Posted: 06 Aug 2008 08:21 AM CDT
Posted: 06 Aug 2008 03:02 AM CDT
Chris Pirillo made an update regarding his losing US$450 from his PayPal account.
The post of his includes some tips (known to most of us, but no harm in repeating) on how to stay (more) secure when it comes to PayPal and online shopping:
(cut'n'pasted from Chris' post)
He explains the case here:
Do You Have a Problem with PayPal?
Posted: 06 Aug 2008 02:43 AM CDT
This adds up to a nice round €100 billion. The Telegraph didn't say whether that is American billions (thousand million, 10^9) or English billions (million million, 10^12), and given that the Templars were The World Bank of the turn of the previous millennium and there's 700 years of interest involved, it's not obvious how many zeroes need to go at the end.
Last October, the Vatican released copies of the parchments documenting the Templar Trials after they had been "misfiled" for over three hundred years. (My house has nearly as many books as the Vatican, squished into a much smaller space, so I completely understand how that could happen.)
These parchments reveal that in fact the Templars were found to be not guilty of heresy at the time, but Pope Clement V let them be disbanded and burned at the stake anyway because King Philip IV of France was being really cranky about it. (If you follow US foreign policy, you should completely understand how that could happen, as well.)
The major dodgy thing about the suit is that the Spanish group claims that their suit is not to reclaim damages but only to restore the good name of the Templars. Yeah, uh huh, sure. Then why aren't you suing for a single Euro?
Perhaps the Freemasons will weigh in on this. Among the many Fun Templar Facts, there's a surprisingly good theory that they were founded by escaped Templars. Other Fun Templar Facts include that Friday the 13th is considered unlucky because that's when they were all rounded up; that the burned Templar Grand Master, Jacques de Molay, was the 23rd Grand Master; and that Jacques de Molay was the inventor of Molé sauce.
Photo is of Jacques de Molay being sent to burn at the stake, via the GETTY and the Daily Telegraph web site.
Posted: 06 Aug 2008 02:24 AM CDT
Vendor parties during Black Hat USA are always interesting, because the conference is in Las Vegas. Here is a list of vendors that I know of that are throwing parties this year at Black Hat USA 2008.
Tuesday, August 5th
Wednesday, August 6th
Thursday, August 7th
Saturday, August 9th
Know of any other parties that aren’t on the list? Post a comment or send us an email and we can share the joy.
Posted: 06 Aug 2008 02:01 AM CDT
This year's SWAG bag for Black Hat USA 2008 is pretty cool. Included in the bag is a Moleskine-like notebook, PayPal OTP token, Black Hat pen/highlighter, Black Hat sticker and of course all the presentations from the conference. The shoulder bag is actually usable, which is somewhat rare for conference bags. Thanks Black Hat!
Posted: 05 Aug 2008 10:59 PM CDT
Posted: 05 Aug 2008 10:54 PM CDT
By JOHN MARKOFF
A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.
The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords and do other forms of damage, according to computer security investigators.
Posted: 05 Aug 2008 03:44 PM CDT
Verified Identity Pass, Inc., which runs the Clear service, has lost a laptop containing information on 33,000 customers. According to KPIX in "Laptop Discovery May End SFO Security Scare", the "alleged theft of the unencrypted laptop" lost information including
We are also told:
Two levels of passwords. Wow. I guess you don't need to encrypt if you have two levels of passwords.
The TSA suspended enrollment of new customers, but existing customers can still use the service. So if you stole the data and can use it, you're Clear.
Posted: 05 Aug 2008 02:08 PM CDT
Well, I'm leaving shortly for Blackhat and Defcon. For half the time at Blackhat I'll be working the nCircle booth, feel free to say 'Hey'. Look me up while you're there, or message / email me and I'll pass along my cell so that we can text. I'll also be updating twitter as much as I can and blogging when I can.
This is my first time heading down to Vegas so I'm looking forward to having quite a bit of fun.
Posted: 05 Aug 2008 01:55 PM CDT
Black Hat has embraced the social networking site Twitter for this year’s Black Hat Briefings USA 2008. Follow the official Black Hat USA 2008 account on Twitter and get live updates from the conference. There are also a bunch of "Security Twits" attending this year’s event and the best way to track all the chatter is to monitor #blackhat on twitter.
Posted: 05 Aug 2008 01:49 PM CDT
Posted: 05 Aug 2008 01:36 PM CDT
I just posted over at my CW blog about the lost laptop from the company running the Clear program. Whiskey Tango Foxtrot, over?
When you read, take a look at the quotes I found from their website. Friggin’ classic.
Posted: 05 Aug 2008 12:03 PM CDT
Posted: 05 Aug 2008 11:36 AM CDT
It’s that time again. It’s 110 degrees in Las Vegas and if that wasn’t causing the locals enough worry, the yearly invasion of hackers this week certainly will. Expect to see more humongous LCD displays blue screen and guys walking around in the heat wearing black leather trenchcoats (that’s dedication!).
Anyway, it looks like there will be a lot of cool stuff happening at BlackHat, and here are some of the talks and events that I am looking forward to on Day 1:
Anyway, if anyone is trying to hunt me down, DM me on Twitter.
Posted: 05 Aug 2008 04:57 AM CDT
I could ramble on about Mylol for pages and pages, but let's face it - there's no need to. We all know it is one gigantic train-wreck of biblical proportions.
I still don't know who could come up with the idea of a "teen dating site" without immediately thinking this might be the worst idea ever, but oh well. I've already drilled down into the site previously, so this time round let's go with some general observations. Checking the email account I used to sign up, I can see I've become pretty popular in my absence:
Can you guess what kind of content is in every single message I opened up? No prizes, but...
Well fancy that, hot chicks from Africa wanting to be my wife. Roll up, roll up kids, it's time to get scammed! If you try and register on the site, it won't let you if you're under 13:
However, you can still go trawling through the profiles and go hunting for 13 year old girls, a good slice of which have pictures and personal info readily available like phone numbers or whatever:
Yeah, 3000+ of them! 3000+ slices of hot teeny action to get all excited about! Woo! Hooray for creepy old guys with stunningly easy access to teenage kids handing out their phone numbers and names left, right and center! I cannot believe the ability to search for 13 year old kids on this digital trainwreck has NOT been switched off.
Then again, their terms of service are completely nonsensical anyway. Here's a random example of "stuff not to do":
(h) provides material that exploits people under the age of 18 in a sexual or violent manner, or solicits personal information from anyone under 18;
How are they supposed to prevent anyone soliciting personal information from anyone under 18 when they offer membership to anyone 13 years of age or older in the first place?
Trawling through the profiles themselves is an exercise in extreme creepiness. Apart from the weird-assed pics of young girls posing in their underwear, you keep seeing exchanges like the following. It starts off (sort of) innocently enough, but see if you can spot where it all goes horribly wrong:
...ick. Anyway, here's a comment left on her page:
....actually, it's probably a really good thing she's not in the UK. Why?
Oh, perhaps because Davy Boy is TWENTY YEARS OLD AND TELLS 13 YEAR OLDS THEY LOOK SEXY. Do I hear the Party Van rolling in to town?
Jeez. If ever there was a time I would pray to God and ask him to bless me with the ability to punch people in the face over a standard TCP/IP Protocol, now would be it. Don't even get me started on this guy, who claims to be a sexy 14 year old boy looking for a 13 to 18(!) year old girl to text and meet. Fourteen? This guy is never, ever fourteen, is he? Incidentally, his Mylol profile (which I'm not linking to) has someone on his friends list who looks like an extremely young girl in some kind of underwear / hotpants setup posing for the camera. It is, as you might have guessed, extremely freaking creepy.
/ Edit - publishing a newer entry appears to have screwed up this post, I think I got most of it back though.
Posted: 05 Aug 2008 12:05 AM CDT
Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how you believe attackers will behave. This is somewhat unusual in two ways: first, it implies the need for a dynamic analysis, and second, that analysis will only function if we have data.
We often apply a very static analysis to attackers: they have these capabilities and motivations, and they will stick with their actions. This paper shows a real world example of a place where as attackers get more resources, they will behave differently, rather than doing more of what they did before. So actually operating a secure Tor system requires an understanding of how certain attackers are behaving, and how they choose to attack the system at any given time.
There's a sense in which this is not surprising, but these dynamic models rarely show up in analysis.
Bonus snark to the Colorado team: why don't you buy a botnet and see what you can break? (The Colorado team is the people Chris blogged about in "Ethics, Information Security Research, and Institutional Review Boards.")
Posted: 04 Aug 2008 09:56 PM CDT
Posted: 04 Aug 2008 09:48 PM CDT
Posted: 04 Aug 2008 07:05 PM CDT
When I saw the claim that a new, cheap means of energy storage had been found, my first response was 'says who'.
Then I discover that the claim comes from MIT, which makes something of a difference. Claims of this sort tend to fall short of reality. When the claim comes from the MIT press office it is rather more credible than when it comes from Fred Blogs working out of his garden shed.
While I was at Oxford the 'discovery' of cold fusion was the daily topic of conversation in the Nuclear Physics Lab coffee room for months as news came in from the nearby Rutherford lab's attempts to duplicate the result.
The first computer security related angle to the story is: provenance matters, especially on the Internet where anyone can join the conversation.
But the second angle is that energy management is one of the trickiest problems in data center design. In the case of a mission critical data center, energy security is part of the total security consideration. As a well known security expert put it to me, the electricity grid is the ultimate 'just in time' system. There is very little storage in the system and what little there is tends to be far from the places where it is used.
Posted: 04 Aug 2008 03:18 PM CDT
Posted: 04 Aug 2008 11:08 AM CDT
Last year Didier Stevens wrote up some of the precautions he took for Black Hat Europe 2007. My work laptop is already using whole disk encryption, so I’m not worried about that and I’ve never put any sensitive information on my Mac Book Pro. I’d say updating your OS and making backups before heading out are very high on my to-do list. I have Time Machine working on the MBP right now.
Posted: 04 Aug 2008 10:43 AM CDT
Dan Solove sent me a review copy of his new book, "Understanding Privacy." If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove's approach. That's not to say it's perfect or complete, but I think it's an important intellectual step forward, and perhaps a practical one as well.
I'm going to walk through the chapters, and then bring up some of my responses and the reasons I'm being guarded.
Chapter 1 is "Privacy: A Concept in Disarray." It lays out how broad and complex a topic privacy is, and some of the struggles that people have in defining and approaching it as a legal or social science concept. Chapter 2, "Theories of Privacy and Their Shortcomings" lays out, as the title implies, prior theories of privacy. Having thus set the stage, chapter 3 "Reconstructing Privacy" is where the book transitions from a review of what's come before to new analysis. Solove uses Wittgenstein's concept of 'family resemblances' as a way of approaching the ways people use the word. Privacy (as I've commented) has many meanings. You can't simplify it into, say, identity theft. Solove uses family resemblances to say that they're all related, even if they have very different personalities. Chapter 4, "The Value of Privacy" points out that one of the reasons we're losing privacy is that it's often portrayed as an individual right, based on hiding something. In policy fights, society tends to trump individualism. (Which is one reason the Bill of Rights in the US protects the individual.) Rather than calling for better protection of the individual, this chapter explores the many social values which privacy supports, bringing it closer to equal footing, and providing a policy basis for the defense and enhancement of privacy because it makes us all better off.
Chapter 5, "A Taxonomy of Privacy" is the core of the book. The taxonomy is rich. Solove devotes seventy pages to expounding on the harms done in not respecting privacy, and discussing a balance between societal interests of privacy and the reason for the invasion. In brief, the taxonomy is currently:
I'm also concerned that perhaps this isn't a taxonomy. If you read the old posts in my taxonomies category, you'll see that I spent a bunch of time digging fairly deeply into what taxonomies are, how they come about, how they're used and abused. I don't think that Solove's taxonomy really fits into the core of a taxonomy: a deterministic way to classify things which we find, which various practitioners can reliably use. As in my example of the call centers, the flaws are legion, and some of my classification may be wrong.
At Microsoft, we use STRIDE as a "taxonomy" of security issues (STRIDE is Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) I think, as a taxonomy, STRIDE is lousy. If you know about an issue, it's hard to classify using STRIDE. The categories overlap. On the other hand, it's very useful as an evocation of issues that you might worry about, and the same may be said of Solove's taxonomy. I also don't have a superior replacement on hand, and so I use it and teach it. Taxonomy-ness is not next to godliness.
My other issue with Solove's taxonomy is that it doesn't recognize the issuance of identifiers, in and of itself, as a privacy issue. I believe that, even before the abuses start, there are foreseeable issues that arise from issuing identification numbers to people, like the Social Security Number. The act of enumeration was clearly seen as an invasion by the Englishmen who named the Domesday Book. The ability of the US government to even take a census is tied directly to the specified purpose of allocating legislative seats. I see it as self-evident, and haven't been able to find the arguments to convince Solove. (Solove and I have discussed this in email now and then; I haven't convinced him.)
Chapter 6 Privacy: A New Understanding closes the book with a summation and a brief discussion of the future.
The book has a strong policy focus. I am very interested in understanding how this new understanding intersects both broad laws and legal principles (such as the Fair Information Practices) and specific law (for example, HIPAA). The FIP, the OECD privacy statements, and Canada's PIPED act all show up in the discussion of secondary use. I'm also interested in knowing if an organization could practically adopt it as a basis for building products and services with good privacy. I think there's very interesting follow-on work in both of these areas for someone to pick up.
I also worry that privacy as individual right is important. Even though Solove makes a convincing case that that's a weaker policy basis than the one he lays out, that doesn't mean it's not to be cherished as a social value, and I feel that the view of privacy which Solove presents is weaker to the extent that it fails to embrace this.
In closing, there are three major elements to the book: the first is to take us past the definitional games of "what is privacy." The second is a serious attempt to address the "what do you have to hide" approach to privacy. The third is the taxonomy. Two of these would have been a pretty good book. Three are impressive, even as I disagree with parts of it. Again, this is an important book and worth reading if you work in or around privacy.
Posted: 04 Aug 2008 09:55 AM CDT
Let me run with the pack and put up my own "off to Black Hat" post. I leave Tuesday actually and won't get there until Tuesday evening. I will be on a red eye home Thursday night/Friday morning. In this way I don't break my own three day rule on Vegas. What is my three day rule? Suffice to say that it prevents me from spiraling down into the bowels of degeneracy.
So what am I looking forward to at Black Hat? The Dan K / DNS stuff should be fun. I will be cheering on my boy Hoff and I always sit in on Jeremiah. But let's face it, I am there for the party and catching up. I am looking forward to throwing a few back with Rothman. Seeing Martin, Mogul and the rest of the bunch. There are always good parties of course and free drinks and food never hurts.
Of course I will also spend some time at the StillSecure booth shaking hands and kissing babies. If you would like to say hello feel free to stop on by.
Also, a quick thanks to all of the members of the SBN for their support on our Black Hat affiliation. The last few weeks have seen a bunch of blogs raising the buzz on the conference.
Posted: 04 Aug 2008 07:37 AM CDT
A while back, I helped facilitate a group of parents to develop their knowledge and awareness related to their own and their children's use of the Internet.
Posted: 04 Aug 2008 05:32 AM CDT
For my Black Hat talk I had to come up with some made-up terms in order to find sensible enough categories in which my material actually fits. So, I will put them all up here for feedback from the audience.
Cross-context Request Forgery
CCRF (Cross-context Request Forgery) is the generalized form of CSRF (Cross-site Request Forgery). Although the general notion is that CSRF only applies to site-to-site types of attacks, the reality is very different. CSRF attacks can also be applied to application-to-application attacks and many other forms. I find that the word
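The defensive counterpart of the point above, as an added example that is not from the original post or from GNUCITIZEN: a state-changing request must carry a secret the requesting context cannot obtain, whatever that context is. The code below models the synchronizer-token pattern together with an Origin/Referer check, and runs it over three constructed requests: a legitimate same-origin form post, a forged post from another site, and a forged post from a non-browser context that sends no Origin or Referer at all (the "cross-context" case, which an Origin-only check would not catch). The origin bank.example, the session cookie name and the dict-shaped request are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for the example: a per-process server secret and the one origin
# the application trusts. A real deployment would load both from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-forgery token from the server secret.

    Because the token is bound to the session and never placed in a cookie,
    a forging context (another site, another application) cannot read it,
    even though the browser will happily attach the session cookie for it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_trusted_origin(headers: dict) -> bool:
    """Check Origin (or, failing that, Referer) against the trusted origin.

    Absence of both headers is treated as untrusted: a request that arrives
    from a non-browser context typically carries neither.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def accept_state_changing_request(request: dict) -> bool:
    """Return True only if the session, origin and token checks all pass."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return False  # no authenticated session, nothing to forge against
    if not is_trusted_origin(request["headers"]):
        return False
    supplied = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(supplied, expected)


# Constructed sample requests. The session cookie is present on all three,
# because the browser (or the hijacked application) sends it automatically.
SESSION_ID = "sess-123"

LEGIT_REQUEST = {
    "cookies": {"session": SESSION_ID},
    "headers": {"Origin": TRUSTED_ORIGIN, "Referer": f"{TRUSTED_ORIGIN}/transfer"},
    "form": {"amount": "450", "csrf_token": issue_csrf_token(SESSION_ID)},
}

FORGED_CROSS_SITE = {
    "cookies": {"session": SESSION_ID},
    "headers": {"Origin": "https://evil.example"},
    "form": {"amount": "450"},  # no token: the other site cannot read it
}

FORGED_OTHER_CONTEXT = {
    "cookies": {"session": SESSION_ID},
    "headers": {},  # e.g. a local application replaying a request: no Origin
    "form": {"amount": "450", "csrf_token": "guess"},
}


def run_checks() -> dict:
    """Evaluate all three sample requests; only the legitimate one passes."""
    return {
        "legit": accept_state_changing_request(LEGIT_REQUEST),
        "cross_site": accept_state_changing_request(FORGED_CROSS_SITE),
        "other_context": accept_state_changing_request(FORGED_OTHER_CONTEXT),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The token check is the one that generalizes: the origin check only helps when the requesting context is a browser that sets those headers, whereas the token is required regardless of where the request came from, which is exactly the gap a "cross-context" view of request forgery points at.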
In a similar fashion to CCRF, Cross-context Scripting (XCS) is the generalized form of Cross-site Scripting (XSS). Many people are very ignorant when it comes to XSS attacks. They believe that they are only present within Websites. Well, in reality they are everywhere. This category will summarize all XCS attacks including vulnerabilities that affect Websites and other Client-side Web-based technologies.
Command Fixation Attacks
There is a growing trend of using features built into client-side technologies which allow attackers to execute commands on behalf of the user without authorization. I call them Command Fixation Attacks and in some cases Parameter Fixation Attacks, as they are very similar to the Session Fixation Attacks well known in the Web security world. This section will describe numerous case studies within this category.
Needless to say, the talk will include a wide range of design bugs some of which you might be already familiar with due to the fact that I’ve already blogged about them on GNUCITIZEN. There will be several new exploits and design conditions which haven’t been discussed in the public yet.
Posted: 04 Aug 2008 12:23 AM CDT
Black Hat USA is only a few days away, and I think the conference gets bigger each year. There are eight different tracks during the Black Hat Briefings, and many of the presentations sound interesting. Because there are so many choices, we decided to gather our top five picks for sessions you can’t afford to miss:
1) Black Ops 2008: It's The End Of The Cache As We Know It by Dan Kaminsky
DNS is at the heart of every network — when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct — but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.
2) Xploiting Google Gadgets: Gmalware and Beyond by Tom Stracener and Robert Hansen
3) MetaPost Exploitation by Val Smith
When penetration testing large environments, testers require the ability to maintain persistent access to systems they have exploited, leverage trusts to access other systems, and increase their foothold into the target. Post exploitation activities are some of the most labor intensive aspects of pen testing. These include password management, persistent host access, privilege escalation, trust relationships, acquiring GUI access, etc. Penetration testers acquire hashes, crack them, keep track of which passwords go with which usernames / systems and finally reuse this information to penetrate further systems.
This paper will first cover the technical details of these topics as well as some examples of manual methods currently in use during penetration tests. Next we will present some improvements to these techniques and demonstrate some tools we have developed which can be integrated with other popular applications such as Metasploit. We will also demonstrate automated methods for using collected password intelligence to penetrate massive numbers of systems. Finally we will suggest some future directions for this area.
4) The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation by Nathan McFeters, John Heasman, and Rob Carter
The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browser flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged directly to compromise the host… by design?
This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. Combined with a rapidly increasing corporate interest in "outsourcing" applications to the browser, this fast paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?
This is NOT another talk focused on XSS or CSRF, it’s about issues and vulnerability classes that have not been discussed anywhere else. You get all of this from some legit, good looking security researchers, what more could you ask for?
5) Pushing the Camel Through the Eye of a Needle by SensePost
In 2007 SensePost demonstrated how DNS and Timing attacks could be used for a variety of attacks. This year we take those attacks further and show how small footholds in a target network can be converted into portals we can (and do) drive trucks through! With some updated SensePost tools, and some brand new ones, we will demonstrate how to convert your simple SQL Injection attacks (against well hardened environments) into point and click (well, type and click) ownage, how the framework management pages you never knew you had can double as our network proxies, and why despite all of the hype around SQL Server 2005, we still enjoy finding it behind vulnerable web applications. The talk is fairly technical and expects that the attendees understand the basics of Web Application and Web Browser based attacks. Attendees will leave with new attack vectors, a couple of new tools and some thoughts on future directions of these attacks.
We will be posting our picks for each time slot soon, and stay tuned for our coverage!
You are subscribed to email updates from Black Hat Security Bloggers Network