-fno -fno -fno stack protection

2 days straight now on IRC (##security on irc.freenode.net if you want to say hi) I have had to help someone compiling a program deal with it failing mid-stream. This is especially prevalent on security packages like fuzzers and such. First, what is stack protection?

Buffer Overflow Protection: In software, a stack buffer overflow occurs when a program writes to a memory address on the program’s call stack outside of the intended data structure; usually a fixed length buffer.[1][2] Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than there was actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly. This type of overflow is part of the more general class of programming bugs known as buffer overflows.[1] ...

January 1, 2011 · 2 min · Nick

Yubikey and my desire to beat the Feds to HSPD12 Compliance

During my Air Force days I was involved with the roll-out of the “CAC” for Air Mobility Command at MacDill. No one could understand why the military would put so much time and money into giving all personnel new ID cards and equipping machines with readers that did nothing at that point. The main feature back then was that when you removed your CAC your machine would automatically lock. Well, that or you would just leave your CAC at work and need to call a coworker to come retrieve you from the gate. What I failed to understand back then was that Multi-factor Authentication (MFA) was something fundamentally needed for our nation's and armed forces' security. This should have been apparent and clear to me as I scattered around some of the base's most secure locations to find mission essential passwords affixed to stickies on the monitor. ...

December 27, 2010 · 5 min · Nick

Using TOR on your Android Device

In my continuation of how to secure your phone habits while on the go, we have come to anonymizing your traffic. There are a few reasons to do this:

- On a public internet network and have no access to a VPN
- In a country that censors the internet (Hi China!)
- You like to keep your identity somewhat off the grid for whatever reason

TOR was developed to allow for all of the above. Due to the open nature of Android and the user-base, it was quickly ported back in 2009. The Guardian Project leads the effort and has since provided 4 main components. Today I will be focusing on the Orbot (TOR+Proxy) and the Firefox extension to allow proxy usage. In addition you can use their Jabber client for anonymous and encrypted chatting. So let's get to setting things up! A few things you need to grab from market: ...

December 12, 2010 · 3 min · Nick

CR-48 ChromeOS Security Posture

Since everyone is talking about the fit and finish (which is great other than the battery) I thought I’d talk about the security of the device. Google has already spoken about the separation of user/system with the web browser functions so I will skip that portion. The majority of my work was looking at how the OS responded to simple pentesting scans. I used version 5.21 of Nmap running on MacOS 10.6 Server. The ChromeOS box was patched as of 12/11/10. ...

December 11, 2010 · 2 min · Nick

Have you been using my CAC?

For the record, if you say "CAC Card" in my presence you will be "SOL Luck" talking again soon. If you are running Linux or Mac there is a good chance you haven’t been touching my CAC, otherwise known as Common Access Card. George Bush signed HSPD-12 way back in 2004 to mandate the usage of CAC and multifactor authentication on federal networks. The DoD giggled as it was already deploying limited installs at choice commands and was way ahead of the curve. The rest of the government and corporate entities are starting to roll out the installs and a common theme I see is lack of heterogeneous OS support. In this day and age your CIO/CTO/CISO must think beyond what the Microsoft sales lead tells them and think of the user base. Here is a big hint to save you from looking silly – You can’t say iOS/Android development is important to your divisions and then mandate they use Windows computers to comply with your SmartCard policy. I only mention that having sat in the room when the mobile development PM had to make his leadership aware they were basically shutting his group down. ...

December 4, 2010 · 4 min · Nick