Posted: 30 Aug 2008 01:51 PM CDT
John McCain’s pick for VP, Sarah Palin, knows a thing or two about retrieving evidence from a computer. The mainstream reporting calls her a “hacker” because she is able to retrieve files from the Windows recycle bin.
The Anchorage Daily News reports back in September 2004:
And this is how Salon reports the same incident:
Is this where the McCain administration is going to get their computer security expertise? She’s not a security expert but it is nice to see someone at the level of state governor who knows their way around a computer.
Posted: 30 Aug 2008 01:01 PM CDT
Passing through Portland's PDX Airport, I was struck by this ad for SeaPort Airlines:
Things are pretty bad for TSA when right after "faster travel," a company lists "No TSA" as its second value proposition. (Bottom left corner.)
It's actually sort of impressive how much hate and resentment the TSA has built in the few long years of its existence.
Posted: 30 Aug 2008 11:30 AM CDT
If you are looking to have your own box and get your hands dirty with Linux administration then slicehost is a great option for you.
My last hosting company didn't allow me access to log files and were just an overall pain to work with. I can tell you that if Alan Shimel had had my hosting company the guys that took over his domain probably wouldn't have had the patience to wait out what it took me to move mine...anyway I digress.
Slicehost is great, here is a breakdown of their plans:
RAM PRICE HD BW
You start with a slimmed down version of one of the following OS's:
Debian 4.0 (etch)
Ubuntu 7.10 (gutsy)
Ubuntu 8.04.1 LTS (hardy)
My Ubuntu install was only about half a gig, so I had plenty of space for the carnal0wnage site even though the blog really takes all the traffic. I'm not going to do a lockdown guide, there are so many on the net, but you basically SSH in (there is also a web console if you get locked out) and start "apt-getting" what you need to set up your box the way YOU want it. You also have full reboot privileges, or if you really hose up your install you can just reformat.
Things I did:
installed stuff I probably don't need :-)
locked down sshd
installed apache2 and modsecurity
configured DNS for web and google mail
installed and configured denyhosts
started tweaking iptables rules
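The "locked down sshd" step, as an added example that is not code from the post: a small audit that reads an sshd_config the way sshd does (the first uncommented occurrence of a directive wins, so a stray early line silently overrides a later fix) and reports which lockdown directives are missing or weak. The directive set, the two sample configs and the AllowUsers account name are assumed for illustration, not taken from the post.

```python
"""Audit an sshd_config for the lockdown settings a fresh slice should have
before it faces the internet.  sshd uses the FIRST value it reads for each
keyword, so the parser keeps the first uncommented occurrence (Match blocks
are not modelled; directives below a Match line would need per-block handling)."""
import re
from typing import Dict, List, Tuple

# Assumed lockdown choices (not stated in the post).  Keys are lower-cased
# because sshd treats keywords case-insensitively.
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective directive values: first uncommented line wins."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        m = re.match(r"^(\w+)\s*[=\s]\s*(.+)$", line)
        if not m:
            continue
        effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective


def audit_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, actual) for every check that fails.

    An absent directive reports actual='<default>': the compiled-in default
    (for example PasswordAuthentication yes) is what sshd then applies."""
    effective = parse_sshd_config(text)
    failures = []
    for key, want in REQUIRED.items():
        got = effective.get(key, "<default>")
        if got.lower() != want:
            failures.append((key, want, got))
    return failures


# Constructed sample resembling a package default before any lockdown.
FRESH_INSTALL = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed sample after lockdown ("admin" is an assumed account name).
LOCKED_DOWN = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowUsers admin   # assumed account name
"""

if __name__ == "__main__":
    for name, cfg in (("fresh install", FRESH_INSTALL), ("locked down", LOCKED_DOWN)):
        fails = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not fails else str(len(fails)) + ' problem(s)'}")
        for key, want, got in fails:
            print(f"  {key}: expected {want}, got {got}")
```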
You can't beat 20 bucks a month for an IP and root on your own box ;-)
They also have an API so you can script management and status tasks
Posted: 30 Aug 2008 07:17 AM CDT
Posted: 29 Aug 2008 03:30 PM CDT
I was looking at a bot the other day that I received through email. The "botmaster" (and I use that term loosely) was using a mIRC-based bot, something I haven't seen in a long time. It wasn't packed, didn't perform any tricks to get installed, etc. Everything screamed amateur.
So, I ran it through my honeynet and just sat there and watched. Since it was mIRC I could open it up and just watch the channel. To my complete amazement, after confirming I was a bot (by asking me to echo some text back to him) the "botmaster" gave me admin access to the IRC channel. Huh!?!
(In the picture below the botmaster is @Gigi, my infection is @Childse.)
So, what is a self-respecting malware analyst like myself to do? Oh, I don't know. :)
Posted: 29 Aug 2008 02:00 PM CDT
I'm reading the news and it's like watching Mythbusters. On one hand, NASA managed to find "life" in space. On the other hand, my myth of NASA's security is busted. For the sake of discussion, it does not matter how the virus got there and whether or not it is dangerous or just annoying. The simple fact is that there are no more sanctuaries.
I hate to sound like I'm FUD-ing - and I hope that no one will Defudder me - however, there are some questions that should be asked.
Posted: 29 Aug 2008 09:34 AM CDT
Photo credit: "Dictionaries" originally uploaded by jovike
Posted: 29 Aug 2008 07:44 AM CDT
Posted: 29 Aug 2008 07:27 AM CDT
Posted: 29 Aug 2008 05:55 AM CDT
ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates and exploiting the system or software. How does it work? It works with modules; each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of...
Read the full post at darknet.org.uk
Posted: 28 Aug 2008 07:22 PM CDT
Posted: 28 Aug 2008 05:26 PM CDT
UPDATE: 6:30PM, Dale
PCSF is not perfect, but it is my favorite event in the control system security space by far. One main reason is the number, variety and quality of attendees. The lunch, evening, break discussions were highly interesting and even three days had me scrambling to talk with all the people I’d like to. The venue and schedule helped maximize opportunities for these discussions.
The program was mixed. I was not a big fan of the all-day plenary session on Tuesday. Some of the panels had format challenges. The quality of the sessions may have been down slightly, but that is subjective. There were some very strong sessions, and I even missed some of the more highly reviewed sessions, and the days when there were 3 or 4 tracks usually meant something interesting was going on. There may be a need to spice up the next events: more, shorter presentations, perhaps PCSF classic presentations for newcomers, livelier debate and discussion sessions, etc.
I believe it is essential that PCSF continue and grow mainly because there isn’t a good alternative and starting over would be difficult. The information exchange and education at PCSF is needed. 200 people from 17 countries with little notice the week before Labor Day is impressive. Four tracks on Wednesday; three tracks on Thursday that were easily filled as submissions exceeded time. Hopefully whatever issue prevented DHS from attending will be resolved, and whatever format PCSF ends up in the future can focus on how to make this annual event and other events even stronger.
The Vulnerability Disclosure Workshop followed up the panel. There is never a shortage of opinions on this subject. Not sure we made any progress. It was interesting that Daniel and I from Digital Bond were the only ones in the room that would disclose a vuln to anyone besides the vendor [we disclose to US-CERT and Core had left].
Back to the Plenary to wrap up. A report by PCSF Brazil - not directly affiliated with PCSF, but there have been interesting discussions about PCSF Europe and other international locations.
Jason Holcomb, Bandolier
I started the morning going to Jason’s Bandolier presentation at 8AM for support. Nice job and the presentation will be posted on our site shortly.
Included in the presentation is the updated list of planned Bandolier security audit files. It is great that we were able to add Areva, Emerson Ovation and others to the list. We will update the SCADApedia page shortly.
I moved over to the vendor panel in progress, interesting group with smart guys and gals from ABB, Emerson, Honeywell, Invensys, Siemens, Telvent, and Yokogawa. Doing a little liveblogging during the Q&A
- Love the point from the ABB rep about needing to move to Secure by Default
Posted: 28 Aug 2008 04:47 PM CDT
As a flurry of emails (about an as of yet not officially released control system vulnerability) show this morning, once a document goes online the damage is done. It is eternal, and it is virtually impossible to stop the dissemination of the document, or put the genie back into the bottle. This applies to any critical document be it vulnerability disclosures, network topologies, control system diagrams etc.
Google hacking is a powerful tool. Some interesting results:
FOUO filetype:pdf shows the number of FOUO documents available via Google (PDF only; try it on doc and see what you find).
scada filetype:doc shows just how easy it is to find critical control system information. Such a document can be seen at:
And don’t even get me started on what you can find when you start drilling down into any specific asset owner via google.
Why do I bring this up? Well, it serves as a reminder that we need to exercise discretion in who we share documents with, and how we make them available. Share a document with someone who is not as responsible as they ought to be and you might as well put it up on the internet yourself. Even if there isn’t a direct link to a document it still may be available to the world if the web server’s directory permissions are permissive.
The sheer amount of information available succinctly defining and diagramming critical infrastructure, both here in the US and abroad, is staggering. I have seen entire power distribution and generation systems’ SCADA and topology diagrams available online.
Posted: 28 Aug 2008 03:28 PM CDT
I am not going to put a lot of design into the site. I simply wanted a place for a separate site and feed for simplicity. I will still be posting the podcast here as well.
Posted: 28 Aug 2008 02:14 PM CDT
Most Realistic Hacker Movies Survey
Ever wonder if what the hackers do in the movies can actually be done?
So did I. Now that I'm in the industry, I'm continually analyzing every Hacker based movie theme for accuracy. Sometimes I wonder if Hollywood even employs a Computer Security Expert or Hacking consultant to advise on technical possibilities. I get a kick out of a film that portrays a hacker at the computer and the screen displays them flying around like an X-wing in an asteroid field of formulas while they frantically type at the keyboard.
Below are movies involving a hacker of some sort. I'd like to poll my readers and get your opinion on the most realistic hacker movies. I've purposely left out pictures that are beyond reality, such as The Matrix and Tron. I also didn't include Documentaries or true story based films, such as Revolution OS and Takedown. Please refrain from voting on movies that you have not seen. The scaling is 1 – 5.
1 - Unrealistic
2 - A bit Absurd
3 - Somewhat Realistic
4 - Quite Accurate
5 - Realistic
Realistic Hacker Movie Polls
Comment below if you have another nomination. I'll leave these polls going indefinitely and continually add hacker movies as they are released. Maybe this archive will get to a point where you can actually identify a non-documentary but educational hacker film.
Digg this to bring in more voters, and don’t forget to Bookmark this page for future results and additional movies.
Posted: 28 Aug 2008 01:20 PM CDT
PCI version 1.2 is starting to make its rounds. Having been through 1.0, then 1.1, this new version continues to give me the warm and fuzzies about this regulation. Why? Because it's just so reasonable. I know people will take issue with that, but if you've been around regulations for a while you know what I mean (does anyone remember HIPAA and all the cycles we went around on that? Or the SOX COBIT meat grinder?).
Amichai and I held a webinar last week. Recalling the rush around 1.1 as organizations tried to get their heads around the regulations, we decided to help folks get a head start. Our net take away is the old Hitchhiker's Guide to the Galaxy adage, "Don't Panic."
Posted: 28 Aug 2008 11:00 AM CDT
UPDATE: Next day, Dale Peterson
I missed the Waterfall Solutions Unidirectional Connectivity presentation but caught up with them at the evening exhibit. They have a product that, through hardware (I heard the terms diode and optical communications), only allows one-way communication, hence the term unidirectional. It is an interesting concept that could be useful if you are pushing data from a more secure zone to a less secure zone, such as control center to DMZ. It is purely one way, so there are no acks, resends, recovery, etc. Where is this a good option?
UPDATE: 4PM, Dale Peterson
I also attended the RISI / incident database talk. I’m convinced it can work, because it has worked. The question is whether there is enough interest to do this pro bono or receive funding. Interestingly, I was thinking why would a business want to go through the effort to collect and maintain this database. Maybe one with a portal strategy??? Maybe we should talk to Mark Fabro and Eric Byres.
Bryan Singer of Wurldtech had the long slot after lunch to talk about Achilles Inside. [Full disclosure: Wurldtech is a past client and current advertiser]. I actually have a few comments about this. After the 1:30 presentation I still can’t tell you what Achilles Inside is. I asked a few others, and they couldn’t either. Perhaps it was to avoid commercialism, and it could be the greatest thing ever, but the message needs some work.
There were some interesting parts of the presentation, such as “Safety does not deal with intentional actions” and the impact of bridging the traffic for monitoring. Wurldtech had to specify their own hardware to minimize the impact of monitoring during testing.
A bit of discussion on vulnerability disclosure as well. Wurldtech will not release vulnerability information and is very sympathetic to the problems of patching.
UPDATE : Morning Recap, Jason Holcomb
Several good presentations and side conversations so far today.
I attended the first one, “Are You Compliant or Liable? Industrial Security and Compliance Using the Holistic Lifecycle Model”, with a bit of a personal agenda. I assumed those attending might also be interested in our Bandolier project, so I wanted to listen for any issues that may be relevant.
(Side Note: This was presented by Clint Bodungen of CIDG, Chris Paul of Joyce and Paul, and Jeff Whitney of Berkana Resources Corporation). I do appreciate the holistic approach to compliance (CIDG’s model). In fact, I have worked on something very similar for another organization only we called it the “security framework”.
Not sure if I’m convinced on all the legal arguments made by attorney Chris Paul but IANAL, as they say. He talked a lot about potential criminal or civil liabilities based on security negligence. I’m just not sure if avoiding a lawsuit is the right motivation for control system security but I suppose it can help get the attention of some.
Next up for me was Eric Byres’ and Mark Fabro’s presentation about the Repository for Industrial Security Incidents (RISI). This is a spinoff of the work Eric did at BCIT with ISID (Industrial Security Incident Database). Here’s the overview:
They are actively gathering input on if and how to carry out this project so I’m sure they would love to hear from you if you have an opinion. There will be some challenges for them but I am definitely curious to see what this looks like in final form.
I rounded out the morning with “Control Systems Threat Awareness” by Robert Huber and Sean McBride of INL. These guys have used various data collection points to help understand the current threat and trends over time. It was a good follow-up to yesterday’s presentation by Stephen Gill of Team Cymru. It was a well-organized compilation of threat data. They’ve taken many of the things you’ve heard, such as control system presentations at hacker conferences, and plotted them in a measurable way that illustrates an increasing “adversary interest”.
One of the really interesting slides did a comparison of how control system application vendors make their security contact information available versus that of the big traditional IT software companies. It measured the percentage of the two groups that had a /security web page and a dedicated e-mail address for security issues, a standard of sorts for interfacing with the security research community. As you might imagine, the results showed that only a very small minority of the control system application vendors followed the practice.
Thinking back on day one, the highlights for me were Phyllis Schneck’s keynote and Mark Fabro’s closed-to-press presentation. Plenary sessions are tough because it is hard to calibrate the presentation to a large audience with very different experience and interest levels.
Day two is called solution day. There are four tracks going on and then an exhibit tonight. I find these sessions more interesting than the plenary event: they have more detail and are more focused.
When Good Traffic Goes Bad: When is Application Traffic Too Much?
Daniel Peck from Digital Bond joined Tom Maufer of Mu Dynamics and Kevin McGrath of ABB in this presentation. Interesting denial of service examples from Brown’s Ferry Unit 3 Scram [too much traffic to a PLC], Amazon S3 [too many logins], and Ralph Langner’s OPC DoS paper from S4. Ralph showed how very long group names and too many client connections could exhaust all resources and cause a DoS. The OPC applications did not have any limits.
Vendors can improve the situation through rate limiting, syn cookies and source filtering, as well as beefing up their logging. Asset owners should consider quality of service measures, and maybe there is a case for looking at load balancing rather than purely redundancy?
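As an added illustration of the limits the OPC servers in those DoS cases lacked (not code from the presentation or from any vendor), here is an admission guard a server front end could consult before accepting a client or registering a group: caps on total and per-source connections, a per-source connection-rate limit, an optional source allow-list, a bound on group-name length, and a log entry for every refusal. All limit values and addresses are assumed.

```python
"""Admission guard for a control-system server: the resource limits whose
absence let long group names and too many client connections exhaust an
OPC application.  Time is passed in explicitly so the rate limit is testable."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple


class AdmissionGuard:
    def __init__(self, max_total: int = 64, max_per_source: int = 4,
                 max_attempts: int = 10, window: float = 60.0,
                 max_group_name: int = 64,
                 allowed_sources: Optional[Set[str]] = None) -> None:
        self.max_total = max_total              # server-wide client cap
        self.max_per_source = max_per_source    # cap per source address
        self.max_attempts = max_attempts        # connection attempts per window
        self.window = window                    # rate-limit window in seconds
        self.max_group_name = max_group_name    # the unbounded name was one vector
        self.allowed_sources = allowed_sources  # None means no source filtering
        self.active: Dict[str, int] = defaultdict(int)
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)
        self.log: List[Tuple[str, str]] = []    # (source, reason) per refusal

    def total(self) -> int:
        return sum(self.active.values())

    def connect(self, source: str, now: float) -> Tuple[bool, str]:
        """Decide whether to accept a new client from `source` at time `now`."""
        if self.allowed_sources is not None and source not in self.allowed_sources:
            return self._deny(source, "source not in allow-list")
        recent = self.attempts[source]
        recent.append(now)                      # every attempt counts, accepted or not
        while recent and recent[0] <= now - self.window:
            recent.popleft()                    # slide the window forward
        if len(recent) > self.max_attempts:
            return self._deny(source, "connection rate exceeded")
        if self.total() >= self.max_total:
            return self._deny(source, "server connection cap reached")
        if self.active[source] >= self.max_per_source:
            return self._deny(source, "per-source connection cap reached")
        self.active[source] += 1
        return True, "accepted"

    def disconnect(self, source: str) -> None:
        if self.active[source] > 0:
            self.active[source] -= 1

    def add_group(self, source: str, name: str) -> Tuple[bool, str]:
        """Bound the group name before it reaches any allocation or lookup."""
        if len(name) > self.max_group_name:
            return self._deny(source, f"group name too long ({len(name)} > {self.max_group_name})")
        return True, "group registered"

    def _deny(self, source: str, reason: str) -> Tuple[bool, str]:
        self.log.append((source, reason))
        return False, reason


if __name__ == "__main__":
    # Constructed scenario: one client keeps connecting until it hits the cap,
    # an unlisted address is refused, and an oversized group name is rejected.
    guard = AdmissionGuard(max_per_source=2, allowed_sources={"10.0.0.5"})
    for t in range(4):
        print("10.0.0.5", guard.connect("10.0.0.5", now=float(t)))
    print("192.0.2.9", guard.connect("192.0.2.9", now=5.0))
    print(guard.add_group("10.0.0.5", "X" * 500))
    print("refusals:", guard.log)
```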
Lots of good talk on the importance and methods for vendor testing, followed now by Mu doing a demo of some testing options with their product.
Guess what - the demo didn’t work - may have been for the best as the Q&A was more interesting.
Posted: 28 Aug 2008 10:55 AM CDT
A few people have asked me where all the blogs from the Conferences section have gone to - there were so many entries on there it was screwing up and generally not working very well, so I'm currently rejigging all the entries onto their own sections. Bear with me if your RSS Feeds go a bit screwy while I'm republishing some of the older stuff back onto the site...
Posted: 28 Aug 2008 10:47 AM CDT
Knujon has released a report detailing the illicit activities of a rogue internet domain registrar (sanctioned by ICANN no less) that is apparently responsible for a statistically significant amount of illicit internet traffic. The registrar in question is monikered Directi Group.
Posted: 28 Aug 2008 10:00 AM CDT
ICSA Labs Network IPS testing is not a once-and-done test. Instead products must maintain their certification once attained. There is an annual test as well as testing after the vulnerability set is updated. Fortinet's annual testing recently completed and they retained their certification for their FortiGate models. They are now in the midst of testing against the latest vulnerability set. See the report from annual testing.
Posted: 28 Aug 2008 09:03 AM CDT
Posted: 28 Aug 2008 07:28 AM CDT
I'm calling weak sauce - WEAK SAUCE, baby!
Well, I wanted to write about this when I saw it, but I was on holiday and too busy watching Batman punching people into walls to care.
But now I'm back in black, so I figure I can still rant about it. Are you ready?
As you'll have seen from the link above, it's all about how "computer security pros were vulnerable to scams". The scam in question? Pretending to be security researchers on social networking sites, then....adding themselves to the "targets" friend list, thus demonstrating how they "exploited their trust".
I mean, wait....what. That's it?
Okay, time to strap on the Cynicism-o-tron 3000 and get to work. For the purposes of this ramble, let's assume the site in question is Myspace. It could be Facebook or any of the others really, but let's go with Myspace because this gag relied on the people that ended up being used as fakes NOT having a real profile on the site in question.
From my experience, there are lots of real security people on Facebook. Myspace? Not so many.
1. I've been on Myspace for years. If someone wants to add themselves to my profile as a friend, great, go nuts. There's no personally identifiable information on there besides what I'm happy with being in the public domain on there anyway so it's not like some scammer just got his hands on the PG Goldmine. You'll find the same generic info on every webpage I'm currently lurking on.
The article makes no mention of exactly WHAT information the people who were duped into adding the fake security guys had on their page. Was it random crap? Was it anything more than generic info? Was it name, address, social security number? The login codes for thermonuclear destruction courtesy of the "Defense Industry Worker"? What? I think this is pretty important, personally. It would be like one of these guys adding me to their friend list then jumping up and down going YAHOO! ANOTHER ONE BITES THE DUST, BABY!
Meanwhile, I'd be doing this:
Yeah, it's the cat again. But WTF-Cat is used with good reason here.
2. This might come as an amazing surprise - or not - but most of the time, I have my page privacy settings wide open, because I use it to attract scumbags, bots and asshats.
I want to have Bots send me add requests. I want people who think they're a leet hax0r to make me their new favourite band in the world, ever. I love it when I get hit with random spam runs, because I know it's going to turn into something interesting. The flipside of this is, I don't assume anybody I have on my friend list is who they say they are. Sure, I can verify the people I need to verify through other channels - but for the most part, it doesn't matter who I have on my list, they're just names and faces and people I talk to. There are only a handful of people on anybody's Myspace friend list (or any other list, for that matter) who you actually need to verify as being who they are, either for work or some other purpose.
Again, if these guys had sent me a friend request pretending to be Bruce Schneier or whoever, would they be scoffing at my "level of trust", without realising that yes, I was actually suspicious in the first place at a security researcher wanting to be my friend and priming the Blog for another bizarre tale about fakes and frauds?
Of course, I wouldn't have had the chance because I'd have been one of the "chosen ones" in the AP article. Yay. I wonder how many people condemned to their fate of being social networking idiots weren't using their profiles for something similar - luring in bad guys?
3. There is an assumption here that these people are stupid. Why? Well, check out the quote where the guy says "Any of these people would happily click on a malware site or viewed our page with a data stealing application".
Really? Why would they? Did you actually try this? Or are we just assuming?
You know what happens when you click on an external link on Myspace these days? This:
Would someone involved in security actually manage to get themselves Phished (for example), or blindly go to a (plainly displayed) URL that says .EXE at the end of it after seeing that page? Stranger things have happened I guess, but who knows. As for the "data stealing application on the profile page", that's kind of tricky to pull off on Facebook (unless these guys started making rogue Facebook applications as part of their gag too, which seems unlikely), so again I'll have to roll with Myspace as that's about the most customisable social networking site where you could potentially get away with such a thing.
The most common "data stealers" (if you could call them that) on Myspace pages are geolocational trackers and the like, and you know what? Because of the way many of them are embedded on the page, there is NO way to know you visited a page with one on there unless you view source for every single page you ever visit on Myspace, ever. And once you've hit the page, it's already too late.
At this point, you need to make a choice - accept that there's a small risk from any page you could ever click on, ever, and live with it - or take the logic used here to its extreme point and never use any website or page, ever again, because it "might have had something on it".
4. There is an assumption here that random people involved in random aspects of security are necessarily going to be "experts" at all the ins-and-outs of social networking security tactics, which is simply not going to be the case. There's a large and fairly complex set of practices that the smarter 2.0 users employ to keep safe on these websites, and it makes no sense to be all happy that you "caught out" defense industry workers because the last time I checked, defense industry workers tended to specialise in creating electronics and making sure shit doesn't blow up, as opposed to knowing which fake profile on their Myspace list was going to turn into Tubgirl and Lemonparty.
Education and advice might be more proactive here as opposed to deriding them in AP articles (even when done anonymously), but that's just me.
5. What does this prove, really? Hell, with absolutely nothing more than a solitary EMail to Myspace Customer Service, it's possible to get an entirely legitimate profile deleted as long as you word it correctly. What did the people behind this actually do to their victims besides add them to friend lists? The article doesn't indicate that anything more was done than people saying they "could" have done this, or "could" have done that. So in effect (and unless it was stated otherwise at Black Hat), nobody got Trojaned, nobody got hacked, nobody got Phished, nobody had their data stolen by creepy applications.
What happened was, a bunch of people had some other people add them to their friend list. Excuse me for being dense, but isn't that what you're supposed to do on social networking sites?
Posted: 28 Aug 2008 07:13 AM CDT
If you like to shoot Zombie Nazis in the face with a chaingun - and really, who doesn't - you might want to take a look at the coolest Flickr tool thing I've seen in quite some time. If you used to like playing Wolfenstein back in the day, then here comes Christmas - in the form of an explorable 3d Wolfenstein map that houses images selected from Flickr accounts of your choice in a pixellated fashion. Hence:
Posted: 28 Aug 2008 07:12 AM CDT
You are subscribed to email updates from Security Bloggers Network