Security Idiot

Bring on the Hotness: Alex Sotirov

noreply@blogger.com (Security Idiot) — Tue, 13 Jan 2009 20:05:00 +0000

It gives us great pride and deep stirrings to draw your attention to a recent (ish) tweet by Alex Sotirov - formerly VMware playboy, now Independent Exploiter (watch out ladies) and www 0wner (now do it for SHA1 ;-).

Rarely does Tinyurl instill this much anticipation...

Lo and behold...sure enough at no. 00000110:

We promise there was no Photoshop action involved here - and that doesn't look like the Alex that we've seen steaming up the Infosec conventions but hell, he made in the top 10 and you and me didn't.

What a modest Twit!

Security Idiot Welcomes Kevin Mitnick!

noreply@blogger.com (Security Idiot) — Tue, 14 Oct 2008 07:46:00 +0000

Kevin was recently travelling to a security conference where he was due to demonstrate his lock-picking equipment...ahem..."moderate a panel at a security conference sponsored by the American Society for Industrial Security (ASIS)" when his number came up. As he arrived in Atlanta he was stopped by border security and invited to give a guided tour of his belongings.

The highlight of the 'consultation' came when he was asked to provide evidence of his ASIS attendance. Instead of travelling with a pre-printed itinerary and handing that to the border inspectors he had to pull his laptop and then right in front of the officials he...

1. Deleted his firefox private data...("Just say Yes")
2. Promptly hit the power off button as the officials grabbed the laptop suspecting he was erasing evidence.

This tale could be called 'How To Freak Out Border Inspectors Who Already Suspect You Are Shady'.

Nevertheless, Mitnick was keen to point out that client data was not exposed in any way (Ed: just copied) and that in future he plans to clone himself and travel as a Mitnick swarm in order to conduct birthday attacks on random border guards ("Is it me? Is it me?).

We admire Kevin as he spoke with a CNet reporter:

"There was uncertainty, fear, and panic because I didn't know what was going on, and I didn't do anything wrong," he said in a recent telephone interview with CNET News. "In my mind, I thought I was being set up for something."

If you want to read the rest of the story, including the part about "his package" discovered to have traces of cocaine you won't find us talking about that here. You'll have to go here instead.

Thomas Ptacek: Too Quick By Far!

noreply@blogger.com (Security Idiot) — Sun, 27 Jul 2008 16:02:00 +0000

This weeks nomination for SecurityIdiot (TM) goes to Thomas Ptacek.

In fact, we think he nominated himself.

Summary:
- Dan finds big DNS bug
- co-ordinates with Vixie, CERT et al - fixes get prepared
- Dan announces to world + dog: "patch now, I'll disclose in 4 weeks at BlackHat"
- Doubting Thomas proclaims the bug can't be all that serious
- Dan confides in Thomas, who does an about turn and announces 'Its the real deal'
- Mucho guessing on DailyDave mailing list
- Halvar - who really should have been studying for his exams - chimes in with his theory
- Thomas tells Halvar - via the Matasano blog - 'By jove, you've gone and guessed what that Kaminsky fella told me down the pub about his DNS sploit'.
- Story catches fire, exploits are written
- Thomas goes 'Duh' and publishes below apology...

Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.

We dropped the ball here....

Continues at the Matasano Chargen Blog

Future Vulnerability Researcher?

noreply@blogger.com (Security Idiot) — Wed, 23 Jul 2008 19:31:00 +0000

Grasping the linga franca of your mother tongue is sometimes a waste of neurons.

If you want to be a kick-ass vulnerability researcher, less is sometimes more.

Your formative years could be better spent studying Intel developer manuals.

Watch this video to determine if you may be harbouring someone in your family that has haxxor tendancies...

Courtesy of Beast or Bhudda

Pwnie Awards: Keepin' It Real

noreply@blogger.com (Security Idiot) — Wed, 23 Jul 2008 14:20:00 +0000

Back again at Black Hat this year, the Pwnie awards...

"An annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community".

Look what you could have been nominated for:

Best Server-Side Bug
Best Client-Side Bug
Mass 0wnage
Most Innovative Research
Lamest Vendor Response
Most Overhyped Bug
Best Song
Most Epic FAIL
Lifetime Achievement Award

Obviously here at securityidiot.com, we're most interested in the 'Most Epic FAIL' category (although Best Song could swing it). Lamest Vendor Response may feature but then we'd get lost in Press Release clippings.

Stay tuned for further updates!

Source

Impress Your Peers With Your Grasp of IT Security Terminology

noreply@blogger.com (Security Idiot) — Thu, 17 Jul 2008 07:59:00 +0000

To truly dominate in the IT security field, its vital to be able to 'talk the talk' - the rest can come later.

What follows is an insiders guide to help you apply the right terminology at the right time. Many people tie themselves up in knots with poor use of IT security terminology. Frankly, there's a lot of misunderstanding out there.

Cut through the fog with this helping list. Impress you peers!

24/7
The window of time in which systems are most vulnerable to attack.

BC/DR (Business Continuity/Disaster Recovery Planning)
An alternate spelling for "CISO".

Biometrics
Strong authentication mechanism that streamlines insider attacks.

Business case
A creative writing project, the quality of which is directly proportional to your security budget.

Confidentiality, integrity and availability
The three great myths of the Internet Age.

Cryptography
The science of applying a complex set of mathematical algorithms to sensitive data with the aim of making Bruce Schneier exceedingly rich.

Cybercrime
Crime.

Downtime
Refers to computer systems' natural state; the opposite of anticipated downtime.

E-Commerce
A historical fad (fashion) from the late '90s meant to generate hundreds of billions of dollars in new profits; the inciting factor that generated hundreds of billions of dollars being spent on security products.

Firewalls
Speed bumps.

Hackers
Self-righteous crackers.

Help desk
A place where rude people read instruction manuals to confused people over the phone, for a fee.

Identity theft
The transfer of your personally identifying information from corporations that want to exploit it to hackers who want to exploit it.

Intrusion Detection Systems (IDS)
Log file generators.

JOOTT ("jute")
Acronym for Just One Of Those Things; the primary explanation for most information security problems.

Laptop
A computer designed to allow employees to easily store vast amounts of customer data in the backseat of a taxicab.

Logging
The practice of filling shelves with printouts.

Logical security
A goal; also, an oxymoron (contradition).

Mission critical
Term used to help hackers identify their targets.

Non-repudiation
The opposite of repudiation; repudiation, only not.

O.S. hardening
An attempt to secure your operating system against the next hack by closing the hole used by the previous one

Passwords
Authentication tool that, when properly implemented, drives growth at the help desk

Patching
A mandatory fool's errand.

Pharming and phishing
Ways to obtain phood (i. e. food).

PKI (Public-Key Infrastructure)
A system designed to transfer all of the complexities of strong authentication onto end users.

Regression testing
The process by which you learn how the patches that fixed your system also broke your system.

Road warriors
Traveling employees responsible for delivering malicious code back to headquarters.

Scope creep
Stage three of the standard software development model.

Security administrator
Firefighter.

Security officer
Fall guy.

Total Cost of Ownership (TCO)
In security, an incalculable number always equal to or greater than the budget.

Upgrade
The process by which you introduce new vulnerabilities into software.

Virus
Sort of like a worm, but not exactly.

Worm
Similar to a virus, but different.

Zombie
See "Distributed Denial of Service".

From Comunidade ISMS PT

Stop Following Me on Twitter: Hoff Launches Unprovoked Simile Attack On His Twitiples

noreply@blogger.com (Security Idiot) — Tue, 15 Jul 2008 07:12:00 +0000

Security is like Escargot. It's crunchy on the outside, chewy on the inside, and like everything else, should be blamed on the French!
Security is like Kimchee...to make it you have to slap it together, bury it and then dig it up when it smells to explain how special it is..
Security is like Durian: It's lousy in airports, stinks when exposed and looks oddly out of place no matter how you slice it...
Security is like fertilizer, the more shit you spread around the worse it gets and watering it down only makes it worse
Security is like a vibrator...

Continued at Rational Survivability

How I Lost a Contest Involving Chihuahuas

noreply@blogger.com (Security Idiot) — Fri, 11 Jul 2008 21:24:00 +0000

"So my lovely gfnd’s co-worker enrolled her pet Chihuahua into a contest to rate the dog against others of the same breed in the local area. Vaguely amused, I took a look at the web application and sure enough, it pretty much sucked.

The developers had used a client side code in Flash to make it so that you couldn’t submit twice, but in re-loading the app you could (and that’s how the newbs in her office were cheating). I, however, looked at what data it was sending and sure enough I could send votes by bypassing the client side app entirely. I took the cheating to a whole new level...."

Continued here

[kudos to the anonymous reader for the tip]

Is It Easier To Get Fired in IT Security As Say A Security Officer on a USAF Installation?

noreply@blogger.com (Security Idiot) — Fri, 11 Jul 2008 11:30:00 +0000

Or, what about getting fired on your day off?

You drop your wife at the hairdressers and you need to find something to do. What could possibly go wrong?

Favorite quote:

“Hell no, we’re not conducting a sting operation in that area or any
area for that matter.” He then ended the conversation with, “Arrest
his ass, and confiscate his badge!”

Source

Are You A Security Idiot?

noreply@blogger.com (Security Idiot) — Thu, 10 Jul 2008 17:21:00 +0000

You Are "A Security Idiot" If you...

Misspell both HIPAA and SOX (how the f does one misspell SOX?)
Confuse "risks" and "threats"
Think that "Trojan is a vulnerability" AND "DoS is a vulnerability"
Quote "Insiders are 80%" without thinking for one darn second
Think that a loss of "$20 million is catastrophic to any company"
Talk about "NIST compliance"
Consider IDS a network security control
Shout that "perimeter is dead"

Please add your faves to the list and we can create an official list to be used to expose fake experts. If you think that nobody in our industry is that stupid ... think again. F*ck!

Source (with permission)

[update] More Stupidity from Anton :P

Blog Launch

noreply@blogger.com (Security Idiot) — Thu, 10 Jul 2008 15:22:00 +0000

Greetings!

This blog is dedicated to IT Security Professionals that do stupid, idiotic, brain-dead security things. These could be operational mishaps, dumb technology decisions or strategy decisions that leave an org more vulnerable (and poorer) than when the IT Pro walked in the door.

A few examples to whet the appetite:

misconfiguring routing tables on mission critical firewalls to bring production networks to a screaching halt
implementing a non-SSL aware NIDS on a segment that only has HTTPS traffic
declaring to management that secure email best practices require selecting a white font color on a white background when sending sensitive messages
screwing up an arpspoof attack during a pen-test, becoming "man-on-the-end" and downing a production network
spending all the security budget on the latest network security gizmo when the outside door to the data center doesn't shut properly.

It is *not* about non-IT Security Professionals that do stupid, idiotic, brain-dead security things. This is assumed (no offense lusers!).

The site is powered by you, the reader. You submit stories and if they're funny enough we'll post 'em.

If you have witnessed a truly idiotic action by someone that claims to be an IT Security Professional, email us at securityidiot@gmail.com. No need to name names - in fact, if you do, we can't post it - sorry.

All postings will be strictly anonymous.

Send us your "over beer" stories, we'll figure out what works as we go along...

The SecurityIdiot team.

P.S Curious about the origin of "Security Idiot"?