robertjbrown .d0t. com. You will have to manually insert the @ and the . in my address - otherwise spammers will find me. Mention that you wish to join the group and also provide the name of the partner you worked with most frequently.

It will take a minimum of a few weeks to approve membership to the group. The volume of requests has grown from a few per week to close to 20 per day. There are over 3000 group members as of this post and it is becoming a very valuable resource for reaching out to former colleagues. The time it takes for approval is increased when non-PwC alums request membership in the group which is why the wording above has been highlighted.

It will not increase the speed of your approval by sending additional e-mails. All approvals are tracked in the system, so if you see it in your profile as 'pending' your request for membership has been added to the pending queue.

August 30, 2006

ConsumerReports Virus Test

If you haven't seen the news reports, Consumer Reports has been catching quite a bit of flak for their recent test of antivirus products. The methodology they used was to take existing viruses, modify them in some way, and then test to see which virus scanning products picked up their "new" viruses. Apparently many people in the security community think this is a Bad Idea because it involves the creation of "new" viruses. This was irresponsible in their eyes.

I'd like to outline why I think what Consumer Reports did was a good thing and why I am in support of their efforts.

The major virus software developers, including McAfee and Symantec, have an enormously profitable business selling software and virus definition updates. It's a great business idea - people keep paying for the software over and over because it is licensed and not sold outright. The challenge from a security perspective is that antivirus software is more reactive than proactive - it has similarities to the traditional issues with a pattern-based intrusion detection system. They are both great for stopping specific known threats, but do not work as well against unknown threats.

To understand why this is an issue, let's think about how an attacker works. Look no further than 9/11, Richard Reid, or the recent case in London of the liquid bomb plot. The attackers analyzed the security controls in place at the airports and attempted to exploit vulnerabilities in those defenses. They did not try to pack a suitcase with a bomb and check it in because they knew that this was not as likely to work and may be caught in the security scanners. In the same manner, an attacker wishing to distribute a virus can test their new code against the top products in the market just by downloading them. The bad guys are analyzing the defenses to find a hole. It's an endless arms race and the only way to get better is by improving the products to better defend against new attacks.

Focusing on this specific class of product - antivirus - how do you defend from a situation where the bad guys can see your controls and create tactics to evade them? One way is to improve the products in such a way that they are self-defending. McAfee even claims to have done this on their web site:  "<VirusScan's> advanced heuristics and generic detection even finds new, unknown viruses."

I'm glad the product is able to do that. As an informed consumer, I'd like to know how well the product stacks up to those claims. As a CISO, it's my business to identify and mitigate risks to my company. I want to know what product can best protect me from both known and unknown threats.

Moving back to Consumer Reports, they figured (rightly so) that the only way to validate the product claims was to modify existing viruses and test them against the software. So they created new variants of known viruses and reported the results. Did their new viruses "escape" and infect anything other than their testbed? To date, nothing has been reported. No damage was done because they appear to have employed care in how they conducted the test. I would expect this from an industry-leading product evaluation company that brought in competent security consultants such as Dr. Avi Rubin.

What's the bottom line? Consumer Reports obtained an independent test result that I am very interested in - which products were best able to cope with new and evolving threats. This information is valuable to me because it was created by a credible not-for-profit institution and provides details to help me choose the best product for defending against both existing and new threats.

August 20, 2006

WPAD: Windows Proxy Auto Detect Vulnerability

I was installing my own Squid cache this weekend for my home network and wanted to set it up such that when my devices are home, they automatically use the proxy. I looked into it a bit, and Windows Proxy Auto Detect, or WPAD, seemed like a good solution. Basically, you turn on "automatic proxy detection" in your browser - be it Internet Explorer, Firefox, Flock, Safari, or anything else - and it automatically finds the proxy server.

How does it find the server? It uses a DHCP configuration setting or DNS to search for the entry "wpad.yourdomain.com" where yourdomain.com is your local domain as served up by your DHCP server. If that host resolves, it looks on that server for a wpad.dat file - a small bit of JavaScript that tells the browser what the proxies are. If that file is there, the browser blindly trusts it and executes the JavaScript to obtain the proxy settings right from that file - even if you have completely disabled JavaScript in the browser. The next logical question for me was "where is the authentication for this?" and the answer is: there is no authentication.
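To make concrete what the browser actually runs, here is an added example (not from the original post) of a wpad.dat for the home Squid scenario above, together with minimal stand-ins for the helper functions a browser exposes to the script, so it can be exercised offline. The host names, the LAN range and the Squid port are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post. Host names, the
// 192.168.1.0/24 LAN range and port 3128 are assumed for illustration.

// --- helpers the browser normally provides to the PAC sandbox ---
function isPlainHostName(host) {
  // "intranet" is plain, "www.example.com" is not
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // true when host ends with domain, e.g. ("nas.home.lan", ".home.lan")
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run, '?' matches one character.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- the body of wpad.dat: whatever this returns, the browser uses ---
function FindProxyForURL(url, host) {
  // Keep loopback, plain intranet names and the home LAN off the proxy.
  if (host === "127.0.0.1" || isPlainHostName(host) ||
      dnsDomainIs(host, ".home.lan") || shExpMatch(host, "192.168.1.*")) {
    return "DIRECT";
  }
  // Everything else goes through Squid; fall back to DIRECT if it is down.
  return "PROXY squid.home.lan:3128; DIRECT";
}
```

The only thing standing between this file and an arbitrary proxy is who controls the name wpad.yourdomain.com; nothing in the PAC format itself lets the browser tell a legitimate wpad.dat from a substituted one.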

This is scary for a number of reasons. If you can set a proxy for someone, that means you can force them to connect to a proxy YOU control. This is a man-in-the-middle attack and you can now obtain login credentials or anything else - including for SSL sites. Now, this gets even better if you combine it with a DNS cache poisoning attack or a second/fake DHCP server. How about you go to the local wireless hotspot and redirect WPAD to a server you control (even prior to asking for the credit card input)? You can now intercept their browsing sessions. How about you check into a local hotel? Do you suspect that a number of executives will be staying there with browsers preconfigured to look for a local proxy? I do. Oh, and the best part of this is that this is 100% transparent to the user - no pop-up box or other warnings are provided.

Allowing an unauthenticated network device/file to modify your behavior without your knowledge or consent is bad security. Although there have been published exploits for this in the past (and Microsoft fixes such as MS99-054), this remains as a vulnerability - especially combined with DNS cache poisoning or a second DHCP server controlled by an attacker. In today's world, the assumption must be made that computers are not stationary. They move around, and hence their security environment changes with them. Long-standing "features" like WPAD should be either secured or eliminated based on risk. The world has changed since this was introduced and our products should also change based on the updated risk profile.