Thursday, December 31, 2009

Bricking ourselves into a dark corner

Bruce Schneier's brilliant piece on Security Theater got me thinking.  Terrorism's aim isn't solely to kill people; its main goal is to instill fear and force a change in the way of life of a people.  That people is us civilized westerners.  Think about it.

What's interesting is this: every time a suspected terrorist is arrested the media circus around it makes it feel like another episode of 24 with Jack Bauer just around the corner ready to fend off another bad terrorist plot.  The problem with this is that we're building fear - exactly what the terrorists want to happen.  Psychologically this actually achieves almost as much damage as actually committing the terrorist act and being successful.

What's worse is the results that happen afterwards in the political theater, here in the US.  Politicians and clueless bureaucrats [like Janet Napolitano who heads up the DHS (Dept. of Homeland Security)] have what we call knee-jerk reactions to these types of situations which actually amplify the effects beyond anything the terrorist can create himself.  Allow me to explain.

Remember Richard Reid, the would-be shoe bomber?  What about those idiots in the UK who were going to bring down a plane with liquid explosives?  The result was the same predictable one each and every time.  The response from our beloved TSA (Transportation Security Administration) was to react to the previous threat in a way that could have prevented that threat, had we been able to go back in time.

You see, the TSA believes in a policy of reactive security.  More specifically, reactive security theater, as Bruce so eloquently coined the phrase.  It's not that taking your shoes off and sending them through the x-ray machine will likely prevent any future attacks; rather, it's a reaction meant to prevent a repeat offender.  Same with the 3.4oz (100ml) of liquid in the plastic baggie.  Same goes for not being able to get up during the last hour of flight - although the logic behind this one is truly bizarre, even when I really try and think it through.

This kind of thinking is dangerous, and should be eradicated from a department as critical to our way of life as the Department of Homeland Security (especially the TSA).  When we enact these half-cocked measures of illogical security we endanger more lives than we protect.  What I'm alluding to here is what we in computer security always refer to as the "false sense of security".  It's like having anti-virus installed, running, and 2 years out of date.  Sure you have something there that makes you "feel good" that you're protected but in reality you're doing nothing for your actual security.

Think I'm crazy?  Think of how the last several uncovered and publicized terrorist plots have affected your life.  UK liquids plot ... 3.4oz or less, in a 1-quart plastic baggie.  Shoe bomber ... take your shoes off and place them in the bin, or on the conveyor, no wait, in the bin.  Crotch-bomber nearly burns his twig n' berries off ... can't get up for the last 60 minutes of flight and the pilot can't even point out what you're flying over anymore.  Do I need to continue?

Open your eyes and realize the terrorists are winning.  They're effectively changing our way of life.  They're forcing the hapless, clueless government we're all living under to enact changes that restrict our personal liberties and our ability to move about our country freely.  They're drastically eroding the rights afforded to us against unwarranted search and seizure.  Hell, you can't even take a picture of a national monument without some rent-a-cop security guard in your face about it!

So let's take a minute to step back this holiday season and apply some logic.  If we continue to allow our politicians to create these knee-jerk, backwards-looking reactionary policies we will effectively paint ourselves into a corner the American people won't be able to get out of.  Think about it!  What if terrorists are discovered trying to make laptop battery bombs?  No more laptops on planes?!  What about iPod bombs?  No more iPods or worse yet, electronics, on planes?  At what point will air travel become so incomprehensibly painful and unnecessarily inconvenient that people simply stop leisure travel by air?  Have our politicians thought of what that does to the air travel industry?

I know I've heard people say that we get what we pay for, and that the TSA simply doesn't have enough money to work with... If I read this correctly the president's budget allocated nearly $6 billion for aviation security; what have we done with that?!  From the Budget document:
"...Devotes nearly $6 billion to the multi-layered, risk-based aviation security system"
WOW!


All I'm asking is that we evaluate the actions the TSA and the DHS are taking and see them for what they are - knee-jerk reactions to deter already-happened events.  We can't possibly keep our nation safe trying to prevent what's already happened, that's logical right?


Here's to hoping 2010 is a more prosperous, safer, and more logical year.


----
UPDATE:
From his blog, Chris Elliott has a great post about the schizophrenic TSA rules after this latest near-disaster.  Chris also has a few things to say about the TSA, go give him a read.

Wednesday, December 30, 2009

International Travel, Security, and the Utter Failure that is the TSA

Here's something I never thought I'd say ...US airports are not the worst-run in the world.  The US TSA is still, sadly, run by semi-trained apes.

Over the past 2 years I've been traveling regularly cross-country (and even up into Canada) on business and have had some abysmal experiences with airports ... but then I found myself on holiday in Holland (Amsterdam to be precise) the day after the idiot from Nigeria tried to blow up his crotch and a Northworst Airlines (now Delta) plane.  Let me tell you that the Dutch airport security at Schiphol airport took inconvenience and stupidity to an entirely new level.

It's important to remember that this experience was the day after the dumbsh** tried to kill several hundred people over Detroit, so the level of knee-jerk "security" measures was unprecedented since the 9/11 atrocities.  This is my personal experience ...and will naturally have a lot of my highly-opinionated commentary so grab a coffee, sit back and enjoy.

First ... Holland (and really, northern Europe) had been absolutely buried in a massive snow-storm the likes of which they hadn't seen in >20yrs according to locals, so I was already bracing for the long lines, cancellations, delays and silliness that goes along with poor weather.  Second, I was already expecting people to be hyper-vigilant to a point of stupidity given that the attacker had left Amsterdam's Schiphol airport the day before and now all eyes were on the Dutch.

The flight I was on was supposed to leave Schiphol airport (UA 947) at 12:20pm (local time).  When I got to the airport at 9:30am, I figured it was a safe bet because there were undoubtedly slight delays in security measures.  I had also heard of some of the absolutely ludicrous security measures the TSA had enacted like "nothing on your lap, or standing up for the last hour of flight" and the 1 carry-on only rule... and I was annoyed.  When I checked in and dropped off my bag, the United agent was absolutely super-polite, checked my suitcase and my wife's, and told us that we would need to be at our gate by 10:30am, which meant I still had time to have a cocktail (or two) in the lounge and get to the gate with plenty of time.

My wife and I arrived at the gate at precisely 10:28am, only to see an absolutely empty gate with lots of people standing around looking very confused.  [Another note - Schiphol airport apparently does their security at the gate rather than at one central point.  This is something very important to remember as it is a drastically different model than we're used to in the 'States.]  Anyway, getting there and seeing no one from the airport staff for a full hour really got to me, and many of the other passengers, so you can imagine that when the 4 airport workers (security staff) showed up with a cart full of tensa-barriers at 11:35 there was a riot about to break out.  By now I had learned that most people there had connecting flights, much like my wife and me, and only a few of them were actually staying in Washington DC (Dulles was the landing airport).

The airport security folks took 15 minutes (give or take a few) to set up their barriers and start barking out orders.  They explained that due to heavy new rules everyone would be, as they put it, "100% checked" before getting on this plane.  What the hell does "100% checked" mean?  I didn't see any rubber gloves so I thought we were safe.  Wrong.

We were 2nd in line in the priority line which didn't seem to matter because both the priority line and the economy line were moving just as slowly.  The person in front of us had her passport taken, was drilled with questions then pulled aside.  She had her purse gone through, more questions, and then had to take off nearly everything that was decent and send it through the X-ray machine.  She was then patted down, no I mean really patted down...  On the other side of the x-ray machine, both her purse and her carry-on were opened, emptied and each item was inspected one by one.  No privacy screen, no caution, no care for people's decency/privacy.  It was revolting.

My wife and I went through the same treatment.  They opened my camera bag, emptied it nearly breaking some >$800 lenses and asked what everything was and had me show them how everything worked.  Next came my completely packed laptop bag.  It took nearly 10 minutes to take everything out, inspect it, and tell me to put it all back together and move out of the way.

The whole ordeal for my wife and me took 17 minutes.  The really crazy part was that there was now a line stretching as far as the eye could see with people waiting to undergo the same Gestapo security.  Between the time that the screeners showed up and the gate opened, and the time that the plane was actually ready to push back from the gate, was nearly 3 hours.  Of course, this meant that we were really late.  The announcement from the captain was that of course due to increased security many people would miss their connections and United would do its best to re-book or ask flights to "wait on us".  Given that we had a connecting flight from Washington Dulles to Chicago O'Hare with only a 1 hour layover I wasn't holding my breath to make it home.

Surprisingly though we touched down with an hour left before my next flight was to take off, one gate over from where we had landed (we landed at C7, we took off from C5 in 60 minutes).  This is where the real adventure began... and underscores why I think everyone at the TSA should be strung up then fired.

The landing was as expected with the "nothing on your lap" rule 1hr before landing.  Oddly enough, I kept my iPod on, and kept reading my magazine and none of the flight attendants were around (because they were sitting, haha) to say or do anything.  How effective is this rule?  Hint: not at all.  I actually feel bad for those folks who have kids who have to go to the restroom in the last hour of flight because now you have to figure out a way to not only immobilize your kid with nothing to keep them occupied (you know, in case your 7yo is mixing a chemical bomb in their lap...) but keep them from having to go potty (good luck!)... Clearly none of the twits running the TSA have ever traveled internationally with children or they simply don't have the sense to care.  Either way - this is a massive failure... shocking.

After we landed we were herded off the plane, into US Customs (which was a surprisingly long, yet refreshingly fast-paced line) where the agent was polite, smiling and generally well mannered.  It gave me hope that the rest of the trip wouldn't suck.  Enter the TSA rules again.

Apparently when my checked and screened baggage got off the plane I was forced to pick it up, take it 15 feet into a "baggage re-check" (please, someone explain this idiocy to me!) and then go through security screening again.  You think the half-wits at Schiphol were tight on security... the nice TSA monkeys once again dug through everything as if I was traveling from Yemen and shouting anti-American propaganda ... my camera was apparently a weapon?  Oh, no wait, that was my monopod ... right - that could be used to poke someone I guess?  Again, morons.  Whiskey Tango Foxtrot.

FINALLY getting back on a plane and bound for home the ordeal was over... I hope never to go through that stupidity again; sadly I sense my request will be short-lived.

Now, after that harrowing experience I have plenty to say.


  1. What purpose does the "sit down and nothing in your lap for the last hour of flight" rule serve?  We all know this is at best a knee-jerk reaction by the monkeys at the TSA to appear as if they are doing something real to combat a threat that is unlikely to manifest itself in the same manner twice.  As far as I can tell this is just going to annoy legitimate passengers, and not deter any would-be bad guys from doing anything evil.  I think a better deterrent would be to keep re-airing that interview with the guy who tackled and beat the snot out of the would-be bomber ...that was a hero who actually contributed to security.
  2. Why don't we have those full-body screening machines at every airport?  That is a civil liberties trespass I, and I'm sure many of you, am willing to take to make sure some jackass doesn't try and light his balls on fire on my flight.  We bitch about real security being at the level of stupidity yet we're unwilling to allow for something that makes sense?  I'm sensing this is all political - but I promise you that in the next election if you didn't vote for the full-body screening machines, I'm not voting for you.
  3. Let's do a comparative study of the US TSA against any of the EU security groups.  I especially was impressed with Germany's security at Frankfurt airport.  They were all professional, were dressed in shirt/tie and looked official.  They didn't walk around talking about who was going on break next and what their evening plans were ...rather, they were there, polite and professional.  TSA take note: if you hire people who couldn't even get a GED and pay them minimum wage they'll behave like McDonalds workers and won't really be effective.
  4. Training... there's something I could write an entire blog post on.  The TSA isn't even smart enough to understand PDF redaction let alone how to actually effectively train their staff.  I'll refer back to the point above about minimum-wage drones.
Before this post gets too long, I'll just finish up by saying that we here in the USA are woefully behind.  To quote some anonymous gentleman who was sitting next to my wife and me ..."Europe hires security based on merit, while you Americans hire based on affirmative action, what do you expect?"... yikes.

Do I sound angry?  Goddamn right I'm angry.  I'm living in the greatest country on the face of the earth and we're light-years behind Europe in real security.  I loathe the TSA and everything they've done.  I don't believe we're one teensy bit safer than we were before the tragedies of 9/11.  I strongly feel that in spite of all the rules, rhetoric, and millions of dollars that have been spent we're just as blind to real threats as we have ever been... except now we're pissing off passengers and deterring good people from coming into the US.

Mr. Obama ... I'm still waiting for that "change I can believe in" ... so please FIRE THE TSA and appoint someone competent.

Saturday, December 19, 2009

Adobe Flash 10 ... now with McAfee?

I went to update my Flash Player today (manually) on one of my VMs and noticed that this new "option" stuck out at me...

Now, not being one to turn down a free security feature I wanted to read on.  Clicking the "Learn more" option takes you to the "LiteApps" McAfee site which has this to say about the "McAfee Security Scan":

"McAfee Security Scan is a free tool that automatically checks and reports if your PC is protected. Your PC's security status is determined by the state of your anti-virus and firewall protection. Your security software may be switched off or become out of date without you realizing. Or, you may not have security software installed on your PC. McAfee Security Scan lets you know if your PC is at risk and what you can do to protect it. Feel confident knowing that McAfee works behind the scenes to protect you by automatically starting the scan every week so that you are kept informed if your PC's security changes."

That's kinda cool right?  Maybe Adobe has gotten so much pressure not only from us in the security community but also from end-users that are sick of their machines being trojaned and rooted from terribly-coded Adobe software - that they are now partnering with McAfee (now, granted McAfee isn't exactly a good A/V engine) to give you the courtesy scan to let you know how badly you've been rooted before applying the latest in a round of never-ending bug fixes...

Hey Adobe ... how about you guys just write slightly less crappy "everyone's gotta have it" software, and we'll all sleep better... just sayin'

As for me, I'm going to skip the free anti-virus scan and just uninstall Flash.

Thursday, December 17, 2009

*facepalm* - US Drone Communications Intercepted in Iraq

In a story that sounds like it belongs in a 007 spy novel, it appears as though some very enterprising Iraqis (no doubt backed by their Iranian, anti-US friends) have figured out that the Predator UAVs (Unmanned Aerial Vehicles) that strike fear into the hearts of insurgents everywhere transmit their video feeds over a semi-sophisticated satellite network.  That video feed can be leeched off the transmitting satellites with a $26 piece of Russian pirate software.  I will pause a moment while you gasp and re-read that...

.....

This bodes well for their efforts to evade detection, air strike or death by simply using some Russian-made (there's a shock) satellite-intercepting software called "SkyGrabber".  A quick blurb from the SkyGrabber site has this to say:
"The satellite transmits data all users in one stream. The data are accepted by all who are in the satellite coverage area. In fact, you can set up your satellite dish on this satellite and we'll receive the data, which is produced by other users.
But you say, well, well, we get the data, but how do we get the files that other users are downloading? The SkyGrabber can do it. The program intercepts data of other users, assemble in files and saves files in your hard drive. SkyGrabber makes your life more exciting and interesting." 
More exciting and interesting indeed!  What a brilliant (mis)use of technology right?  While this is a pretty cool way to get, as the site says, "free movies and softwares" - the software isn't the story.

News flash: the US government is not encrypting mission-critical military communications!  What does that say about our military's ability?  Not a whole hell of a lot if you ask me.  What amazes me is this quote from the WSJ article...

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.
In the summer 2009 incident, the military found "days and days and hours and hours of proof" that the feeds were being intercepted and shared with multiple extremist groups, the person said. "It is part of their kit now."


That just blows my mind.  I've always figured our military wasn't the most brilliant at using digital-age technology, but this simply takes the cake.  How do smart, military-trained people figure that using non-encrypted communications is a good idea?  Was it a cost-savings?  Did someone do the risk-analysis on this one and say "Well, it's not critical communications data that will put our troops at risk, so the extra $50 on encryption is unjustified" ... Sadly I suspect so.

What I do find mildly sensational and amusing is the "shadow cyber-war" claim that everyone in the media seems to be taking up.  What does that even MEAN?!  This isn't a cyber-war tactic, not that the term itself has any meaning at this point that anyone comprehends (except for RSnake...) but this is simple military espionage, nay, simple surveillance!  This has nothing to do with any silly cyber-war ... it's an amazingly stupid lack of intellect on the US military's part, and an ingenious use of pirate software on the insurgents' part.

Wake up people... this is not an "escalating shadow cyber war" and anyone who says that should be beaten with their words.  Maybe the military should send their communications geniuses to some basic risk-analysis training? ...or just call 007, he'll know what to do.

Friday, December 11, 2009

"Locking" Touch Screen Devices

Do you have a touch-screen device like an iPhone, Android-based phone, or one of the others that require you to use your finger?

If so, do this for me.  Take out the device, and don't power it on yet or touch the screen.  Hold it up against the light so you can see the smudges and fingerprints on the screen's surface.

Now think about it for a second.

Odds are, if you're like me, what you're looking at is a concentration of fingerprint "marks" on the buttons you most commonly press.  If you're like me and have an iPhone with a PIN set on it, you turn it on/off a few dozen times a day or more, right?  Over the course of a full day those fingerprints are pretty well established on the buttons that make up your PIN.  This presents a problem.

Covering specifically the Apple iPhone I've done some digging and Google'ing and found a few manufacturers that sell "fingerprint resistant" screen protectors, but I've tried a few both off eBay and some bought at the Apple Store and none of them actually resist fingerprints that well.  Not well enough, anyway.

The issue comes down to the way that the iPhone's security is set up.  Clearly it's not meant to be a high-security device, as it's a "toy" by nature.  My wife's T-Mobile G1 touch-screen device is a little different, and you can tell the engineers behind Android (HTC builds the G1, but the unlock pattern is an Android feature) actually tried to think things through.  First, it's not just buttons you press but a multi-point swipe you make with your finger on the G1.  It's like a big connect-the-dots game where you don't pick up your finger, you just connect a few dots ... that's your "PIN".  This is significantly more difficult to find patterns in since you're effectively creating smudges (lines) when you input your PIN.

While the G1's way is clearly better, at least to me it seems that way, both have the same flaw: they pick up grease from our fingers and leave it there for someone who wants to get into your device to follow.  You don't even need fingerprint dust or Krazy Glue (the cyanoacrylate fuming trick the CSIs do on TV) ... you just have to hold your device up to the light at the right angle and guess the password.  A 4-digit PIN has 10,000 possible values, but once the smudges reveal which four keys get pressed there are only 4! = 24 orderings left to try (a PIN with a repeated digit shows fewer smudged keys, which leaves 36, 14 or even just 1 candidate).  If the wear on the keys even hints at the order, you can probably get it in a few tries.
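As an added example (not code from the original post), here is that arithmetic carried through in Python: enumerate every PIN consistent with a set of smudged keys, count them in closed form, and run the guesses against a simulated lock screen. The attempt limit on the simulated lock and the smudge readings are constructed for illustration; the post does not state either.

```python
"""Smudge attack: how far a 4-digit PIN shrinks once the pressed keys are known.

Added example, not code from the original post.  The lock simulation and its
attempt limit are assumptions; smudge readings below are constructed.
"""
from itertools import product
from math import comb

PIN_LENGTH = 4
FULL_SPACE = 10 ** PIN_LENGTH  # 0000..9999 with no smudge information


def candidate_pins(smudged_keys, length=PIN_LENGTH):
    """Return every PIN of `length` digits consistent with the smudge evidence.

    A smudged key was pressed at least once and a clean key was never pressed,
    so a candidate must use every smudged key and nothing else.  Candidates
    come back in lexical order.
    """
    keys = sorted(set(smudged_keys))
    if not keys or len(keys) > length:
        return []  # no evidence, or more distinct keys than the PIN has digits
    return ["".join(c) for c in product(keys, repeat=length) if set(c) == set(keys)]


def count_candidates(num_smudged_keys, length=PIN_LENGTH):
    """Closed form of len(candidate_pins(...)): digit strings of `length` that
    use all k smudged keys, i.e. surjections, counted by inclusion-exclusion.
    For k=4 this is 4^4 - 4*3^4 + 6*2^4 - 4*1^4 = 24.
    """
    k = num_smudged_keys
    if k == 0 or k > length:
        return 0
    return sum((-1) ** i * comb(k, i) * (k - i) ** length for i in range(k + 1))


class SimulatedLock:
    """Stand-in for a phone's PIN screen that wipes after too many failures.

    The attempt limit is an assumed parameter for the simulation.
    """

    def __init__(self, pin, max_attempts=10):
        self._pin = pin
        self.max_attempts = max_attempts
        self.attempts = 0
        self.wiped = False

    def try_pin(self, guess):
        if self.wiped:
            return False
        self.attempts += 1
        if guess == self._pin:
            return True
        if self.attempts >= self.max_attempts:
            self.wiped = True
        return False


def smudge_attack(lock, smudged_keys, length=PIN_LENGTH):
    """Try every PIN consistent with the smudges until the lock opens or wipes.

    Returns (unlocked, attempts_used).
    """
    for guess in candidate_pins(smudged_keys, length):
        if lock.try_pin(guess):
            return True, lock.attempts
        if lock.wiped:
            break
    return False, lock.attempts


if __name__ == "__main__":
    for keys in ("0258", "125", "12", "7"):
        n = len(candidate_pins(keys))
        print(f"smudged keys {keys!r}: {n} candidates out of {FULL_SPACE}")
    # Constructed scenario: real PIN 2580, smudges on 0, 2, 5 and 8.
    unlocked, used = smudge_attack(SimulatedLock("2580"), "0258")
    print(f"unlocked={unlocked} after {used} attempts")
```

The enumeration is exhaustive by construction, so its length and `count_candidates` must agree for every number of smudged keys. Note that 4^4 = 256 is the count of all strings over four keys; it only becomes the answer if you forget that every smudged key must actually appear.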

The advice then?  When you are using your device WIPE OFF YOUR FINGERPRINT MARKS!  It's a simple, easy way to protect your device from being victimized when you're not looking.

Good luck!

Tuesday, December 8, 2009

Smoking doctors vs PC users

You know, I get one of these Greg House moments every once in a while, and this time it just happened to be when a friend on Twitter (@falconsview) brought up an interesting question... the train of thoughts went something like this:

...
ME: Looking down from doctor's office at a bunch of doctors at the back entrance of the hotel ... smoking.
@andrewsmhay: "ah, but at least they know, and accept, the risk (as stupid a risk as it is)."
@falconsview: "can you actually say that people "know the risk"? I mean, really? people tend to be v bad at estimating risks..."
...

We proceeded to poke fun of doctors and how they probably get a discount on cancer treatments and other rather tasteless things ... but this stuck with me.

As I was sitting in traffic on the way home I thought to myself ... "self ... you know this could really apply to the user categories in my previous post!" ...

How many people think they understand the risks of what they're doing when they use their computers in an unsafe manner yet in reality have no idea how big the risks they're taking?

For example, a very close personal friend of mine does all her life on her laptop - yet when asked why she doesn't back up her response is "it's no big deal ...".  This demonstrates a clear lack of understanding of the risks of the digital age.

Think about it this way, everyone that you know that has a computer, especially those that are not-so-tech-savvy probably thinks they have some clue on how to be safe.  They may even think they understand what it means when all those pop-ups asking them to make system changes pop up.  They may even fool themselves into thinking that they understand what's going on with their computer ...the reality is 99.999% of them don't.  I'd be willing to make a wager on that.

The solution?  Maybe Best Buy and the other PC stores should sell a free 1hr "class" with each computer.  This class would illustrate the risks of using the PC, and how to minimize un-necessary risks maybe?

Oh ... that's right.  Nevermind, that'll never happen.  Why?  Because as long as "Geek Squad" exists it is in the best-interest of the big electronics stores to have you buying, screwing up your PC, and coming back to get it "fixed" by one of these chuckle-monkeys.  Sad huh?

So those doctors that were smoking ... I'm sure they understood what they were doing is stupid, and to what degree it is stupid - but are they mentally comprehending the risks?  Like the users ... probably not.

Thursday, December 3, 2009

Exposing Malware - Part 2: Infestation

A little while ago I wrote part 1 of this series on malware, focusing on its insane efficiency ... and since that time I've had some more time to do additional research and play with a few more "code samples" which continue to baffle and amaze, so I'm writing this second part of the series on "infestation".

The semantic issue here is critical to the post - this isn't necessarily an article about infection but really about infestation of connected computing devices by what can only be described, collectively, as malware.  Malware in this definition is essentially the collection of traditional viruses, trojan horses, worms, ad-ware, scare-ware, crime-ware, ransom-ware and everything else ... did I miss a catchy buzzword?

Anyway, the rate at which a connected computing device gets over-run by malicious software is incredible.  Recent statistics I've heard peg the average compromise time of a non-protected workstation on the open Internet at around 8 minutes.  This was 2+ years ago that this metric was measured ... I'm confident it's even less time now.  These types of studies in time to compromise are interesting because it serves to illustrate the sheer volume of evil circulating the Internet.  I've thought about the vectors for compromise (or over-run if you like) and have classified them into 5 categories:
  1. Self-Inflicted-Accidental
  2. Self-Inflicted-Ignorant
  3. Unattended-Circumstantial
  4. Targeted
  5. Delivered
I think these five (5) categories can be applied to all infections/infestations and each have unique qualities ...so let me dive into them here.


  • Self-Inflicted-Accidental
 While many people "do it to themselves" I firmly believe there is a segment of the Internet-using population that simply hasn't gotten the memo yet.  The Internet is a nasty, hostile, and vile place boys and girls.  This is easily dismissed as the naive crowd, those that just haven't been awakened to the stark reality of interconnectedness.  I will grant you this- this group shrinks faster than new members are added ... with education everywhere, and security-aware individuals (much like you reading this) beating the drums it's tough to be naive for very long, unless you operate your brand new computing device in a cave ... but that brings up other issues!

  The problem here with this group is that they are too trusting.  They're like your grandparents, who trust the maid who's "so nice" but is cleaning them out of every valuable in the house.  They will be shocked when they find out they've been infested; then they will become educated (and some become jaded), their outlook changes and they fall out of the group.

Impact: sadly, when these folks get hit, it's epic
Remedy: Either more education, or simply let them get whacked


  • Self-Inflicted-Ignorant
 This is the other self-inflicted group.  Unfortunately, I feel no sympathy for these folks that get infested.  They've been warned, maybe they've even gotten whacked before - but like the kid who keeps sticking his finger in the fire they just don't learn.  The really unfortunate thing here is that a vast majority of these folks feel like they're entitled to be compensated for the pain they self-inflict with their ignorance.  They'll likely get infested, have their banking credentials or credit card info swiped and money stolen then demand that their banks fix it.  Even more insane are the banks and institutions (primarily in the financial industry) who continue to foster this type of behavior.  Now, I understand there is a fine, very blurry line between being compromised where you can do nothing about it, and being just ignorant ... but if you're getting whacked repeatedly there has to be some accountability.

  I've met many threat-ignorant people in my years in IT and I'm certain you have too.  In fact, many of you chuckle as you read this because it's either your manager, your CEO, your parent, spouse or in-laws that drop into this category.  I'm sorry in advance for saying it but ... these folks should have their Internet-usage ability revoked.

  I just don't understand how people can be so ignorant and keep at it.  Maybe it's our fault (I say our and mean collectively the business & IT world) for allowing them to be this way.  Maybe we're not giving them enough responsibility for their own actions (or non-actions)?  I mean, look ... if you have a gun you have to be licensed to use it right?  ...and you're responsible if you cause yourself or someone else harm?  I know Internet access doesn't require a license or certification but maybe it should?  Maybe you should have to take a "basic certification" to get an IPv6 address (if that ever happens...)  I don't quite have the logistics worked out but there absolutely MUST be some accountability here ... we as an industry group must find a way to educate and drive out ignorance from the connected masses.

Impact: Epic fail ... made worse by the coddling currently coming from financial services industry
Remedy: Education and accountability ...or something!


  • Unattended-Circumstantial
  This category of infestations just happens by circumstance.  Picture a computing device Internet-connected just sitting there humming away serving up web pages, widgets or data.  Along comes a malicious agent ...doesn't matter whether it's a human being or a script - only that an infestation happens.  My favorite example here in this category is the kiosk at the airport or hotels.  These are unwilling participants set in place by people who for what-ever reason haven't fortified them enough against malicious intent.  Getting infested like this is painful because there is often someone to blame - but it's hard to point the finger.  Computing devices are connected to the Internet every minute of every day ... many of them for no good reason.  These devices are constantly getting infested in spite of any kind of "anti-virus protection" that is placed on them, and as worms and other automated attack vectors advance this problem is going to get worse!

  Look around, I am willing to bet you can name at least 5 connected devices within arm's reach right where you are this minute.  Whether it's a refrigerator, a video gaming console, your mobile phone, laptop, DVR or even television, everything is becoming connected and too often there is no thought given to answering the "what if this thing gets infested?" question.

  What would you do if you woke up tomorrow morning only to find that your Internet-connected DVR has suddenly been taken over?  The warranty may or may not cover this problem because technically it's not a manufacturer's defect, right?  There is no broken hardware, no smoking hard disk or sparking internals - only a malicious piece of software now embedded inside the device that randomly deletes your favorite not-yet-watched shows, and orders adult material when you're not around.  What do you do!?

Impact: Everything from mischief to malice to catastrophic failure.  If your refrigerator becomes infested with malware and malfunctions, that's one thing, but if your car's on-board computer suddenly shuts down your car in the center lane on your way home at 65mph - that's an entirely different issue.  It could happen, soon.
Remedy:  I honestly don't have an answer to this.  Better SDL-integrated security is the only answer here that even makes sense as many of these devices and infestations are outside the realm of reasonable responsibility of not only the owners but even the operators!


  • Targeted
  Sometimes, you're just screwed.  We in information security have long told audiences, businesses and managers that if you are targeted for an attack there is very little you can do to "be safe".  Attackers have a way of getting their way.  This works the exact same way with malicious software and infection/infestation.  If someone writes a purpose-built piece of code that attacks users of AT&T broadband (as if we don't have enough problems with our carrier) who run Windows Vista (again...why? isn't this situation enough pain in itself?) and use a specific social media application (a la Facebook), I have news for you - they're going to win.  It's like the Canadian Mounties ... they'll get their man/woman/target.

  My main take on this specific segment of the problem is this - if you're worrying about this infestation type that to me means you've solved the other 3 previous ones (above) and I want to know how you did it.

Impact: Whatever the bad guys want.  Generally the impact isn't "catastrophic failure" ... and the less you notice the impact, the better for the bad guys.
Remedy: Stop worrying about this one, you're not going to solve this problem.


  • Delivered
  Finally we come to the "delivered" infestation type.  This type of infestation is very similar to the targeted type - except that the delivery mechanism is generally someone else's.  To elaborate further it's easier to just give an example.  Say you're a user of Twitter (and I know you are), and you use TweetDeck.  Now, in its own right, TweetDeck isn't a malicious piece of software ... I hope.  Now, if someone compromises the TweetDeck update system and you get a notification next time you fire up your client that an update is available, you click OK ...it's not your fault that you were just delivered a piece of malware and now are infested!  There are no ignorant actions on your part, and you're not naive because you're using reasonably trusted software which is being used as the delivery mechanism for malware.

  Again, just as in the previous example, there are very few things you can do to avoid being infested in this situation.  You can't review every application you use manually, and it's unrealistic to think that you're not going to load up any 3rd party tools or software on your computing devices.  Again ...welcome to screwed-ville.  Take a number, get a seat and wait to be re-imaged.

Impact: As with targeted infestation ... this can be anything from annoyance to identity theft and digital impersonation!
Remedy: ... hrmm.... I'll let you know if I figure this one out.  I'm open to suggestions!
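One control that does shrink the "delivered" problem described above is making the client verify updates against a key pinned in the installed software, so that owning the update server is not enough to push malware. The Go program below is an added illustration written for this post; it is not TweetDeck's or any vendor's code, and the manifest format, function names and installer bytes are all constructed for the example. The vendor signs a manifest (version plus SHA-256 of the installer) on its release host with an Ed25519 key; the client, holding only the public key, rejects a swapped payload, a manifest signed by a different key, and a manifest whose version field was edited after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is what an update server hands to the client: the version,
// the SHA-256 of the installer bytes, and the vendor's Ed25519 signature over
// both. The server only relays it; it never holds the signing key.
// (Constructed format for this example, not any real product's.)
type UpdateManifest struct {
	Version       string
	PayloadSHA256 [32]byte
	Signature     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded payload does not match the signed hash")
)

// signedBytes builds the canonical byte string that is signed: a fixed label,
// then the version, then the hash, NUL-separated so fields cannot run together.
func signedBytes(version string, sum [32]byte) []byte {
	return append([]byte("update-manifest-v1\x00"+version+"\x00"), sum[:]...)
}

// SignManifest runs on the vendor's release host, the only place the private
// key should exist.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	return UpdateManifest{
		Version:       version,
		PayloadSHA256: sum,
		Signature:     ed25519.Sign(priv, signedBytes(version, sum)),
	}
}

// VerifyUpdate is the client-side check. The public key is pinned inside the
// installed client, so neither a compromised update server nor a tampered
// download passes: a forged manifest fails the signature, a swapped payload
// fails the hash.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.PayloadSHA256), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Demo runs four scenarios on constructed data and reports whether each one
// was accepted: only the genuine update should be.
func Demo() (genuine, swappedPayload, forgedManifest, editedVersion bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed installer bytes, version 2.1.0")
	m := SignManifest(priv, "2.1.0", payload)
	genuine = VerifyUpdate(pub, m, payload) == nil

	// The file is replaced on the server or in transit; manifest untouched.
	evil := []byte("constructed installer bytes with something extra")
	swappedPayload = VerifyUpdate(pub, m, evil) == nil

	// The update server is compromised and serves a manifest signed with a
	// key that is not the pinned vendor key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedManifest = VerifyUpdate(pub, SignManifest(otherPriv, "2.1.1", evil), evil) == nil

	// Only the version field of the genuine manifest is edited after signing;
	// the signature no longer covers what is presented.
	edited := m
	edited.Version = "2.0.0"
	editedVersion = VerifyUpdate(pub, edited, payload) == nil
	return
}

func main() {
	g, s, f, e := Demo()
	fmt.Printf("genuine accepted: %v\nswapped payload accepted: %v\n", g, s)
	fmt.Printf("forged manifest accepted: %v\nedited version accepted: %v\n", f, e)
}
```

The design point is where the secret lives: the update server and any mirror or CDN only need to store the signed manifest and the bytes, so compromising them yields nothing the pinned key will accept. What this does not cover is a compromise of the release host itself, which is why that key belongs on as few machines as possible.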

---
  There you have it, infestation by malware is ugly.  Sometimes you can prevent it, many times you can't.  The results are incredibly diverse and range from your search results being compromised and "swapped out" for someone else's targeted results, to identity theft and impersonation, to catastrophic failure.  Problem is ... out of these 5 types we're only realistically able to do something about 2 or so of them.

  What do you think?

Wednesday, November 25, 2009

Open Wide: 2 Sides of Every Coin

Last month at the CSI: Annual 2009 conference, as a few of us sat around contemplating and discussing the finer points of InfoSec, an interesting topic came up.  I managed to stir up the "functional vs secure" question again and we went round and round on whether it would be better for the overall state of end-user security if updates were forced (much the way Google Chrome just auto-magically updates itself) and end-users could do nothing about it... OR whether it's better to simply let people decide [for themselves] whether or not to update.  Both sides of the point were argued (by InfoSec professionals, mind you) and I wanted to present the debate from both sides for your consideration ... and maybe get an idea of where some of you stand.


The focus revolves fundamentally around whether it is better for the users to choose to update their own computer software components (for information security reasons) or whether it would be better to simply push updates on the user without giving them an option.


First let's look at the obvious answer ... OK, maybe not so obvious but at least it's the easy, top-of-the-mind answer right?  Let's talk pros and cons... Let's pretend we can force updates on end-users.



On the positive side of the coin, it's good for the overall state of security on the Internet when you can force connected systems to update buggy software ... right?  Imagine if, back when those network-borne worms were cruising and crushing Windows boxes, all those machines had patched themselves [from the central source] with the click of a button back at Microsoft HQ.  That's a pretty rosy picture: all those exposed, vulnerable machines and unsuspecting end-users magically patched, no user intervention required.  When someone comes to me and tells me their machine is hosed up with some piece of malware I'm always tempted to check how far behind on their Windows O/S updates they are.  Sure enough, 9 out of 10 people that come to me for help are months behind on their Windows patches ... at best.  Some have sadly never gotten the memo and continue to ignore the little red shield in the bottom-right corner of their screen begging them to update; it's equally likely they have never updated their machines at all and are vulnerable to all sorts of things.  Now, we all know that a vulnerable machine is rarely an isolated thing.  There is always collateral damage when some Windows box gets nailed with yet another nasty bug.  Once you're infested the machines around you tend to fall prey pretty quickly (as they're often just as out-of-date as your computer) and Heaven help us if you're connected to some corporate VPN or something important.  Schools, businesses, libraries, homes ... all fall victim to carelessness (or cluelessness, your pick if it even matters) when it comes to leaving machines unpatched.  It would truly be awesome if any Internet-connected machine would automatically grab and install the latest updates as they become available (using some realistic interval of every 6hrs or something) - and I'm willing to bet the incident count would drop substantially.


Sure, problems would all be immediately fixed up and the worms would die quickly ... but don't forget the side-effects.  The ugly truth is this - remember when you last installed that "super-critical" Windows patch and your super-critical business application stopped working?  Now imagine that on a massive scale.  For reasons beyond my comprehension, developers tend to exploit unintended functionality (otherwise known as defects) to make their programs work.  Thus, when the vendor comes along and patches a gaping hole allowing crazy functionality ... you guessed it, the applications break and have to be re-engineered.  How many of these can you name off the top of your head?  I bet it's more than 1.  In the real world not all patches are deployable to our workstations because they may just break something we can't live without.  It doesn't matter that the break is caused by a fix for a critical security issue the application is exploiting ... it only matters that the application cannot break down, and so the fix cannot be applied.  Without sufficient choice or option a lot (and I mean, a lot) of businesses would be in seriously hot water almost every Patch Tuesday.


So really, neither of these options comes out as the clear choice in any real-life setting.  While I would love to enforce updates on everyone I know that doesn't know how to use their computer properly ... the reality is it would break a lot of things people cannot function without.  The reality of security is that if you can't do something it really doesn't matter whether you're secure or not.  So there has to be a happy middle somewhere?


What if... when you installed Windows it asked what type of PC you were installing and gave you the choice between "Home User and Enterprise User"?  In Home User mode it would ask you if you're a computer expert and if you answered NOT it would simply change all the internal settings to auto-update, no choice.  If you fancied yourself a computer genius the O/S installer would ask you if you wanted forced updates or if you would simply like to be alerted of updates that you can then go install on your own.  In the enterprise/corporate world of course the choice would be made at the central control servers (maybe via an AD policy element).  This would then allow a business to choose which model it wants to follow, although I highly suspect few would choose the forced-updates.


The real answer, for those of you living in today's reality, is that while we all would love to force updates on people ... it's simply not feasible to do so.  Pushing updates may make everyone safer to some measurable degree, but it may also drop productivity and usability by about the same percentage, which drives us to a catastrophic failure.


What do you think?  Where do you stand?  Now is your chance to provide that sound argument for your beliefs and aspirations.  I look forward to reading your comments!  (when you post a comment please let me know if you do NOT want it published!)

Friday, November 20, 2009

Apple vs. Kaspersky - Functionality Wins

Let me set the backdrop for you like this... I just loaded a new machine with Windows 7 primarily to continue to use some of the "can't replace" Windows apps ... one of them being iTunes for my iPhone.  As far as installations go, everything went great!  I installed the OS first, then my stand-by anti-virus Kaspersky (KAV) 2010... then I went and installed iTunes 9.  Everything was solid.

Once I got everything else I needed installed I started to re-load my iTunes library from the ginormous external drive I have ... and still, all was good.  Last thing I needed to do was re-download all my podcasts.

Now, let me remind you in case you've somehow managed to forget, how much I value functionality over security.  I don't.  I think the rate at which outrageously unnecessary functionality wins out over common-sense security is appalling.  Moving right along with the story ...

I bought a few songs via iTunes, downloaded them successfully and started rocking out while the podcasts were supposed to download.  I read some email ... I "twittered", and read some blogs from my Google reader.  I then went back to my iTunes only to find that it had failed at downloading every... single ... podcast.  Every single one had failed with an error -3458.  Googling the error I couldn't find anything coherent, or relevant beyond iTunes 7 ... even some stuff that recommended I check permissions on folders.  But since iTunes had just installed itself on a new machine, and everything else was working - even downloading newly purchased music - I was baffled.

This is where my spidey sense kicked in and I thought ... "hrmm, what if Kaspersky is somehow causing this?"  What I did next was to turn OFF (pause, as KAV calls it) the anti-virus client and try downloading the podcasts again.  The result?  You guessed it ... everything started downloading smoothly.

I was absolutely baffled.  Why in the world would downloading regular music work fine, while downloading podcasts fail?  Totally baffling.  Without digging into a packet sniffer (which I had not yet installed on that machine) I emailed my go-to Kaspersky support guy and Kenneth quickly responded (as he always does ... which makes me wonder if he sleeps?).  Anyway ... there was no internal knowledgebase hint at Kaspersky but what he suggested was mind-boggling from a "security oriented person".

Kenneth suggested I configure Kaspersky Antivirus to trust iTunes.exe and iTunesHelper.exe ... for no other reason than "it would probably work".  Did it?  Yea, sadly this solution works.

Now, we had a longer conversation about what's going on behind the scenes, and apparently it has something to do with the way that iTunes (thanks Apple) is ever-expanding what iTunes actually does on your system ... and something dealing with the way that podcasts are downloaded goes beyond what the normal profile for an application allows ... thus podcasts fail to download unless you explicitly trust iTunes binaries on your machine.

OK, so here's my problem.  First ... what the hell is Apple doing with iTunes that requires such a "constantly changing software profile" as Kaspersky support put it?!  I would really like to figure out what Apple's doing, and why they feel the need to change the program fingerprint "with every update" ... very interesting indeed.

Now, what has this taught me?  Once again boys and girls ... functionality has run amuck.  The answer, of course, if you want the cool things that programs like iTunes do ... you have to take away the security controls.  I don't know about you but explicitly trusting iTunes makes my skin crawl ... I really wish that there were other alternatives for connecting to the iTunes online store.

I'm mad as hell folks ... mad as hell that functionality, over and over, and over ... continues to win over common-sense security controls.  I guess as long as cool widgets are built that even people like me can't seem to live without ... this will remain the status quo and there is no incentive to change.

*facepalm*

Have you run into anything like this?  Have a feature vs security story to tell?  Either leave a comment or catch me on Twitter (@RafalLos) - I want to publish the best one out there!

Thursday, November 19, 2009

Bring on (the) KY

Hey everyone!

Just a quick note that tomorrow [Friday, November 20th, 2009] I will be speaking at the Louisville, KY chapter of ISACA (more info here on their homepage) on the topic of "Solving Problems That Don't Exist".  If you missed my ISACA eSymposium earlier in the year, and you happen to find yourself near Louisville tomorrow ... register and come by!

The initial talk via webcast picked up something like 1,600 folks so I welcome everyone to come by.  Bring friends, co-workers, your management ... maybe you'll learn something new or just spend a good lunch getting to hear what folks around you in similar industries are doing about this type of issue.  You DO need to reserve your space, so do so now if you haven't already!

If you want more information, or the slides ... or a seat please let me know!



TOPIC:
Solving Problems That Don’t Exist
Building better security practices


WHEN:
Friday, November 20th 2009
11:30 – 12:00 Networking
12:00 – 1:00 Speaker


WHERE:
Waterfront Plaza (Directions)
10th Floor, East Tower
321 W Main Street
Louisville, KY


COST: $5 (Pizza will be served) – 1 Hour of CPE
Please RSVP to .
(Cash will be accepted at the door, but please RSVP)

Tuesday, November 17, 2009

OWASP 2009 (AppSecDC) Thoughts

I'm finally home and have a minute to write about the past week's OWASP AppSec DC 2009 conference.  And what a conference it was - far and away the best conference on information security of the year.  This includes the organization, the venue, the audience/attendees and the presenters.

I think some of my favorite presentations were Josh Abraham's 20-minute "Synergy! A world where tools communicate", Tom & Kevin's "Social Zombies: Your friends want to eat your brains", Chris Weber's 2 outstanding talks "Finding Hotspots" and "Unicode Transformations", and of course RSnake's "The 10 least likely and most dangerous people on the Internet".  If you missed any of those (or just want to re-visit them) the OWASP folks will be posting the videos and slides shortly if not already... check here.

I think it needs to be said that the OWASP crowds are some of the more passionate folks around ... while there are still some zombies like there were at CSI: Annual 2009, it's nowhere near as bad!  People actually participate, and I saw many hallway discussions that happened - and not just amongst the speakers either.  This was a great chance to combine ideas, pick people's brains and think about how to solve some of the problems plaguing application security.

Perhaps the most interesting presenter was Chris Weber with the "Unicode Transformations: finding elusive vulnerabilities" talk ... that was seriously fascinating.  I know I sat and stared as Chris demonstrated his mastery of the Unicode world and some of the ways of encoding, double-encoding and other tricks that even made my head spin.  I can't wait to dig into this topic more...

As always the OWASP projects were presented and updated, and I think the 3 that are on my personal watch-list (and should be on yours) are the ESAPI (Enterprise Security API) project, the OWASP O2 Platform, and the ESAPI Web App Firewall.  Some really big dents can be made in the general insecurity of web applications if these 3 are executed right, and deployed properly.

I'd like to thank everyone who attended my "When Web 2.0 Attacks!" talk, and if you have any questions, comments, discussions or other just want the slides you can always email me directly or leave a comment with your contact info!

See everyone at the next OWASP event!

Monday, November 9, 2009

The iPhone "worm"... SRSLY

Read carefully because I'm only going to say this once ... the "iPhone worm" everyone is buzzing about is possible because of the fact that people jailbreak their phones and then do not change their admin password from the default.  That's seriously asking for it.

At any rate, if you read up on the iPhone, infections like this are only [at least currently] possible on a jailbroken iPhone due to the iPhone's inherent code-signing feature.

When ikee was interviewed over IRC for JD's blog, the virus writer had this interesting tidbit to say:

[09:05] {ikee} Secondly i was quite amazed by the number of people who didn't RTFM and change their default passwords.
[09:07] {JD} How far did you expect it to spread, exactly?
[09:08] {ikee} Well i didn't think that many people would have not changed their passwords I was expecting to see maybe 10~ or so people, at first I was not even going to add the replicate/worm code but it was a learning experience and i got a tad carried away :)

Well there you have it.  Even ikee didn't expect that many people to have skipped the "RTFM: Read the F*****g Manual" step and neglected to change the default password.

Lesson here?

  1. RTFM
  2. Always know what you're doing when you apply any "hack"

Friday, November 6, 2009

Completely Missing the Point

You know what really grinds my gears?  "Writers" who publish articles on topics they clearly have no understanding of ... that's magnified even further when they write for a publication (physical or digital) that has a legitimately large reader-base.

I write this after careful consideration of an article a good friend of mine sent me the other day ... which made me just "WTF" all over.  His email went something like this:

So, a colleague forwarded me the URL of a slate article. http://www.slate.com/id/2233719/   (copied below)
It got me thinking, especially the complaint about drupal blocking javascript.  
  1. Business schools seem to be churning out NYT readers.
  2. NYT readers also probably read the Washington Post and Slate.
  3. These readers likely believe everything written.
  4. These readers as C* people (CIO, etc.) have the typical "superior", "I know all" attitude.
  5. They read articles like this and see it as gospel.
This is why web app security is difficult to explain to the higher-ups ... after all, the experts at Slate tell us that Javascript is a 14-year-old technology and we shouldn't be blocking it on our website!


So ... I thought about it some, and now I will tell you why I think Chris Wilson needs to stop writing about technology ... at least until he's learned a little about it.

First off, I'm not an open-source bigot; in fact, I'm not for or against open or closed source ... each has their merits and has their place in our very large technology world.  Second, I learned a long time ago that open source people are their own special breed and much like their closed-source counterparts have their unique quirks, nuances and such.  Lastly, I think this article is both inflammatory and misguided, and it misses the point entirely.  In fact, I think it's so misguided that I agree with my friend in his thought pattern on how this article actually can lead to less understanding of security concepts!  But me ranting isn't going to make my point on its own, let's analyze this article... follow along boys and girls.


  1. Chris must get paid for flowery language ... or his audience is just so much higher-brow than I because the first few paragraphs remind me of Bill Murray dropping C4 explosives into a gopher hole ... way, way over-done.  By the way, what "swing demographic" is he referring to?  I know many, many sites that are built on Drupal and none of the administrators I know (personally, mind you) would call Drupal "pocked with political landmines".
  2. Drupal knows best: First off, I'm thrilled Drupal doesn't trust end-users (particularly novice admins) with the ability to drop JavaScript into where it doesn't belong.  I mean, gee Chris ... it's only JavaScript right?  What could possibly go wrong?  By the way, high fructose corn syrup is really, really bad for our children and is the leading cause of childhood obesity...
  3. Drupal is impenetrable: I have to give Chris points for his Dennis Miller-esque humor here ... although I think he meant to say INS (Immigration and Naturalization Service) not ICE (Immigration and Customs Enforcement) ... right?  Anywho ... Drupal's steep learning curve isn't a bad thing, kids ... it discourages people from the normal "click, click, click, I've got a site" mentality.  Holy crap, you have to know something to publish a website ... no way, Wayne!
  4. Drupal hates change: Nice dig on the farm bill ... I won't even dignify this point by rebutting it.
  5. Drupal is righteous: Yes, and they damn well should be ... they built the thing and they know better than you about how it runs and what the inner workings are.  I love the "Drupal doesn't break web site. People with Drupal break web sites" ... uhmm... yea, so?  See point 4.
Alright, here's why I really think this is an article worthy of the hall of shame and why Chris needs to go back and actually do some research.  If Chris had done some research, maybe gone over to Secunia.org's vulnerability database he would discover that Drupal has had 264 vulnerabilities since it's been tracked... and guess what - an overwhelming majority of those have been in add-on modules.  Drupal's core is actually, by my count (and someone please, correct me if I've misjudged here) pretty well secured.

Anyway ... that comment about 14-year-old technology being blocked is the genius point here, from my reading.  For my money, it doesn't get any better than when someone says something like this:
"Should you, say, go completely rogue and try to add some Javascript in the body of a page—a 14-year-old technology that controls interactive components like buttons—the platform will have none of it."
That line demonstrates a clear contempt for the power of "14 year old technology like JavaScript" ... which, by the way, remains one of the web's biggest vulnerabilities.
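To make the point about "dropping JavaScript into the body of a page" concrete, here is an added example written for this post (it is not Drupal's code and not from the Slate article): the same page template rendered two ways in Go. The trusting renderer pastes the contributor's body into the HTML unchanged, which is what a CMS does when it lets anyone add script to a page; the escaped renderer uses Go's context-aware html/template so the same input reaches the browser as inert text. The page content and the contributor input are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// Page is what a CMS holds for one article: a title and a body typed by a
// contributor, which must be treated as untrusted input.
type Page struct {
	Title string
	Body  string
}

// One template, used by both renderers below, so the only difference is
// whether the engine escapes the data it inserts.
const pageTmpl = `<article><h1>{{.Title}}</h1><div class="body">{{.Body}}</div></article>`

// Constructed contributor input: a comment with a script tag pasted into it.
var untrustedPage = Page{
	Title: "Re: 14-year-old technology",
	Body:  `Great article! <script>alert("injected")</script>`,
}

// RenderTrusting pastes the body straight into the HTML, which is what a
// CMS does when it lets anyone drop JavaScript into a page. text/template
// performs no escaping, so the script tag reaches the browser live.
func RenderTrusting(p Page) (string, error) {
	t, err := texttemplate.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderEscaped uses html/template, which knows the HTML context of each
// {{...}} and escapes the inserted value for it: '<' becomes "&lt;", so the
// browser shows the script tag as text instead of running it.
func RenderEscaped(p Page) (string, error) {
	t, err := template.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsLiveScript is the check a reviewer would run over rendered output:
// does an executable <script tag survive into the page?
func ContainsLiveScript(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	trusting, _ := RenderTrusting(untrustedPage)
	escaped, _ := RenderEscaped(untrustedPage)
	fmt.Println("trusting renderer:", trusting)
	fmt.Println("  live script?", ContainsLiveScript(trusting))
	fmt.Println("escaped renderer: ", escaped)
	fmt.Println("  live script?", ContainsLiveScript(escaped))
}
```

The difference between the two renderers is the whole argument: a platform that refuses to place contributor-supplied script into the page is not being precious, it is choosing the second renderer for everyone, including the novice admin who would not know to.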

Some advice Chris ... think before you write ... and if you have no expertise - please don't make our jobs in InfoSec any harder by spreading stupidity in the ranks.

... hey, you were all thinking it, someone had to say it.

Tuesday, October 27, 2009

CSI: Annual 2009

Hello everyone, day 2 is behind us now at CSI: Annual 2009 and I wanted to post some thoughts, now that I've completed the panel at the Web Security Summit, and my 9:45am talk on "A Risk Focused Approach to Web App Security" (slides coming soon...).

First let me say that I'm disappointed. This goes full-circle, allow me to explain.

First the attendees ... where's the passion? Where's the love for what you're doing? I see attendees slumped over, walking from session to session heads-down on their BlackBerries ... they walk in, sit down, open the laptop and tune out. Aren't you here because you want to learn something? ... hear something new? Are we, the speakers, failing to impress? (more on this in a moment) So I have to say that the attendees this year are sparse and just have way too many of the glazed-over, glossy-eyed looks about them. Getting this year's attendees to participate in a session is damn near impossible ... and not for lack of trying! (if you know me, or have been to one of my talks, you know I speak the truth) The panel I hosted yesterday titled "Web Security Summit" had a decent crowd, yet far from what I was hoping for. That aside, almost everyone that was in there simply sat and stared when we the panelists tried to engage our audience! Only the brave (attentive?) raised their hands, few answered questions, even fewer asked questions ... it was painful. We did get, towards the end, onto a few fiery topics like PCI and some privacy issues which really got a few of the attendees fired up and going ... and for that I thank you deeply. Sadly, though, for the 5 or so people who never looked up from your laptops (and are unlikely to be reading this post) ... what were you doing, taking notes I hope?

Next, I want to say thank you to Jen Jabbusch, Josh Abraham, Sharon Besser, and Mike Bailey for being on my panel, and contributing to some very interesting conversations. Even if the crowd was apathetic ... at least I know you guys still love your jobs and feel strongly about the big issues!

Now, let me move on to the speakers. I'm not going to bash anyone or critique because I'm no world-class speaker either ... but many of the presentations that were given continue to be lack-luster, and quite honestly dry. I think we have the information, the content is there ... but we need to figure out a way to be more dynamic, more engaging and get the attendees to pay attention and give a sh** more! I'm not sure how that can be accomplished quite yet - I'm working on it.

As for the quality of the conference overall, I think Robert, Dina and Sara did a fantastic job as always working with what was available ... we all expected a lower turnout this year given shrinking budgets and corporate belt-tightening. You guys were, as always, great to work with and I hope I was able to contribute to the quality of the conference in a positive way.

Now, for the most important thing ... the side conversations that happen in-between talks, in the hallways and watering holes of the venue. I think what I'll take back with me most of all is the fact that I am continually reminded how little I know by people around me. I had the pleasure of having lunch today with @mubix, @jabra, and @mckt_ and quite honestly ... that was awesome. We covered a wide range of topics from Metasploit, to web app hacking, to creating some truly evil integrations of long-forgotten tools ... there is some great work coming! I think that the projects and ideas we outlined over lunch are about 6 months of work for ourselves, and will probably be 2 years of work for everyone else... well done guys, well done.

I guess overall, while I'm disappointed at one end, conferences like this still bring brilliant minds together and at the end of the day I'm just happy to be a part of it and contribute in whatever way I can.

Next up ... AppSec DC!

Edit: I can't hold it in... I don't need to repeat the content of the Twitter stream we launched ... but I'm going to simply say that no one should ever say the word "turnkey" coupled with "security" ever again. It makes zero sense, so stop it. Also, if you're going to claim to be a subject-matter expert at least make sure that your information is relevant (say, within the last 18 months?) and that you can articulate what you want to say ... eesh.

Thursday, October 22, 2009

Fox News: Bring Your Toddler To Work Day?


As someone (@bug_bear) aptly pointed out in response to me posting this on Twitter ... "Is it bring your toddler to work day" at Fox News?

Might be that someone at Fox is testing out some new tool ... that auto-publishes to their site and Twitter at the same time? Or maybe ... they were pwn3d?


... personally I'm leaning towards the toddler theory. Either way, I know it's OT and nothing to do with security (or maybe ... naaaa) but I saw it and had to post it!

Hell in a Handbasket ...

I've been reading a ton of articles lately on data breaches, cyber attacks, cyber warfare and other things ... and thought that I should share some of the more interesting articles with you that I've found, in case you've missed these gems...
  • eHealthEurope - "Private medical records offered for sale" - In a lesson of sub-sub-sub-sub-contracting failures another Indian company fails to secure information they're entrusted with protecting while "on the job". Indian companies are having a surprisingly hard time keeping data privacy and protection a priority ... wait, I can't even say that with a straight face.
  • Reuters - "New study reveals push to electronic medical records puts patient privacy at risk" - Just one disturbing thing jumps out at me when I read this article ... "70% say senior management does not view privacy and data security as a priority" when speaking about electronic medical records. *gasp* Let's couple that with the $210 per patient record cost of a data breach and you can start to account for why a trip to the doctor for a simple check-up costs you and your health insurance company $500... In other news, paper medical records are routinely found insecure when they end up on a trash heap out behind the doctor's office.
  • ZDNet - "GAO Report: NASA at 'high risk' of data breach" - There's a shock. NASA, the people who send humans to outer space, can't figure out data security ... although it's interesting that the GAO keeps finding these audits they do so poor when they can't keep their own house clean.
  • National Post - "Turning power lines into battle lines" - Those crazy Canadians are worried about cyber-warfare on the North American power grid. They're nuts ... or not. If you don't think that what happened during the "great blackout of 2003" could happen again, in a much more controlled way ... you're the one that's nuts.
  • MyPlainView.com - "Bank says online system is secure in wake of hack job" - You've gotta love a bank president who will go on record after a customer is hacked and say this: "Glenn said ASB uses a protection system called "Multi-Factor Authentication Solution" ... Because of this system we are very confident that our bank system was not breached" -Is he serious?
  • InformationWeek/Government - "Cyberwar Readiness Recast as Low Priority" - While I (mostly) agree with the findings of this "think tank report" I think they're dead wrong on their understanding of "cyber warfare". They're somehow confusing Cyber Warfare as "...at best, cyberwarfare operations 'can confuse and frustrate operators of military systems, and then only temporarily'..." and urge that the government instead focus on shoring up critical infrastructure such as our ailing national power grid and other areas. Yes, that course of action is correct but what they're missing is that a "cyber war" waged on the US will not target strictly military assets ... a half-intelligent attack would break down communications, power and other critical infrastructure first! (more on this topic coming soon, stay tuned)
  • Sky News - "Cyber attack fears as firms cut IT costs" - I think this story sort of wrote itself, but it's still worth the watch/read... the more companies cut their IT budgets the more they're exposing themselves to attacks via computer networks. Right, we know that. Why don't executives?
  • RevolutionRadio - "DARPA, Microsoft, Lockheed team up to reinvent the Internet" - I cracked up... I can't resist but to post this. WHY, oh why would you (a) go with Microsoft and (b) re-write an entirely new "MNP -Military Network Protocol" ... I know TCP/IP has its problems but ... seriously, Microsoft? Really?
  • The Chosun Ilbo - "N. Korean hackers infiltrated S. Korean military networks" - In what I would classify as a real cyber-warfare attack, North Korea is being accused of breaking into the South Korean military network and stealing some very serious state secrets... "It looks like 2,000 national secrets have been stolen" ... how do they know the extent of the damage? It looks like the N. Korea vs. S. Korea battle is heating up again as North Korea starts to flex its military might versus the rest of the civilized world...

Wednesday, October 21, 2009

Protected Tweets - Oxymoron?

Google has done it again! Somehow, the magical Googlebot has managed to worm its way into protected tweets on Twitter. To be fair, this story was first broken by the L.A. Times ... yea.

You know what I'm talking about, those strange people who choose to "protect" their tweets so only a select few can read them aren't so protected anymore.

Who knows what other design flaw [:cough: security hole :cough:] the Google-bot is exploiting but as Rob Fuller (@mubix) put it on Twitter "hmm sounds like a job for User Agent Switcher" ... indeed.

So let me get this straight ... I as a regular user with my user-agent (no, I don't use the standards personally) cannot read your protected tweets, but the Google-search-index bot can? Really ... is this a design flaw or simply a security hole that Google somehow discovered, accidentally? I'm leaning towards an accidentally-on-purpose design flaw; and now that a formal partnership (for search purposes) between Twitter and Google has been announced - who knows what else we're going to dig up?

OK, so a few questions arise...
  1. Since Microsoft's Bing already has a partnership with Twitter to search tweets is there another such hole looming there too?
  2. Is this a bug, a feature, or something else?
  3. If I change my user-agent to the Googlebot, can I read protected tweets anonymously?
... I'm not even sure I want to know. I don't bother protecting my Tweets given that this is a social platform for public dissemination of thought ... right?
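The page does not establish how the Googlebot actually got at protected tweets, so the following is an added illustration rather than Twitter's or Google's code: it shows the failure mode that question 3 assumes (a crawler bypass keyed on the User-Agent header, which any client can set), the same check written without that bypass, and the two-request test that mubix's "User Agent Switcher" remark implies. The `Request` shape, the account names and the follower lists are made up for the example.

```python
"""Added example: an access check keyed on User-Agent, its hardened form,
and a cloaking check. Hypothetical; not Twitter's or Google's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Googlebot's published UA string. Nothing stops any client from sending it.
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None   # set only after real authentication


# Constructed sample data: protected accounts and their approved followers.
PROTECTED: Dict[str, Set[str]] = {"alice": {"bob", "carol"}}

Policy = Callable[[Request, str], bool]


def can_read_weak(request: Request, account: str) -> bool:
    """Vulnerable: a crawler allow-list keyed on a client-controlled header.
    Anyone can claim to be Googlebot, so the 'protection' is just a string."""
    if "Googlebot" in request.headers.get("User-Agent", ""):
        return True
    followers = PROTECTED.get(account)
    return followers is None or request.session_user in followers


def can_read_strong(request: Request, account: str) -> bool:
    """Hardened: protected content goes only to an authenticated, approved
    follower. Crawlers get no special path, so the UA header is irrelevant."""
    followers = PROTECTED.get(account)
    if followers is None:
        return True                      # public account
    return request.session_user is not None and request.session_user in followers


def serve(request: Request, account: str, policy: Policy) -> str:
    """Stand-in for the web tier: body on allow, 403 on deny."""
    return "<protected tweets>" if policy(request, account) else "403 Forbidden"


def ua_cloaking_check(policy: Policy, account: str) -> bool:
    """Practitioner check: fetch anonymously with a browser UA, then again
    with Googlebot's UA. A different body means access is keyed on User-Agent."""
    browser = serve(Request(headers={"User-Agent": "Mozilla/5.0"}), account, policy)
    spoofed = serve(Request(headers={"User-Agent": GOOGLEBOT_UA}), account, policy)
    return browser != spoofed


if __name__ == "__main__":
    for name, pol in (("weak", can_read_weak), ("strong", can_read_strong)):
        print(f"{name}: access depends on User-Agent = {ua_cloaking_check(pol, 'alice')}")
```

Against a real site the two `serve` calls become two HTTP requests that differ only in the User-Agent header; if the bodies differ for a resource that is supposed to require a login, the server is making an authorization decision on something the client controls. Note that this check tells you nothing about Google's actual arrangement with Twitter, only whether the UA alone is enough.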

"The Jihad Job" ... recruiting via email

An article titled " 'Jihadi job' email to lawyer " on The Telegraph from Calcutta, India caught my attention... and not just because I think that there is plenty of jihad recruiting going on over email and modern technologies but because just recently I wrote about the "Google conspiracy".

I've been keeping track of articles and blogs referencing "cyber jihad" and it's interesting that such a topic is now hitting the mainstream media (at least in India). I wonder if the good folks over at the Googleplex could tell us how many emails (just volume-wise) are sent around GMail every day with the term "jihad" ... with a recruiting intention.

Makes me wonder whether Google's already doing that sort of analytics ... or if that's the next step?

What do you think?

What privacy? I use Google ...

When news got out that Google had indexed GoogleVoice transcribed voicemails the other day some people were shocked, some angered ... I just figured it was par for the course as far as Google is concerned. I think the lovable bear has now become the over-grown monster.

You're not concerned, right? Is it time to get the tin-foil hat out?

First, let's see how Google interacts with us in our daily lives ...
  • Google Analytics (website cookie-based tracking)
  • Google AdWords (advertising)
  • Google GMail (email)
  • Google Voice (voicemail)
  • Google Maps (local, national, global maps)
  • Google Docs (documents stored in the "Google Cloud")
  • ... and this list goes on, and on, and on, and on ...
So you see folks... this should start to concern you, deeply concern you. Google likely knows more about you than your parents, your spouse, or even your employer - which brings up an interesting point...

What's stopping Google from launching the next great Google service - "Google Complete Profile" ... that's right Google can combine all the information it has on you from many, many disparate (and hopefully segregated) databases and offer anyone a complete profile on you -for a price.

Think I'm crazy? Google can index where you like to eat, what you search, what sites you visit, what you buy, where you go to, who calls you and what calls you make, what documents you write and what emails you get. Combining that into a complete personal profile is an absolutely terrifying idea.

Sure, it's no big deal that the largest data-mining organization on the planet has every piece of information about me that's crossed the Internet ... or is it?

Put the pieces together! Some of you get fired up about the government's Patriot Act and spying on US citizens ... but what about Google spying on YOU?! I'm not saying that I know of any specific projects within Google to conspire with, say, the US Government (or any other governments for that matter) but let's pretend we believe in conspiracy theories for a moment. Let's pretend that Google is feeding all the information that it has about all of the users it has through a monstrous analytics engine and then red-flagging suspicious activity which is then forwarded to the proper authorities.

Did you search for "pipe bomb", then map out directions to the local Radio Shack or hardware store? Did someone send you an email with schematics and/or reference revolutionary ideals? Did you get a voicemail or place a call to someone that's already "on the list"? Was there an email thread or newsgroup you participate in that would red-flag you in conjunction with the other things already mentioned?

So, call me crazy, call me a conspiracy nut ... but I'm going to keep wearing my tin-foil hat and limit what information I give to Google voluntarily ... but I suspect that it will be a futile effort, given their depth of penetration into our daily lives.

What do you think?

Wednesday, October 14, 2009

Infosec is Rotten

You know what I just noticed? We are a really, really nasty group of people. InfoSec has gone from being an unruly pirate mob where everyone's just happy to be hacking away at something, welcoming new faces to just being plain nasty. Exclusion of anyone who doesn't think like us, nastiness to anyone who will admit to being "new" and other sorts of anti-social behavior are going to ruin this industry if it's not too late already. I've been reading blogs, mailing lists, and such for as long as some of them have been around and I have seen the de-evolution and it's gotten to a point where I can't take it anymore.

Jump on a mailing list, read a blog comment roll, or Twitter and you're bound to find people just flat out being nasty ... I just can't take it anymore. Looking at the ugliness that's visible from space, here are just some of the things that I've observed and learned (in no particular order) ...
  • If you're new, and you dare state that in a post/comment you will be flamed by the "super-senior-jackass-know-it-all" ... guaranteed. Never admit you're "new to security"...
  • Pursuant to above... Apparently newcomers are not welcome in security anymore
  • There are cliques, just like on the playground in grade school, made up of people who are too stupid to think for themselves and feel like they need to attack others who aren't like them ... I think we call those gangs in real life.
  • There are experts who teach and "experts" who would rather hoard the information and call you stupid ... learn to see that distinction
  • Most mailing lists are at very least civil, Full-Disclosure is not one of them
  • There are certain people who just need to change their name because they've managed to piss off everyone in the industry, ahem
  • A few particularly big smart-asses like to hijack your blog post by starting a war in the comments section. Those are called comment-trolls and should be moderated out.
  • There are actually people for whom the Mac vs. PC vs. Linux war never died ... they're like religious fanatics only worse because you can't just slam the door in their face
  • No one with a legitimate column in a "real publication" has any idea what they're talking about because they're too busy trying to be politically correct or pandering to the company paying them to blog/write ... so sad
  • It's safe to assume that most industry analysts working for large companies of that nature are bought and paid for to speak a certain opinion ... let's just let it go
So there you go. We're a nasty group but let's not paint it all black ... there are plenty amongst us who are willing to teach, take in new recruits and would love to sit down and talk with just about anyone. I shouldn't paint the whole industry this way ... but if you're just looking around it's easy to find this infighting and the problem is that it kills the types of things that would ordinarily flourish like exchanges of ideas, new thinking and creativity.

Let me say also that if you've got an idea and someone wants to tell you that your approach is wrong, listen to them. Maybe they're right, maybe not - but in the end if you have two opposing viewpoints you can only become more intelligent by understanding both of them!

Anyway ... I just couldn't let it go anymore so ... let 'em fly.

------
Quick clarification: For the one on people with a legitimate column in a "real publication" ... think about all those "columnists" who wrote about how the SideKick issue was a great example of "cloud failure". Forget that it has as much to do with "Cloud" as Darwin did with the Enlightenment - it was a matter of journalists writing blindly to try and attract people who then read their crap and highly broken group-think emerges. If you're a journalist you have a responsibility to triple-check your facts, make damn sure you know what you're talking about and for Heaven's sake ... when in doubt ask Hoff (on Cloud stuff) ... Anyway - that's what I was pointing out specifically.

Monday, October 12, 2009

Reporting a Phishing Email

So this afternoon I open up my mailbox and oh, look ... "HSBC Bank" has sent me an email. Given that I don't have an account there, and my email client is already telling me this is phishing (well, duh?) I decided that I would give it a read just for the comedic aspect of it.

Honestly, I expected something sophisticated, well-disguised, maybe even official-looking. I was sorely disappointed:
HSBC BANK PLC
452 5TH AVE. NEW YORK,
NY 10018. USA
http://www.us.hsbc.com

Ref No: HSBC/30A/IPF-09Z

RE: INSTRUCTIONS TO CREDIT YOUR BANK ACCOUNT WITH US$5,000,000.00

We at this bank wish to congratulate and inform you that after thorough review of your unpaid funds in conjunction with the World Bank Auditors report, your payment file was forwarded to our bank for the immediate transfer of a first installment amount of US$5,000,000.00 to your bank account.

The Auditors reports shows that you have been going through hard times by paying a lot of money to see to the release of your funds, which has been delayed by some dubious officials that dealt with you in the past.

We therefore advice that you stop further communication with any other group, individuals or institutions, since you do not have to pay any money or transfer fee to receive your funds as you have met up with the whole funds transfer requirements.

Should you follow our banks directives, the first installment amount of US$5,000,000.00 will be credited and reflect in your bank account within 3 to 4 bank working days.

For further information on this funds transfer notice, kindly send to me the following:

(1) Your Full Name:
(2) Phone, Fax and Mobile Number:
(3) Company Name, Home Address:
(4) Profession, Age and Marital status:

Yours sincerely,
Mr. Williams Baron
HSBC Bank Plc, USA

Disclaimer
*****************************************************************************
The information contained in this e-mail, any attached files, and response threads are confidential and may be legally privileged. It is intended solely for the use of individual(s) or entity to which it is addressed and others authorized to receive it. If you are not the intended recipient, kindly notify the sender HSBC BANK by return mail and delete this message and any attachment(s) immediately.
*****************************************************************************
What disappointed me more, though, beyond the sheer stupidity of the phisher - is how hard it was to report this to HSBC Bank and let them know about it. Why is it difficult to be a good, responsible human these days?!

I thought I'd approach this as a regular person might and not use my mad Google skills ... but rather hit HSBC's homepage first. There's really no link/button that pops out at me (the user) that says "Click here for information on security/privacy". Thinking I may just have to go dig into the specific region I clicked the link for North America ... unfortunately not much changed.

What I did notice after looking around the page is at the very, very bottom of the page, in light gray-on-white font there is a "Security" link. Are people really expected to see this link?! Why is something so important as security buried so far down in the page, and in a color that's so low-contrast that it took me a second look to find it? Now, I don't want to question the good bank's motives here - but do they really want people finding this link and reporting security issues?

Anyway, clicking the link brings you to a page that asks you to either sign in or sign up for personal/business banking... so it looks like all hope is lost if you're not a customer trying to be a good Samaritan and report a problem to them, right? Luckily the menu bar along the left has a nice selection of security topics to choose from so when I clicked the Fraud link I finally found something that looked like I was headed in the right direction (here). Sadly, even though "Phishing Scams" was a big item in their FAQ, and the document gave some really insightful information about how to keep from being a victim of phishing ... I was still baffled as to how to actually report a phishing email I had received. Does HSBC care or even want to know? - I started to ask myself.

Just then my eyes glanced across the page and found a phone number in bold letters ...

Of course I immediately called the phone number! ... and was promptly disappointed to find that I had to poke around the system as this was their main call-center phone number and the only trace of reporting phishing was a message about "support for internet banking or pin reset". Going into that menu left me completely befuddled as I found myself being asked for my account number (or SSN, yikes?) multiple times by the system in order to continue and I almost gave up. Just when I was giving up, I kept pressing numbers in that last menu until I got a voice! The person on the phone was kind enough to direct me to an email I should simply send the phishing email to: usphishing@us.hsbc.com.

While I had now sent off the phishing email I had received, along with my contact information I still felt unfulfilled. I was curious how this wasn't posted anywhere visible. Curiously ... it was given a little Google-fu. This page [http://www.hsbcusa.com/hsbcusa/abouthsbc/contacthsbc.html], actually produces a link that clearly asks you to report Phishing and Spoofing scams to that email address - but why couldn't I find it?
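One thing the bank's abuse team needs that a pasted copy of the body does not carry is the original headers (Received:, Return-Path:, Reply-To:), which are what let them trace and block the sender. The script below is an added example, not something from the post or from HSBC: it parses a phish, pulls out the headers a triage analyst looks at first, and builds a report that carries the untouched original as a message/rfc822 attachment. The sample message is constructed for the example (every header in it is invented, on the reserved example.invalid domain), and the report address is the one the author was given by phone in 2009, so it is an assumption that may no longer be valid.

```python
"""Added example: report a phish with its headers intact.
Sample message constructed for the example; the report address is the one
the author was given by phone in 2009 and is assumed, possibly stale."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict

REPORT_TO = "usphishing@us.hsbc.com"   # from the post; assumed, may be stale

# Constructed sample modelled on the mail quoted in the post. Every header
# here is invented; example.invalid is a reserved, non-routable domain.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@example.invalid>
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
    by mx.example.net with ESMTP id 4F2A1; Mon, 12 Oct 2009 14:03:11 -0500
From: "HSBC Bank Plc" <customerservice@example.invalid>
Reply-To: williams.baron@example.invalid
To: victim@example.net
Date: Mon, 12 Oct 2009 14:02:58 -0500
Message-ID: <phish-0001@example.invalid>
Subject: RE: INSTRUCTIONS TO CREDIT YOUR BANK ACCOUNT WITH US$5,000,000.00
Content-Type: text/plain; charset=us-ascii

We at this bank wish to congratulate and inform you that after thorough
review of your unpaid funds ... kindly send to me the following: ...
"""


def parse_mail(raw: bytes) -> EmailMessage:
    """Parse raw RFC 822 bytes with the modern (header-aware) policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def triage_summary(msg: EmailMessage) -> Dict[str, object]:
    """The headers an abuse desk looks at first: where it claims to come from,
    where replies actually go, and how many relays it passed through."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", from_addr))[1]
    brand_text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    return {
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "reply_to_domain": reply_to.rpartition("@")[2].lower(),
        "claims_brand": "hsbc" in brand_text,
        "received_hops": len(msg.get_all("Received", [])),
    }


def build_report(raw: bytes, reporter: str, report_to: str = REPORT_TO) -> EmailMessage:
    """Wrap the untouched original as a message/rfc822 part. Pasting the body
    into a fresh mail drops Received:, Return-Path: and Reply-To:, which are
    exactly what the bank's team needs to trace and block the sender."""
    original = parse_mail(raw)
    summary = triage_summary(original)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Phishing report: " + original.get("Subject", "(no subject)")
    report.set_content(
        "Attached, with full headers, is a message impersonating your brand.\n"
        f"From domain: {summary['from_domain']}\n"
        f"Reply-To domain: {summary['reply_to_domain']}\n"
        f"Received hops: {summary['received_hops']}\n"
    )
    report.add_attachment(original)      # serialised as message/rfc822
    return report


if __name__ == "__main__":
    print(build_report(SAMPLE_PHISH, "reporter@example.net").as_string())
```

Most mail clients expose the same thing as "forward as attachment"; the script just makes explicit what that option preserves. Hand the resulting message to your own SMTP relay (for example with `smtplib`) rather than to a webmail compose box, which may rewrite or drop the embedded headers.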

Turns out, there are two separate things at work here. First off, in my desperate need to find someone in security to send this to, I completely neglected to look at the "Contact Us" page ... where the phishing email link lives. Second, HSBC's site is laid out a little strangely; I would suggest that the "Report Phishing" link also be placed under a more prominent security heading.

One thing still bugs me ... how much does a major world bank really care about security if they've got the link to it buried down in the page, in an impossible-to-see contrast and font size?

Don't get me wrong, I'm not slamming or singling out HSBC here - just about every bank is like this ... I invite responses, rebuttals or commentary, as always.

... still feel good about on-line banking?