Matt Johansen

New Blog Location

noreply@blogger.com (Matt Johansen) — Mon, 28 Sep 2009 19:42:00 +0000

My new blog location in case any of you are wondering where I went.

Gmail Spam Folder Fail

noreply@blogger.com (Matt Johansen) — Thu, 23 Apr 2009 23:09:00 +0000

As far as I can remember this is the first email I've had slip past Gmail's spam filters. I got a good laugh out of this when I woke up this morning. My first Nigerian cry for help with promise of fortune.

Just thought I'd throw it up for all to enjoy since I got a good laugh out of it.

from asiya bare
reply-to asiya.bare@gmail.com
to
date Thu, Apr 23, 2009 at 10:46 AM
subject Dearest,

Dearest,
My dear I am writing this mail with tears and sadness and pains. I know it will come to you as a suprise since we haven't known or come across each other before, but kindly bear with me at this moment. I have a special reason why I decided to contact you. My situation at hand is miserable but I trust in God and hope you will be of my help. My name is Asiya Ibrahim Bare 25years old girl and I held from Republic of Niger the daughter of Late General Ibrahim Bare Ma?nassara the former President of the Republic of Niger who was ambushed and killed by dissident soldiers at the military airport in the capital, Niamey with his driver and a former Prefect. You can see more detail about my late father here http://news.bbc.co.uk/onthisday/hi/dates/stories/april/9/newsid_2463000/2463927.stm

I am constrained to contact you because of the maltreatment which I am receiving from my step mother. She planned to take away all my late father's treasury and properties from me since the unexpected death of my beloved Father. Meanwhile I wanted to travel to Europe, but she hide away my international passport and other valuable documents. Luckily she did not discover where I kept my father's File which contained important documents. I am presently staying in the Mission camp in Burkina Faso.

I am seeking for longterm relationship and investment assistance. My father of blessed memory deposited the sum of US$11.7 Million in one bank in Burkina Faso with my name as the next of kin. I had contacted the Bank to clear the deposit but the Branch Manager told me that being a refugee, my status according to the local law does not authorize me to carry out the operation. However, he advised me to provide a trustee who will stand on my behalf. I had wanted to inform my stepmother about this deposit but I am affraid that she will not offer me anything after the release of the money. Therefore, I decide to seek for your help in transferring the money into your bank account while I will relocate to your country and settle down with you. I have my fathers death certificate and the account number which I will give you as soon as you indicated your interest to help me.

It is my intention to compensate you with 20% of the total money for your assitance and the balance shall be my investment in any profitable venture which you will recommend to me as have no any idea about foreign investment. Please all communications should be through this email address only for confidential purposes.

Thanking you alot in anticipation of your quick response. I will send you my photos in my next email.
Yours Sincerely
Asiya Ibrahim Bare

Poor Mr. Ma?nassara

Cyber Cobra Command

noreply@blogger.com (Matt Johansen) — Wed, 22 Apr 2009 08:22:00 +0000

My latest post over at Liquidmatrix Security Digest:

Just really couldn't avoid doing a write-up on this story for LSD. This one goes out to anybody who got one of our glorious shwag pieces illustrating our favorite word here at the digest, CYBERDOUCHERY.

I know what the reaction from my fellow liquidmatrix folk will be on this but I hope the rest of you can at least keeps your heads from exploding.

The all powerful and knowing Wall Street Journal announced today that the Obama administration is putting together a "new military command to coordinate the defense of Pentagon computer networks and improve U.S. offensive capabilities in cyberwarfare." Before I continue let me state that I am not trying to be a sarcastic punk and don't think it is a bad idea for the U.S. government to catch up on technology in a security sense. How I feel about the media is a different story.

Anyway, the article goes on to state that this "new military command" is the result of the proverbial straw on the camel from earlier this week when the (again all powerful and knowing) Wall Street Journal published the story amply titled "Computer Spies Breach Figher-Jet Project". Which, in my opinion, based on the title would warrant some government action. However, watch some awesome back peddling:

The move comes amid growing evidence that sophisticated cyberspies are attacking the U.S. electric grid and key defense programs. A page-one story in The Wall Street Journal on Tuesday reported that hackers breached the Pentagon's biggest weapons program, the $300 billion Joint Strike Fighter, and stole data. Lawmakers on the House Oversight and Government Reform Committee wrote to the defense secretary Tuesday requesting a briefing on the matter.

Lockheed Martin Corp., the project's lead contractor, said in a statement Tuesday that it believed the article "was incorrect in its representation of successful cyber attacks" on the F-35 program. "To our knowledge, there has never been any classified information breach," the statement said. The Journal story didn't say the stolen information was classified.

Well that is just impressive work that demonstrates media experience beyond my years.

But wait! I smell a new cyber buzzword!

A draft of the White House review steps gingerly around the question of how to improve computer security in the private sector, especially key infrastructure such as telecommunications and the electricity grid. The document stresses the importance of working with the private sector and civil-liberties groups to craft a solution, but doesn't call for a specific government role, according to a person familiar with the draft.

Defense Secretary Robert Gates plans to announce the creation of a new military "cyber command" after the rollout of the White House review, according to military officials familiar with the plan.

The article goes on to use my new favorite buzzword cyber command some more in detail. Read on if you dare.

Amazonaphobia

noreply@blogger.com (Matt Johansen) — Mon, 13 Apr 2009 20:26:00 +0000

My latest post over at Liquidmatrix Security Digest:

It seems that Amazon has had some interesting going ons recently, and by interesting I of course mean interesting.

I started to write this article last night but the Easter dinner/dessert food coma won the battle and I'm glad it did. As it turns out what was going to be an article solely about censorship in a major online community as transformed into a perfect security article overnight :).

I suppose a brief recap is in order. Long story short this past Friday some homosexual themed romance novels started disappearing from the site's sale's rankings. Amazon first claimed that they were "excluding adult material from appearing in some searches and best seller lists." Well it just so turns out that these lists and searches are generated using user sale's ranks.

Step two in this story is of course a Twitter explosion of hash-tag anger which is self explanatory #amazonfail. Step three? You guessed it, an announcement from Amazon PR that claimed a glitch in the system. First I've heard of a homophobic glitch but I entertained the idea as plausible.

Well that's where the news stopped on my radar last night until a very interesting turn of events this morning. A hacker known as Weev stepped forward claiming responsibility for the #amazonfail stating an exploitation of an Amazon product rating vulnerability. Apparently after a product is flagged as inappropriate enough times it is stripped from the sales rankings lists auto-magically. With some help from some Nigerian friends who registered Amazon accounts and flagged books for him, Weev systematically picked off whichever books he pleased. (Whats with hackers stepping forward lately??)

In case your interested here is the hacker's "confession" that he posted on his LiveJournal:

Hay dude. Amazon removed its customer-based reporting of adult books yesterday. I guess my game is up! Here's a nice piece I like to call "how to cause moral outrage from the entire Internet in ten lines of code".

I really hate reputation systems based on user input. This started a while back on Craigslist, when I was trying to score chicks to do heroin with. My listings like "looking to get tarred and pleasured" and "Searching for a heroine to do the paronym of this sentence's lexical subject" kept getting flagged. The audacity of the San Francisco gay community disgusted me. They would flag my ads down but searching craigslist for "pnp" or "tina" reveals tons of hairy dudes searching for other hairy dudes to do meth with. So I decided to get them back, and cause a few hundred thousand queers some outrage.

I'm logged into Amazon at the time and see it has a "report as inappropriate" feature at the bottom of a page. I do a quick test on a few sets of gay books. I see that I can get them removed from search rankings with an insignificant number of votes.

I do this for a while, but never really get off my ass to scale it until recently.

So I script some quick bash.
#!/bin/bash
let count = 1
while true; do
links -dump 'http://www.amazon.com/s/qid=0/?ie=ASCII&rs=1000&keywords=Gay_and_Lesbian&rh=n%3A!1000%2Ci%3Astripbooks%2Ck%3AHomosexuality&page='`echo $count`|grep \/dp\/ >> /tmp/amazon
((count++))
done

There's some quick code to grab all the Gay and Lesbian metadata-tagged books on amazon. Then I pull out all the IDs of the given books from those URLs:

cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//

and I have a neat little list of the internal product ID of every fag book on Amazon.

Now from here it was a matter of getting a lot of people to vote for the books. The thing about the adult reporting function of Amazon was that it was vulnerable to something called "Cross-site request forgery'. This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game.

I know some people who run some extremely high traffic (Alexa top 1000) websites. I show them my idea, and we all agree that it is pretty funny. They put an invisible iframe in their websites to refer people to the complaint URLs which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.

I also hired third worlders to register accounts for me en masse. If you ever need a service like that, you can find them in a post like this advertising in the comments:
http://ha.ckers.org/blog/20070427/solving-captchas-for-cash/

Then they would log into the accounts, save the cookies in a cookie file and send it to me.

Then I used the cookie files like so to automated-report all the books:

for i in `cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//`; do lynx -cookie_file=/home/avex/cookie1 http://www.amazon.com/ri/product-listing/`echo $i`/;done

The combination of these two actions resulted in a mass delisting of queer books being delisted from the rankings at Amazon.

I guess my game is up, but 300+ hits on google news for amazon gay
and outrage across the blogosphere
ain't so bad.

Not sure if this is actually true but it certainly is interesting.

UPDATE: Some conflicting responses.. Amazon has come up with some stats to back the before-mentioned glitch.
Here's a statement from Amazon spokesman Drew Herdener:

This is an embarrassing and ham-fisted cataloging error for a company that prides itself on offering complete selection.

It has been misreported that the issue was limited to Gay & Lesbian themed titles – in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica. This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon’s main product search.

Many books have now been fixed and we’re in the process of fixing the remainder as quickly as possible, and we intend to implement new measures to make this kind of accident less likely to occur in the future.

How Smart is Your Grid?

noreply@blogger.com (Matt Johansen) — Mon, 23 Mar 2009 06:33:00 +0000

My latest post over at Liquidmatrix Security Digest:

So in an utter disregard for buzzwords, CNN Homeland Security Correspondent Jeanne Meserve has dwelled into James' land of cyberdouchery. The article entitled "Smart Grid may be vulnerable to hackers" briefly discusses the United States and it's respective power companies anxiously deploying a high-tech power grid while simultaneously raping the words "cyber" and "smart".

Power companies are installing new automated meters at an astonishing rate which seems to be the first step in the roll out. The eventual goal is to improve electricity efficiency and reliability using sensors on your home meters that talk back to the power grid. President Obama is on board dishing out $4.5 billion towards all this.

So where does the problem lie?

Well some interesting quotes throughout the article define the issue very clearly. One of our friends at InGuardians, Ed Skoudis chimed in stating,

"I think we are putting the cart before the horse here to get this stuff rolled out very fast."

Also, Matt Spaur, a product marketing analyst added my favorite tidbit,

"Any network can be hacked."

All in all, this is obviously a huge security issue and if you even remotely (no pun intended) glanced at Live Free or Die Hard you'd get the picture. Electric grids are all ready "hackable" you just have to not be afraid of heights and be a huge fan of rubber. The automation wouldn't necessarily create many new vulnerabilities, it would most definitely increase the risk by increasing the likelihood and severity of exploitation.

With this system in place there really is no room for "roll it out and patch it later." We can all hope that the money makers take their time on this one and do it right.

Article Link

Comcast

noreply@blogger.com (Matt Johansen) — Wed, 18 Mar 2009 21:54:00 +0000

My latest post over at Liquidmatrix Security Digest:

Earlier this week it was reported that a list of Comcast customers usernames and passwords, 8,000 entries long, was exposed on a public website for at least two months. A man by the name of Kevin Andreyo who works as a professor at Wilkes University came across the list while performing a search for his own personal e-mail address. The search dug up a website called Scribd which is a document sharing site that housed the list of 8,000 user names and passwords including Mr. Andreyo's.

Reportedly the list had been viewed "over 345 times and downloaded 27 times." This in it of itself is a relatively small number but means that the list is still out there and can be shared again or even added to.

A spokesperson for Comcast commented stating that the list contained only 700 active accounts and that the rest were either dead or not Comcast customers. She also stated she does not believe the breach came from within the company because the manner in which the list was created was sloppy.

Comcast can downplay this as much as they'd like but it sounds to me like, at least, 345 people got their hands on a seriously dangerous resource. At the safest end of the spectrum of what could happen with this, people can add to their lists of known usernames and more importantly list of known passwords. I've seen what a wordlist compiled of actual passwords can do and 8,000 attempts would fly by in less than 3 or 4 seconds.

Also if only a fraction of items on the list were Comcast customers, what were the other items customers of? Chase? Bank of America? AIG executives?

I guess it’s just a good thing that it was only up for two months, as far as we know, even though that is two months too long.

Artcile Link

Google Rains on Cloud Users..

noreply@blogger.com (Matt Johansen) — Mon, 16 Mar 2009 04:43:00 +0000

My latest post over at Liquidmatrix Security Digest:

I came across some interesting stories about the all mighty Google cloud features in the past couple of days. The first was about Gdrive, a specific example of a broader idea of online storage space. This idea is growing ever more popular now that the "cloud" is becoming a buzz word in the community and Google is taking another step towards being the all mighty one. This is an old idea done a new way with most likely lots of Google flare such as booting from an online hard drive and automated backups.

Very interesting ideas that of course people are very excited about but leave it to the security people to kill the hype.

If done right this would be a great service just as network share drives with group or personal permission folders are great on closed networks. But an interesting point was discussed on a recent episode of Diggnation when Kevin Rose spoke of a certain targeting problem. In general the everyday user of this service would most likely be left alone but what about people more under a public spotlight. Kevin referred specifically to him or his co-host Alex putting up personal photos that some hacker savvy fan would love to get their hands on. Even without the ability to gain access to the drive a MITM attack would be very feasible as demonstrated on Gmail with The Middler at Shmoocon .

As for the confidence in Google and its ability to protect your privacy, I stumbled across another article about a Google Docs sharing bug. Google has sent a letter to users who have been effected by this bug explaining that some of their documents were shared with previous collaborators without you knowing it.

Alice: "Honey, who is this Eve woman and why are we working on a list of gifts for her?"

Bob: "..."

Actual letter sent by Google:

Dear Google Docs user,

We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.

To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.

We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.

The Google Docs Team

It has been reported to have effected around .05% of Google Doc users which could still be a pretty large number but isn't a major leak. This still raises a few questions especially when it comes to your confidence in upcoming services such as Gdrive and other people's ability to access your data.

Just some food for thought!

-Matt Johansen

Google Docs Article

Gdrive Article

Tuesday Bloody Tuesday

noreply@blogger.com (Matt Johansen) — Mon, 16 Mar 2009 04:40:00 +0000

My latest post over at Liquidmatrix Security Digest:

Tuesday March 10th and it's once again Patch Tuesday for all you Microsoft users. Yesterday's release was a very straightforward and light load of fixes but spanned all supported versions of Windows. Some specific updates pushed out are MS09-006, MS09-007, and MS09-008. MS09-006 is a update for the Windows kernel vulnerability that is labeled critical for Windows 2000 SP4 all the way up to Vista SP1. The other two updates fix vulnerabilities in SChannel and DNS/WINS Server respectively and is important for Windows 2000 SP4 up to XP SP3 and Server 2003. Other than that the only things to look out for are the ordinary Malicious Software Removal Tool and Windows Mail spam filter. Full write up.

Possibly more interesting than that is the fact that Symantec and Adobe released updates on the same day under unusual circumstances. George Hulme has a good write up of the situation the he posted this afternoon. To sum it up Adobe has been working on a fix for their recent zero-day and announced it would be released March 11th. They decided to release it yesterday, March 10th, which happened to be Patch Tuesday which can be commended for getting it out early but for most working in the trenches that are operations probably wasn't appreciated.

On top of that Symantec released a patch with the filename PIFTS.exe, which looks up the Symantec product and version on a system and reports it back. Well this report back happened to not be signed because of human error and sent up some firewall flares for most users. This must have been a Help Desk nightmare along with the Adobe issue on Patch Tuesday. Not only a Help Desk problem, if the users decided to search what PIFTS.exe was on their own it is reported that malicious sites recognized this and made their sites appear at the top of those searches. Good write up on the PIFTS.exe and malicious site issue on SC Magazine found here.

This onslaught of patches and patch mishaps must have really affected a lot of companies big and small as they had their time allotted for the Microsoft patches to be pushed. Anybody who works in operations and is part of the team responsible for patch management knows the trials of Patch Tuesday when that is the only issue to deal with. The fact that Adobe pushed their release up and Symantec had an inexcusable mistake all on the same day can really bring things down. Not only can this cause a headache for the people on the team responsible for pushing these patches but if the team required more than one patch in the same day at 3 separate times you are going to have some angry users who aren't going to restart their machines for you. Heat will be felt all along the food chain and $DIETY forbid if somebody clicked on a site taking advantage of the PIFTS.exe curiosity. Productivity won't be the only issue that companies will have to deal with this Patch Tuesday or for the rest of the week for that matter.

[tags]microsoft, security, patch tuesday, ms09-006, ms09-007, ms09-008, symantec, adobe, pifts.exe, patch hell[/tags]

Computer Security Week 1

noreply@blogger.com (Matt Johansen) — Fri, 02 Jan 2009 00:22:00 +0000

In the the very first week of my Computer Security class we were presented with a broad overview of the upcoming semester. We touched everything from the CIA triad (Confidentiality, Integrity, and Availability) to discussing the more public view of security (i.e. the cyber section of the FBI and Secret Service, identity theft, etc.).

We were also presented with the following video of Richard Clarke who is the Chairman of Good Harbor Consulting, senior White House Advisor to the last three presidents and an expert in security including cyber security and counterterrorism. If you would like to watch it you can skip the first 7:30 minutes which is just PR stuff and an introduction.

"Richard A. Clarke is an internationally recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. He is currently Chairman of Good Harbor Consulting and an on-air consultant for ABC News. Clarke served the last three Presidents as a senior White House Advisor. Over the course of an unprecedented 11 consecutive years of White House service, he held the titles of Special Assistant to the President for Global Affairs, National Coordinator for Security and Counterterrorism, and Special Advisor to the President for Cyber Security. His published works include the New York Times #1 bestseller Against All Enemies, Scorpion's Gate, and Breakpoint. Mr. Clarke will be discussing the current state of the war on terrorism and what it means for homeland security and technology."

The class was presented with the following.

"Week 1

The objectives for this week are to outline what expectations the students may have from the teacher, and what expectation the teacher has from the students. A brief preview for the semester will be provided. At the end of the week, the following topics will have been covered.

Fundamental concepts of information security
Common forms of malware
Information Security Life Cycle

Assignment 1
Watch this movie and comment on it in your course blog. You can skip over the first 7:30 minutes, as they are just public relations.

Can you relate to this clip? Do you see any effects of computer security controls in your daily life? What kind of controls do you see? How do they affect you?"

If you'd like, I'd be interested to see a few responses from other people who wish to leave comments.

In the next few weeks of our meetings we covered respectively Laws and Ethics, Authentication, and Access Control. My next post or two will cover these topics and then we move on to the Defender and Attacker life cycle and break down each step along the way of each.

Embarking on my Blog

noreply@blogger.com (Matt Johansen) — Sat, 27 Dec 2008 02:05:00 +0000

I struggled a bit in deciding how I wanted to approach my first attempt at blogging before finally pulling the trigger. Considering I wanted to make this a security oriented blog I hit a somewhat important obstacle, experience. After I mulled it over for a while I decided that was more of a mental obstacle than anything and decided to contribute in whatever way I can and map out the beginning of my journey into a young and exciting new field.

This being said I should probably introduce myself. My name is Matt Johansen and I'm 21 years old and just graduated from Adelphi University in Garden City New York with a BS in Computer Science and a minor in Mathematics. I am an only child born and raised on Long Island who has as much IT experience as a 21 year old can have as my first job was the sole student tech for my high school's school district. From there I worked at Adelphi University, also as a student tech, and soon was promoted to one of four head student techs and received a ton of customer service experience as I was the guy everybody that lived on campus recognized as the "computer guy" who helped them in their dorms. This past summer I worked at Arrow Electronics as a Data Security Analyst on a team of 5 managing an Active Directory environment of over 12,000 employees internationally. During that summer internship I proved myself enough for them to ask me to come on part time while finishing my final semester at school and hopefully brought on full time when I graduated. Unfortunately, the economy hit home and Arrow Electronics was forced to lay off over 70 IT employees in a very short period of time, a group I was included in.

Okay that is my brief synopsis of my brief career. To start off on my blogging adventure I decided to discuss part of the reason my interest in entering this field was reinvigorated, a semester long special topics senior seminar with Kees Leune on Computer Security. Over the next few weeks I will be summing up my experiences in this class which were very exciting and while some of the information might not be new to all of you hopefully I will make it an interesting read in how the class was organized and what topics we covered. Stay tuned!