NP-Incomplete

ZDNet

Mon, 08 Sep 2008 13:46:55 -0800

Recent sightings of friends in the media.

Thu, 14 Aug 2008 13:13:19 -0800

Joe and Zoz's show, Prototype This!, has been finally announced! Look for it on Discovery this fall.
Nate Lawson was interviewed by the bay area ABC affiliate for his work on the FasTrack flaws.
Raffael Marty's Applied Security Visualization is now available!

Twitter "Following" Limits: Smart.

Tue, 12 Aug 2008 17:49:37 -0800

The web has started commenting on twitter's decision to limit the number of accounts that a given user can follow. Having a hard limit is a smart move for multiple reasons. Not only does it allow you to more finely bound the computational load of the message passing architecture, it negatively impacts only two groups, namely spammers and the obsessive-compulsive. This is a good first step that I have pointed out in an interview once before. I suspect that Twitter will also be working on a throttling policy as well as an IP and content blacklisting technology as follow-on mechanisms to continue to battle spam.

What a difference a word makes.

Mon, 11 Aug 2008 09:29:25 -0800

I enjoy talking with reporters, and I do so quite frequently. It is part of my responsibilities at Cloudmark. Thankfully, most of the guys I talk to on a regular basis are extremely responsible, detail oriented, and diligent about the facts; a single omitted word can radically alter the meaning of a phrase. Chris Hoff, a very well seasoned speaker and media contact, is now experiencing the repercussions of such an error. By dropping the word "security" from the phrase "Virtualizing security will not save you money, it will cost you more.", a reporter changed Hoff's statement from a negative statement about the security to a negative statement about his employer. As you can imagine, this has caused a massive headache for Hoff and his employer. The only way to fix any misquote in the current media climate is to generate corrective content early and often, as I am doing with this post.

Dispatches from Blackhat/Defcon: PayPal Token

Sun, 10 Aug 2008 20:10:03 -0800

PayPal token
Originally uploaded by Adam J. O'Donnell

Paypal placed this item in everyone's BlackHat backpack. This second-factor authentication token, which really should be far more common for consumer websites, has to be the best piece of swag I have ever received in the conference fun bag.

Dispatches from Blackhat/Defcon: Facebook/MySpace "Worm"

Sat, 09 Aug 2008 18:15:06 -0800

I have been at BlackHat/DefCon since Tuesday, and I have been slightly out of the loop on some recent security events. Coincident with the presentations on social network security and new XSS attacks against MySpace, reports of a worm hitting MySpace and Facebook started trickling in via SMS messages from our team back at the office. My initial concern was that this was a full-blown Samy-style worm hitting both social network sites, and some of my comments were oriented towards this threat. It turns out that the MySpace/Facebook worm was less a worm and more a standard malware-push technique. Rather than having malware infect a system to send spam to other users that enticed them to install the same malware, the authors had the malware hijack MySpace and Facebook profiles on login by the user, spamming their friends with a malware download pitch. Basically this ends up being a hybrid worm, that requires more than just pure browser support, like XSS and CSRF attacks, to propagate. Good show, spammers. The interesting part of this incident is that attackers, the media, end users, and vendors are focusing on this as a social networking story and not a desktop malware story, when it is equal parts of both. It is further evidence to me that desktops are being considered by home users to be nothing more than browser containers, with their activities being almost completely focused around a handful of major (social) web properties.

Defcon TCP/IP Drinking Game

Tue, 05 Aug 2008 09:50:14 -0800

I will be hosting the Defcon TCP/IP Drinking Game again this year. Drop by Friday night to see your favorite information security experts make fools of themselves.

Vegas

Tue, 05 Aug 2008 09:45:43 -0800

I will be in Las Vegas for the Blackhat and Defcon conferences this week. I hope to see you all there!

Jack Newsham

Sun, 27 Jul 2008 16:24:57 -0800

John Nikola Newsham was born on Friday, July 25th to Tim and Aailyah Newsham. Congratulations guys!

Attackers hit close to home.

Mon, 14 Jul 2008 23:35:04 -0800

My wife Sophy's gmail account started spewing spam this morning to everyone in her sent mail folder. Given that my wife has been working in technology for about as long as I have been in information security, and specifically three years in anti-spam, I was both slightly intrigued and rather miffed when I received the following message in my inbox: If this were a PC laptop, I would chalk this up to a desktop compromise. There has not been a significant number of reports of OSX malware that does address book scraping, making this possibility rather remote. I had Sophy immediately rotate her gmail password, log in, and pass over a screenshot of her access history: If we take a closer look at 123.12.254.155, we can see the IP doesn't exactly reside in San Francisco:

route:        123.8.0.0/13
descr:        CNC Group CHINA169 Henan Province Network
country:      CN
origin:       AS4837
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20070111
source:       APNIC

I am pretty certain that neither of us were in China this morning, and at this point I was certain that her desktop was safe as the compromise likely affected her webmail account only. I later discovered that Sophy had used similar passwords on multiple websites, leading me to believe that one of the many websites she accessed was compromised, handing the attacker a legitimate Gmail login (her e-mail address) and password. The moral of the story is that you absolutely have to use a different password for each and every website you use, or at least cluster your accounts based upon attack propagation tolerance. In other words, you can use the same password across multiple junk message boards, but doing the same across multiple financial websites would be Bad. Oh, and the attackers didn't just send spam from her mail account, they also deleted all her mail on Gmail. Because Sophy maintains backups of her mail, a potentially stressful day was avoided. Oh yeah, thats the other moral of the story: maintain good backups, please.

CoverItLive Event on Social Networking Security

Mon, 14 Jul 2008 15:12:38 -0800

I will be co-hosting a live blogging event on social networking security tonight with Jennifer Leggio on CoverItLive. You should be able to view the content in the horrifying iframe below here: Thanks go to Plurk's Plurkshops for sponsoring the event.

Westside!

Thu, 10 Jul 2008 13:42:13 -0800

I was interviewed by SC Magazine's Dan Kaplan on the value of education in the security industry and its associated interpretation on both the west and east coast.

Anti-spam company employee spamming on twitter.

Wed, 09 Jul 2008 22:34:04 -0800

Hilarious. Oh yeah, this is the company in question.

reCAPTCHA launches free mail address hider.

Tue, 08 Jul 2008 14:04:46 -0800

I guess this is easier than making a little graphic of your e-mail address. The attack surface for reCAPTCHA is pretty large at this point, and web page scraping is not the only means by which a spammer can grab your address, leading me to question how effective this will be for keeping your inbox clean. Thanks to Jennifer for the heads up.

@twitterspammers.

Sun, 06 Jul 2008 21:17:39 -0800

Spammers went after Twitter pretty hard this holiday weekend using the "friend invite" model that was first developed against other social networking services. Briefly, the attack involves creating a large number of spammy profiles and then inviting people to view the spam by performing a friend request, or in twitters case, "following" the spam target. I have included screenshots of a few of these attacks.
An individual can remediate this attack in the short term by disabling e-mail notifications of people following you. This is by no means an optimal solution. The only people who can really address the situation is twitter, through a combination of blacklisting, throttling, CAPTCHAs, and content analysis.