I’ve updated the perl code used to archive the IEEE registry files for OUIs (now relabeled by IEEE but that’s solely for branding purposes so I’m not going to bother to switch my own terminology). The changes were mostly to deal with the new size offered (OUI 28-bit) and some minor formatting changes. Only other change was to move to a recursive directory storage for storing the files to keep things neater.
The real work has been on all-new code written in Python to support a new approach for storing DeepMac metadata. The classes I’m working on will eventually allow for adding, deleting and changing data in the repository in a journaling style, where all changes are recorded. So even if something is “deleted” there’s still a record of it having existed. This will be quite handy in the future.
Once the code is actually working with an initial filesystem prototype there will eventually be a Web-based and database-based connection supported. My plan is to ultimately have an API that will make it programmatically simple to be able to add new data to the repository, either manually or in an automated way.
The final step will be to have the current web-based search system moved to using the new repository on the backend (it’s still using the old MySQL database I originally created in the early alphas). The search engine will let you see the “current” snapshot of all the metadata but also allow a view of historical data.
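To make the journaling idea concrete, here is an added Python sketch of an append-only journal with replayable snapshots and per-prefix history. It is not DeepMac’s code; the class, field and operation names (`Journal`, `add`/`change`/`delete`, `snapshot`, `history`) and the sample OUI values are assumptions made for this illustration.

```python
"""Append-only journal for OUI metadata (illustration, not DeepMac's own code).

Every add/change/delete is recorded as a new entry; nothing is overwritten.
The 'current' view is produced by replaying the journal, and a deleted
prefix still has its full history available. Names here are assumptions."""
from dataclasses import dataclass, asdict
import json
import time


@dataclass
class JournalEntry:
    seq: int       # monotonically increasing position in the journal
    op: str        # "add", "change" or "delete"
    prefix: str    # e.g. "00:1A:2B" (24-bit) or "70:B3:D5:1" (28-bit) style
    data: dict     # metadata payload; empty for "delete"
    ts: float      # wall-clock time the entry was recorded


class Journal:
    def __init__(self):
        self._entries = []

    def _append(self, op, prefix, data):
        e = JournalEntry(len(self._entries), op, prefix, dict(data), time.time())
        self._entries.append(e)
        return e.seq

    def add(self, prefix, data):
        return self._append("add", prefix, data)

    def change(self, prefix, data):
        # Refuse to "change" something that is not currently present,
        # which catches typos in the prefix before they enter the record.
        if prefix not in self.snapshot():
            raise KeyError(f"{prefix} is not present in the current snapshot")
        return self._append("change", prefix, data)

    def delete(self, prefix):
        if prefix not in self.snapshot():
            raise KeyError(f"{prefix} is not present in the current snapshot")
        return self._append("delete", prefix, {})

    def snapshot(self, upto=None):
        """Replay the journal to get the current view, or the view as of seq `upto`."""
        state = {}
        for e in self._entries:
            if upto is not None and e.seq > upto:
                break
            if e.op == "delete":
                state.pop(e.prefix, None)
            else:
                state[e.prefix] = {**state.get(e.prefix, {}), **e.data}
        return state

    def history(self, prefix):
        """Every recorded operation on a prefix, including ones after its deletion."""
        return [(e.seq, e.op, e.data) for e in self._entries if e.prefix == prefix]

    def dump(self):
        """Serialise as JSON lines, one entry per line, for an append-only file."""
        return "\n".join(json.dumps(asdict(e)) for e in self._entries)

    @classmethod
    def load(cls, text):
        j = cls()
        j._entries = [JournalEntry(**json.loads(ln)) for ln in text.splitlines() if ln]
        return j
```

Because the file is only ever appended to, `snapshot(upto=...)` gives the historical view at any earlier point without a separate audit table.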
Yesterday (May 28th, 2014) the truecrypt.org website suddenly started redirecting to the project page on SourceForge. The redirected webpage claims TrueCrypt is insecure and won’t be fixed, and urges people to migrate to Microsoft’s proprietary, Windows-only BitLocker solution (TrueCrypt is multi-platform and supports multiple Linux OSes as well as Windows).
As of right now (5/29/14 at 10:00 EST), there is no further information available. There is however quite a bit of Internet echo-chamber effect and a rising tide of hysteria from many corners (a lot of Fear, Uncertainty and Doubt aka FUD). Even Brian Krebs is reporting the sudden change at face value (http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/).
There are many scenarios that would explain this very sudden switch over. I’m going to try and avoid those and focus on some facts here:
- TrueCrypt is open source software. The source code is still available, including the code before the most recent changes. If there are security holes in it, they could be fixed (though at what resource cost would be pointless conjecture).
- TrueCrypt is cross-platform. It’s not just Microsoft Windows but also Linux and Mac OS X as well. However, the current SourceForge page for the TrueCrypt project makes only a glancing reference to those and focuses entirely on migrating to BitLocker on Windows. There’s a sub-page that mentions other platforms, but even for Linux it only tells you to use the TrueCrypt 7.2 binaries (there are *nix programs besides TrueCrypt that can at least read TrueCrypt containers).
- While it is true the current binaries on the TrueCrypt webpage are signed with the same keys as earlier binaries, and the truecrypt.org domain registration still continues to use the same nameservers, the original static webpage for TrueCrypt.org has been removed and replaced with a redirect to the SourceForge project page. Sub-pages of any sort use a meta-refresh technique however, indicative of the entire website directory having been moved aside and a new webserver config put in place.
- Since the TrueCrypt announcement does not stipulate any details on the supposed insecurity of TrueCrypt, it’s unknown if the problem would be in the code, the container format, the encryption algorithms or some combination thereof. Note that lack of WinXP support from Microsoft is not a hard barrier to continued TrueCrypt development though.
What do these facts mean? There is no reason to do anything immediately. There are alternatives to access TrueCrypt containers that do not require decrypting TC containers wholesale. Many trustworthy individuals will probably have untainted, archived binaries. The source code can be forked and new projects spun up around it (FOSS shows its greatest resilience and strength in times like this). And lastly but most importantly: We do not have any sort of out-of-band verification of this announcement.
At this point I see no reason to abandon use of TrueCrypt. Planning for the possibility is not unreasonable, but rushed implementation without all the questions answered could seriously risk the secrecy of your data. It will not take long for more concrete details to emerge, or a successful fork of the code to be established by trustworthy individuals.
(Meanwhile, 6 years later…)
I’ve been very busy the last four years, mostly with the classic combination of work, school and family. I decided that in 2014 I’d do a major new push on the DeepMac project. This has been inspired in part with recent changes at IEEE on how MAC space is being sold and just the overwhelming need to get on with it already!
I’ve actually been working in part the past few months on a “reboot” of the DeepMac project. Part of that was updating my archival system of the OUI data from IEEE. Mostly it’s focused on a redesign of how the data will be stored and manipulated though. I’ve already got some Python code hammered out and will be doing more over the coming months.
So stay tuned for more updates as they happen.
I probably should have posted this sooner but I was too busy trying to get something (mostly) functional to talk about.
I will be doing an informal, ad-hoc presentation on DeepMac at Evil Robot Con on Saturday, September 12th. See the Evil Robot Con website for details on the conference, schedule, location, etc.
And the good news is I have a pretty functional DB up and running that people can actually query. I’ll be making it public after the conference, during which I hope I’ll discover any horrific problems or gotchas and be able to fix them. :)
I’ve uploaded a text file giving detailed instructions on how to set up a development environment under Windows for compiling the NessusWX client software. The document explains everything in excruciating detail and can be found in the files section. Have fun!
Once again, Microsoft has decided that when you install a “critical” security patch via their Update service, they can add unrequested software silently and it’s not only OK, but no one will notice.
This time around it’s the release of the .NET v3.5 Service Pack 1, which will also silently add a Firefox extension (even if you don’t have Firefox installed, and yes that’s possible). You will never be prompted if this is OK, and what’s more, you can’t easily uninstall it.
Yeah. Real cute.
So here’s how they do it. Here is how to remove the offending extension if you are so inclined. And here’s someone else who discovered the same thing, so props to him.
So what has Microsoft done wrong with this? Simply:
- Modified a user’s third-party application without permission, from either the user or the third-party vendor (Mozilla)
- Created yet another potential channel for unsolicited software installs (ClickOnce)
- Prevented the average end-user from being able to uninstall the unsolicited extension
- Deceived users by implying this was a critical security patch when in reality it is much more
Anyone who has any version of .NET installed will be offered v3.5 as a critical security patch when they use Windows Update. If you have Windows Update set to automatically update then you’ve just been given a new Firefox extension.
It does not appear that this is the case with Vista users, though that is not fully confirmed yet.
I’ve updated my article on performing an Annual Identity Check. It now includes details on requesting credit reports from Innovis, TeleCheck and more. And I re-verified all the phone numbers and website links. You can read the article here.
This Christmas my daughter got a Fisher-Price Kid Tough digital camera from a relative. It’s an adorable pink camera of modest resolution with a USB cable to use for downloading the pictures to your computer.
And it comes with a free virus! Yay!
Fortunately, my anti-virus software instantly detected the malware and quarantined it. And I long ago disabled all Auto Run support in Windows. If I hadn’t, the virus may have actually been able to run briefly. Malware needs only seconds to wreak havoc. In this case, it was a worm that installs backdoors, probably to open up a PC for eventual induction into a botnet.
Attempts to contact Fisher-Price (or rather Mattel) have been fruitless, but I suspect this is a case of the factory where they were being made using a crappy, infected PC for doing quality assurance checks. Other possibilities that come to mind are disgruntled factory workers, or even an organized attempt to increase the size of a botnet. It’s not beyond the realms of possibility a criminal organization is paying off workers in factories to infect the devices being distributed.
Fortunately, all I had to do was format the flash drive and my daughter can go back to taking an insanely large number of pictures of her toys.
SANS will be teaching a high-level security course in Raleigh, NC this December. For anyone in the state, this is an excellent opportunity to get hands-on, detailed experience and knowledge about how to hack your own network, perform security assessments and learn to stay ahead of the bad guys.
[ Community SANS Raleigh Durham Winter 2008 ]