Sunday, August 31, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

VP Nominee Sarah Palin, Hacker? [Zero in a bit]

Posted: 30 Aug 2008 01:51 PM CDT

John McCain’s pick for VP, Sarah Palin, knows a thing or two about retrieving evidence from a computer. The mainstream reporting calls her a “hacker” because she is able to retrieve files from the Windows recycle bin.

The Anchorage Daily News reports back in September 2004:

Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich’s computer, looking for evidence that the state Republican Party boss had broken the state ethics law while a member of the Alaska Oil & Gas Conservation Commission.

The next week, when Palin went back to work at the AOGCC, she noticed that Ruedrich had removed his pictures from the walls and the personal effects from his desk. But as she and an AOGCC technician worked their way around his computer password at the behest of an assistant attorney general in Fairbanks, they found his cleanup had not extended to his electronic files.

The technician “said it looked like he tried to delete this, but she knew a way to go around and get some of the deleted stuff,” Palin said in an interview. “I didn’t know what I was looking for, but I was there.”

And this is how Salon reports the same incident:

“In a neat symbolic fit, the agent responsible for Alaska’s current moment of reform and modernization is a woman, a breed once nearly as rare in far Northwest politics as a Democrat. Sarah Palin, a libertarian and hockey mom from the fast-growing suburbs of Anchorage, began her political career — as an appointed member of the state’s Oil and Gas Commission — by hacking into the computer of another commissioner, Randy Ruedrich, chairman of the Alaska Republican Party. Palin was seeking the evidence that she would eventually use to charge him with an improper relationship with lobbyists. (Ruedrich would later settle state ethics charges against him by paying a $12,000 fine.)”

Is this where the McCain administration is going to get their computer security expertise? She’s not a security expert but it is nice to see someone at the level of state govenor who knows their way around a computer.

TSA's Brand [Emergent Chaos]

Posted: 30 Aug 2008 01:01 PM CDT

Passing through Portland's PDX Airport, I was struck by this ad for SeaPort Airlines:
No TSA.jpg
Things are pretty bad for TSA when right after "faster travel," a company lists "No TSA" as its second value proposition. (Bottom left corner.)

It's actually sort of impressive how much hate and resentment the TSA has built in the few long years of its existence.

Setting up my "slice" from slicehost [Carnal0wnage Blog]

Posted: 30 Aug 2008 11:30 AM CDT

If you are looking to have your own box and get your hands dirty with Linux administration then slicehost is a great option for you.

My last hosting company didn't allow me access to log files and were just an overall pain to work with. I can tell you that if Alan Shimel had had my hosting company the guys that took over his domain probably wouldn't have had the patience to wait out what it took me to move mine...anyway I digress.

Slicehost is great, here is a breakdown of their plans:


256 slice $20.00 10GB 100GB

512 slice $38.00 20GB 200GB

1GB slice $70.00 40GB 400GB

2GB slice $140.00 80GB 800GB

4GB slice $280.00 160GB 1600GB

You start with a slimmed down version of one of the following OS's"

Arch 2007.08
CentOS 5.2
Debian 4.0 (etch)
Fedora 9
Gentoo 2008.0
Ubuntu 7.10 (gutsy)
Ubuntu 8.04.1 LTS (hardy)

My Ubuntu install was only about half a gig, so I had plenty of space for the carnal0wnage site even though the blog really takes all the traffic. I'm not going to do a lockdown guide, there are so many on the net, but you basically SSH in (also has a web console if you get locked out) and start "apt-getting" what you need to set up your box they way YOU want it. You also have full reboot privileges or if you really hose up your install you can just reformat.

Things I did:

installed stuff I probably don't need :-)
locked down sshd
installed apache2 and modsecurity
configured DNS for web and google mail
installed and configured denyhosts
started tweaking iptables rules

You can't beat 20 bucks a month for an IP and root on your own box ;-)

They also have an API so you can script management and status tasks

Extra Help

Obama pr0n mail [An Information Security Place]

Posted: 30 Aug 2008 07:17 AM CDT

Actually, this is a legitimate email, but I just about had to laugh when I saw the subject.  Michelle, I really don’t want to know.  You and Obama keep that to yourselves…



Not the smartest... [The Security Shoggoth]

Posted: 29 Aug 2008 03:30 PM CDT

I was looking at a bot the other day I received though email. The "botmaster" (and I use that term loosely) was using mIRC-based bot, something I haven't seen in a long time. It wasn't packed, didn't perform any tricks to get installed, etc. Everything screamed amateur.

So, I ran it through my honeynet and just sat there and watched. Since it was mIRC I could open it up and just watch the channel. To my complete amazement, after confirming I was a bot (by asking me to echo some text back to him) the "botmaster" gave me admin access to the IRC channel. Huh!?!

(In the picture below the botmaster is @Gigi, my infection is @Childse.)

So, what is a self-respecting malware analyst like myself to do? Oh, I don't know. :)

There's Life In Space (Sort of) [ImperViews]

Posted: 29 Aug 2008 02:00 PM CDT

mythbusters.pngI'm reading the news and it's like watching Mythbusters. On one hand, NASA managed to find "life" in space. On the other hand, my myth of NASA's security is busted. For the sake of discussion, it does not matter how the virus got there and whether or not it is dangerous or just annoying.  The simple fact is that there are no more sanctuaries.

I hate to sound like I'm FUD-ing - and I hope that no one will Defudder me - however, there are some questions that should be asked.

The Power of Words [Security Incite Rants]

Posted: 29 Aug 2008 09:34 AM CDT

If you live in the US, and haven't had your head in the sand for the past week - you know it's convention season. This week was the Democrats, next week will be the Republicans. It's all about party unity and energizing the political base, preparing for the next 9 weeks of brutal slog leading up to the election.

Regardless of your political leanings (and I got soundly thrashed last time for even mentioning politics on my blog), you need to appreciate the power of words.

You see, most of what I've done in my career has been about words. Whether it's words I'm writing or words I'm speaking, it's really always been about the words. I also read A LOT, and that's all about the words. I've come to realize that I love words.

Words can (and do) inspire. If you lean Democrat, you were very likely inspired by the speeches of this week's convention. You got to see great speakers talk about their vision of the future.

Republicans will be likewise fired up when they see their candidates, who are also great speakers, get on the stage and talk about the better days to come. Words allow you to think about something else. Something better.

Maybe it's the words you read in a fiction book, which take you to a different place and allow you to be a different person. Maybe it's the words in your own diary or journal. Those are words you can't run away from because they represent the true you.

Maybe it's the words you hear. When you listen to a truly gifted orator, who has great passion for what they are saying, you are taken to a different place. You think about things in different terms. You expand your mind and believe you can do anything. And in fact you can.

Maybe it's your religious leader. Maybe it's a Tony Robbins-like motivation speaker or a Tom Peter's-type of business sage. Whoever it is, the next time you hear them speak. Go with it. See where you end up. Words are cheap. It won't cost you anything to indulge your imagination for a few minutes or hours.

We also have to keep in mind that words cut the other way. Words can be damaging and incite chaos, dissension and hate. Many of the wars and conflicts throughout history have been started with words. Not enough people really think about what they say before they say it or write it. Once words are out there, you can't take them back - no matter how hard you try.

Of course, words are not actions - but words lead to actions. For better or worse.

When my daughter asks me what my favorite book is, I have historically said, Dumas' "The Count of Monte Cristo." That story of faith, redemption and finding the emptiness of revenge is timeless to me. But now I see I was thinking too small.

In fact, now I see my favorite book is the dictionary. Whatever life has in store for me, I'm pretty sure my answer will be in the dictionary. I just have to figure out how to string the words together.

Have a great holiday weekend if you are in the US. See you on Tuesday.

Photo credit: "Dictionaries" originally uploaded by jovike

BGP Attack Vectors [Infosecurity.US]

Posted: 29 Aug 2008 07:44 AM CDT

Wired’s ThreatLevel blogger Kim Zetter posts an excellent piece on the purported BGP Attack vector. An update to this article has also been posted.

Friday News and Notes [Digital Bond]

Posted: 29 Aug 2008 07:27 AM CDT

  • The “news” that an attacker with network access could upload firmware to many controllers came out this week. This FOUO report has been floating around, and it seemed hard to believe it was FOUO. It is common knowledge in the control system space, not to diminish the fact it is another serious widespread control system security flaw. In fact, firmware uploads have been on the Quickdraw event list almost from the start because it sure would be nice to know when this has happened. If you want to read some of the leaked document and additional info check out the liquidmatrix blog entry.
  • DHS’s Control System Security Program issued a Recommended Practice for Creating Cyber Forensics Plans for Control Systems.
  • Joe Weiss wrote a white paper including recommendations for the Blue Ribbon Commission on Cyber Security. This Commission will be providing a set of recommendations for the next US President. The paper is available after registering on the Control site.

ISR-evilgrade - Inject Updates to Exploit Software [Darknet - The Darkside]

Posted: 29 Aug 2008 05:55 AM CDT

ISR-evilgrade is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates and exploiting the system or software. How does it work? It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of...

Read the full post at

Apple Acknowledges iPhone Passcode Bypass Vulnerability [Infosecurity.US]

Posted: 28 Aug 2008 07:22 PM CDT

Engadget’s Chris Ziegler posts a report detailing Apple’s (NasdaqGS: APPL) acknowledgment of an exploitable security flaw in the passcode appliction and functionality resident on their highly touted iPhone smartphone.

PCSF: Day Three, Thursday [Digital Bond]

Posted: 28 Aug 2008 05:26 PM CDT

UPDATE: 6:30PM, Dale

Final Thoughts

PCSF is not perfect, but it is my favorite event in the control system security space by far. One main reason is the number, variety and quality of attendees. The lunch, evening, break discussions were highly interesting and even three days had me scrambling to talk with all the people I’d like to. The venue and schedule helped maximize opportunities for these discussions.

The program was mixed. I was not a big fan of the all day plenary session on Tuesday. Some of the panels had format challenges. The quality of the sessions may have been down slightly, but that is subjective. There were some very strong sessions, and I even missed some of the more highly reviewed sessions, and the days when there were 3 or 4 tracks usually meant something interesting was going on. There may be a need to spice up the next events, more shorter presentations, perhaps PCSF classic presentations for newcomers, more livelier debate and discussion sessions, etc.

I believe it is essential that PCSF continue and grow mainly because there isn’t a good alternative and starting over would be difficult. The information exchange and education at PCSF is needed. 200 people from 17 countries with little notice the week before Labor Day is impressive. Four tracks on Wednesday; three tracks on Thursday that were easily filled as submissions exceeded time. Hopefully whatever issue prevented DHS from attending will be resolved, and whatever format PCSF ends up in the future can focus on how to make this annual event and other events even stronger.


The Vulnerability Disclosure Workshop followed up the panel. There is never a shortage of opinions on this subject. Not sure we made any progress. It was interesting that Daniel and I from Digital Bond were the only ones in the room that would disclose a vuln to anyone besides the vendor [we disclose to US-CERT and Core had left].

Back to the Plenary to wrap up. A report by PCSF Brazil - - not directly affiliated with PCSF, but there have been interesting discussions about PCSF Europe and other international locations.

Home stretch.

Jason Holcomb, Bandolier

I started the morning going to Jason’s Bandolier presentation at 8AM for support. Nice job and the presentation will be posted on our site shortly.

Included in the presentation is the updated list of planned Bandolier security audit files. It is great that we were able to add Areva, Emerson Ovation and others to the list. We will update the SCADApedia page shortly.

Vendor Panel

I moved over to the vendor panel in progress, interesting group with smart guys and gals from ABB, Emerson, Honeywell, Invensys, Siemens, Telvent, and Yokogawa. Doing a little liveblogging during the Q&A

- Love the point of needing to move by Secure by Default from the ABB rep
- The Honeywell rep indicated the lifecycle may need to be reduced from 15 years to 10 years.
- Maybe it is no longer realistic to expect to have a control system with equipment and applications from 20 different vendors, Invensys rep.
- Don’t touch your switches, update IOS after installed and working??? Hello, McFly, won’t attribute that comment.
- Interesting comment from Telvent that some of the customers have them physically disable, burn out, the USB ports and other unused ports so they can never be used even if enabled in software.
- Discussion on encryption, not sure why because as one of the panelists noted integrity is much
- They asked my question “Do vendors have any obligation to provide security vulnerability mitigation for customers who do not have a current support contract?” Invensys says definitely. Siemens frames it well, out of warranty, no support contract, not current contact info . . . talks about User Group, we will always help them in an emergency - - vague but it sounds like they will help on a time and materials basis or some other cost basis. They move on to the next question.
- Do you have 3, 5, 10 year plan? Telvent focused on 5 year plans and defined a bit. Interesting they have a plan on how to bolster legacy systems until they are replaced.

Putting the Genie Back Into the Bottle [Digital Bond]

Posted: 28 Aug 2008 04:47 PM CDT

As a flurry of emails (about an as of yet not officially released control system vulnerability) show this morning, once a document goes online the damage is done. It is eternal, and it is virtually impossible to stop the dissemination of the document, or put the genie back into the bottle. This applies to any critical document be it vulnerability disclosures, network topologies, control system diagrams etc.

Google hacking is a powerful tool. Some interesting results:

FOUO filetype:pdf  shows the number of FOUO documents (pdf only try it on doc and see what you find) available via google.

scada filetype:doc shows just how easy it is to find critical control system information. Such a document can be seen at:

And don’t even get me started on what you can find when you start drilling down into any specific asset owner via google.


Why do I bring this up? Well, it serves as a reminder that we need to exercise discretion in who we share documents with, and how we make them available. Share a document with someone who is not as responsible as they ought to be and you might as well put it up on the internet yourself. Even if there isn’t a direct link to a document it still may be available to the world if the web server’s directory permissions are permissive.


The sheer amount of information available succinctly defining and diagraming critical infrastructure both here in the US and abroad is staggering. I have seen entire power distributions and generation systems’ scada, and topology diagrams available online.


New spot for the podcast [An Information Security Place]

Posted: 28 Aug 2008 03:28 PM CDT

image I have recently created a website that will strictly host the podcast.  The site is located at  The feed for site is located here.

I am not going to put a lot of design into the site.  I simply wanted a place for a separate site and feed for simplicity.  I will still be posting the podcast here as well.


Which film is the Most Realistic Hacker Movie? [SecurePuter]

Posted: 28 Aug 2008 02:14 PM CDT

Most Realistic Hacker Movies Survey

Ever wonder if what the hackers do in the movies can actually be done?

So did I. Now that I'm in the industry, I'm continually analyzing every Hacker based movie theme for accuracy. Sometimes I wonder if Hollywood even employs a Computer Security Expert or Hacking consultant to advise on technical possibilities. I get a kick out of a film that portrays a hacker at the computer and the screen displays them flying around like an X-wing in an asteroid field of formulas while they frantically type at the keyboard.

Below are movies involving a hacker of some sort. I'd like to poll my readers and get your opinion on the most realistic hacker movies. I've purposely left out pictures that are beyond reality, such as The Matrix and Tron. I also didn't include Documentaries or true story based films, such as Revolution OS and Takedown. Please refrain from voting on movies that you have not seen. The scaling is 1 – 5.

1 - Unrealistic
Not a chance that this is possible

2 - A bit Absurd
Ok some elements work, but the presentation is all wrong

3 - Somewhat Realistic
About half of what is shown is possible

4 - Quite Accurate
The majority was accurate, but there are some holes.

5 - Realistic
Everything featured is possible, and the terms, technology, and display are all real.

Realistic Hacker Movie Polls

Comment below if you have another nomination. I'll leave these polls going indefinitely and continually add hacker movies as they are released. Maybe this archive will get to a point where you can actually identify a non documentary but educational hacker film.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

Digg this to bring in more voters, and don’t forget to Bookmark this page for future results and additional movies.

PCI version 1.2 is coming [ImperViews]

Posted: 28 Aug 2008 01:20 PM CDT

PCI version 1.2 is starting to make its rounds. Having been through 1.0, then 1.1, this new version continues to give me the warm and fuzzies about this regulation. Why? Because it's just so reasonable. I know people will take issue with that, but if you've been around regulations for awhile you know what I mean (does anyone remember HIPAA and all the cycles we went around on that? Or the SOX COBIT meat grinder?).

Amichai and I held a webinar last week. Recalling the rush around 1.1 as organizations tried to get their heads around the regulations, we decided to help folks get a head start. Our net take away is the old Hitchhiker's Guide to the Galaxy adage, "Don't Panic."


PCSF: Wednesday,Day Two - Solution Day [Digital Bond]

Posted: 28 Aug 2008 11:00 AM CDT

UPDATE: Next day, Dale Peterson

I missed the Waterfall Solutions Unidirectional Connectivity presentation but caught up with them at the evening exhibit. They have a product that through hardware, I heard the term diode and optical communications, only allows one way communication. Hence they use the term unidirectional. It is an interesting concept that could be useful if you are pushing data from a more secure zone to a less secure zone, such as control center to DMZ. It is purely one way, so there are no acks, resend, recovery, etc. Where is this a good option?

UPDATE: 4PM, Dale Peterson

I also attended the RISI / incident database talk. I’m convinced it can work, because it has worked. The question is whether there is enough interest to do this pro bono or receive funding. Interestingly, I was thinking why would a business want to go through the effort to collect and maintain this database. Maybe one with a portal strategy??? Maybe we should talk to Mark Fabro and Eric Byres.

Bryan Singer of Wurldtech had the long slot after lunch to talk about Achilles inside. [Full disclosure: Wurldtech is a past client and current advertiser]. Actually have a few comments about this. After the 1:30 presentation I still can’t tell you what Achilles Inside is. I asked a few others, and they couldn’t either. Perhaps it was to avoid commercialism, and it could be the greatest thing ever, but the message needs some work.

There were some interesting parts of the presentation such as “Safety does not deal with intentional actions” and the impact of bridging the traffic for monitoring. Wurldtech had to be specify their own hardware to minimize the impact of monitoring during testing.

A bit of discussion on vulnerability disclosure as well. Wurldtech will not release vulnerability information and is very sympathetic to the problems of patching.

UPDATE : Morning Recap, Jason Holcomb

Several good presentations and side conversations so far today.

I attended the first one “Are You Compliant or Liable? Industrial Security and Compliance Using the Holistic Lifecycle Model” with a bit of a personal agenda. I assumed those attending might also be interested in our Bandolier project so I wanted to listen any issues that may be relevant.

(Side Note: This was presented by Clint Bodungen of CIDG, Chris Paul of Joyce and Paul, and Jeff Whitney of Berkana Resources Corporation). I do appreciate the holistic approach to compliance (CIDG’s model). In fact, I have worked on something very similar for another organization only we called it the “security framework”.

Not sure if I’m convinced on all the legal arguments made by attorney Chris Paul but IANAL, as they say. He talked a lot about potential criminal or civil liabilities based on security negligence. I’m just not sure if avoiding a lawsuit is the right motivation for control system security but I suppose it can help get the attention of some.

Next up for me was Eric Byres’ and Mark Fabro’s presentation about the Repository for Industrial Security Incidents (RISI). This is a spinoff of the work Eric did at BCIT with ISID (Industrial Security Incident Database). Here’s the overview:

  • You will need to submit an incident to the database in order to have full access (this is the same policy used with the ISID)
  • The difference with this system is there will be online access
  • There will be a paid quarterly newsletter that will provide summary information from the database — statistics, sector-specific data, etc…
  • There will be somewhere between 75 and 150 incidents in the database from the beginning

They are actively gathering input on if and how to carry out this project so I’m sure they would love to hear from you if you have an opinion. There will be some challenges for them but I am definitely curious to see what this looks like in final form.

I rounded out the morning with “Control Systems Threat Awareness” by Robert Huber and Sean McBride of INL. These guys have used various data collection points to help understand the current threat and trends over time. It was a good follow-up to yesterday’s presentation by Stephen Gill of Team Cymru. It was a well-organized compilation of threat data. They’ve taken many of the things you’ve heard, such as control system presentations at hacker conferences,  and plotted them in a measurable way that illustrates an increasing “adversary interest”.

One of the really interesting slides did a comparison of how control system application vendors make their security contact information available versus that of the big traditional IT software companies.  It measured the percentage of the two groups that had a /security web page and a dedicated e-mail address for security issues, a standard of sorts for interfacing with the security research community. As you might imagine, the results showed tat only a very small minority of the control system application vendors followed the practice.


Thinking back on day one, the highlights for me were Phyliss Schneck’s keynote and Mark Fabro’s closed to press presentation. Plenary sessions are tough because it is hard to calibrate the presentation to a large audience with very different experience and interest levels.

Day two is called solution day. There are four tracks going on and then an exhibit tonight. I find these sessions more interesting than the plenary event. There are more details and more focused.

When Good Traffic Goes Bad: When is Application Traffic Too Much?

Daniel Peck from Digital Bond joined Tom Maufer of Mu Dynamics and Kevin McGrath of ABB in this presentation. Interesting denial of service examples from Brown’s Ferry Unit 3 Scram [too much traffic to a PLC], Amazon S3 [too many logins], and Ralph Langner’s OPC DoS paper from S4. Ralph showed how very long group names and too many client connections could exhaust all resources and cause a DoS. The OPC applications did not have any limits.

Vendors can improve the situation through rate limiting, syn cookies and source filtering, as well as beefing up their logging. Asset owners should consider quality of service measures, and maybe there is a case for looking at load balancing rather than purely redundancy?

Lots of good talk on the importance and methods for vendor testing, followed now by Mu doing a demo of some testing options with their product.

Guess what - - the demo didn’t work - - may have been for the best as the Q&A was more interesting.

Fixer-upper... [ - A Revolution is the Solution]

Posted: 28 Aug 2008 10:55 AM CDT

A few people have asked me where all the blogs from the Conferences section have gone to - there were so many entries on there it was screwing up and generally not working very well, so I'm currently rejigging all the entries onto their own sections. Bear with me if your RSS Feeds go a bit screwy while I'm republishing some of the older stuff back onto the site...

Knujon Investigates Rogue Registrar [Infosecurity.US]

Posted: 28 Aug 2008 10:47 AM CDT

Knujon has released a report detailing the illicit activities of a rogue internet domain registrar (sanctioned by ICANN no less) that is apparently responsible for a statistically significant amount of illicit internet traffic. The registrar in question is monikered Directi Group.

Phantom Registrars, Fake Pharmacies, and the Secret Infrastructure

Garth Bruen said, “In our continuing effort to shed light on the dark corners of the Internet we have produced this report on the Directi Group, a fairly large player in the Registrar world. We have highlighted their use of the controversial service, their association with EstDomains, their continued sponsorship of fake pharmacy domains, and their apparent ability to get Registrar accreditation’s for 48 Phantom Companies.”

Fortinet Retains Certification [ICSA Labs - Network IPS Testing]

Posted: 28 Aug 2008 10:00 AM CDT

ICSA Labs Network IPS testing is not a once-and-done test. Instead products must maintain their certification once attained. There is an annual test as well as testing after the vulnerability set is updated. Fortinet's annual testing recently completed and they retained their certification for their FortiGate models. They are now in the midst of testing against the latest vulnerability set. See the report from annual testing.

Palestinian Al-Fatah Hackers Attack Hamas Military Web Site [Infosecurity.US]

Posted: 28 Aug 2008 09:03 AM CDT

yNet’s Roee Nahmias (with contributions from Niv Lillian and Erez Ronen) reports an attack on one Palestinian factions’ web site by an opposing faction. This time, evidence points to Fatah hackers defacing an Hamas military site.

[1] yNet News

[2] Fatah

[3] Hamas

This just in - people add other people to social networking friend lists. No, really [ - A Revolution is the Solution]

Posted: 28 Aug 2008 07:28 AM CDT

I'm calling weak sauce - WEAK SAUCE, baby!


Well, I wanted to write about this when I saw it, but I was on holiday and too busy watching Batman punching people into walls to care.

But now I'm back in black, so I figure I can still rant about it. Are you ready?

As you'll have seen from the link above, it's all about how "computer security pros were vulnerable to scams". The scam in question? Pretending to be security researchers on social networking sites, then....adding themselves to the "targets" friend list, thus demonstrating how they "exploited their trust".

I mean, wait....what. That's it?

Okay, time to strap on the Cynicism-o-tron 3000 and get to work. For the purposes of this ramble, let's assume the site in question is Myspace. It could be Facebook or any of the others really, but let's go with Myspace because this gag relied on the people that ended up being used as fakes NOT having a real profile on the site in question.

From my experience, there are lots of real security people on Facebook. Myspace? Not so many.

1. I've been on Myspace for years. If someone wants to add themselves to my profile as a friend, great, go nuts. There's no personally identifiable information on there besides what I'm happy with being in the public domain on there anyway so it's not like some scammer just got his hands on the PG Goldmine. You'll find the same generic info on every webpage I'm currently lurking on.

The article makes no mention of exactly WHAT information the people who were duped into adding the fake security guys had on their page. Was it random crap? Was it anything more than generic info? Was it name, address, social security number? The login codes for thermonuclear destruction courtesy of the "Defense Industry Worker"? What? I think this is pretty important, personally. It would be like one of these guys adding me to their friend list then jumping up and down going YAHOO! ANOTHER ONE BITES THE DUST, BABY!

Meanwhile, I'd be doing this:

Yeah, it's the cat again. But WTF-Cat is used with good reason here.

2. This might come as an amazing surprise - or not - but most of the time, I have my page privacy settings wide open, because I use it to attract scumbags, bots and asshats.

I want to have Bots send me add requests. I want people who think they're a leet hax0r to make me their new favourite band in the world, ever. I love it when I get hit with random spam runs, because I know it's going to turn into something interesting. The flipside of this is, I don't assume anybody I have on my friend list is who they say they are. Sure, I can verify the people I need to verify through other channels - but for the most part, it doesn't matter who I have on my list, they're just names and faces and people I talk to. There are only a handful of people on anybodies Myspace friend list (or any other list, for that matter) who you actually need to verify as being who they are, either for work or some other purpose.

Again, if these guys had sent me a friend request pretending to be Bruce Schneier or whoever, would they be scoffing at my "level of trust", without realising that yes, I was actually suspicious in the first place at a security researcher wanting to be my friend and priming the Blog for another bizarre tale about fakes and frauds?

Of course, I wouldn't have had the chance because I'd have been one of the "chosen ones" in the AP article. Yay. I wonder how many people condemned to their fate of being social networking idiots weren't using their profiles for something similar - luring in bad guys?

3. There is an assumption here that these people are stupid. Why? Well, check out the quote where the guy says "Any of these people would happily click on a malware site or viewed our page with a data stealing application".

Really? Why would they? Did you actually try this? Or are we just assuming?

You know what happens when you click on an external link on Myspace these days? This:

Would someone involved in security actually manage to get themselves Phished (for example), or blindly go to a (plainly displayed) URL that says .EXE at the end of it after seeing that page? Stranger things have happened I guess, but who knows. As for the "data stealing application on the profile page", that's kind of tricky to pull off on Facebook (unless these guys started making rogue Facebook applications as part of their gag too, which seems unlikely), so again I'll have to roll with Myspace as that's about the most customisable social networking site where you could potentially get away with such a thing.

The most common "data stealers" (if you could call them that) on Myspace pages are geolocational trackers and the like, and you know what? Because of the way many of them are embedded on the page, there is NO way to know you visited a page with one on there unless you view source for every single page you ever visit on Myspace, ever. And once you've hit the page, it's already too late.

At this point, you need to make a choice - accept that there's a small risk from any page you could ever click on, ever, and live with it - or take the logic used here to its extreme point and never use any website or page, ever again, because it "might have had something on it".

4. There is an assumption here that random people involved in random aspects of security are necessarily going to be "experts" at all the ins-and-outs of social networking security tactics, which is simply not going to be the case. There's a large and fairly complex set of practices that the smarter 2.0 users employ to keep safe on these websites, and it makes no sense to be all happy that you "caught out" defense industry workers because the last time I checked, defense industry workers tended to specialise in creating electronics and making sure shit doesn't blow up, as opposed knowing which fake profile on their Myspace list was going to turn into Tubgirl and Lemonparty.

Education and advice might be more proactive here as opposed deriding them in AP articles (even when done anonymously), but that's just me.

5. What does this prove, really? Hell, with absolutely nothing more than a solitary EMail to Myspace Customer Service, it's possible to get an entirely legitimate profile deleted as long as you word it correctly. What did the people behind this actually do to their victims besides add them to friend lists? The article doesn't indicate that anything more was done than people saying they "could" have done this, or "could" have done that. So in effect (and unless it was stated otherwise at Black Hat), nobody got Trojaned, nobody got hacked, nobody got Phished, nobody had their data stolen by creepy applications.

What happened was, a bunch of people had some other people add them to their friend list. Excuse me for being dense, but isn't that what you're supposed to do on social networking sites?

Wolfenghost [ - A Revolution is the Solution]

Posted: 28 Aug 2008 07:13 AM CDT

If you like to shoot Zombie Nazis in the face with a chaingun - and really, who doesn't - you might want to take a look at the coolest Flickr tool thing I've seen in quite some time. If you used to like playing Wolfenstein back in the day, then here comes Christmas - in the form of an explorable 3d Wolfenstein map that houses images selected from Flickr accounts of your choice in a pixellated fashion. Hence:


Is this supposed to be a gag? [ - A Revolution is the Solution]

Posted: 28 Aug 2008 07:12 AM CDT

You decide!

No comments: