After recently misplacing a USB drive (luckily already encrypted), I decided to put  together a quick guide for anyone interested in securing their data on USB/Local drives through encryption, using free tools available for download. 

These days everyone stores huge amounts of data on USB drives (be it small pen drives or larger hard drives reaching 1TB or more). We carry this information around in our pockets everywhere, sharing with co-workers and friends, at our clients and perhaps even in public locations.

The main question you should ask yourself from a security standpoint is “What stops somebody from connecting to your drive and viewing/stealing/destroying your data?  

Remember the old DOS command format L:\ /q (this one quickly deletes Gigabytes of data in seconds – of course we could use tools to recover at the expense of your administrator’s time and nerves..).

  Read the rest of this entry »

Gartner has listed tablets and mobile-centric applications as the top two technology trends for 2012, stating that “The implications for IT is that the era of PC dominance with Windows as the single platform will be replaced with a post-PC era where Windows is one of a variety of environments IT will need to support.”

CIO magazine says: “Mobile applications must be as effective as their desktop and notebook counterparts. “Getting mobile right requires a broad range of device support, a central point of control, a wide security net that ensures corporate data is never compromised, and the ability to shield end users from integration complexities.”

The term “mobile” now encompasses such a broad range of facets that it has become a subject related to the underlying IT architecture of a company, thus representing challenges for both IT and business, who need to work together to maximise efficiency, adoption and return.

The following are three common and basic challenges explained in simple terms:

• The choice of mobile devices for employees
• The management of the mobile fleet
• The choice of application development tools

1.      Choice of mobile devices – data security

Implementing a coherent policy for mobile phones and tablets is a major concern, as the choice has a direct impact on data security.

Should employees be allowed access to systems using their personal smartphones? Should the company provide separate smartphones to its employees for business purposes? If so, can we and should we allow employees to use these smartphones for personal use as well, without compromising data security?

Several factors need to be analysed in order to make such decisions, such as:

What type of smartphones/platforms can the IT department manage? iOS? Android?  Windows Phone? Blackberry? Even though other mobile platforms exist, the trend leans clearly to these market leaders. Even if Microsoft is a little behind at the moment, the teams in Richmond are working hard to catch up.

What kind of devices are your employees using already? Adoption is a key factor. The mobile trend is completely driven by consumer behaviour.

The choice of a mobile fleet management tool also has a huge impact on the choice of devices. I’ve gone into more details in the next point..

2.      Mobile Device Management

Commonly known as MDM, this is the corner stone of a corporate mobile policy. It’s through this solution that we can manage users, access to application, configuration, loss, theft, etc.

How to make the choice?

Go through a proper analysis phase. There are a few major players in this domain, as well as some very interesting niche solutions (refer to Gartner’s Magic Quadrant). In seeing the numbers of big players who are racing to offer these solutions, there is no doubt that the future of MDM is looking bright, and choices will open up even more.

 3.      Developing Applications

The move to mobile in the enterprise will be boosted by the use of tablets,  and users will want an increasing number of business applications to run on these devices. Will you develop web applications or native applications?

How will you develop a corporate strategy that dictates the choice of development tools?

From my perspective, companies should be pragmatic:

• What kind of resources do you have internally to manage the development life-cycle? How will you train them?
• How do you choose suppliers who have mastered this domain?
• How to deal with the pro/perso concern?

  In conclusion, defining a mobile policy should be taken seriously, as it will have a real daily impact on life within your company. Enterprise mobility is the biggest single trend across tech industry investment and innovation, even outpacing the cloud computing trend, states the Forrester report entitled, “Another Year of Outperformance for the Tech Industry — Forrester’s 2011 Tech Industry Predictions.” Analysts predict that by 2014, the primary method of accessing the internet will be through mobile devices, which will increasingly replace the traditional desktop.

The risk of not having a solid corporate strategy could be costly:

• Disruption of business processes: The functional failure of  IT systems—of which mobile apps are now solidly included.
• High cost: An ad hoc approach to building out the mobile application architecture will eventually result in time-consuming, manual intervention to maintain.
• Lack of business agility: A poorly planned mobile architecture that cannot support dynamic business strategy shifts can hold the entire business back.

The competition

Jurackerfest.ch, which took place on August 27th, was part of the first edition of Jura Security Days. This event was organized by BIMO (www.bimo.ch), whose aim is to promote quality software development, and featured conferences running throughout Friday and Saturday. The white-hat hacking competition was organized by SCRT (www.scrt.ch) who are the organizers of the renowned Insomni’Hack.

In the morning we practiced on specially crafted websites designed with specific errors to give participants an idea of what they would be facing during the contest. After a brief lunch break, we were given two hours to solve a set of 10 varied problems, ranging from a (fairly simple) protocol hack, to an exercise in steganography which no team managed to solve in the timeframe given.

The atmosphere

Arriving early, the competition room was fairly empty and quiet, but as the starting time neared, it quickly becamecrowded and lively. Participants came from an array of different backgrounds; there was a technical school teacher with about fifteen of his pupils, quite a few qualified and experienced developers, a few security experts and lambda citizens interested to pick up a few things along the way…

The buzzing of laptop fans and the smell of energy drinks was overpowering!

The funniest part of it all was that in order to prove that one had indeed found a solution; one had to explain how it was found. And as the solutions themselves usually consisted of random characters, people were constantly running to the referee table with their laptops in their hands, to be able to show both the solution and how they had found it!

The team

Competing with me was Nicolas Heiniger, currently working in IT security for the Hôpital du Jura. We studied at the EPFL together and spent many exercise sessions tuning our brains to work together (along with three more classmates, who could unfortunately not make it). Knowing each other’s strengths allowed us to split the challenges efficiently.

Nicolas was running a Linux Backtrack distribution (a dedicated penetration testing OS), while I was running Ubuntu Natty almost out-of-the-box (with zsh and vim added to it).

A sample challenge

Out of the ten challenges:

• One was a cypher to decode (a variation on a Cesar cypher)
• Two were oriented towards reverse engineering
• Two were so-called “trivia” challenges (steganography concepts actually)
• And the last five were web oriented (e.g. hacking a JavaScript authentication, overriding a htaccess authentication, a SQLi hack for a database authentication…)

One of the reverse engineering challenges consisted of finding the password verified by a python function.

The source file, which we were given, wasn’t too complex (remember we only had two hours to solve ten challenges):

• When run, it checked that the number of arguments was correct and if so, started verifying the user input – if not, it printed usage instructions.
• The verification consisted of a series of tests, based (amongst others) on comparisons between the value of an internal variable and the position of one character of the input string in the ASCII table (i.e. the value of the corresponding byte).

One of the tests (the last one) checked that the length of the input was exactly seven. Working backwards from there (and with the help of an ASCII table), we were able to work out that the code was Jc4HAcK.

My conclusion

All in all, a very fun day and a thrilling experience (more in my league than extreme sports, admittedly). And a surprisingly satisfying outcome, since Nicolas and I were first-timers in an ethical hacking contest. Next time though (andyes, there WILL be a next time), I’ll make sure I have all the necessary tools installed before going, rather than lamenting not having Internet access from there!

 PS: How did we fare?

Well, we were proud 3^rd place winners… and got our pictures in the local papers! View the article (in French).

From now on, every company with an online presence can be the target of attacks

This article was written by Fabrice Perrin, a Practice Manager at blue-infinity, and was published in the April/May edition of Market magazine. The original French version can be viewed here.

Recently, the world saw a rise in the power of social networks in Middle Eastern countries, where the sites played a role in the coordination of demonstrators and the dissemination of information on the activities of the authorities. But this progression was also felt in Western countries, with a key example being the group ‘Anonymous’.

Read the rest of this entry »

For my last semester of studies in Fall 2009 / Winter 2010, I had the opportunity to spend a six month internship with CERN’s Computer Security Team.

The aim of the project assigned to me was to provide CERN developers with a set of simple tools to review their source code and improve the quality of their software, with a particular focus on security. To achieve this goal, I reviewed and compared a few dozen tools, using about 200 million lines of code retrieved from source controlling systems as a basis for the comparison.

Read the rest of this entry »

We live in an over-networked world where security becomes more and more important to protect us from information thefts, servers downtimes and other attacks.

Various solutions exist. I have recently given an  internal presentation to present  Prelude SIM (Security Information Management) System, a project I have contributed to. It’s an  OpenSource solution which allows you to monitor in real-time your infrastructure by correlating events from deployed sensors such as Snort (IDS), Samhain (FileSystem Integrity Checker) or Prelude-LML (Log analyzer) and  helps you react quickly to a potential attack.

Here are my slides : Prelude SIM Talk