Tuesday, August 26, 2008

Spliced feed for Security Bloggers Network

Chuck Norris: Missing In Action [Vitalsecurity.org - A Revolution is the Solution]

Posted: 26 Aug 2008 05:46 AM CDT

"Shortly after we posted the information about a Chuck Norris appearance we discovered that we were misled by the Talent Agency that claimed to represent him. We are currently cooperating with Chuck Norris's real manager and his attorneys in their investigation." More

....it's going to be one of those weeks, isn't it?

Branding starts when you pick up your phone! [Roer.Com Information Security - Your source of Information Security]

Posted: 26 Aug 2008 01:15 AM CDT

Wow. I am amazed.

I just called a company - or so I thought. I was researching, looking for some particular information, and now just calling competitors of my client in order to gather intelligence.

And as I call around, the phone is answered (no surprise there) with:

"Hello...?"

The voice is female, and sounds like a housewife answering the phone of her husband, not sure if she is allowed to do so. You get the picture.

Me: "Have I reached ABC corp?"

Her (sounding unsure): "Yes..."

Me: "Am I talking to ...?"

Her (suspicious this time): "Yeees..."
Then: "Who am I talking to?"


I realize that I have made up my mind already in her first "Hello...?". This is not a company I would want to deal with.

Her: "Excuse me a second..." and the line goes on hold.

I start wondering what I am dealing with here. Obviously, this is no professional company. My mind wanders off, and I seriously consider just hanging up.

But, I brace myself, and continue - I am on a mission, after all:

Me: "So, listen...I was wondering, do you deal with ...?" (Insert the service/product name here).

Her (hesitating): "Yes, I could do that."

Wow. So, this company is her. No-one else, it seems. And obviously she is not used to customers rushing down her phone.

We continue our conversation, which continues to break up with "Please hold a sec..." every 30 seconds or so. As I have gathered the information I wanted, I start to wrap up. And now she has changed her approach, and starts to seem desperate.

Me: "So, let me get back to you."

Her: "Please do. I can do this. I really can, I assure you. Really."

I hung up.

Imagine, I wrote one third of this post while on hold - during the conversation - with this company. I posed as a potential client. I would pay. I would be a long term client of hers.

But it is all ruined by the first impression. The first "Hello...?". The lack of a presentation. The total lack of professionalism and commitment. It just makes me sick.

And this reminds me that branding is a full time commitment. Your company's public image is created by that first phone call. And if you drive potential clients away, you will end up with a broken back before you know it!

Continental Airlines, keep the turkey sandwich and give me my luggage! [StillSecure, After All These Years]

Posted: 26 Aug 2008 01:09 AM CDT

So this has turned into another classic Shimel road trip. In fact this post could actually be three different posts, but for the sake of sparing you all, I will condense it into one. I am scheduled to participate on a NAC panel tomorrow at the ITLA conference in Grapevine, Texas. I am on the panel with JJ and some other folks.  Not wanting to kill the week, I scheduled myself to fly in tonight and fly out tomorrow afternoon after the panel. 

Airfares are out of control, so instead of a non-stop I booked Continental through Houston out of Ft Lauderdale.  This is the third time I have flown Continental this year.  This is the second time they have lost my luggage!  For an airline that prides itself on not skimping on service, they have not impressed me for sure. In fact I think they are the worst!  Frankly, I don't need their soggy turkey sandwiches.  How about just getting my luggage to where I need it.  Now, I have to speak at 11am tomorrow and am hoping my suit shows up on time.  Otherwise, I am appearing in shorts and a t-shirt.

But wait, if that is all that happened tonight, it wouldn't be that bad.  I go to pick up my rental car at Alamo/National. I purposely rented a mid-size car, so I don't have to pay for some gas guzzling monster.  They charge me for a mid-size and want to upgrade me to an SUV for free. I say thanks but no thanks, at which point the counter person comes clean and tells me that they only have SUVs left.  I felt like I was talking to a GM or Ford exec. Isn't it the same problem?  We want cars that will not leave me listening to a giant sucking sound as they guzzle gas, and all they have for me are SUVs. If I wanted to rent an SUV, I would have rented one! 

I am not done yet though.  This is a Shimel story after all.  I get lost on the way to the hotel and what is supposed to be a 15 minute drive turns into 45 minutes of driving around.  It stops when I see flashing lights behind me and a spotlight shining in my eyes.  The friendly, considerate Grapevine police officer, after hearing about my luggage, being lost and being an out-of-town businessman, was kind enough to give me a speeding ticket for doing 58 in a 45.  Great!

I finally get to the hotel and when the clerk asks me how things are going, I tell him, don't ask.  I request some toothpaste and stuff.  He gives me a package and hopes I don't mind using women's deodorant as that is all they have.  At this point, I am just done, stick a fork in me.

What to do? I am in Texas, it is almost midnight.  I think of my friend Ed Cavazos.  Ed is an attorney who I worked with at Interliant. He reads my blog and occasionally even comments.  Ed is a lifelong Houston guy, but had to move to NY for Interliant.  When I would come back to Texas with him, he would take me to What-a-burger.  It really made him feel at home.  Ed would even sing the What-a-burger theme song when we pulled into one of these joints.  So, I went to What-a-burger and drowned my frustrations and sorrow in a patty melt.  Now I am sorry I did, the grease is just too much for me!

Ah, the life of a road warrior.  Why the heck am I even speaking at the ITLA conference anyway?

Links for 2008-08-25 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Aug 2008 12:00 AM CDT

Expectations and Preparedness are important but have to be coupled with Knowledge and Flexibility [An Information Security Place]

Posted: 25 Aug 2008 10:52 PM CDT

I have learned a lot in the last week about how not setting expectations and not being prepared can have a huge negative effect on a project.  I know that sounds really logical and obvious.  I have seen how being unprepared can slow projects.  I have seen how not setting expectations can cause a project to totally derail.  But the complexity and importance of a project affect proportionately the level of preparedness and the level of expectations that need to be set.  You can’t walk into a large and very important project with confidence unless you have spent a major amount of time and effort.  And you can’t go into a project without knowing what is expected and making damn sure the customer understands those expectations.  It is essentially asking for disaster to strike if you do that.

That is exactly what I have experienced on two different projects last week and this week.  One was a wireless technology demonstration that is the first step into wireless for a very large enterprise company in Houston (I won’t discuss the other for fear of someone there reading this post).  The project is easily over $1 million in equipment and services, and is likely going to get close to $2 million.  With that kind of dinero in play, and with the possibility of even more on the far back end, you have to come loaded for bear.  You have to be organized, and you have to test.  That didn’t happen (there were multiple issues and people in play, but I blame myself for a lot of it).  We had one day to prepare for a three day demo, and we didn’t make it happen.  Consequently, the first 1 1/2 days were disastrous. 

A major issue with the project was that expectations were not set adequately with the client.  They had a process for gauging technologies, and unfortunately that was kept mostly hidden from the team trying to set up the demo.  Another contributor to the problem (don’t want to call it a failure yet) was a lack of preparedness.  Under advisement from one of our wireless consultants, we had the technical team come into our local Houston offices the day before the demo was scheduled so we could do a dry run.  Though we spent several hours on that, we still were not comfortable with the results.  But we really had no choice but to move ahead because this was our one shot at the project.  Put all of that together, mix well, and bake for 20 minutes at 450 degrees, and you have a disaster pie waiting for you at the end.

But what about knowledge and flexibility, Michael??  Those words are in your title?  Well, here’s what I have to say about that.  The missing factors that would have allowed us to be successful from day one in that demo were knowledge and flexibility.  We had to end up calling in a big gun from the wireless company that had both of those factors after the original resource started losing it.  The original engineer on the job had a good degree of knowledge (though he was still fairly new), but was severely lacking in flexibility.  When the customer went on a tangent and asked for something even slightly outside the scope of the original demo, he locked up and started making excuses (I hope he doesn’t read this, but oh well).  That did not go over well with the customer.  But when the big gun walked in and took over, that went out the window.  He knew the product well, and he was flexible.  Thus, he was able to meet whatever the client threw at him.

The other thing that chaps me is that if the big gun had been engaged on day one, the original problems would not have appeared.  Oh well.

So, in summary, you have to prepare, and you have to set expectations.  But if those turn out to be too light, or if you just run into a customer who likes to stroll down tangent lane, then you have to have a high degree of knowledge, and you have to be flexible.  They ARE the customer, after all.

BTW, the second 1 1/2 days were much, much better.  Actually, it was extremely successful.  But by then a lot of damage had been done.  And to top it off, the project lead got called on emergency meetings during the successful part of the demo, so the bad taste stayed in her mouth.  Not good.  I’ll let you know what happens.  I also plan on podcasting about this when Jim and I next get together.

Vet

Google Calendar goes CalDAV [Random Thoughts from Joel's World]

Posted: 25 Aug 2008 10:21 PM CDT

Okay, so in Apple fashion (read: Not Google fashion) Google Calendar rolled out a new feature of its product: the ability to use your iCal (or other CalDAV-supported calendar) to use Google Calendar.

Finally, two way sync for Google Calendar with iCal! And it's not really even a "sync". When you put events on Google Calendar in your iCal, you are actually putting the events on the Google Calendar ITSELF.

It syncs instantly. Anyway, for more information hit up this link, and let's all give a hand for Google for helping us out!

Podcast Episode X Record Notice [Random Thoughts from Joel's World]

Posted: 25 Aug 2008 10:05 PM CDT

Tomorrow night at 7:30 EDT (Eastern Daylight Savings Time) Johannes, John, and I will be recording Episode X of the Internet Storm Center Podcast.

We'll be broadcasting live at http://www.stickam.com/joelesler

Please come and join! We love live feedback, talk with us in the stickam interface or via IRC in #dshield on irc.freenode.net.

Thanks!


Q3 Website Security Statistics Report [Jeremiah Grossman]

Posted: 25 Aug 2008 04:16 PM CDT

For the last month I've been compiling our third quarter 2008 Website Security Statistics Report, which contains a comprehensive vulnerability analysis of over 600 real live websites. We're talking 11,000 verified vulnerabilities collected from typically weekly assessments. This type of data is not available from reports by Symantec, Mitre (CVE), IBM X-Force, SANS, or anywhere else and we're excited to be able to share it.

We put a ton of work into this report and there is a massive amount of data. Highlights include a revised Top Ten list of vulnerabilities, updated Time-to-Fix metrics, vulnerability remediation percentages showing progress, vertical market comparison, and so on. The information is really valuable because it provides visibility into the future trends, trouble spots, and what action items should be considered.

On Wednesday, August 27th, 11:00 AM PDT I'll be hosting an hour-long webinar to go over the results. Attendees will be given the opportunity to be the first to see the results and ask questions. Registration is free, but space is limited. If you are interested in attending, now is the time to register.

Getting A Perspective On Man In Middle Attacks [Articles by MIKE FRATTO]

Posted: 25 Aug 2008 03:57 PM CDT

Researchers at Carnegie Mellon University have proposed a system whereby you can ensure that when you attach to a server that uses SSH or a self-signed digital certificate and you haven't verified the authenticity of the host identity beforehand, you ...

Back at my Desk [Jeremiah Grossman]

Posted: 25 Aug 2008 03:48 PM CDT

I'm finally home from a 3-city in 3 days tour covering Atlanta, New York, and Chicago. Beyond the excellent turnout for the WH/F5 lunch and learn presentations, I'm always fond of the extracurricular activity. Since I'm still injured, visiting new BJJ academies was out of the question, so instead I substituted the time with food. Fortunately I was able to do so with meals that fit within my high protein low-carb diet (208 lbs is the goal). 30 lbs to go!

In Atlanta there was Fogo de Chão, a stellar upscale all-you-can-eat Brazilian BBQ restaurant that served 15 types of fire-roasted meats brought to your table sizzling on skewers. Now that's hard to beat. In New York we stopped by my all-time favorite steak place, Smith & Wollensky, for a Colorado bone-in ribeye. The waiter said it was the most flavorful meat in the world; I'm thinking he was right.

In Chicago, I left the venue selection to the OWASP Chicago Chapter locals. But before that Cory Scott and Jason Witty invited me to deliver an encore performance of "Get Rich or Die Trying" at the recommendation of Ed Bellis (Thank you). The cool thing about that particular talk is afterwards people always clue me into other business logic flaws they've encountered. It's really good content to add, especially if it involves money. For me I was excited to see the presentations by Mike Zussman and Nate McFeters since I didn't get to see either talk at Black Hat. 

Afterwards we went out for drinks with several people including Nate McFeters, Thomas Ptacek, Shrikant Raman, and a dozen others. The appetizers were decent, but I think they chose the place more for the beer than anything else. Chicago probably has one of the more friendly and vibrant chapters around. Anyway, it's good to be back home. I got to do some modest BJJ training over the weekend, play in the GGAFL finals (we got spanked badly), and hit some rides with the kids at Great America. Now off to do the expense reports. Yay! ;)

MBTA Hack shows security hasn’t improved in 10 years [Zero in a bit]

Posted: 25 Aug 2008 03:46 PM CDT

One of my old L0pht colleagues, Peiter “Mudge” Zatko, is featured in Mass High Tech today in an article titled Bay State hackers find security holes in defibrillators, RFID.

Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.

At last week's Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient's heart, said William Maisel of the Beth Israel Deaconess Medical Center.

It is almost like things haven’t changed since the 90’s when the L0pht worked to change the mindset of security:

  1. Don’t trust vendor claims around security
  2. Attacks aren’t “theoretical”
  3. Security by obscurity is no security

The L0pht worked as an independent security research think tank.  For us it was a non-profit side job researching and publishing vulnerabilities in software and hardware.  We did it for our love of technology and published what we found out because purchasers and users of the vulnerable systems deserve to know.

It’s 10 years later and the situation hasn’t improved much.  Mudge talks about the vulnerabilities the L0pht found in highway transponder systems that are still in systems being fielded today.  But more important than the vulnerabilities themselves is the nature of how these vulnerabilities are coming to light.  They are being found by hobbyists, students, and IT people working in their spare time.  How can something as important as the security of public fare collection systems and medical equipment not have a standard process for security acceptance testing? 

As we become more reliant on digital systems, with some even keeping us alive, it is high time for security testing to move beyond student papers and part time IT work.  Security testing needs to become a formal part of the process of purchasing and fielding digital systems.  Our lives are starting to depend on it.

Aaaaaand....................... [Vitalsecurity.org - A Revolution is the Solution]

Posted: 25 Aug 2008 02:56 PM CDT



....................I'm back. Tomorrow, security stuff. Probably. Or I might watch Dark Knight again, who knows.

Anton Security Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Aug 2008 02:11 PM CDT

Following the new "tradition" of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.

So, Anton Security Tip of the Day #16: Virtually Screwed - Journey Into VMWare ESX Log Analysis

The CISecurity guide for VMWare (here) and the DISA STIG for virtual machines (here) both mandate collection and analysis of VM platform logs; neither goes into enough detail on what to look for in those logs. Let's try to shed some light on security-focused log analysis of VMWare ESX v. 3.x logs.

First, at least until ESXi becomes the default choice, one needs to keep in mind that ESX is "Linux-inside", and thus diving into /var/log will not reveal any "alien technology" (well, not much :-)). However, one of the most useful logs, /var/log/hostd.N, is not a descendant of the standard Linux logs: extensive VM event records are written into this file.

Let's focus on the various types of logins to the ESX platform and identify the log messages that indicate successful and failed attempts to log in. Here are a few useful examples to analyze:

Successful logins:

  • May 30 09:20:42 esx2 su(pam_unix)[9405]: session opened for user root by jhonny(uid=1626)

This is a classic Linux root login message; you can watch for these by searching VMWare ESX logs for "session AND opened AND user AND root".  Notice the user name of the user who switched to root.

  • May 30 09:20:34 esx2 sshd(pam_unix)[9364]: session opened for user jhonny by (uid=0)

This is also a classic Linux message for a normal (non-root) user login.

  • [2008-05-25 06:57:48.774 'ha-eventmgr' 111639472 info] Event 40645 : User jhonny@1.1.1.1 logged in

This is a VMWare-specific application login to ESX. You can track such events by username, by event ID or by the keywords "event AND logged AND user" (if you are using search).

Failed logins:

  • May 30 09:20:31 esx2 sshd[9356]: Failed password for jhonny from 1.1.1.1 port 54773 ssh2

Another classic Linux message from the ESX system: a failure to log in due to an incorrect password.

  • May 27 12:06:59 esx2 sshd[4756]: Failed password for illegal user jonny from 1.1.1.1 port 30594 ssh2

A message indicating a failure to log in due to an incorrect username (note the typo).

  • May 25 07:03:48 esx1 sudo:     jhonny : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/bash

This ESX Linux platform message should also be familiar to Linux/Unix admins: it indicates multiple sudo password failures; look for such messages in the logs.

BTW, do you need to be reminded to track NOT only failed, but also successful login events?!
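As an added illustration (not part of the original tip), here is a small Python classifier that runs the checks above over the sample lines quoted in this post plus a few constructed lines, tallies successes and failures per user and per source address, and flags users whose successful login follows a run of failures. The patterns are written only against the message shapes shown above; the constructed lines, the threshold value and the function names are assumptions.

```python
"""Classify VMWare ESX 3.x login-related log lines (PAM su/sshd/sudo messages
and hostd event records) into successful/failed authentication events."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Lines quoted in the tip above, followed by constructed lines (assumption:
# a short password-guessing burst against root from one source, then a login).
SAMPLE_LINES = [
    "May 30 09:20:31 esx2 sshd[9356]: Failed password for jhonny from 1.1.1.1 port 54773 ssh2",
    "May 30 09:20:34 esx2 sshd(pam_unix)[9364]: session opened for user jhonny by (uid=0)",
    "May 30 09:20:42 esx2 su(pam_unix)[9405]: session opened for user root by jhonny(uid=1626)",
    "May 27 12:06:59 esx2 sshd[4756]: Failed password for illegal user jonny from 1.1.1.1 port 30594 ssh2",
    "May 25 07:03:48 esx1 sudo:     jhonny : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/bash",
    "[2008-05-25 06:57:48.774 'ha-eventmgr' 111639472 info] Event 40645 : User jhonny@1.1.1.1 logged in",
    # --- constructed lines (not from the page) ---
    "May 30 09:18:01 esx2 sshd[9340]: Failed password for root from 10.0.0.5 port 40001 ssh2",
    "May 30 09:18:03 esx2 sshd[9342]: Failed password for root from 10.0.0.5 port 40002 ssh2",
    "May 30 09:18:05 esx2 sshd[9344]: Failed password for root from 10.0.0.5 port 40003 ssh2",
    "May 30 09:18:20 esx2 sshd(pam_unix)[9350]: session opened for user root by (uid=0)",
]


@dataclass
class LoginEvent:
    kind: str                  # which pattern matched
    outcome: str               # "success" or "failure"
    user: str                  # account concerned (root for a su-to-root)
    src: Optional[str] = None  # source address, where the message carries one
    count: int = 1             # failures the line represents (sudo reports N)
    via: Optional[str] = None  # originating user for su-to-root
    raw: str = ""


# (kind, outcome, regex), tried in order; the "illegal user" form is listed
# before the plain "Failed password" form so the username is captured correctly.
PATTERNS = [
    ("su_to_root", "success", re.compile(
        r"\bsu\(pam_unix\)\[\d+\]: session opened for user (?P<user>\S+) by (?P<via>[^(\s]+)\(uid=\d+\)")),
    ("ssh_session", "success", re.compile(
        r"sshd\(pam_unix\)\[\d+\]: session opened for user (?P<user>\S+) by \(uid=\d+\)")),
    ("vmware_login", "success", re.compile(
        r"Event (?P<event_id>\d+) : User (?P<user>[^@\s]+)@(?P<src>\S+) logged in")),
    ("ssh_bad_user", "failure", re.compile(
        r"sshd\[\d+\]: Failed password for illegal user (?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("ssh_bad_password", "failure", re.compile(
        r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("sudo_failures", "failure", re.compile(
        r"sudo:\s+(?P<user>\S+) : (?P<count>\d+) incorrect password attempts")),
]


def classify(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a login-related line, or None for anything else."""
    for kind, outcome, rx in PATTERNS:
        m = rx.search(line)
        if m:
            g = m.groupdict()
            return LoginEvent(kind=kind, outcome=outcome, user=g["user"],
                              src=g.get("src"), count=int(g.get("count", 1)),
                              via=g.get("via"), raw=line)
    return None


def parse(lines: List[str]) -> List[LoginEvent]:
    """Keep only the lines that are login events, in their original order."""
    return [e for e in (classify(l) for l in lines) if e is not None]


def summarize(events: List[LoginEvent]) -> dict:
    """Per-user success/failure totals and failure totals per source address."""
    successes, failures, by_source = Counter(), Counter(), Counter()
    for e in events:
        if e.outcome == "success":
            successes[e.user] += 1
        else:
            failures[e.user] += e.count
            if e.src:
                by_source[e.src] += e.count
    return {"successes": successes, "failures": failures, "failures_by_source": by_source}


def suspicious_users(events: List[LoginEvent], threshold: int = 3) -> List[str]:
    """Users whose successful login comes after at least `threshold` accumulated
    failures; this is why successes must be tracked alongside failures."""
    fails, flagged = Counter(), []
    for e in events:
        if e.outcome == "failure":
            fails[e.user] += e.count
        elif fails[e.user] >= threshold and e.user not in flagged:
            flagged.append(e.user)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse(SAMPLE_LINES)
    for e in evs:
        print(f"{e.outcome:7} {e.kind:16} user={e.user} src={e.src} n={e.count}")
    print(summarize(evs))
    print("suspicious:", suspicious_users(evs))
```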

Overall, you must prepare for the future by learning to analyze VMWare logs, just like you handled "legacy OS" logs, such as Linux/Unix and Windows.

As I said before, I am tagging all the tips on my del.icio.us feed; here is the link: All Security Tips of the Day.

The Blame Game [Branden Williams' Security Convergence Blog]

Posted: 25 Aug 2008 11:12 AM CDT

First off, I want to apologize for the lack of posting. Travel across the date line is one of those things that looks like a productivity enhancer, at FIRST. Then the realization slowly sets in.

One of the articles I wanted to post on was Bill Hume, the former CIO of Hannaford, who is changing his tune a little bit. Apparently, the PCI Standard is not his problem, but now he blames Microsoft for the breach that occurred on his watch.

I don't know if you are like me, but I can't wait for the lawsuits to start flying so that all of the speculation on this incident can end. Legal discovery can be a beautiful thing. As with most major breaches, there is not one giant big goof that you can point your finger to; there tends to be a series of events that lead to the breach.

Maybe Bill can hook up with Dave Hogan from the NRF and they can practice playing the blame game together? I imagine it would go something like this.

"I blame PCI! It's too hard to comply to!" (Dave)

"No, it's not strong enough! If they would have required internal encryption, things would be different!" (Bill)

"Wait, what? Dude, I'm going to have a lot of pissed off members if I say what you said." (Dave)

"Call me dude again, and see what happens!" (Bill)

"I blame PCI! It's not strict enough!" (Dave)

"That's more like it." (Bill)

"No one is listening to me anymore... you try." (Dave)

"I blame Microsoft!" (Bill)

"Ooo, nice one." (Dave)


It's all fun and games right now, until the currently confidential documents become public record.

Or maybe THEN the fun and games can start?

Authenticating Alan Shimel is Certifiably Hard [Emergent Chaos]

Posted: 25 Aug 2008 10:47 AM CDT

Alan Shimel got hacked, and he's blogging about it, in posts like "I'm back." It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us.

One of the themes of these posts is the difficulty of resolving the cases, especially when your password has been changed and your email accounts have been compromised. Alan's spent a lot of time on the phone getting stuff cleaned up, and I'd like to look at that process a little.

Alan has various business relationships with organizations who know him only via email and credit cards, or perhaps with a PO. How should they handle a claim that an account has been hacked? How are they supposed to authenticate someone calling who doesn't know the password, and wants to tie a new email account into the system? Doesn't that sound like fraud? These organizations likely don't know Alan's driver's license # or passport.

This problem isn't hard because we lack technology, it's hard because a networked system has emerged which makes it easy to do business all around the world with people you don't really know. If Alan had a client cert, maybe that would have been stolen, too. If he had a smartcard, maybe that would have been attacked via a client-side trojan. He ran into these troubles, and documents them at Yahoo, in "Why Google is now my homepage instead of Yahoo:"

I have written and called to every address you can think of. They have asked for copies of my drivers license. They wanted all of my information when I first applied for an account (yes from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe. Don't ask me where, but somewhere safe). Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won't give me the question they want to answer. I sent them the hackers post bragging about getting my email account.

There may well be multiple guys named Alan Shimel out there; just seeing a faxed copy of a license isn't very good authentication.

All we have in distant and simple relationships is persistence and that's not that strong. We also have what Alan used, which is webs of trust. He called people who knew him and had them call people he knew:

As I have written earlier, I was lucky in that I was able to call on people to help me out. For instance my friends at FeedBurner/Google, Matt Shobe and Dick Costollo, quickly took control of my FeedBurner accounts, including the SBN feed. They were also able to get someone live at Typepad to allow me to take back the blog. This took more time than it should have though. Until FeedBurner reached out to someone, the Typepad support team just kept sending a new password to mailboxes that the attackers controlled, even though I was mailing them from my stillsecure mail box! You could not get any of these people on a phone. Very frustrating! ("Our web infrastructure needs to be at public utility levels")

Now, persistence and webs of trust seem like bad business models. They're not easy to manage with regards to liability and contracts, but they are a great representation of how the world really works.

Closely related: "Certifiably Silly," and "I'm certifiably wrong."

Always keep your wireless off on the iPhone 3G until you need to use it [StillSecure, After All These Years]

Posted: 25 Aug 2008 10:17 AM CDT

I came across a very poor security feature of the iPhone 3G this week.  Like many of you, unless I actually turn wireless networking off, by default it is on.  The caveat is that many of you have set the phone to "warn you before connecting".  I thought that this would mean that before my phone connected to a wireless network, it would ask my permission.  In fact that is what happens the first time you connect to a named wireless network. But after you have connected to a particular SSID before, in the future the phone will connect to that network automatically without asking!  On top of this, networks like ATTWireless seemed to be already pre-approved and the phone does not ask you permission. To be fair, Apple does warn in the fine print that "known networks will be joined automatically".  But how hard is it to change an SSID today?

So what does this mean?  Let's say you go to a friend's house or some other location that is using a default SSID like Linksys.  You want to use the network while at that location and give it permission.  After that you are at an airport or other public place and your phone picks up a wireless network named linksys.  Guess what, your phone just connected and didn't ask you a thing.  Let's say some bad guys set up a network to gather your data.  They name the network ATTWireless or Linksys or some other common name.  If you have wireless on your phone turned on, even if you have the "warn me and ask permission" set, you will still connect to that network without notice to you.  I am sorry, but this is just terrible design by Apple!  I want to be asked before I connect to any network every time I connect.

Could this be how my log on information was stolen in Vegas?  I don't know, I actually had wireless shut down entirely for most of the time in Vegas.  But I have been racking my brain to remember if there was a time I turned wireless on for a short time.

In the meantime, I now keep my iPhone's wireless network settings to off at all times.  You should too! Of course Apple designed many of the programs to be optimized for high speed connections like wireless network connections, so there might be some trade-offs there.

http://compnetworking.about.com/cs/wirelessproducts/qt/changessid.htm

2. Be careful of the Free Public Wifi SSID. I see it always as an ad hoc network and though I have never tried to connect and I don't know for sure what it is, I know that it is probably not good.

It’s a bad idea to encourage Amrit [Network Security Blog]

Posted: 25 Aug 2008 08:58 AM CDT

Amrit Williams has a snarky little piece called “The 11 Worst Ideas in Security“. I haven’t read Ranum’s article yet, but I can guess at the content given some of Ranum’s previous writings. Amrit’s comment on WEP alone makes the article worth reading.

I’d actually forgotten about Microsoft Central Point Anti-virus, or I had never really paid attention at the time. The former is more likely. I probably would have moved security analysts up the chart, but Amrit was once an analyst and still has a soft spot for them in his heart.

Non-denominational political joke [StillSecure, After All These Years]

Posted: 25 Aug 2008 08:43 AM CDT

With the Democratic convention about to start I thought I would share this non-denominational political joke that I heard today:

While walking down the street one day, a US senator is tragically hit by a truck and dies. His soul arrives in heaven and is met by St. Peter at the entrance.

"Welcome to heaven," says St. Pete. "Before you settle in, it seems there is a problem. We seldom see a high official around these parts, you see, so we're not sure what to do with you."

"No problem, just let me in," says the senator.

"Well, I'd like to, but I have orders from higher up. What we'll do is have you spend one day in hell and one day in heaven. Then you can choose where to spend eternity."

"Really, I've made up my mind. I want to be in heaven," says the senator.

"I'm sorry, but we have our rules."

And with that, St. Pete escorts him to the elevator and he goes down, down, down to hell. The doors open and he finds himself in the middle of a green golf course. In the distance is a clubhouse and standing in front of it are all his friends and other politicians who had worked with him.

Everyone is very happy and in evening dress. They run to greet him, shake his hand and reminisce about the good times they had while getting rich at the expense of the common people.

They play a friendly game of golf and then dine on lobster, caviar and champagne.

Also present is the devil - really a very friendly guy who has a good time dancing and telling jokes. They are having such a good time that before he realizes it, it is time to go.

Everyone gives him a hearty farewell and waves while the elevator rises....

The elevator goes up, up, up and the door reopens on heaven where St. Pete is waiting for him.

"Now it's time to visit heaven."

So, 24 hours pass with the senator joining a group of contented souls floating from cloud to cloud, playing the harp and singing. They have a good time, and, before he realizes it, the 24 hours have gone by and St. Peter returns.

"Well, then, you've spent a day in hell and another in heaven. Now choose your eternity."

The senator reflects for a minute, then answers: "Well, I would never have said it before, I mean heaven has been delightful and all, but I think I would be happier in hell."

So St. Peter escorts him down to the elevator and he goes down, down, down to hell.

Now the doors of the elevator open and he's in the middle of a barren land covered with waste and garbage.

He sees all his friends dressed in rags picking up the trash and putting it in black bags as more trash falls from above ...

The devil comes over to him and puts his arm around his shoulder. "I don't understand," stammers the senator. "Yesterday I was here and there was a golf course and clubhouse, and we ate lobster and caviar, drank champagne and danced and had a great time. Now there's nothing but a wasteland full of garbage and all of my friends look miserable. What happened?"

The devil looks at him, smiles and says .................

"Yesterday we were campaigning. Today you voted!!"

BlackHat/DefCon 2008 - Tool Release(s) [extern blog SensePost;]

Posted: 25 Aug 2008 08:09 AM CDT

Hey guys..

Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or set of tools is reDuh which can be found [here]. reDuh is made up of 2 parts, a local proxy and a server component (which is jsp, php or asp). If you run the local proxy on your machine while pointing it to the server component, you are able to make TCP connections clean through the web-server. This comes in surprisingly helpful (and if nothing else is really cute!). You can read more about reDuh (with pretty pictures) by checking out the [reduh page] or by checking out our [Vegas slides].

[Squeeza] also had some tweaks, and now incorporates some SQL Server OLE goodness. Grab [v0.22 here], and read more about it in the [slides].

Have fun, play responsibly and please post feedback or comments here or to research@sensepost.com

Cloud Computing: More Storms Ahead [ARCHIMEDIUS]

Posted: 24 Aug 2008 11:59 PM CDT

The biggest threat to the promise of cloud computing to appear this summer wasn't the failed trademark attempt by Dell, but rather brilliant research by a leading white hat security researcher.  Dan Kaminsky discovered how a well-known and widespread vulnerability in DNS servers could be exploited in seconds and turn any one of millions of [...]

Follow Us on Twitter - NovaInfosec [NovaInfosecPortal.com]

Posted: 24 Aug 2008 11:18 PM CDT

We finally started incorporating some social networking features into the site. As a previous blog post stated, we added the Share This button to our posts and pages. And just this weekend we finally incorporated our novainfosec Twitter account into the site. By following this account you’ll get tweets of new blog posts. Additionally, this works in reverse … so anything we tweet to the Twitter novainfosec account will show up as a blog post. We promise that this reverse capability isn’t going to get overloaded with what we’re eating for breakfast :) (for stuff like that you can follow my personal infosec Twitter account - grecs). We plan on using the novainfosec tweets for posting on-the-fly important updates when we don’t have access to a computer. We’re all sort of new to this Twitter thing so if you have any suggestions please let us know in the comments below.

Diebold/Premier vote dropping [Emergent Chaos]

Posted: 24 Aug 2008 08:26 PM CDT

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges.

The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is the root of the problem has been part of the software for 10 years, said Chris Riggall, a spokesman for Premier Election Solutions, formerly known as Diebold.

So reports the Washington Post. Wow.

When Congress acts in haste, a la the HAVA fiasco, we all repent at leisure.

Changes [GNUCITIZEN]

Posted: 24 Aug 2008 02:43 PM CDT

This is a quick post just to let you know that we are currently introducing a lot of changes around this website and our infrastructure in general. If you are a regular visitor, you should have spotted a few problems in the last couple of days. We are working on them and we are also adding some awesome security features to Wordpress, which will be released as a plugin soon. The stuff is really good and I am sure that many will love it and perhaps use it in your setups!

Waiting on the World to Change

Our motivation is to improve the quality and increase the manageability of our platform. The bigger we grow the more challenges we face and today it is getting significantly harder to do even simple things. That is why we had to think creatively about our problems and find a suitable solution which must not take a lot of time to implement and at the same time must deliver the desired results. I think that we’ve got it, and I have been working on it for some time now.

A significant change to this site is the implementation of a security plugin for Wordpress, as I’ve mentioned earlier. I think that I’ve managed to make Wordpress a lot more secure (session-wise). Still, the solution is far from being perfect. Also, we’ve merged the projects and blog sections into one (just blog from now on). Soon, we will have a portfolio page that will summarize all of our stuff. I think that this is much better as some projects become quite big and as such they often aggregate the work from people outside GNUCITIZEN. Also, our work far exceeds what we’ve blogged about online, so it will be nice to have a good summary page for that too.

Anyway, I hope that we will finish with the maintenance work soon. If you spot any problems, please do not hesitate to contact us. We appreciate your feedback and support.

This just in, someone steals another Apple idea [Random Thoughts from Joel's World]

Posted: 24 Aug 2008 01:54 PM CDT

Okay, so could someone please rip Apple off? I mean, it hasn't been done in a couple days. Watch this video. Blackberry Bold unboxing. Tell me that's not almost the exact design of how the iPhone unboxing is? Please.


Spam fun [Random Thoughts from Joel's World]

Posted: 24 Aug 2008 01:35 PM CDT

My name is Sgt Jeff Frawley I am an American soldier in peace keeping force in Iraq,

No you're not.

I am serving in the military of the 1st Armored Division in Iraq, as you know insurgents everyday and car bombs are attacking us.

You mean insurgents and car bombs are attacking us everyday? Do they teach grammar anymore?

We managed to move funds belonging to Saddam Hussein's family.

No, you didn't.

The total amount is US$ 12 Million dollars in cash. We want to move this money to you, so that you may keep our share for us till when we will come over to meet you.

No, you don't. You didn't find the money, you wouldn't just email someone out of the blue, you'd try and smuggle that stuff in your pants. Besides, sew it into the spaces in your rucksack. Come on, get inventive.

We will take 60%, my partner and I.You take 40%.

Actually, if I am moving your money, I'll take 90, you take 10. How about that? Since I am pretty much taking all the risk, I'll take the majority of the money. And since you pretty much have no alternatives because you are apparently stupid and just email me out of the blue on the Internet, you have no alternatives!

No strings attached, just help us move it out of Iraq, Iraq is a war zone.

No kidding? I thought it was the McDonald's Play area.

We plan on using diplomatic courier and shipping the money out in two large boxes, using diplomatic immunity.

So what do you need me for?


If you are interested I will send you the full details, my job is to find a good partner that we can trust and that will assist us. Can I trust you?

Sure, if your terms are in line with mine, above. 90-10.

If you are capable of handling this with me, kindly send me an e-mail signifying your interest including your most confidential telephone/fax numbers for quick communication also your contact details. This business is risk free the boxes can be shipped out in 48hrs.

My "Most" confidential telephone and fax numbers? Really? Is there such a thing? (oh yeah, because the NSA isn't monitoring communications...)

BTW -- don't believe scams like this. Come on! You KNOW this is false, and I know you probably are reading my website because you Googled this same email if you got it. Don't fall victim to this kind of thing, of course it's fake!
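The message quoted above is a textbook advance-fee ("419") scam, and the things the author mocks (the absurd cash sum, the percentage split, the "diplomatic courier", the request for your most confidential phone and fax numbers, the 48-hour urgency) are exactly the indicators a mail filter can score. The Python scorer below is an added example, not code from the post's author; the indicator list, weights and threshold are assumptions chosen for illustration, and both sample messages are constructed (the first is the scam text from the post pasted together).

```python
import re

# Constructed sample: the advance-fee message quoted in the post above,
# joined into one string so the scorer can run on it offline.
SCAM_SAMPLE = """My name is Sgt Jeff Frawley I am an American soldier in peace keeping force in Iraq,
I am serving in the military of the 1st Armored Division in Iraq, as you know insurgents everyday and car bombs are attacking us.
We managed to move funds belonging to Saddam Hussein's family.
The total amount is US$ 12 Million dollars in cash. We want to move this money to you, so that you may keep our share for us till when we will come over to meet you.
We will take 60%, my partner and I.You take 40%.
No strings attached, just help us move it out of Iraq, Iraq is a war zone.
We plan on using diplomatic courier and shipping the money out in two large boxes, using diplomatic immunity.
If you are interested I will send you the full details, my job is to find a good partner that we can trust and that will assist us. Can I trust you?
If you are capable of handling this with me, kindly send me an e-mail signifying your interest including your most confidential telephone/fax numbers for quick communication also your contact details. This business is risk free the boxes can be shipped out in 48hrs."""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """Hi Joel, attached are the slides from Tuesday's meeting.
Let me know if the numbers on page 3 look right and I'll send the final version to the team."""

# Each indicator: (name, compiled regex, weight). The weights are assumptions
# picked for illustration; a production filter would learn them from labelled mail.
INDICATORS = [
    ("large_cash_sum", re.compile(r"\bUS?\$\s*\d+(?:\.\d+)?\s*million|\bmillion\s+dollars\b", re.I), 3),
    ("percentage_split", re.compile(r"\b\d{1,2}\s*%"), 2),
    ("move_funds", re.compile(r"\b(move|transfer)\b.{0,40}\b(funds|money)\b", re.I), 2),
    ("diplomatic_shipping", re.compile(r"\bdiplomatic\s+(courier|immunity|bag)\b", re.I), 2),
    ("trust_appeal", re.compile(r"\b(can i|we can) trust\b", re.I), 1),
    ("contact_harvest", re.compile(r"\b(telephone|phone|fax)\b.{0,40}\bnumbers?\b", re.I), 2),
    ("risk_free", re.compile(r"\brisk\s*free\b|\bno strings attached\b", re.I), 2),
    ("urgency", re.compile(r"\b\d{1,3}\s*(hrs|hours)\b", re.I), 1),
    ("war_zone_story", re.compile(r"\b(soldier|armored division|saddam|war zone)\b", re.I), 1),
]

THRESHOLD = 8  # assumed cut-off; tune against real mail before relying on it


def score_message(text):
    """Return (total_score, [matched indicator names]) for one message body."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    total = sum(weight for name, _, weight in INDICATORS if name in hits)
    return total, hits


def is_advance_fee_scam(text, threshold=THRESHOLD):
    """True only when several independent scam indicators co-occur in one message."""
    total, _ = score_message(text)
    return total >= threshold


if __name__ == "__main__":
    for label, msg in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        total, hits = score_message(msg)
        print(f"{label}: score={total} flagged={is_advance_fee_scam(msg)} hits={hits}")
```

Any single indicator on its own is weak (plenty of legitimate mail mentions a percentage or a phone number), so the score only crosses the threshold when several of them appear together, which is why the benign note about "numbers on page 3" scores zero while the quoted message trips every indicator.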


Switching to random passwords [Network Security Blog]

Posted: 24 Aug 2008 09:23 AM CDT

After some of what happened at Defcon and just to combat my general laziness when it comes to passwords, I purchased 1Password for my Mac Book Pro and iPhone several weeks ago. Actually, the OS X version is $34.95 while the iPhone version is currently free. The main feature that finalized my decision to purchase it was the ability to sync between the iPhone and the Mac Book Pro. I’m the only one in the house with a Mac, otherwise I would have purchased a 5-seat license for the house, which I think is only $20 more.

I’ve been using 1Password on both the iPhone and the MBP for several weeks now and I’m impressed. The sync works great, which I was especially grateful for when I had to reinstall 2.0.2 software on my iPhone after an aborted jailbreak attempt. I’ve been using the password creation portion of the program to replace the memorized passwords I’ve been using. I allow Firefox to memorize some passwords, but the most sensitive ones are still only going to be in 1Password or my head. Having the ability to quickly look up the password means they can be strong and I don’t have to keep them in my head.
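A concrete way to see why generated passwords beat memorized ones is to count their entropy: a uniformly random password of length n over an alphabet of size k carries n·log2(k) bits, and the generator makes that number as large as you like. The Python below is an added example, not part of 1Password or of this post; the alphabet and the 128-bit target are assumptions, and it draws from the `secrets` module (the OS CSPRNG) rather than `random`, whose output is predictable and unsuitable for passwords.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and a set of symbols. Which symbols a
# site accepts varies, so this is a configuration choice, not a standard.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character independently from the OS CSPRNG via secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    # secrets.choice is uniform over the alphabet; random.choice is NOT safe here.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Shortest length that reaches target_bits of entropy with this alphabet."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def is_valid(password, alphabet=ALPHABET):
    """Sanity check a generated password: non-empty and drawn only from the alphabet."""
    return bool(password) and all(c in alphabet for c in password)


if __name__ == "__main__":
    n = length_for_bits(128)  # assumed target comparable to a 128-bit key
    pw = generate_password(n)
    print(f"{n} chars over {len(ALPHABET)} symbols = {entropy_bits(n):.1f} bits: {pw}")
```

With this 85-symbol alphabet each character contributes about 6.4 bits, so 20 characters already exceed 128 bits; by comparison, a memorable eight-character word-based password rarely reaches 30. Because the manager stores the result, the length can be whatever the site allows rather than whatever a person can remember.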


Fedora Live USB Creator [Network Security Blog]

Posted: 24 Aug 2008 09:10 AM CDT

I’ve had this article flagged on Lifehacker for over 4 months, waiting for the right time to use it. When a friend brought over his computer for repair, I took one look at the running system and realized it needs to be rebuilt from scratch. His hardware’s good, but the OS is infected beyond trusting. I’m hoping I can save a few pictures for him, but that’s about it. In the mean time, I decided his computer would make a good guinea pig for playing with a few LiveCD’s and the Fedora 9 Live USB Creator.

I have a 2 gig USB thumb drive I picked up at RSA this year courtesy of Secunia, which is more than enough room for a Linux installation. It took about 20 minutes to create the initial Fedora 9 Desktop installation on the thumb drive, but most of that time was the downloading of the ISO file. The boot up on the target system went well, but Fedora 9 doesn’t recognize the Linksys wireless card in the system and I don’t have the inclination to fight with an installation that much. I tried older versions of Knoppix and a Damn Small Linux I had lying around, but they didn’t like a lot of what they saw on the system, mainly the video and the wireless.

As an experiment I hit the “Use existing Live CD” button and pointed the Live USB at an ISO of Ubuntu 8.0.4.1 LTS (Hardy Heron), and it worked flawlessly. USB Creator had verified the Fedora 9 ISO, but it simply trusted the Ubuntu ISO and 4 minutes later I had an Ubuntu Live USB. Ubuntu at least recognizes the wireless card is there and even suggests some drivers, but I’ll have to hook it up in my office wired LAN to get the system on the Internet. Not an insurmountable problem, just one I’m too lazy to do yet.

I’ll probably wimp out and put Windows 2000 back on the system along with some additional safeguards. This is because I doubt my friend can adjust to Linux, even if all he does is surf the Web. In the mean time, I’ve got a decent little test system. Next up for a quick test run is Helix. Anyone have suggestions for a *nix live distro that I can test out fairly quickly to place on a non-computer-savvy friend's system?

PS. I hate being desktop support.


CapSecDC Infosec Meetup Event - Wednesday, 08-27: Normal Meeting [NovaInfosecPortal.com]

Posted: 23 Aug 2008 10:16 PM CDT

Here is some information regarding this week’s Wednesday CapSecDC infosec meetup event.

For more information on CapSecDC, see its description in our NoVA Meetups section. See our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the post about this meetup.

MBTA and responsible disclosure [Andy, ITGuy]

Posted: 23 Aug 2008 04:45 PM CDT

What is responsible disclosure? That is a question that has not and will not be answered. It all depends on who you ask. One researcher will give one answer and another will give another answer. The same goes for those who work in other areas of information technology and information security. Networkers and developers, security pros and server admins. All will give different answers depending on their view of information security and the importance of discovering flaws and disclosing them.

The key word in this discussion is "responsible". Unfortunately even responsible doesn't mean the same thing to everyone. I guess in reality the word responsible can/does have a moving definition. If you find a vulnerability and it will take lots of skill, special tools and lots of money to exploit it on a wide scale then the risk of it being exploited is pretty low and disclosing it w/o going to the vendor is not as big a deal. On the other hand if you take the opposite of those things and you disclose without giving the vendor a chance to fix it is irresponsible. Those are the two extreme sides of the debate. It's all the stuff in the middle that causes the masses to argue over what is responsible and what isn't.

Here is my take on this with some comments on the MBTA debacle thrown in.
  1. As Information Security Professionals it is our responsibility to act in a professional manner and to do all in our power to protect the company that we work for.
  2. If you are doing research on your own or for a company then you have a responsibility to protect your client or the company/vendor that you are researching.
  3. If you call yourself a White Hat researcher then you have a responsibility to act in a responsible manner for all computer users.
  4. Responsible disclosure means that you give the vendor/company time to fix the issue before going public with it.
  5. The argument that vendors are not responsive when a vulnerability is given to them is flawed because this is not the case most times.
In this instance the MIT students didn't act responsibly in several of these areas. #2, 3, 4 were all ignored for the most part. Giving a company 4 days advance notice is hardly responsible. Although there is some rumor floating around that the MBTA did have notice of some of the issues several months ago. Which if you think about it is true. They may not have known about this particular research from MIT but it has been public knowledge of the Mifare RFID chip being vulnerable since the Dutch researchers wrote their paper about a year ago. Not to mention the fact that the London Oyster Card also used the same chip and it was announced a few months back that it had been hacked.

If anyone would expect that the MBTA would be able to fix this in a short period of time then they are sadly mistaken. An issue such as this involves much more than just changing the encryption on the card. The software and firmware used in the readers and encoders have to be changed. The database has to be modified as well as the code in the vending machines that sell the tickets and much more. There has to be testing and QA before it can be rolled out into production. Not to mention that getting new cards is not something that you can just run down to Wal-Mart and pick up. Especially when you are dealing with something as big as this. There are specs that have to be figured out and agreed upon between the MBTA and their Fare collection vendor. Then they probably have to put out a bid on the new cards and give the card vendors time to submit proposals. Then they have to go through a selection process and then wait on a PO to be approved via their procurement process. Then they can place the order. Even at that point they are still not ready to go live. The vendor has to fill the order and once the new cards are in there is still the whole process of replacing the old cards. This means that the new specs will have to be backward compatible with the old ones because they can't just cut the old cards off and make everyone migrate to the new ones all in a day.

As things such as this and the DNS Metasploit exploit continue to happen it makes me less and less of a fan of disclosure until after vendors have released a patch and adequate time for the patch to be installed has passed. I'm not there yet. I still think that there is a place for researchers to find flaws and get the word to the vendor so they can be fixed. I'm even in favor of researchers releasing exploits prior to a patch if the vendor is ignoring the issue AND the issue is not of a nature that can cause serious widespread pwnage.

I have to admit that one thing that I recently read makes a lot of sense. I don't remember where I read it or who said it so if you know let me know so I can give them credit. Basically they said that instead of spending so much time looking for and focusing on vulnerabilities that have a very low risk to the public let's focus on fixing the ones we know about that do have the potential to cause serious problems. Let's also focus on writing better code and deploying more secure applications and infrastructures. This is where we can make a difference. Let's quit trying to make a name for ourselves by being the first to find something and make a name by being the ones who are willing to work together to make things better.
