Wednesday, August 20, 2008

Spliced feed for Security Bloggers Network

Google hacking the Olympics [The Dark Visitor]

Posted: 20 Aug 2008 06:08 AM CDT

Johnny Long, the well-known Google search hacker, linked to a very interesting blog post about the controversy over Chinese gymnast He Kexin. In it, he uses some Google hacks on Baidu (the most popular Chinese search portal) to come up with two cached spreadsheets that show He’s birth year as 1994, which would make her ineligible for the Olympics.

The documents were apparently removed from the government website where they were originally found. Then again - it could have been that the original government documents were wrong and her birth year has been 1992 all along. I can’t say for certain.


Network Security Podcast, Episode 116 (With A Lot Of Bad Words) []

Posted: 19 Aug 2008 11:19 PM CDT

A bit of a different episode this week. Since Martin is traveling, rather than a guest host this week we’re posting the last of the interviews recorded at DefCon, but this one is a doozy. David Mortman, Dave Maynor, Chris Hoff, Robert “RSnake” Hansen, and Larry Pesce joined us immediately after we all finished our DefCon panel. Martin, as the sober one, interviews us as we record what is our first clearly explicit podcast. Yes folks, we hit all 7 dirty words plus a few bonuses. Not to worry, we do include some content as we discuss what we covered in the panel and whatever other topics flew into our adult-beverage-addled brains. We had a heck of a lot of fun putting the DefCon back into DefCon, and we hope you enjoy this little slice of the unfiltered.

Yes, this really is an explicit episode, so consider yourselves warned.

Network Security Podcast, Episode 116

Length: 24:00 (or so)

Visual Forensic Analysis []

Posted: 19 Aug 2008 10:00 PM CDT

During the second day at Black Hat, somewhat depressed by yet another futile attempt to locate coffee, and fighting human gridlock, I decided that it was no longer worth the effort and simply sat down in the nearest conference room. And I am glad I did, as that random selection of presentations turned out to be one of my favorites of the week. The presentation was called Visual Forensic Analysis and Reverse Engineering, presented by Gregory Conti and Erik Dean. I would offer a link for you, but I have been unable to find the slide deck online. It is on the CD that was included in the Black Hat goodie bag for those of you who attended, and some of the discussion points are located here.

The Conti & Dean presentation shows how to identify the contents of, and even reverse engineer, binary files using different graphing techniques. By producing ‘dot plot’ and ‘byte plot’ views of binary files, you can very quickly detect certain patterns within the binary file that tell you what is contained within it. Much like a human fingerprint, uuencoded content, text, Word documents, bit mapped images, JPEGs, compressed files, and encrypted files each have unique visual signatures. For files that may contain several items, it was easy to pick out the beginning and ending points of blobs within the file, and then examine specific binary objects in more detail. They showed a couple of examples of extracting image files from a huge binary file in less than 30 seconds.

You know you are a geek when …

I remember that in the early 90s, when I was debugging core dumps, I was often just winging it. You really did not have a valid stack trace, so you were rummaging around memory looking for something unusual, or some pattern that gave you a clue to what went wrong. It was more art than science, and it was usually some visual clue or something that just did not look right when you found the root cause of the bug. Again in the mid-90s I can remember loading binary files into a text editor to attempt to, ahem, circumvent or ‘no-op’ out the licensing module, which could often be located through a visual inspection (of course, this was purely for academic purposes). This same technique was effective in hacking video game binaries and save files (slide 46 of the presentation shows a Neverwinter Nights database file as an example). And it was all based upon looking at the binary structure for patterns and experimenting with value substitutions to alter game functionality.

But the graphical tools take this to a whole new level. How do you know your PRNG is producing random numbers? During the presentation, the evolution from these early tools and methods was discussed, and then they showed off tools that provide different 3-dimensional graphical representations of what data looks like. One of the examples that I was most impressed with was the graphs showing a distribution of numbers. These are examples of PRNG output. Random? It is not particularly easy to verify that your pseudo-random number generator is really producing sufficiently random numbers, or to confirm that your random number generator’s entropy source is sufficiently random. But by graphing them in this way, you can very quickly see if you have reasonably good randomness, or rather, if you are not close at all.

Anyway, I thought this was a very cool forensic tool for binary files. Check out the graphs- they are quite impressive.
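As an added illustration of the byte-plot and PRNG points above (this is not Conti and Dean's tooling and not code from the original post; it uses only the Python standard library and a constructed sample file, with os.urandom standing in for an encrypted blob and a deliberately weak 8-bit LCG standing in for a bad PRNG), the script below does two things a practitioner would do before reaching for a 3-D viewer: it labels windows of a file by entropy and printability to find blob boundaries and renders a text-mode byte plot, and it measures the density of diagonals in a dot plot of a byte sequence against itself, which is exactly the structure that makes a weak generator visible on screen.

```python
import math
import os
from collections import Counter

# --- Part 1: byte-level signatures, the idea behind byte plots ---------------

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a chunk: 0.0 for constant data, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(chunk: bytes) -> str:
    """Coarse visual-signature label for one window of bytes. Compressed and
    encrypted data both look like noise here; telling them apart needs headers
    or the context the plot gives, not entropy alone."""
    h = shannon_entropy(chunk)
    if h < 0.5:
        return "padding/zeros"
    if h > 7.0:
        return "compressed/encrypted/random"
    printable = sum(1 for b in chunk if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(chunk) > 0.9 else "structured binary"

def segment(data: bytes, window: int = 512) -> list[tuple[int, int, str]]:
    """Label fixed-size windows and merge equal neighbours into (start, end, label)
    blobs; the boundaries are the 'beginning and ending points' you would read
    off a byte plot."""
    blobs: list[tuple[int, int, str]] = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        label = classify(chunk)
        if blobs and blobs[-1][2] == label:
            blobs[-1] = (blobs[-1][0], off + len(chunk), label)
        else:
            blobs.append((off, off + len(chunk), label))
    return blobs

def byte_plot(data: bytes, width: int = 64) -> str:
    """ASCII byte plot: one glyph per byte, `width` bytes per row. Text rows read
    as text, zero padding as blank space, random data as a speckle of '#'."""
    def glyph(b: int) -> str:
        if b == 0:
            return " "
        if b < 32:
            return "."
        return chr(b) if b < 127 else "#"
    return "\n".join("".join(glyph(b) for b in data[i:i + width])
                     for i in range(0, len(data), width))

# --- Part 2: dot-plot style self-similarity, applied to PRNG output ----------

def lcg_bytes(n: int, seed: int = 1, a: int = 5, c: int = 1, m: int = 256) -> bytes:
    """Deliberately weak generator: an 8-bit LCG whose parameters satisfy the
    Hull-Dobell conditions, so it cycles through all 256 states (period 256)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return bytes(out)

def lag_match_ratio(seq: bytes, lag: int) -> float:
    """Density of the diagonal at offset `lag` in a dot plot of seq against
    itself: fraction of i with seq[i] == seq[i + lag]. About 1/256 for good
    random bytes; 1.0 when `lag` is a multiple of the generator's period."""
    n = len(seq) - lag
    return sum(1 for i in range(n) if seq[i] == seq[i + lag]) / n

def strongest_lag(seq: bytes, max_lag: int) -> tuple[int, float]:
    """The lag whose diagonal is densest, i.e. the structure the eye picks out."""
    return max(((lag, lag_match_ratio(seq, lag)) for lag in range(1, max_lag + 1)),
               key=lambda t: t[1])

def build_sample() -> bytes:
    """Constructed test file: 2 KiB of text, 2 KiB of noise (os.urandom standing
    in for an encrypted or compressed blob), 1 KiB of zero padding."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 60)[:2048]
    return text + os.urandom(2048) + bytes(1024)

if __name__ == "__main__":
    sample = build_sample()
    for start, end, label in segment(sample):
        print(f"{start:6d}-{end:6d}  {label}")
    print(byte_plot(sample[1984:2112]))            # the text/noise boundary
    print("weak LCG   :", strongest_lag(lcg_bytes(2048), 300))
    print("os.urandom :", strongest_lag(os.urandom(2048), 300))
```

Running it prints the three blobs of the sample with their offsets, a byte plot of the text/noise boundary, and the strongest lag for each generator: the LCG lights up at lag 256 with density 1.0, while os.urandom stays near 1/256 at every lag. Swap build_sample() for open(path, "rb").read() on a real file; for a real generator, feed it a few kilobytes of output and look for any lag whose density stands clearly above 1/256.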


China hacker gang issues diplomas…goes to jail [The Dark Visitor]

Posted: 19 Aug 2008 09:20 PM CDT

Via Dancho Danchev

If you needed a university certificate in China during the last couple of months, there's a big chance that a group of ten people could have supplied you with such, going a step further and adding your details in more than ten government databases across different provinces in the country, making $300k in the process.

Shanghai Daily is reporting on this sophisticated group of local hackers who were selling "valid" educational certificates by modifying government databases.

Looking for higher education, read it here: China hacker gang busted


Georgia - Russo Conflict: First Cyberwar [Infosecurity.US]

Posted: 19 Aug 2008 07:47 PM CDT

via InfosecNews: The Independent reports the Georgian-Russo Armed Conflict (we believe, for all intents, a war over energy (oil), vis-a-vis the Caspian Sea Pipeline) is being considered (by Dr. David Betz of King’s College) as the world’s first full-fledged Cyberwar.

US District Judge Vacates MIT Students Restraining Order [Infosecurity.US]

Posted: 19 Aug 2008 06:24 PM CDT

United States District Judge George A. O’Toole, Jr., has ordered the restraining order lifted against the information security researchers/students, which had been originally set for expiry today. The rationale for the order to vacate is predicated on the magistrate’s view that the Computer Fraud and Abuse Act (U.S. Code Title 18 § 1030) does not apply to speech with any specificity. You can download the referenced section of the United States Code from the Infosecurity.US Public Documents Repository.

PRC: Government Databases Hacked [Infosecurity.US]

Posted: 19 Aug 2008 06:01 PM CDT

ZDNet’s Ryan Naraine and Dancho Danchev post news of a recently discovered, and broken up, hack ring in the People’s Republic of China.

Simple but dreadful, part 1 - Logon Scripts [Security Balance]

Posted: 19 Aug 2008 03:09 PM CDT

Now that I’m back to pen testing I’m having the chance to see the mistakes admins are making nowadays. There is something very interesting that Windows domain administrators sometimes forget and that needs to be addressed, as it brings serious security implications: login script file permissions.

Login scripts are those little batch scripts that run when the user is logging in. They’re usually stored in a share on the domain controllers called NETLOGON. The risk here is quite obvious; if I can modify your login script, I can run commands under your user account when you are logging on. This is usually not possible, as the NETLOGON permissions are usually set accordingly, being writable only by domain admins.

The problem is that login scripts are one of those complexity beasts that grow together with the organization and its network. Big organizations usually have lots of servers, file servers, domains and other stuff. The admins struggle to make users’ lives a little easier by automatically mapping network drives, cleaning temporary file transfer areas and other stuff, and the login scripts are a good tool to do that. When doing that they sometimes need to include some different command line utilities, as the regular Windows shell doesn’t have all the features needed by those very creative admins. They usually place those executables on network folders accessible by all users (of course, as they need those files during the login process :-)). What happens is that when doing that they often give too many rights to the users on those folders. Remember, when you create a folder and then share it on a Windows Server without changing any permissions there is a big chance that it will be “Everyone - Full Control”.

If you are a domain admin in an organization that extensively uses login scripts, check them for external executable references. Tampering with login scripts is an easy way for an insider to steal credentials and information from other users without being detected.
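As an added example of the check the post recommends (my own code, not the post’s; everything in it is constructed: the sample logon script, the icacls output, and the server names FS01 and dc01), the script below pulls every UNC-path executable or helper script out of a logon script, then reads icacls output for each file and its containing folder and flags ACEs that give a broad principal (Everyone, Authenticated Users, Domain Users and friends) any write-capable right. The right codes and the output layout are the standard ones icacls prints; the ACL source is injected so the parsing runs offline, and on a domain-joined Windows host the real icacls is called instead.

```python
import re
import subprocess
import sys

# Constructed logon script (not from the post), with the kind of references
# the post describes: tools and helper scripts pulled from ordinary file shares.
SAMPLE_LOGON_SCRIPT = r"""@echo off
net use H: \\FS01\Users\%USERNAME% /persistent:no
\\FS01\Tools\cleanup.exe /tmp
call \\dc01\netlogon\mapdrives.bat
start "" "\\FS01\Apps\inventory agent\agent.exe" /quiet
"""

# Constructed `icacls \\FS01\Tools` output in icacls' usual layout: the path
# on the first ACE line, later ACEs indented, a summary line at the end.
SAMPLE_ICACLS = r"""\\FS01\Tools Everyone:(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

EXT = r"(?:exe|com|bat|cmd|vbs|ps1)"
UNC_REF = re.compile(
    rf'"(\\\\[^"]+?\.{EXT})"'             # quoted path, may contain spaces
    rf'|(\\\\[^\s"]+?\.{EXT})(?=\s|$)',   # bare path
    re.IGNORECASE,
)

def external_references(script_text: str) -> list[str]:
    """Every executable or script the logon script runs from a UNC path, in
    order of first appearance, case-insensitively de-duplicated."""
    refs: list[str] = []
    for line in script_text.splitlines():
        for m in UNC_REF.finditer(line):
            path = m.group(1) or m.group(2)
            if path.lower() not in {r.lower() for r in refs}:
                refs.append(path)
    return refs

# icacls right codes that let a principal change the file or plant one beside it
# (simple rights F/M/W plus the granular write, delete and owner/DACL rights).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO", "GA", "GW"}
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users",
                    "domain computers", "interactive"}
ACE_LINE = re.compile(r"^(?P<who>[^(]+?):(?P<flags>(?:\([^)]*\))+)\s*$")

def risky_aces(icacls_output: str, path: str) -> list[tuple[str, set[str]]]:
    """ACEs that grant a write-capable right to a broad principal, as
    (principal, rights) pairs. Deny entries, which icacls marks (DENY), and
    inheritance flags such as (OI)(CI)(I) are ignored."""
    findings: list[tuple[str, set[str]]] = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()        # first ACE line carries the path
        m = ACE_LINE.match(line)
        if not m:
            continue
        flags = set(re.findall(r"\(([^)]*)\)", m["flags"]))
        if "DENY" in flags:
            continue
        rights = {r for f in flags for r in f.split(",")}   # (RD,WD) style groups
        principal = m["who"].rsplit("\\", 1)[-1].lower()
        writable = rights & WRITE_RIGHTS
        if principal in BROAD_PRINCIPALS and writable:
            findings.append((m["who"], writable))
    return findings

def icacls(path: str) -> str:
    """Real ACL source: run icacls on a Windows host that can reach the share."""
    return subprocess.run(["icacls", path], capture_output=True, text=True).stdout

def sample_acl_source(path: str) -> str:
    """Offline stand-in for icacls: only the constructed \\FS01\Tools has output."""
    return SAMPLE_ICACLS if path.lower() == r"\\fs01\tools" else ""

def audit_script(script_text: str, acl_source=icacls) -> dict[str, list]:
    """For each referenced file, check the file itself and its folder; a
    writable folder is enough to swap the binary or drop a DLL beside it."""
    report: dict[str, list] = {}
    for ref in external_references(script_text):
        for target in (ref, ref.rsplit("\\", 1)[0]):
            report[target] = risky_aces(acl_source(target), target)
    return report

if __name__ == "__main__":
    source = icacls if sys.platform == "win32" else sample_acl_source
    for target, aces in audit_script(SAMPLE_LOGON_SCRIPT, source).items():
        for who, rights in aces:
            print(f"WRITABLE by {who}: {target}  rights={sorted(rights)}")
```

On a domain-joined host, point it at the real scripts: for each file under \\<dc>\NETLOGON, pass its contents as script_text and leave acl_source at the default. Anything it reports is a file any domain user can replace, which is the run-code-as-every-user-who-logs-on scenario the post describes; fix the share and NTFS permissions rather than the script.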

US Department of Energy Inspector General: DOE IT Security Flawed [Infosecurity.US]

Posted: 19 Aug 2008 01:37 PM CDT

Federal Computer Weekly’s (FCN) Michael Hardy reports the United States Department of Energy’s Inspector General Gregory Friedman has discovered significant security related flaws in the Department’s Information Technology division (report in pdf format). The report is also available for download in the Infosecurity.US Public Documents Repository.

GMail cuts threads at 61 emails [.:Computer Defense:.]

Posted: 19 Aug 2008 01:15 PM CDT

I thought this was interesting... I seldom have email threads that are this long, but since every survey submission is seen as part of the same response, I've been seeing it. It appears as though every 61 messages, the thread is cut and a new one is started. Has anyone else seen this and possibly experienced a different number? If everyone else is indeed seeing 61, does anyone know why?

Does anyone from Google read this? If so, why cut the threads at 61?

Side note: anyone know when Google Apps will be getting the 'Always use SSL' checkbox?

Database Security Superheroes [Infosecurity.US]

Posted: 19 Aug 2008 12:55 PM CDT

Control Your Identity []

Posted: 19 Aug 2008 12:45 PM CDT

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s, “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it.

In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing.

I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me.

One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. Will it help? Maybe not; it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth.

One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth.

Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive.

Is there an 802.1x in your future? [StillSecure, After All These Years]

Posted: 19 Aug 2008 10:13 AM CDT

Tim Greene's NAC column today goes back to the recent Gartner IT Security Conference. At Lawrence Orans's session on NAC, using the handheld voting machines, he asked the audience if and when they planned on deploying an 802.1x-capable network. Of course answers are always dependent on how the question is framed. But in this session about 50% of respondents said they were going to go .1x by 2011. You know what they say, once you go .1x you don't go back. That bodes well for NAC deployments. 802.1x remains the most secure and powerful way of implementing NAC. However, .1x is also useful for other security and network functionality. If you want to read more about .1x my friend JJ has a ton of good .1x stuff up on her blog.

A couple of interesting points though. Gartner itself, as Tim points out, estimates that .1x adoption will be closer to 70% by 2011. The difference between the 50% in the survey and Gartner's estimate will be realized due to the increasing ease of implementing .1x networks. Perhaps; I know at StillSecure we are always looking for ways to make it easier to implement .1x and NAC. However, let's be clear. Installing new supplicants because Cisco and Juniper say the Microsoft supplicant is not good enough is a red herring. Yes the Odyssey client is cool, but it is a nice-to-have in the .1x equation, not a must-have. The same goes for the Cisco/Meetinghouse supplicant. Also, not all .1x is created equal. There are still enough differences between switch vendors in how and what they support in .1x to make it maddening.

Finally, like I have said before if you are going to do 802.1x just for NAC, don't bother.  But if you are going to go to 802.1x you should give NAC a good look.

Denial of Service Survey So Far… [.:Computer Defense:.]

Posted: 19 Aug 2008 09:34 AM CDT

Hey All,

Thanks to everyone who's filled it out; for those of you that haven't... you still can (survey). A large number of people are preferring to stay anonymous, but I have gotten some rather interesting comments. To date 169 people have filled out the survey. If all goes well, I'm hoping to start analysing the results after about a week or so.

To clarify, for anyone who reads this first... When I say Denial of Service, I'm not considering packet flooding (these days you essentially need DDoS for that)... I'm thinking single packets that cause servers to crash, or malformed pages that cause browsers to crash. That being said, I don't want to influence anyone's answers... that's why I provided plenty of places for notes. Feel free to tell me what you really think.

Lastly, in the goal of making an interesting whitepaper out of this, I've started contacting vendors. Currently I've contacted Adobe, Apple, Google, Microsoft, Red Hat and Sun. I've asked them to answer the survey (and provide me with unique information via email that they will put in the name, email and url portions (for proper identification)) and I've passed on a few vendor specific questions. I've taken the route of contacting their PR agencies, so we'll see what happens.

Passwords, solved! [Phillip Hallam-Baker's Web Security Blog]

Posted: 19 Aug 2008 09:31 AM CDT

John Quiggin on crooked timber:

"#72 I just use my son's names as passwords for ease of memorization. But for security we call him r!t45Lpg Hbn6@34 8Hrtöes and we change his name every 60 days."

Why We Pay Attention To Aviv Raff [Infosecurity.US]

Posted: 19 Aug 2008 09:19 AM CDT

Aviv Raff’s recent post (focusing on information security best practice) details his views that following best practice may not necessarily keep you safe, and in fact may be a fundamental error in judgment. Good reading. Thoughtful. We also agree.

I see this behavior (blindly following a best practice) daily. Based on a distrust of internal decision making processes (and a belief that external sources have to know the right way), it is just as apparent in the DBA realm as in the SysAdmin world. The abrogation of the requirement to perform critical thinking, the inability to display adaptability, and a lack of healthy skepticism is a direct path to poorly deployed and implemented data delivery solutions.

Thank you Brisbane & Melbourne! [Branden Williams' Security Convergence Blog]

Posted: 19 Aug 2008 05:10 AM CDT

We've been true road warriors this week, and so far have done briefings in Brisbane and Melbourne, Australia! We are heading back to Sydney tonight to do our last PCI briefing of the trip tomorrow. Thanks for the hospitality Brisbane & Melbourne! I look forward to seeing you again soon!

Chinese online human hunting! Something to watch…and I don’t have a clue why. [The Dark Visitor]

Posted: 18 Aug 2008 11:57 PM CDT

“Chinese online human hunting” has been a subject that has fascinated me ever since I first read the story of the “Bronze Mustache” in 2006. Somewhere in my gut, it left me with the impression that this was an important trend to watch. Why you ask? Why not I answer! Yep, got nothing.

Does this fascination stem from the demonstrated ability to cyber-mobilize, combined with cyber-vigilante justice? Okay, if that explanation works for you, it works for me. This really bugs me and I haven’t been able to put my finger on why this trend seems to be important to watch. It could very well be the catalyst that launched the category of “Chinese Hacker Hunting” on this blog…but that gets way too much into the realm of self-analysis and could leave me screaming into my pillow. Moving on.

So what is “online human hunting?” I could try and summarize the whole social mechanism but it would probably cross the line of “fair use.”  China Supertrends gives an excellent explanation of “human flesh search engines.”

Finally, provides a current report on how this trend is progressing:

China: “Human Search” Invades Privacy
Over the past year or more, a concept known as “human search” (also referred to as an “Internet mob”) has grown in popularity in China. Unlike the more constructive pursuit known as “crowdsourcing,” where people worldwide connect to lend their creativity to some academic, artistic or business endeavor, human search involves people connecting via the Internet to track down information for one another, often to search for someone perceived as having done something wrong. A prime example of this came last week, when Chinese Internet users began a nationwide search for the father of Olympic air pistol gold medalist Guo Wenjun, who abandoned her 10 years ago and left her to the care of her coach. According to an August 12 Reuters story, although the search has not yet pinpointed the missing parent, tens of thousands of Web surfers and numerous chat rooms have reportedly joined the effort.

Any…FREE…insightful explanation on why my views make sense would be greatly appreciated.


Massive botnet recruitment ahead of Georgia crisis [Phillip Hallam-Baker's Web Security Blog]

Posted: 18 Aug 2008 11:51 PM CDT

Several blogs are alight with speculation about the recruitment of bots ahead of the South Ossetia crisis. According to some of these stories there was a massive recruitment of bots on 4/5 August ahead of the Georgian action on the 7th and the Russian response on the 8th.

While it is highly likely that we will increasingly see cyber-attacks used in conjunction with conventional attacks as a force multiplier I have a very hard time believing that any military would ever want to engage the Internet criminal underground ahead of a military strike. Even more so if doing so might reveal the fact that the party had advance knowledge of an attack by the other side.

So is this just coincidence? Possibly, but another possibility is that both events have a common cause. The Olympics began on the 8th of August and it is quite possible that the Georgian action was timed to occur just before and create a fait accompli ahead of the traditional Olympic Truce.

Recruitment of large botnets ahead of major sporting events is hardly unexpected. Bookmakers stand to make huge sums taking bets on the Olympics, but only if their site is up to take the bets before the event. DDoS attacks before a major event are a regular occurrence.

BlackHat / DefCon 2008.... [extern blog SensePost;]

Posted: 18 Aug 2008 07:03 PM CDT

Hey guys..

Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and a lost voice (but to be honest I already caught something while in Vegas!)

We will post some post-Vegas thoughts as soon as the dust settles, but i also promised:

  1. The slides from our talk
  2. The tools we released...
A link to the slides is here: [Pushing a Camel through the eye of a Needle]

The final versions of the re-direction tools will be posted here by weekend (after some last minute documentation / cleanup)

(a quick overview of Glenn's reDuh tool is also posted to [the same location])

CNN’s angry Chinese hacker Xiao Chen returns [The Dark Visitor]

Posted: 18 Aug 2008 06:56 PM CDT

In March of this year, CNN ran a story about Xiao Chen and his organization of hackers, reporting that the group had broken into the Pentagon and received payments from the Chinese government.

Xiao Chen, in a subsequent interview with the Shanghai Post, refuted all of CNN’s allegations and tearfully explained how all of this controversy had caused him to close his website…he had struggled to create it…he had poured his heart and soul into it…and now was left with only a handful of magic beans to show for his trouble.

I may be mixing my stories but he did elevate whining to an art form.

No need to worry, Xiao Chen pulled himself up, dusted himself off and managed to get back in the hacking game. Welcome to the new , decorated in Olympic themed swirls guaranteed to never go out of style:


Don’t Sell ‘Compliance’ If It Isn’t A Checkbox []

Posted: 18 Aug 2008 02:51 PM CDT

Perusing my blogs this morning I caught a post by Anton on DLP and compliance. That’s the blogging equivalent of chaining a nice fat bunny to a stake in the middle of coyote territory here in Phoenix (in other words, the park behind our house). I, as the rabid coyote of DLP-ness, am compelled to respond.

Anton starts by wondering why he doesn’t see compliance more in DLP vendor literature:

Today I was thinking about DLP again :-) (yes, I know that “content monitoring and protection” - CMF - is a better description) Specifically, I was thinking about DLP and compliance. At first, it was truly amazing to me that DLP vendors “under-utilize” compliance in their messaging. In other words, they don’t push the “C-word” as strongly as many other security companies. Compliance dog doesn’t snarl at you from their front pages and it doesn’t bite you in your ass when you read the whitepapers, etc. Sure, it is mentioned there, but, seemingly, as an after-thought.

Then, he nails the answer:

But you know what? I actually think that it is something different, much more sinister. It is the ominous checklist mentality (here too)! You know, DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc) and - what a shock! - the documentation for these mandates just doesn’t mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!).

Also, PCI DSS directly and explicitly says “get a firewall”, “deploy log management”, “get scanned”, “install and update AV” - but where is DLP? Ain’t there…

I’ve spent a heck of a lot of time working with DLP vendors and users, and this is a problem that affects technologies beyond just DLP. Early on, the DLP vendors all talked about how they’d make you SOX, HIPAA, or XXX compliant. Problem was, there isn’t a regulation out there that requires DLP. The customer conversations went like this:

Vendor: PCI compliance is bad. Buy DLP.

User: Okay, is that section 3.1 or 3.2 that requires DLP?

Vendor: It’s not in there yet, but… {sales guy monkey dance}

User: Ah. I see. Can you come back after we finish remediating our audit deficiencies? Say in 2012? Q3?

The truth is that DLP can help significantly with compliance with a variety of regulations, but none of them require it. As a result, vendors have softened their message and the good ones adjust it to show this value. I don’t know if I really influenced this, but it’s something I’ve spent a lot of time working on with my vendor clients over the years.

Other markets face this same challenge, and if you look back they almost always start by hitting compliance for the apparently easy cash, and are then forced to adjust messaging unless they are explicitly required. Users also face the same problem:

User: We need to do X for compliance with Y.

Money Guy/Boss: Okay, where is that on the audit report?

User: It’s not, but {monkey dance}.

Money Guy/Boss: Ah. I see. Maybe we can discuss this during your annual review.

Be it a vendor or an end user, the compliance sell is either the easiest or hardest you’ll ever face. If the regulation (or your auditor) explicitly requires something, there’s an immediate business justification. While there’s a *lot* more to compliance, if it isn’t on that list you can’t sell it with merely the C word.

Instead, evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases. There are a ton of internal process changes that improve audit efficiency and reduce the burden of generating compliance reports last minute every year or quarter.

When something is on the checklist, sell it as compliance. When it’s off that list, sell it as cost or risk reduction. If it doesn’t hit those categories, buy a monkey to do the dance- it’s cuter than you are and more likely to get the banana.

Disaster Recovery Drills Aren't Just For IT [Emergent Chaos]

Posted: 18 Aug 2008 02:36 PM CDT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting:

Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning the safety instructions on a plane before take-off: you hope you will never need them, but you know it would be unwise to miss the lesson. The team should include the chief executive and a representative of the press office. Thereafter, all external enquiries relating to a crisis should be answered by the team.

It's amazing how often this step gets left out of business continuity plans and it is probably the most important. I heartily encourage all executives to not just plan but practice practice practice. This is the sort of thing that can really bite you hard at just the wrong time.
