Tuesday, August 26, 2008

FAA & ATC on the fritz

This is incredible... another "FAA glitch" causing incredible ground stops and delays with planes stacked up from Chicago to Atlanta.

If you read between the lines you recognize the classic symptoms of "what just happened" syndrome. In this syndrome we can clearly see signs of confusion followed by mass hysteria as literally dozens of people scramble to figure out "what just happened"... all without success. My guess is, reboot the system, things will come back to normal.

[Paper] Failed: Information Security and Data Protection in a Consumer Digital World

As promised - My paper on the top 5 reasons information theft, fraud and identity theft are running so rampant is complete.

If you've still got your pre-published copy out, please feel free to continue to submit comments that I may review the final in the coming weeks. I have done some research on this topic and feel these are legitimately the 5 reasons why Information Security is in deep trouble.

Please grab the paper here...

Tuesday, August 19, 2008

Data Breach Overload - Are Users Desensatized?

It's everywhere. It's covered in blogs, articles, whitepapers, press releases and the news. Data breaches are an everyday occurrence. That horrifies me.

It should worry all of us in IT Security and Risk Management practices that every day people read about their information being pilfered from online databases, unencrypted systems, and tapes or other media and have started to grow insensitive to this news. I've seen it talking to people in business; they general population is starting to get used to information theft and it's becoming background noise - much like viruses back in the day... this isn't good. This means that we're failing at our jobs so catastrophically that people who should be worried are now starting to grow insensitive to information being stolen. People are starting to assume that their information will be stolen at some point and are expecting banks and credit institutions to compensate them immediately when funds disappear... interesting.

Identity theft is on the rise, the numbers of identities is well in the hundreds of millions of identities stolen - and it's not showing any signs of slowing down.

What's going on? Why isn't IT security able to mitigate the risks that cause data and identity theft?

Unfortunately, I think the problems are numerous and the answers are still few. From my point of view, these are the main obstacles to having less identity theft and fraud...
  1. Consumers opt for simplicity over security
  2. Data storage is decentralized
  3. Consumerization is driving adoption of insecure technologies "to support the users"
  4. Identity/Information protection has been pushed off onto banks/credit vendors
  5. Consumers still don't understand the impact of their information being stolen/compromised
In the whitepaper I'm publishing in the next few days, I'm addressing these 5 critical issues, and what can possibly be done to address and overcome them. I know it's been talked-about before - but it's worth repeating until everyone has heard it. If you have any feedback you'd like to see in the paper, please ping me or leave a comment here.

Thursday, August 14, 2008

TSA Security - Still an Oxymoron [and getting worse]

The more of these I read, the more I will continue to express my opinion that I shared with an Army gentleman on my way home from Atlanta the other day - the TSA should be fired wholesale, and replaced by competent military personnel.

I can confirm, personally, that the TSA's facilities in SFO are horribly bad, as I walked past a screening point in the airport, past a door marked "Transportation Security Administration Staff Only" which was taped open (meaning, there was tape over the door lock)! Another door was propped open with a chair and a oscilating fan placed on it, presumably to cool off the room.

Now the above mentioned article indicates that an unencrypted computer for the CLEAR program was stolen and then put back into a locked cabinet... how does this happen? First off, how is it that the TSA and its partners are still not encrypting laptops? How does a laptop go missing from a locked cabinet, then get put back into that same locked cabinet without anyone noticing who took it or put it there. How bad is security at these places?

While I understand I may be subjecting myself to some "additional security screening (read: hassle)" I will be starting to take more pictures of the TSA "secure areas" with my trusty travel camera as I travel. Someone needs to expose this crap, and make the TSA accountable - I guess if it has to be me, so be it. While I'm not planning on getting myself into trouble, or taking pictures of anything that's a security breach (obviously, I travel enough to know safety is a concern)... someone has to keep these folks accountable for their absolute lack of knowledge, security, and concern.

More to come.

Tuesday, August 12, 2008

WabiSabiLabi - Hacks for Sale?

A year or so back a site called WabiSabiLabi generated a lot of press and buzz when it announced that it would auction potentially zero-day vulnerabilities on an "open market" much like eBay. That being said there was some interesting press a little later where one of the co-founders [Roberto Preatoni] was arrested for some alleged spying on a Brazilian CEO.

Lots of press, lots of buzz... then they flat-lined. Today, if you google "WabiSabiLabi" you get results that mostly date to 2007, and then you find many write-ups about this gem... a hardware-based UTM platform.

I challenge you to find something relevant from those WabiSabiLabi folks, within the last few months... anything. I am probably among the majority when I say that an online marketplace for supposed 0-day vulnerabilities is a bad idea, as a concept. Obviously it's not flourishing quite as well as they had hoped, judging by the screen shot here - so what happened? Is there simply not a market for 0Day vulns?


I honestly don't know the answer to that question, but I suspect it lies somewhere between ethics and finances. Some have a hard time ethically with this idea, while others just don't feel like paying for vulnerability disclosure... at least publicly. Whatever the reason, it looks like this was an endeavor that never had any wind in their sails... too bad, so sad.

Sunday, August 10, 2008

Stupid Card Security - The Case of the MBTA and CharlieCards/CharlieTickets

In a story initially written up [very completely] on Wired's Blog, a Federal Judge has essentially halted (via a temporary restraining order) a bunch of MIT students from giving their presentation on the MBTA [Massachusetts Bay Transit Authority] fare cards and the vulnerabilities associated with them. The article in Wired already writes the case up nicely, and even includes a link to the (now-public-domain) vulnerability report.

Given all the number of magnetic swipe cards out there for various things and the recent cases rash of "hack the card" incidents [Oyster card case, many others] there are several lessons-learned here that I think apply to every one of these cases.
  1. Centralize card-management: For the love of all things good and pure, a centralized card-management system stops a vast majority of these "hack the fare card" issues. Dave and Buster's started doing this when someone figured out that you could simply pick up a game card, load $10 on it, take it home, and magically program another $100 into it (don't ask how I know...) - why hasn't this lesson been learned industry-wide?
  2. Use strong encryption: This is important - because in order to "dismantle" these cards one first must generally crack the encryption key on them... right? So it would follow that a strong crypto-algorithm (and likely not one that's custom-made... why do people insist on reinventing the wheel?)
  3. Checksum bits: Like in this CharlieTicket/Card case where the checksum was only 6 bits (2^6 = 64 total combinations) weak checksums are silly. If you only have 6 check bits then one in every 64 tries will be a winner. Like the PDF above-referened suggests... all one has to do is implement 16-bits for checksum (2^16 = 65,536) which will make only 1 in 65,536 cards a winner.
What it all really boils down to is lazy implementations. Corporations, governments and organizations simply don't think intelligently. Much like in today's business world (take software for example) we test the positive assumption hundreds or millions of times - but in the end we rarely try and test the negative... why is that? Sure, if you do the same [good] thing a million times it'll likely never break - but what about that one person who will stand there and try the negative [bad] thing a few times... how does the system behave then?

Lesson-learned here, although I suspect we'll still keep seeing this stupidity in the future, is think things through and don't try and take the simple implementation - because you'll be very upset when it gets hacked and it'll be all your own damn fault. As a side note, NXP is at fault for more than one of these gaffs in security... think that through... shouldn't the MBTA be suing NXP?

BTW: *great* editorial piece on this topic here [BorePatch].

Saturday, August 9, 2008

Why Can't Hackers Spell?

Seriously? Why? If you haven't been keeping score, the 'hackers' who set of various viruses, worms and other malware over the past several years just can't seem to spell right, and clearly don't have any regard for proper grammar...

As I was reading about this latest FaceBook "worm"... I came across an article on TechCrunch that details some of the messages being left on the "wall" of hacked users. The messages are hillarious..
."LOL. You’ve been catched on hidden cam, yo"
Who writes like that?

This isn't the first time, and definitely won't be the last time some [presumably foreign] hackers have had incredibly poor grammar and spelling... oh well.

Wednesday, August 6, 2008

Hacking Feedburner for Subscribers, Olympic Orange Hacktivism, and more

Hey everyone, just putting together an aggregate of the latest "interesting" news out there on hacking, breaking and such... enjoy.
  1. "Hacking" FeedBurner to get as many subscribers as you want is simple... simply hack the OPML file, import into NetVibes, and voila! Link here: http://lena-tcl.blogspot.com/2008/08/feedburner-hacked-inflate-your.html
  2. The new ePassports being distributed around the world are now confirmed to be hacked and cloned in "minutes". This should bother you greatly given that there was recently a large batch of them stolen in the UK, as reported by the BBC. ... I love this quote from the Gizmodo article...
    "Initially, the assumption was that cloned chips would be spotted because their key codes would not match those stored in an international database. However, only 10 of the 45 countries participating in the e-passport program have signed up to for the Public Key Directory (PKD) code system, and only five are currently using it."
  3. "Hacktivism" against China's [lack of] human rights apparently had some hackers changing the headlines colors to Orange on the official Beijing 2008 site, apparently that's what we're supposed to do to protest China... display orange. The Super Bowl site was hacked, why wouldn't this one go down as well? Read more here: http://www.news.com.au/heraldsun/beijing_olympics/story/0,27313,24141410-5017275,00.html
  4. GIFAR... if you haven't heard of this yet - or aren't at BlackHat (like me) to hear the talk and watch the exploits live... Google it. Seriously.
  5. Someone hacked the tornado siren network in Akron/Canton Ohio [US]... hahaha! Seriously though, this could have caused some very serious problems - but underscores just how STUPID these systems are.
  6. Yes, the finally busted the people who "hacked" TJX and Barnes & Noble. Too much press coverage already but in case you were living in a cave, see here, and here... and...
  7. Fake "flash" SPAM campaign ... it's nasty, but yesterday's news. Quick read here.
  8. Exploit Wednesday, as it's called, is an interesting twist on Microsoft's Patch Tuesday... but Microsoft is trying to head this one off at the pass - is this even possible with automated patch-based-exploitation on the horizon?
  9. Apple is now the king of vulnerabilities, not Microsoft! This article points out what all you "Apple's shit don't stink" groupies have already found out - reality check time! IBM's ISS/X-Force released this report which highlights some very interesting facts - does anyone else feel that Oracle is so far back simply bacause it's not publicly disclosing?
  10. Here's one that didn't make the headlines but should - Police in Korea are seeking some hackers who stole 9 million credit records for profit in Korea. There are at least 2 of these "hackers" who ... "escaped to China". I wonder if they were Chinese citizens.
    "Out of the 9 million records the hacker got hold of, 4.8 million belong to banks, 260,000 to loan firms, 650,000 to online shopping malls, 5,300 to universities, and 3.2 million to various web pages."
That's it... now you're caught up.

Monday, August 4, 2008

Irish Bank Accounts Hacked by Random Number Generator

In what I can only believe is an incomplete account of what is actually going on, this article on iStockAnalyst.com speaks of Irish banks being pilfered using a "sophisticated" attack, a random number generator.

UNDERWORLD fraudsters are using random number generators to tap into the bank accounts of Irish customers.

For the first time ever account holders have been left almost powerless to protect their bank accounts from conmen.

The Irish Sunday Mirror has spoken to a number of people whose accounts have been hacked by the criminals using the sophisticated scam.

The gangs generate the numbers of accounts using random trawling techniques and then attempt to buy goods online without having to use the cardholder's name or address.

Interesting... A few of the words in this story seem a little bit contradictory to me. "random number generator" and "sophisticated scam" just don't seem to belong together in a sentence, but it's the last phrase there that really makes me wonder. What sort of insanely poor security practice would allow an attacker to break into an account without knowing an account holder's name or address but only generating random numbers. This almost reminds me of the applications that were being circulated in the late 90's to generate fake credit card numbers. This was an insecurity in the processing systems (as these numbers were not validated in real-time) rather than the card number but it still was a simple "hack".

I simply can't seem to make myself understand how I could break into an Irish bank customer's account (or buy something on his/her behalf) just by using a random number generator.

Without much more to go on I investigated the Bank of Ireland's security model and found this nugget.
The bank is protected by a firewall, which forms a barrier between the outside Internet and the internal bank network
A firewall? Well hamburgers, that solves all my security problems!

Now, to be fair, the rest of the FAQ does tell a slightly more intelligent story, as the bank requires a login name, a provided 6-digit PIN (which you are asked to provide random digits from), and some piece of personal information (seemingly at semi-random). That's not too bad... but of course there's always some hapless clod who'll complain about any upgrade to new security measures. Read this person's complaint, and then ask yourself if you think this is really "less" secure... First off, drop-downs keep keystroke loggers at bay (although not good JavaScript hacks) and asking for the random pin bits on multiple pages keeps you that much more safe (one could argue)...

So - if anyone from Ireland has any idea how generating random numbers equates to bank fraud... please shed some light?

Saturday, August 2, 2008

Gary McKinnon: Public Enemy #1

[First, and foremost, this is my 100th post... so I'm very excited to be here...]

Gary McKinnon is the United States' public enemy #1 these days. No doubt you've read about him in the papers, or somewhere online. The short story is this... from February 2001 thru March 2002 Gary McKinnon penetrated something like 80+ military systems, and 16 NASA computers leaving messages, taking information and allegedly shutting down a Washington-based military net for 24hrs. Given all he's done, you'd figure there would of course be a criminal case and he'd get 5, maybe 10 years in prison and some fines right? You'd be very wrong.
Gary McKinnon is facing extradition from his native Britain and as much as 70 years in prison. Perhaps by now the terms "crueal and unusual" are creeping into your brain? Why in the world would a hacker (who hasn't done any "real damage" that's been demonstrated yet) get basically a life sentence [given that he's already in his 40's]?

The answer is quite simple ladies and gentlemen. Bruised egos. The United States government's networks are so poorly defended that they are penetrated all the time from China, internally from within the US, and now from British hackers seeking proof of the existence of little green men [erm... UFOs]. The Belfast Telegraph quotes an un-named source in the US government of saying he'd like to see Gary McKinnon "fry" for his crimes. Isn't that a little extreme? We've got states here in the US, Illinois being one of them, who have yet to pass proper child rape laws, and we're going to prosecute a "hacker" and have him "fry" for his crimes?

Obviously, if you haven't gotten all charged up about this yet, it's a clear case of over-zealous old men and women in the US legal system and government looking at things completely out of perspective. Instead of dealing out a fair punnishment (say... 12 months prison, 2 years probabtion, no computer/internet access) we're going to send him to jail for what will amount to the rest of his natural life? What a joke. The US legal system has truly hit rock-bottom, and I'm embarssed to say that I live in this country sometimes.

If we are to be the greatest country on earth, and set an example for the rest of the world- perhaps we could come up with punnishments that fit the crime. Kill/rape a child - you should "fry". Hack the government, you should get an appropriate punnishment and the government agency should be fired wholesale... and replaced with competent InfoSec and IT professionals.

It's a sad, sad day folks. I do like Gary's comment...
"I'm very angry," he says. "I genuinely believe that we are the 51st State. You see it everywhere you go, not just our foreign policy, but in our schools, our hospitals and now our courts. The British Government simply bends over backwards for America."

Friday, August 1, 2008

Admin Interface on the Web - It Boggles the Mind

As system administration has matured and information technology has come along over the past decade or so we've learned many things which appear to go in one ear and then out the other. Most of these deal with secure systems design, and basically how to keep from making yourself an easy target for hackers.

With that glowing in the back of my mind like a energy-saving lightbulb I went on a hunt for things that should not be available on the web.

First off, I think I've had this debate with people so many times it hurt my brain - but administrative interfaces to applications, appliances, or widgets simply shouldn't be available to the general web-based casual viewer. Worse yet, it should definitely *not* be index-able with a search engine.

With that in mind, I decided to give Google a chance to see how many people still allow open, administrator pages on the 'net. Granted, sometimes you just can't help this, right... but if I can index your admin page, and your authentication mechanism isn't well-built... it's only a matter of time before I pwn you. Check it out for yourself, go to Google, and use this search term "inurl:"admin" intext:administrator login" and see what you get. Scarry, huh? How many of these systems that you find do you think you can grind away at until you guess a password via brute-force?

Common boys and girls... you should *not* put an admin interface on the general net, that's what we have VPNs for, and management networks. *sigh*.
Google+