Digital Soapbox - Down the Security Rabbithole!

The Hype Over Epsilon ...Baby in the Bath Water?

noreply@blogger.com (Raf) — Wed, 06 Apr 2011 16:53:00 +0000

You've heard the expression "don't throw out the baby with the bath water" right? The reference is to discarding something important in the mess of something unwanted ...makes me think a little about this big in-your-face headline on USA Today's "Money" section ...from Tuesday April 5th.

"Epsilon hack triggers phishing fears" with the subtitle 'So be careful where you click'.

Is this a good thing, or a bad thing? Clearly such hype, at least from a security perspective, warrants temperance and sanity for our own credibility ...but could there be a silver lining here?

The fact that this headline is on the front page of Tuesday's USA Today Money section says something ... it says that this is a big story, sure. But there's a more subtle benefit here ... given the readership of the USA Today, and who's going to read that front page headline and sub-headline ...maybe this is a good thing?

Maybe more people, more of the 'common users' we see as constant phishing victims, will read this and think twice about clicking that email that show up in their mailbox unsolicited?

Or maybe not.

But I can tell you with certainty that even if 10% of the readers of this interestingly written (using a quote from a competitor to the company that just got hacked? uncool) article think twice and don't fall for a phishing scam I'll be thrilled.

Information Security Comedy Genius

noreply@blogger.com (Raf) — Fri, 01 Apr 2011 19:40:00 +0000

You just can't make this stuff up ... I don't know if you follow the Bugtraq mailing listor not, but as I read this today I first thought that hey, it's April Fools' ...but when I realized it was a serious post I read on and the result was a serious LOL ...and projectile coffee all over my monitor/keyboard as a result of Thor's reply.

So here's what happened ...

An email came in with a disclosure..."Microsoft VISTA TCP/IP heap buffer underflow"

...which had this gem of a paragraph in it (for a little context, the person is referring to a PoC he wrote as the program):

"To execute either the sample program or any other system command, the user has to be either the admin, in the admin group or the Administrators group. Since this buffer underflow never makes it to kernel memory, it could be possible that propping up the underflow will make it overflow and take control over the operating system without any restriction."

...which I figured for an April Fools' gag, until I realized it was serious.

Then ...came the LOLs ...because in proper form "Thor" (Hammer of God) had this brilliant rebuttal:

"Just so that I understand correctly, are you reporting that if one is logged on as the administrator, it may be possible to execute this exploit in order to take over the machine? t"

You just can't make this shit up folks ...welcome to Information Security.

Breaking Your AT&T Broadband Neighbor's Bank

noreply@blogger.com (Raf) — Mon, 14 Mar 2011 00:09:00 +0000

A few weeks ago when Canada's major Internet providers announced they were going to be capping Internet transfer on a monthly basis, some of us here in the 'States chuckled. Guess we're in for a dose of that now too as AT&T just announced they're doing the same starting in May.

What's really interesting to me from a security perspective is this - how many AT&T customers do you think have a relatively easy-to-break-into WiFi network that ties right into their AT&T home DSL or uVerse?

So, here's an interesting scenario. A home user goes over the 150Gb threshold, by many gigabytes. Month after month ... how does that user then go about proving that it wasn't their activity but the result of someone breaking into their wireless and soaking up lots of bits?

Having a transfer cap sure makes the case for having more security on your wireless, do it not? The problem with many home wireless still being easily breakable is going to collide with broadband charges and caps ...real soon. The question is - what will be the result, and how will the courts treat it? How will AT&T treat it if I spike to 400Gb one month? Can I claim that it wasn't me? I suspect it would be interesting to see how the home DSL w/WiFi that AT&T is giving out is going to provide protection against these types of bandwidth-stealing attacks.

This AT&T strategy is easily at odds with the distributed nature of BitTorrent, vast amounts of streaming media -and oh yea ...pirates. This is an interesting tactic in AT&Ts ongoing war against pirated content, and various other forms of wrong-doing. It's an interesting tactic ...because if you can choke off the means to distribute illegal content (and let's face it, this is how pirates distribute illegal content) or at least make it very, very expensive to aid the pirates -maybe they (whoever "they" are) have a chance of winning the war.

I can't wait to see how this shakes out...

Cool Things I Learned About Security From Watching Spy Movies...

noreply@blogger.com (Raf) — Thu, 24 Feb 2011 16:28:00 +0000

I love spy movies, I've watched every single one I can find from "Spies Like Us" to the "Mission: Impossible" series and everything in between (including the really, really bad ones too). Spy movies teach us a lot about real security, how it can be defeated and some of the Hollywood truisms (and "bending the rules") demonstrate what we're all already thinking, and probably now to be true anyway. I've learned a lot, and I see a great many applications to real life InfoSecurity so I thought I'd share them with you here ...

You're being attacked. Right now... and now... and now.
Computers are easy to manipulate
People are even easier to manipulate
Your 'perimeter' is only as strong as the guy holding that USB stick walking in your office door
Encryption is breakable ...actually - "encryption" you build yourself is breakable
The common denominator amongst the thousands of daily use social media, financial, and other high traffic sites is one set of credentials
If you want to break military-grade encryption to steal intellectual property or state secrets, use a $15 hammer applied to the owner's open palm
Knowing where your target is located at all times is critical. Spies use expensive equipment like satellites, GPS, and other gadgets, in lieu of expensive gadgetry I suggest FaceBook or FourSquare.
Remember when it was cool to watch a movie spy 'tap in' and listen in on a person's cell phone call from another part of the world? Yea, that's possible.
By the time you've gotten down to here, I've utilized the exploit you don't know about in that browser you're using to gain access to your machine. You really shouldn't keep pictures like that in that 'hidden' folder in "My Documents" ...HR would be unhappy with you.

Hooray for Accountability (ZDI Drops 22 0day)

noreply@blogger.com (Raf) — Wed, 09 Feb 2011 14:48:00 +0000

Well, it's February 2011, and the year is flying by already. Quite frankly, I'm thrilled to see this story run and made a big deal out of -because if you're anything like me you're sick to your stomach from all the large software vendors that have been non-accountable for the crap they release.

The Register is running a story about how the ZDI has "spilled the beans" on 22 advisories, and some of the juicy details of the bugs. Rather than waiting indefinitely for the vendor to decide whether they care to take the time to patch their software or not - ZDI has taken a stand and published the bugs just 180 days after confirming the vulnerability with the vendor. I think that's fair, don't you? 6 months to analyze, identify, strategize and release a patch is plenty of time -even if you're a monster Fortune 100 corporation.

What I think is the bigger story, bigger than the 22 bugs released (one of which is of an unpatched flaw in the parent company, HP ...oh noes!) is that the ZDI changed their policy a while back so as not to wait indefinitely for a patch from the vendor before publishing the bugs. Now, it's 180 days, and time to pay the piper... and you have to hold them in high regard for that.

If you'd like to see the disclosure on the ZDI blog, check it out here ...companies include EMC, Novell, CA, SCO, HP and of course IBM.

In all the buzz and press around this release, I think it's critical to remember one thing - accountability is paramount. If you don't hold yourself accountable ...the ZDI boys and girls will.

Hackers "Borrow" Excess Server Capacity, Play CoD: Black Ops

noreply@blogger.com (Raf) — Sun, 16 Jan 2011 19:42:00 +0000

[Cross-posted from Following the Wh1t3 Rabbit]

"For Satan always finds some mischief still for idle hands to do." --Isaac Watts

Those pesky hax0rz.

They just want to hack in, steal your data, plant trojans and spread evil. ...sometimes not though.

Stories like this just don't get enough coverage because it's more funny than sinister - but apparently on November 12th, around 2:00am local time someone broke into the Seacoast Radiology of Rochester, NY server and didn't try and download their 232Gb of database ...nope, they just borrowed the server to play "Call of Duty: Black Ops". For 4.5hrs that night someone was using the radiology center's server capacity to play a video game.

You can just tell when someone is giving a quote that they don't know what they're really saying which is evident in lines like this one:

"Our server is 232 gigabytes,” Wood told SecurityNewsDaily. “If somebody tried to download it with the speed that we have, it would take them 27 days. We don’t think there’s someone out there with a huge database trying to pick and choose who they’re going to attack" (Source: MSNBC)

Well ... I for one am glad this person has a crystal ball, because I'm not sure I would make a statement like this one:

"Wood said Seacoast has not received any reports of identity theft related to the incident. He believes the hackers took advantage of the server’s size simply to play the massively popular video game and nothing more."

Mischief ...or something more sinister? I certainly have no idea ...but it's certainly not your typical hacking story.

The Invisible Line Between "Error" and "Data Breach" ...

noreply@blogger.com (Raf) — Fri, 24 Dec 2010 17:52:00 +0000

Just catching up on a quick story that's circulating (if you read the news like I do) on what is being called a data breach ...but is it?

The headline is "Santander Leaks 22,600 Account Details [source: computing.co.uk]" - but at what point does the line between accidental disclosure (or an "error") turn into a data breach?

I think the discussion needs to be had, and while Santander is doing the responsible thing here, when it comes to data breach laws in the US, how do we treat this? Where is the line drawn between "accidental disclosure" which is just that, accidental, and a data breach which is the result of negligence?

It would seem the entire discussion is based on cause, and whether the cause was "an accident in spite of due diligence" or rather "a result of a lack of appropriate measures" ...what concerns me is this text from the article-

The ICO confirmed that it will be investigating the breach.
"We have recently been informed of a data breach involving Santander. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken," said an ICO spokesperson.
"Under the Data Protection Act, organisations that process personal information have an obligation to keep it secure; therefore, it is a matter of concern if information such as account details have been incorrectly provided to the wrong recipient," they added.

So we turn to trying to figure out how to draw a line on intent ...and that's a very difficult thing.

DDoS'ing into Oblivion

noreply@blogger.com (Raf) — Sat, 11 Dec 2010 02:32:00 +0000

I don't know if you've noticed, but Distributed Denial of Service (DDoS) has taken the spotlight on center stage of this 3-ring circus we call the Internet.

If you don't know what a DDoS is, I suggest you go give Wikipedia a quick read, and maybe get WiFi in the cave.

What used to be a nuisance, and let's face it DDoS started out as a nuisance, has turned into an interesting and powerful weapon. Tools like LOIC which is released by "Anonymous" and the OWASP tool that essentially does a similar task against web servers using slow header payloads are brutal. These can cause serious outages and down web servers and entire sites, or even web farms.

Let's talk impact

Full pipe - a DDoS can fill your network pipe with junk traffic and effectively cut you off from the rest of the Internet
Overloaded server - a DDoS can actually completely overwhelm a piece of hardware, and cause the machine to die
Overloaded server - a DDoS can also overwhelm poorly (actually even no-so poorly) written software to completely stop responding and die
Software zombie - an interesting condition recently uncovered where a server is still completely responsive to other requests except that legitimate requests for targeted sites returning nothing at all
Huge bill - That's right, imagine paying for your Internet pipe by the megabyte... then you get a 100Mbit/sec flood for 12 straight hours ... you could go broke trying to pay that bill!
Bad PR - Imagine if you're launching a super-cool online game that some kid gets mad at and takes down your servers ...ouch!

Perfect example, Al-Akhbar's website has been decimated (and is still down) for a while now... interesting use of internet bandwidth.

So DDoS is a very versatile tool - and with literally millions and millions of zombie machines out there - maybe even YOURS - the attacker agents are plentiful. I wonder what the horizon holds for DDoS attacks ...it could be interesting.

The TSA Now Makes Fortune Cookies

noreply@blogger.com (Raf) — Tue, 23 Nov 2010 18:26:00 +0000

This is how you know you're going to get the "blue glover treatment" ...when the cosmos is trying to tell you something.

Oh crap...

Worried About Your Children Online? You Should Be...

noreply@blogger.com (Raf) — Wed, 17 Nov 2010 08:03:00 +0000

Fair warning - this will make you sick.

The headline on MonstersAndCritics.com reads:
"Germany indicts man who hacked webcams to film children"

The reality is that child predators have a much easier time on the Internet than they would in the real world ...and in this virtual world where they can be anyone they want to be the predator can be any age, sex, or personality to convince a child to put stuff onto their computer. What happens next is an all-too-real sad fact of modern life.

The question then becomes ...what do we do about this? Besides putting a needle into the arm of this bastard so he never hurts another child again ...what do we do? Is better control the solution? Anti-malware protection?

I think that ultimately the ownership of protecting your children is the parent's responsibility...and in the ever-increasingly connected world of the Internet parents need to arm themselves with as much knowledge as their children. Your 9 year old shouldn't be better at the computer than you are... plain and simple.

While you can't control every minute of every day of your child's life, we can certainly teach them from a young age that security "best practice" like not accepting unknown files from people they don't know or trust, or other things we have been trying to teach our corporate users for years, should be followed or there could be dire consequences. The notion of "stranger danger" applies to EVERYONE on the Internet... there are no "real people" unless mom or dad says so...unless mom or dad doesn't know better either?

Ultimately, parents, protect your children. Teach them well, and put in as many safeguards as you can technologically to ensure that these types of predators can't get at them online. It's just sick that human trash like this is allowed to exist... if I had my way justice for these animals would be swift...preferably with a large caliber to the skull.

Not Another TSA Rant

noreply@blogger.com (Raf) — Mon, 15 Nov 2010 16:21:00 +0000

Hold on to something ...I just had a very intelligent discussion with a manager (I will keep her name anonymous, I'd like her not to lose her job for talking to me) of the TSA shift here at O'Hare airport.

While you catch your breath ... let me reiterate how much I loathe the invasion of privacy and the scales of privacy vs. (actual) security being tipped way askew...

So here's what happened...

I was given the "sir, step over here into this machine" line from a woman who had the demeanor of a rabid coyote, to which I replied "No thanks, I'll opt-out".

After the customary 10 people screamed back and forth "We have an opt-out!" ... they told me to wait in the middle of the screening area, and since I insisted on keeping an eye on my bags (I reminded them of the public announcement playing on infinite loop) they had one of the gentlemen (clearly a very nice guy) take my stuff, put it aside and stand over it while I was frisked. This was interesting...

The guy giving me the "pat down" told me he was going to use the back of his hand in certain areas but never mentioned the "dirty uncle" treatment (front of hand on your junk) ... so I was left wondering. He performed what I actually felt was a rather thorough pat-down, checking inside my belt loops, my armpits, and all the other usual places a wacko would try and hide something illegal.

He did not do the "dirty uncle" ... and when he was done, was polite and said "We're done, thanks" and walked away.

I gathered up my stuff and walked off but I did feel compelled to walk over to the shift supervisor and ask her why it was that when I opted out of the strip-search machine I didn't even have to go through the metal detector. She didn't know, and even told me that "Yes, that is a little weird, but I don't have the authority to question the all-powerful policy." I sensed sarcasm in her voice... I liked that she was skeptical and a bit of a cynic.

We had a great conversation for a couple of fleeting minutes about the process that they go through here at O'Hare and how they actively avoid doing the dirty uncle pat-down ... and don't actually use the strip-search machine on everyone ...only the equivalent of the "random additional screening" that we used to see - remember that?

Then we talked about National Opt-Out Day (Nov. 24th) and she acknowledged that while it wasn't necessarily something she objected to (whaaaa?) it would muck up air travel and snag long lines and cause delays if enough people did it. We did come to an agreement that the balance between trying to keep the passengers secure and being totally invasive has gone too far into the invasive zone. Odd for a TSA Manager - wouldn't you say? I mean, this woman was intelligent, cynical and even questioned authority!

All in all, a positive experience. For all the shit we give O'Hare Int'l airport about the countless delays and other crap ... the TSA here isn't too brutally invasive - and we know they could be.

Good luck, share your experiences ...and don't submit to thuggery!

The Great Internet Kill Switch

noreply@blogger.com (Raf) — Wed, 03 Nov 2010 13:00:00 +0000

I stunned. Apparently I live in a country of scared lemmings. Check this out... this piece on the "Internet Kill Switch" by Fierce Government makes me want to cry.

Apparently 61% of the lemmings they called in this poll support the American President having an "Internet Kill Switch" in case we are attacked by a foreign nation.

"A clear majority of Americans would support giving the president authority to shut down portions of the Internet should there be "clear evidence" of a cyber attack by a foreign government, according to the results of a biannual poll of U.S. attitudes toward security."

I want to know who they called because clearly they didn't call anyone I know. Can you imagine the misunderstanding and paranoia that must be gripping the average user to have answered like that?

Anyone who has the slightest clue about how the Internet operates knows this isn't possible. The amount of work that would go into an "Internet Kill Switch" is insane - effectively hooking into every single ingress and egress point to/from the United States. Because the Internet itself was designed to be resilient to attack, and our internet service providers work hard on this principle - it would be impossible to build in a single kill-switch that would "turn off Internet access" to the rest of the world. Look at China! They've tried ...and are currently failing at doing this exact thing. China tried to build a choke-point through which "all Internet traffic in/out of China must pass" ...that's a big, fat FAIL there, Chief.

It's just insane to imaging how much re-engineering would have to be done to patch the "Big Red Button" (the kill switch) into every single possible path a packet could take in or out of this country.

Lunacy. What the hell is going on out there?!

Cyber War - Why It's Idiotic

noreply@blogger.com (Raf) — Tue, 02 Nov 2010 18:34:00 +0000

Let me first say that I'm overwhelmingly annoyed by all the "Cyber War" topic being Tweeted, blogged, and written about in the media. Please stop.

I had a very intelligent conversation a little while ago with Marcus Ranum at the ISSA Louisville Metro InfoSec Conference where him and I were both speakers - and much to my surprise we were on the same page regarding this whole "Cyber War" stupidity. War, by its very nature, is a destruction. The goal is to cause damage so that one group (presumably a nation-state) can take over another. This most often requires bloodshed, large amounts of resources, and most importantly - physical invasion. This is where the whole "Cyber War" silliness breaks down for anyone that understands anything.

The people I've seen and read spouting off about "Cyber War" and "Cyber Terrorism" and all that related cyber-whatever just don't get the main point. You can't take over another nation-state by "DDoS'ing" it off the face of the Internet. Cutting off my Internet, shutting down a power grid, or causing a possibly catastrophic event at the other end of an IP connection simply doesn't constitute a war. Now, if one nation-state were to openly attack the infrastructure of another, and cause, say, a nuclear meltdown killing millions - that could be an act of war ...but you'd have to make a stretch even to get that accepted.

You can't tell me that if tomorrow morning we woke up and there were billions of IP packets shooting off from Chinese Internet-space at our critical infrastructure components (wait, that's happening already isn't it?) we the United States of America would declare "Cyber War" ...and if you tried to tell me that I'd make a case to have you committed. In the virtual world, where packets buzz around, there are on bullets. There are no full-scale invasions. There isn't a displacement of cultural values by a military presence.

On a slightly different view - if Switzerland hired a bunch of hackers and completely took over the entire US Internet-connected presence - and I mean anything connected to an Ethernet cable - what would that mean? Would that mean that they then could "declare war on" the US and take over? I'd love to see them show up no our shores with their laptops and try... even if our defenses were crippled there is a sizable military presence here that would blow them to kingdom come once they were within reach of our shores. See my point?

So once again - "Cyber War" falls on its face as just a piece of hype that someone started and other clueless lemmings jumped on to make themselves look smart. Let me clarify for you - if you're talking about Cyber War as our biggest threat right now - you're an IDIOT.

Go Follow the Wh1t3 Rabbit

noreply@blogger.com (Raf) — Fri, 29 Oct 2010 04:10:00 +0000

Hey readers - if you haven't figure it out yet, I'm not updating this blog as often as I'd like to due to the day-job taking up most of my time. I still post here but it's not every day like it used to be ...

So if you're looking for content ...go and Follow the Wh1t3 Rabbit on my HP Web Application Security blog:

Following the Wh1t3 Rabbit - HP.com/go/white-rabbit

Thanks for reading ...keep it here, I'll keep posting!

"Not Valid Until Signed"

noreply@blogger.com (Raf) — Sat, 23 Oct 2010 15:42:00 +0000

I feel the need to blog this because it has everything to do with the state of security these days...

I went to my local post office the other day, and along with the normally grumpy man at the window in this one-room shanty I got a little extra attitude. As many of you reading this, I never sign the backs of my credit cards as a rule. I know it's really not buying me all that much in terms of security or fraud protection - but I figure if I lose my card I really don't want the jackass who tries to use it to also have my signature to copy later.

That being said, I bought a small book of stamps because there are still companies that require you to mail things in the post and went up to the window to pay with my credit card. The man at the window takes my card, swipes it, and then looks at the back of the card where instead of a signature it says "Require Photo ID" ... then hands the card back to me and says "Sign this or I can't take it".

I looked back at him curiously for a moment, then said in a polite tone "no". His answer to me was to hand me back the card and ask for a different form of payment. When I asked why - he told me it's because the "law requires me to sign my credit card ...see, it says so right there". Actually, he's wrong, there is no such law that I know of, and I've used that card a million times without ever being told to sign it.

So I took the card back, paid cash and left ... but now I have this burning question in my brain - can a merchant really refuse my card because it's not signed?

The answer, according to my Bank of America rep ... is absolutely NO. For the record, as far as I can tell, you are NOT required to sign the back of that card, and there is nothing that legally says you must ...

Of course, my local mailperson was just following the rules ...or trying to be the grumpy bastard he normally is ... or just doesn't know better. I don't know which of those (or all?) are true but the bottom line is I'm not going to sign my card, and you shouldn't either.

Paranoia: Everything is broken, revert to text

noreply@blogger.com (Raf) — Thu, 14 Oct 2010 19:38:00 +0000

I had to blog this, since I saw a post come across Twitter earlier from a friend of mine commenting on how some PR people are sending around press releases on PDFs to him.

So?

Oh, that's right ... PDFs are now considered tainted or potentially malicious attachments. So that means that you shouldn't ever open a PDF again? Or you COULD just run it through one of these online PDF conversion services, such as this one (http://view.samurajdata.se/) ...right?

But my point is a little deeper. Has the pendulum gone so far to the highly complex technologies side that we're now seeing a backlash against things like PDFs? Are PDFs now inherently untrusted attachments? If so ... do we revert back to text-only email?

Where does this end? What do you consider malicious attachments or technologies ...such that you'll avoid their use altogether?

Data Breaches - Who Really Loses

noreply@blogger.com (Raf) — Tue, 21 Sep 2010 02:28:00 +0000

It's unfortunate that when a data breach happens the real losers are those who have no stake in the matter whatsoever. In fact, the real losers in a case like that of the Lucile Salter Packard Children's Hospital at Stanford University are likely patients who have had nothing to do with this data breach.

When information is lost, the first thought often is to fine, fine, and fine again these institutions we find to be negligent in either securing their patient's data, or reporting the breaches. The problem comes in when the fines actually start hitting, and you come to realize who's really paying them. I'm all for levying large fines against institutions who neglectfully lose my patient health records, but is it really in my interest to fine the institution large sums when the costs will most likely simply be passed along back to me as the patient?

Think about it. Really think about who's paying the costs for the fines being levied against hospitals, doctors and other practices when patient data walks out the door with a computer like in this case. This $250,000.00 fine isn't coming out of the hospital administrator's salary. It's probably not coming out of the pool of money that gets paid to the hospital's top administrative team as a yearly performance bonus. Nope, it likely gets absorbed as an operating cost, and passed on either through higher rates or some other crap to the patients that end up there looking for care.

Let's forget the Lucile Packard Hospital case and take any particular medical establishment that has data breach issues. As yourself who makes the decisions to skimp on security and then who gets to face the media when it comes to being the scapegoat. It's interesting that I've never seen a clause that comes with these types of fines that says something to the effect of "fine must be paid out of hospital administrator's salary" or something like that. Of course, it'll never happen with the amount of money the medical industry spends lobbying our dear members of the government...

By the way, let's go back to this Children's Hospital for a second. If you read the article I reference you could almost be convinced the hospital did everything right, including launch its own investigation and determine that the patient information was in no way compromised, etc, etc, etc ...(wait ...what?). The incident centers around an employee who used a computer which had access to patient information (so the data access is computer-based, not user-based ...interesting access model, wouldn't you say?), and was allowed to walk off premises with the computer (how does something like this happen, in real life?)... and they're surprised that the computer was not recoverable?!

There are two stellar quotes in this article I referenced... one from Susan Flanaga, RN, COO, which reads

"The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."

I chuckled when I read that. These supposed advanced safeguards couldn't prevent a person who shouldn't walk out with a computer from taking it home with them? The other awesome quote is this one:

"Even though the investigation revealed that no patients were harmed and apparently no patient information was compromised..."

Wait ...how did he [Ed Kopetsky, the CIO] determine that? Since they could not recover the computer, how exactly did they know that none of the information was compromised? Isn't that the whole point?

I'm sure they could have been using full-disk encryption, combined with software that prevented the machine from booting off-site, combined with an automatic-self-destruction program ... but then the story would have been much less exciting and the fine probably wouldn't have happened. Right?

Oh well, I guess the costs get passed onto the patients, they throw on another "agent" to every one of the machines or have every employee sign yet another affidavit saying they won't steal data and life goes on...

100 Years of Credit Monitoring

noreply@blogger.com (Raf) — Sun, 12 Sep 2010 20:50:00 +0000

[steps on soapbox]

I don't know if you've noticed, and you probably have, but there have been a lot of data breaches lately. Every single silly one of them works just like this:

Company is negligent* with customers' data
Company gets breached
Company tries to sweep the incident under the rug
Company gets caught/noticed/outed
Company send "Sorry" letters and 1 years' worth of credit monitoring to customers

Now, if you have gotten one of these "We're [not really] sorry" letters you probably have found comfort in the fact that the company who just lost your data to an attacker who will use it against you is going to pay for credit monitoring for you.

Probably not though, since you already have gotten 4-5 other letters like this in the past year or so and you've already got all the credit monitoring you can possibly need, want or even stand. See, there is a key here that is lost on most people who happily accept this resolution and move on. The attacker who just took your data will use it for their own financial gain. Period. End of story. Full stop. These bad people don't raid databases and mass-compromise millions of machines because it's fun (although admittedly it can be- not that I would know) but because your pain is their gain. I hope that's crystal clear.

So this leads me to the next question my mind logically jumps to ...what if you sustain monetary or personal damages from one of these many data breaches. Obviously it's next to impossible (usually) to prove which one of the many, many breaches your data was a part of but even if you do ...what then?

Well, there are a few options you have:

Hope you've bought identity theft insurance and you can get your life on track
Hope your bank gives back all the money that was stolen (unless you're a business this is actually still fairly likely)
Cry
Sue someone
Be like 99% of the victims and do nothing...

So then. We've got a bit of a problem. Namely - you the consumer are screwed.

Here are several sad facts we're facing in the immediate future (if you've not already experienced these):

You will get several "We're [not really] sorry" letters from organizations who have your private data; many of which you shouldn't have given it to
You will have your identity compromised, and receive bills or collections notices for items you never actually purchased (well "you" did, but not you...you know what I mean)
These same organizations will not improve their overall security, many of whom see data breaches as a calculated financial risk and are willing to just deal with them
The same organizations will continue to be industry-regulation compliant (*cough* PCI DSS *cough*) and hide behind that when you try and legislate against them

So then... you have 100 concurrent years of credit monitoring, no one to pay for the actual damages poor security of your data causes you -leaving you stuck with the bill (this is the criminal's money now), and nothing changes.

I really wish someone would legislate a bill that would make the victim (interesting word to call the organization which just made you the victim) of a data breach financially and legally responsible for how that affects each and every single person in their compromised pool. Of course there are the difficulties proving that your difficulties came from any specific breach, etc, etc, etc - but at least this type of action would start to put the fear of God into these irresponsible organizations...and then I woke up, right?

[steps off soapbox]

Ambition Over Intelligence - Twitter, OAuth, and Wrong

noreply@blogger.com (Raf) — Sat, 04 Sep 2010 03:54:00 +0000

If you're using Twitter, and most of you are, you've probably had your client break in the last day or few? If you haven't it's because your client is either written by the folks over at Twitter themselves, or you've updated your client very very recently.

If you do a web search for "hacked twitter account" you'll get thousands upon thousands of entries. Most of them are from celebrities crying that their Twitter account was hacked when in fact someone guessed or deduced their lame password and used it to post even more insane things (or less insane?) than the celebrity would post themselves. At any rate ... all this craziness about hacked accounts has no doubt prompted Twitter to do something to increase security.

Unfortunately, as with many things so far in its short life, Twitter got it wrong.

The Ars Technica piece here [Titled: "Compromising Twitter's OAuth Security System"] probably says it much better than I can - so I urge you to go read this brilliant piece of technical writing. Ryan does a masterful job breaking down the issues with OAuth, the problems Twitter has with their specific implementation, and some of the reason why hacking Twitter "consumer keys" will be a hobby for bored school-kids for the foreseeable future. I will, however, add my own commentary as I always do.

By the way, Ryan also wrote an OAuth primer (dealing with OAuth and OAuth WRAP) which you should probably read if you haven't already... it explains some of the OAuth details and behind-the-curtains issues that make it a flawed setup from the word go. Seriously, mega-kudos Ryan, great chunk of writing there.

So as the title of the post says, ambition got the better of Twitter it seems. While I'm ordinarily on the other end of this conversation urging technology to leave laggards behind, a technology socially rooted in its 3rd party applications like Twitter will suffer for their ambition, unfortunately. Choosing to pull the trigger and disable basic authentication was a big move - but using their own version of OAuth (filling in some of OAuth's inherent holes) is a big mistake.

You see, we're back to a function vs. security conversation. What do you really care about? Do you want your social medium to be explosively adopted by virtually any 3rd party... or do you want to provide the illusion of better security? A tough call right?

Twitter's biggest misstep in my humble opinion is threatening to invalidate secret consumer keys once they're discovered and published. I think this is a major flaw in OAuth to begin with - but completely invalidating keys that are embedded in software particularly when it could cause a very interesting effect such as developers knocking each others' products off of Twitter's good graces. Can you imagine the carnage?

I think it'll be interesting to see what transpires. I'm just angry I guess that my 2 favorite Twitter clients haven't worked (and still don't work today...although I guess I need to blame the app developers more than Twitter, right?) and it's making me cranky.

Oh well ...maybe I'll actually be productive and be forcibly social, in real life.

Dinosaurs [in the county court]

noreply@blogger.com (Raf) — Wed, 21 Jul 2010 03:11:00 +0000

So ... I was in the Cook County Court in Rolling Meadows, IL Monday morning.

The reason doesn't matter ... OK, I had a "great driver" citation I had to take care of ... but as I was called up to the counter I started getting that sinking feeling in the pit of my stomach.

As I glanced over to my left, as she was typing, I noticed a few things. First, her machine was running Windows XP, which I guess isn't all that bad considering the pace of change in local government and technology. I mean, didn't they just get off of rotary phones like last year?

Next, I noticed that the screen she was typing into was one of those emulated VT100 screens, running some proprietary terminal application connected to a server at 10.100.101.98 on port ...*facepalm*... port 23.

That's right kids, this was my vehicle and drivers history all at her fingertips over telnet.

Now - before I freaked out I reminded myself that this was a closed-ended network ...and that it was probably pretty hard to get onto their network... that is until curiosity got the best of me and I turned my iPhone's WiFi antenna on... and found that there were 4 networks in range, one appropriately titled "Clerk_Gen" running ...wait for it ... WEP encryption.

Alright, I stopped short of hopping onto their network and connecting to that VT100 terminal to find anything I could ... but how hard would that be? I mean, seriously? They're using telnet obviously clear-text and they're using WEP encryption for their wireless access points?

I give up.

Is It Even A Question?

noreply@blogger.com (Raf) — Thu, 15 Jul 2010 01:31:00 +0000

So, what you're saying is by installing this plug-in to Chrome, which I haven't seen or vetted the source code for, I'm giving it access to my data on all websites and my browsing history?

Why would a paste-bin tool need access to my browsing history? Shouldn't this plug-in be enabled on a per-site basis, where I want to use it rather than give it global access to everything I browse?!

Why would anyone in their right mind click the Install button!? Or am I just that paranoid?

When All Else Fails ... Sue

noreply@blogger.com (Raf) — Tue, 13 Jul 2010 02:53:00 +0000

Just a quick note because I can't believe what I'm reading this morning. It's been all over Twitter, and now it's written up in Forbes Online ...

Headline Reads:

"LIGATT Security International and Gregory Evans Sue Alleged Stock Bashers Chris Riley, Nisha ..."

Wowza. I almost spit my coffee through my nose this morning when I read that! There are so many things that I want to say in comment - but I will limit them to the (mostly) factoid-based thoughts...

Maybe I'm missing something ...but looking up this pink-sheet stock (LGTT.PK) shows a healthy $0.00 value ...which is about right
How is LIGATT's legal team going to prove that Chris and the others manipulated a stock that has zero value?
What lies were these people spreading? I seem to recall many non-truths that Greg and his thinly veiled personas were spreading via Twitter ...

The best is this quote ... from Greg Evans himself:

"Evans explains that he hopes to set a trend by starting these investigations. "Once we begin suing bashers, other OTC companies will follow. 99% of these people who are bashing the company's stock have never ran a business, or know anything about business. They think that they can spread lies about a company with no repercussions, and that will not happen with LIGATT," says Evans."

Gotta love wishful thinking right?

Hey, he is the world's #1 Hacker ...and he did take Kevin Mittnick "under his wing" (which Kevin completely denies), and he is a CISSP ...or maybe he just made everything up.

Hotel Maid = Security?

noreply@blogger.com (Raf) — Thu, 08 Jul 2010 13:28:00 +0000

I'm not easily impressed anymore.

That being said, I can't tell you how many times over the years, given the number of hotel rooms I've been in, I've walked back to my room only to find that it was being cleaned ...door propped wide open, maid inside happily cleaning away - and I walked right in.

So this morning I felt like I had to give some kudos where it's very rightfully deserved, because I'm impressed.

I'm staying in the Delta Beausejour Hotel here in Moncton, N.B. Canada, so for a boutique hotel in a small northeast Canadian city I wasn't expecting much in the way of security. Boy was I wrong!

Big kudos to the maid who was cleaning my room, because when I tried to just barge right in, she quickly yelled "Wait, stop!", then jumped in front of me, slammed the door shut and waited for me to use my room key card to get in.

I've been in several different countries, hundreds of different hotels throughout the world ...and this is the first time this has happened. Typically the maids will just say hello and politely step aside as you walk into the room - whether it's really yours or not! Not this time, not here in Moncton.

Bravo! Now, if every hotel could be like this, I would feel the need to carry everything valuable with me when I walk out of my room. Bravo indeed.

All Your Metrics Are Belong To Us

noreply@blogger.com (Raf) — Fri, 25 Jun 2010 16:09:00 +0000

Just a quick note to help out the greater InfoSec community - Securosis via Rich Mogull is doing a big survey - and I know you guys love surveys - which you may win an iPad for if you particpate. I mean, seriously, who doesn't want a free iPad?

When you go to fill ie out, use the Registration Code: Whabbit so I can track who fills it out from my readers.

Thanks you guys - I know we all whine about how security never has enough metrics - well now if your chance to fix that. Let's GET CLICKING!

Click HERE TO FILL OUT THE SECUROSIS SURVEY!

/Raf

LIGATT, Goatse Security, and Common Freakin' Sense...

noreply@blogger.com (Raf) — Mon, 21 Jun 2010 22:17:00 +0000

Well - it's been an eventful few weeks - and as most of you have noticed I haven't been writing as much. There is a reason for this: I am spending a good deal of time blogging for the primary blog of my employer (link at the bottom) where I am adding significantly more value to the community than my rants here have of late.

That being said - let's make no mistake - I'm still going to blog here and express opinions and clue you guys in on stuff that I think you should read ...so here we go.

LIGATT - Congratulations, Gregory Evans, you've now officially become a household word in the security community... although I'm sure it's not the way you intended. Today on Twitter a new definition of a "ligatt" was born ...and it's a verb meaning "to make up something so far fetched that when examined, it unravels. For example, 'I drove my car to the moon today' ". That little nugget comes from @dicipulus on Twitter folks - brilliant. I know many of you have had a good time bashing these people - but I swear I'm still waiting for someone to pop up and yell "April Fools!"...
Goatse - You, dear iPad email enumeration-script-builder, get the SuperPwn award. You've not only shown a pretty clever little hack (ok, this really isn't a hack but whatever) - and at the same time made millions of people go Google goatse ... you win, twice. Enjoy the prison sex.
Common Sense - Currently apparently stuck on the tarmac awaiting extradition back to the land of reality. What the hell is the world coming to when we can't even get the concept of vulnerability research disclosure down to a reasonable amount of circus? This is sickening. I refuse to perpetuate the stupidity others have already pointed out but what I'm going to instead point out is this - how much control over your private time does your employer have? What can you do on your private time that your company/employer cannot fault you for? I guess that all depends on the paperwork you signed when you joined right? Where does the line of employer-employee relationship end and someone's private life begin? This goes way beyond the fact that the media "journalists" in technology are obviously bored and need something to stir up controversy so they pick this Google vs. Microsoft sore to poke at ...really? I think there's more to it than that ... my private life is my private life - and whether I choose to publicly blast a company's stupidity or not on the Internet should be of no concern to my employer as long as I make it clear the opinions are mine only and I do it on my own time. Right?

Anyway ... it's just sad what passes for news lately, and how pathetic things have gotten. I guess I'm thankful that I have an employer who can still tell the difference between my private time and private life and my job. Anyway ... love to hear your comments as always via Twitter or here over over email.

Don't forget, the Following the White Rabbit blog has a new platform, and can be reached here [ http://www.hp.com/go/white-rabbit ]... please check and update your RSS readers and let me know if something's broken!

...and yes, the opinions and thoughts expressed here ARE my very own, on my own time. That is all.