Friday, July 31, 2009

Anti-Malware-Virus-Badware FAIL

In case I haven't said yet enough yet ... "Anti-Virus" is a dead technology. Period.

Whether you're calling it "Anti-Malware", or the traditional "Anti-Virus" name, it doesn't matter, the concept was OK back when humans could keep up with virus writers, at least reasonably, but now that time is over... by about 5 years.

Have you noticed how many new pieces of malware come out in a day? There have been a plethora of reports lately (like this one from Trend Micro) which are conclusive proof that current anti-malware solutions are miserably failing... but who's listening? Let's look at some of Trend Micro's metrics...

Between October 2008 and June 2009, Trend Micro performed over 100 assessments on enterprises worldwide and discovered that:

  • 100 percent of them were infected with active malware
  • 50 percent had at least one data-stealing malware hidden in their networks
  • 45 percent had multiple data-stealing malware infections
  • 72 percent had at least 1 IRC bot
  • 50 percent had 4 or more IRC bots
  • 83 percent had at least 1 malware Web download
  • 60 percent had more than 20 malware Web downloads
  • 35 percent had at least 1 network worm
Wow. Just WOW.

How do we justify what we spend on anti-malware defenses when we are still getting compromised, having our data stolen, and rooted over, and over, and over...???

I'll tell you how - the Kool-Aid that our management is drinking has gone to their heads. The sales and marketing campaigns that anti-malware companies have put behind these failed products is absolutely epic. The amounts of money spent on marketing failed products like "anti-virus", I'm willing to bet, is more than most companies spend on IT budgets in a single year! What does that all add up to? The current state of ignorant vulnerability. We as IT professionals buy into this technology because... why? Because there isn't anything better? Because it's what we've always done? Why aren't there better solutions?

While doing some research into malware recently I snagged a few pieces of code that were graciously given to me by "anonymous" (yes, the same person who posts comments here) ... which were hitting 0% detection rate -days, and some weeks after being deployed in the wild and racking up hundreds to thousands of infections. Sites such as VirusTotal and some of the other ones out there were (at best) detecting at ~5%... across all the major scan engines in existence.

Stop and think about this for a minute. The PCI-DSS requires that you have set up, and maintain a "vulnerability management program"... which effectively (by the document's current v1.2 standards) breaks down to "Requirement 5: Use and regularly update anti-virus software or programs". With metrics like near-zero detection rates, and Trend Micro's analysis of 100% of companies being compromised in some way... how do we justify this as even raising the bar? It's NOT raising any bars ladies and gentlemen, not at all.

The industry best-practices, and guidelines are where the rubber meets the road for IT Security... and that point happens to be failing miserably right now.

So let's put out some suggestions then, right? For the average enterprise... this should be a no-brainer checklist...
  1. Take away administrative rights from everyone except administrators*
  2. *Administrators should only log in using admin accounts to perform specific duties
  3. Always make sure you're patched... make that a #1 priority
  4. Limit your user's access to non-filtered content (I highly recommend a white-list approach)
  5. When-ever possible use a read-only virtual machine where an infection would not persist
As far as vendors and innovation go - we've got to be able to do better than signature-matching... I just don't believe there isn't a better way. I recall back in the day Okena's StormWatch product (I think that was the name) had the right idea of essentially performing behavioral analysis on a machine to detect anomalies... but then Cisco bought them and... then came CSA. Hrmm...

What needs to be done is some vendor has to work directly with the OS manufacturer to effectively baseline processes, services, binaries and expecte behaviors. I realize this is a monumental undertaking but Microsoft and Apple (since we have to include them both here... both are equally vulnerable to user-ended attacks) have a duty to their customers to work to build a secure operating environment.

The most difficult part of this, of course, is all the add-ons that will inevitably happen along... messaging clients, gadgets and widgets, games end-user utilities and other toys that users simply can't help themselves but download and install. But there has to be an alternative to signatures.

Of course... every once in a while you read about something like this... and it just takes every security counter-measure from the OS level and up and throws it in the trash. C'est la vie.

If you'd like to read more on the topic... or simply want to read about the apathy that exists out there from these atrocious numbers, read George V. Hulme's (@GeorgeVHulme on Twitter) article "Uncomfortably Numb: Malware Counts".

Thursday, July 30, 2009

31337 Spotlight: @SecurityRant

Hey everyone... as we roll on to Post #300... we get to know more interesting people in the InfoSec world. Today's victim of the limelight is someone who affectionately goes by "SecurityRant" on Twitter. While I don't know anything about this person - other than they have a dislike for my 31337 Spotlight series... and ironically couldn't wait to get on the page here - the interview is quite interesting. SecurityRant always has something to say, which is no shock... and it's usually disagreeing with what I'm going on about (again, no shock).

Love him (since the profile of SecurityRant seems to point to a male) or hate him... the brutal truth always comes at you like a ninja-star through the mouthpiece that is SecurityRant... so I won't stand in your way any longer... meet ... SecurityRant!

  • So... "SecurityRant" - tell us something about yourself
My name is @Securityrant I've worked for financials, governments, International organizations, security vendors and lately for MultiNational United. In my job I've handled nuclear material and I knew there were no WMD's. I've ridden mopeds with Russian boarder guards, sung songs in small sailing towns with polish sailors while drinking un-pasteurized beer. I've had diplomatic immunity and have know cold war spies. I know how to break down and service an AK-47 or an M4, I've learned the power of playing guitar on the beach next to a fire. I've been through a police interrogation (complete with bright lamp) and worked along side the secret service. I've altered my mind though various substances, climbed some of the tallest mountains in the world and have taught myself how to code in at least 10 different languages. I have written viruses and have exploited OS's and systems that don't exist anymore. I have run a BBS in central Europe, owned a FidoNet address, was a 150 level wizard/coder on the most popular MUD in Finland. I once brought down an entire International organization because of a typo in my code, oops. My favorite computer ever was a NeXTstation. I listen to industrial, metal, techno, trance, trip-hop and ambient. Some people think I can see the future, the truth is I am just good at pattern recognition. I don't believe in god. I'm an INTJ. There is less than 6 degrees of separation between me and Kevin Bacon. I can be a little annoying. I can keep a secret. I gave up most of what I listed above for money and a suit and if you knew who I was you wouldn't believe any of this because that's exactly the way I want it. Last but not least, in this entire paragraph I may have embellished the truth a little but I'm only lying about one thing.

My friends, I am the most interesting hacker in the world. I don't always drink, but when I do, I prefer a gin and tonic.
  • What types of technologies do you focus your 'hacking' on (and why)?
I hack the only thing worth hacking: Life. For any given encounter or personal goal there is always a set of words and actions that if played out in the right order can get you just about anything if you are really good at your craft. In every job I've ever had, I've been able to breech the security of the facility/place I worked. I used to report it and write it up, but these days I just do it for kicks and keep the details to myself. My approach is always a blend of physical and network penetration techniques. Some might say that's cheating but I say only the end result matters and I'm not doing this for the glory. My current project is reverse engineering the necessary steps to massive amounts of personal wealth. I think I'm pretty close.
  • What your most famous/proud accomplishment over the course of your career?
Wouldn't that be more of a curse if you could look back on your career/life and say that was my greatest moment? To me looking back like that just means you know you reached your peak and it's all downhill from here. The only time I look back is to learn from my mistakes, not my victories, and I've made _a lot_ of mistakes, but there is one accomplishment that I'm proud of: not being noticed. My greatest skill is to be underestimated, people just don't see me coming. But it's a double edged sword. It's something that gets me in trouble with people because they don't know if they can trust me (they can, assuming they have integrity themselves) or they think I'm slacking and it's why I'm angry a lot of the time. BTW, if you keep a low profile you learn real fast who are the people who just want to stand on your throat to get ahead because they ignore people who keep a low profile. This industry is filled with attention whores and vendor bullshit and it drives me nuts.
  • What got you started in Information Security...
You know that movie with Angelina Jolie and that guy named Zero Cool? Just kidding. The same reason any of us got into InfoSec - because of an uncontrollable thirst for knowledge, because I wanted root on everything (which was really naive BTW). I didn't really get into InfoSec, I just woke up one day and realized that's what I did for a living. I despise that the InfoSec industry even exists because if we were all doing it right, security would be part of everything we do, not something independent that we paint on after the house has been built. If a system or process is well engineered from the start, it's resistant to misuse and attack by default (notice I said resistant, nothing is ever secure over time). Security should be like air, only noticed when it's missing. Eventually my desire for knowledge led me to the desire to create something which is why I started working for security vendors.
  • Tell us something that people rarely know about you?
My true Identity, which I'm not going to tell you and all that stuff I listed up above. Since I'm not going to answer this question, I'll answer something else: Why am I here?

Why am I here?
I'm here to speak bluntly about the nonsense in the security industry and just call it the way I see it. I want to be fair however, if there is true innovation and something cool then I intend to draw attention to it as well but as luck would have it, there is more to be critical about than there is to applaud these days. Securityrant is anonymous because I don't want this to be about me personally (which by answering agreeing to this interview I'm breaking that rule a little, oh well). I want this experiment to be about the things I draw attention to, not me, but I do want the ideal represented by @Securityrant to be famous in a kinda Guy Fawkes, V is for Vendetta kind of way. Part of that means letting others contribute to Securityrant as well and I invite everyone to participate. If there is something you think needs to be said but don't want to be the one saying it, send Securityrant a direct message and Securityrant will get the word out assuming I don't think you suck.
  • BONUS: What was your first computer system?

The Atari 800, after that it was anything and everything I could get my hands on. BTW, why is it that hackers always want to talk about their first computer system? I think it's a not so secret attempt to try and prove how "elite" you think you are. I just said I cut my teeth on an Atari 800, does that make me elite? No it means I'm a freaking dinosaurs and doesn't prove I have skillz in any way. Now if I had said a PDP-11, now that might have been worthy of a little respect. See what I just did there?

Wednesday, July 29, 2009

Learning the Lesson... the "Hard Way"

"In the land of the blind, the one-eyed man is king."

-- I guess you just don't realize how difficult it is to actually secure something until some of the people the industry respects, go down in flames. Enter ZF05. (link is now broken)

"Zero for Owned" was released yesterday, detailing the brutal hacks on some of the people (and sites) the security industry, check that, the White-hat segment of the security industry, consider the best and brightest. If I may, for one brief moment, indulge the ZF0 crew(?) with a quote (I fixed some typos)...

"It's July 28th, 2009! Welcome one and all to the real Black Hat Briefings. Livefrom the underground, coming right at you free of charge. You don't have to pay to come, and you don't get paid to be featured. Presented by real blackhats, this is a must-see event!
This is a big one. We hacked notable whitehats Kevin Mitnick, Dan Kaminsky, and Julien Tinnes, among others. We continued the skiddie holocaust with darkmindz, elitehackers, hak5, binrev, and blackhat-forums. Along the way we created mass mayhem. There are more rm's in this zine than you can count on a hand. Just fromtargets shown here we collected about 75,000 passwords. Passes, not hashes. If you are reading this, then your browser probably did not crash, so you know we couldn't include all of our passwords, let alone hashes. The first version of this was ten times the size of ZF04."

That's pretty powerful stuff. Let me be clear - I don't think it was right of the ZF0 folks to publish personal emails, communications and nasty details... I don't care how much of a douchebag you think someone is... no one deserves that. It does show a serious lack of moral judgement and personality ugliness.

Moving on past all the interesting details ... a singular theme runs through this entire zine... no one is safe. If you've not heard someone say it before, memorize it -

"There is no such thing as secure."

If you don't believe me (the above quote)... look around. Matasano - the 31337 of 31137... pwn3d. Dan Kaminsky, Kevin Mittnick and many other people we have grown to respect... pwn3d. Are any alarms going off yet?

Forget the personal attacks, forget all the nasty things that this dug up... it's irrelevant. What we're learning here is that there is no such thing as a totally secure system - even by those who are researching, teaching, and living high-security. This makes sense, I hope.

At the risk of going off on a rant... this can't be news to anyone! If you've ever told someone you can completely secure their assets you're a moron. There is no secure, there is only minimized risk. Every system has some level of risk of being compromised... did you write every line of code on every piece of software you're running and using? Hell no! Do you have a reasonable expectation that the code you're running for your OS (whether you're in Windows, Linux, OSX, or what-not) your mail server, your CMS, your twitter client - any of that... is even remotely secure? Again, hell no!

So is the world coming to an end?
... has every system been compromised?
... ... is there no hope of any kind of reasonable security?

Get over it. Things are going to get hacked but you need to learn a few lessons from this, and for that I think we have to say thanks to the boys (and girls?) at ZF0...

  1. Don't re-use passwords (even it's just across different systems you have access to, different customers, high/low security, etc)
  2. Segment, separate and compartmentalize so that a single compromised point-of-entry doesn't turn into a complete pwn (didn't we learn this back in... 1997 or so?)
  3. Minimize your risks! If you don't have a damn good reason to put extremely sensitive stuff on an internet-facing system... uhmm... don't
  4. Don't assume that because you're smart - that you're intelligent
  5. Accept that at some point... you will be hacked. Get over it.

So... sucks for the people who got pwn3d but at the end of the day - know we (those that actually understand security) don't think any less of you [unless we didn't like you already]. Understand that we'd prefer that everyone worked together to make things better rather than this stupid in-fighting like you see on the playground in 3rd grade recess.

Writing good, secure code is always 10x more difficult than pointing out bugs... so if all you're doing is hacking and breaking without actually contributing to the greater security of things... you're a cockroach. It obviously doesn't require a rocket scientist to find a new way of thinking the engineer didn't envision to break something down... hell, even a blind squirrel finds a nut eventually -making sure that your code stands the test of time, peer reviews and inevitable malice is the true genius.

Play nice. Work towards the greater good.


Monday, July 27, 2009

31337 Spotlight: Andre Gironda

The most beautiful thing about the hacking or Information Security community is the diversity of opinion. If you ask 2 different people, you're likely to get 2 different answers. Nowhere is that more apparent than with the character I have for you folks today... one Andre "dre" Gironda. The first time I met Andre was on a mailing list and subsequent blog post where I was flamed for my views on Web App Sec... and while I tend not to take things personally this "encounter" was one of the things that's made me work harder to evangelize the realities of Web App Security, and security in general. Andre gave me a healthy dose of his logic... and while we've had our disagreements I think he's come a long way in the last year or so... and while I've not met the guy in person - I do aim to... to see if he really is a really, really, really nice guy. [For the record, using Jim Manico as a character reference? hrmm.... I'm joking Jim!]

Andre's always full of fire-brewed opinions, unique logic and sometimes a flare for the dramatic... and while we don't always agree - I think he's someone that doesn't get enough credit for the contributions he's made to the industry. This is "dre"... in his own words...
  • Andre - tell us something about yourself
My name is Andre Gironda, though some might know me by the handle "dre", as in "Dr. Dre" or "Mac Dre" or perhaps even "Andre Nickatina". I write for the blog. I give talks usually at places like Toorcon or local OWASP chapter meetings. I don't support big events like BlackHat, Defcon, or even OWASP AppSec because I feel lost in the crowd and it always feel like I never learn anything or meet any nice people. I promote myself as a very vendor/product neutral industry analyst and information security management/risk management adviser. I dislike commercial products. I even dislike most open-source projects. Sometimes I prefer pencils and paper. My cell phone doesn't accept text messages and has a data rate of less than 10Kbps. I use a 6 year old X series Thinkpad, which is my most expensive
possession. I'm ghetto, yo.
  • What types of technologies do you focus your 'hacking' on (and why)?
I'm a generalist. Because of my involvement with OWASP, I tend to focus a lot on web applications, perhaps ones in the payment industry space. In the 90s, I used to break networks and force revisions of CatOS and IOS, as well as discover VLAN leakage and major architectural issues such as the lack of route filters at major peering locations and esoteric DoS/DDoS issues. I have been a proponent of technology innovations such as Optical Ethernet, Virtual Infrastructures, and Service-Oriented Architectures. I used to fling acronyms like CPT (which we all know probably stands for Compton), but now I'm all about ALM (which you'll have to figure out on your own).

I like the idea of hacking people and process. I like the idea that I can use my hacking skills for good and cause organizational change through discovery of
organizational management and behavior. A real "hack" to me is to take a disfunctional organization and turn it into something awesome. I lay the
smackdown on some fools, know what I'm saying?
  • What your most famous/proud accomplishment over the course of your career?
Mentoring. I like adult educational theory and learning. I'm a horrible presenter (be sure to check out videos of me from Toorcon 9, Shmoocon 2008, or most recently at Toorcamp), but I'm a good teacher over the Internet, one-on-one, or in small groups. I'm like Michelle Pfeiffer in "Dangerous Minds".
My hubris is that I'm a bullshit-detector and a skeptic. This causes me to appear as if I'm fighting with other analysts or infosec professionals. For me, this is old hat -- hacker groups used to fight (i.e. red/blue team) each other on systems and networks. Obscenities would occur. People's landline phones, public service utilities, garbage delivery services, and other "too close to home" comforts that we take for granted were suddenly snapped away (or changed in some hilarious way) based on online hacker wars. This was all in good fun back then. When you met the guy that you 0wned in person -- you bought him a beer and it was all good. Maybe you pissed in his office trashcan later that same day, but usually it was from too much drinking and not the forlorn bitterness. I miss bringing bottles of OE to vendor events and fancy dinner parties. I'm going to pour a whole 40 into the ground at the nearest park once I leave work today for all of my missed homies.
  • What got you started in Information Security...
I knew a bunch about Unix systems and network technologies such as bridges, T1/DS3/SONET/BLSR/UPSR hierarchy, the "old kind of terminal servers" with modem pools and manual dialed-number hunt-groups, as well as higher-layer Internetworking. Then I logged into this BBS called UPT, ran by Tom Jackiewicz and Lane Davis. I started using Satan, PGP, SSH, and S/Key more and more often instead of occasionally. Then I got a job. Bling bling.
  • Tell us something that people rarely know about you?
I'm a really, really, really nice person -- "in-person". Ask Jim Manico from the OWASP Podcast. We finally met in-person two weeks ago, and it's been fun working with him on the Podcast News. It was great to have you on there as well... you'll have to join us in our roundtable news segments. Shout outs to my peeps.
  • BONUS: What was your first computer system?

I clearly remember a Magnavox Odyssey² as the first piece of hardware to bring home and play with in 1979. My favorite computer of all time is one I still own: a Sun SPARCstation IPX with the Weitek 90mhz write-back cache processor (instead of pipeline burst), the memory extension board, and the SBus memory expansion card (bringing it to a total of 128MB of memory). I even have the microphone, laser mouse and pad, as well as the purple "L" to put it on its side. There's some sort of crazy framebuffer SBus card in the other slot with just as much video memory. Sun4c was clearly my favorite computer platform of all time. Respect.

Friday, July 24, 2009

31337 Spotlight: Trey Ford

Happy Friday-Before-Black-Hat-and-DefCon folks!

As you're undoubtedly packing and getting ready to run off to this weekend's Black Hat and DefCon conferences out in Vegas - I have a real treat for you guys. Every once in a while I get to write about someone I can call a real-life friend... and someone that's both respected and admired both for the contributions to the Information Security field... and to humanity. Trey Ford is one of those people who are just as genuine in person as they are on Twitter (@treyford), his blog and standing in front of you extolling the virtues of PCI Compliance.

Speaking of PCI Compliance... if you've got PCI DSS questions, Compliance questions, or just need help - he's one of those people that I can safely say has a truck-load of knowledge and is almost always ready to jump on the soap box or lend an ear... His blog is over here... he's had some great material on there over time too!

So... let's learn something about Mr. Trey Ford (aka "Capt. PCI")!
  • Yo Trey- tell us something about yourself
I am just a business guy that loves technology. A Christian, athlete, motorcyclist, pilot, cook, and (per Mike Dahn) an OCD hobbyist. I am an energetic guy that lives out of a suitcase, loves people and seeing the world from their perspective. Track me down at|at|whitehatsec|.|com, ISSA/OWASP meetings, various InfoSec / IT conferences and @TreyFord on Twitter.

  • What types of technologies do you focus your 'hacking' on (and why)?
I currently focus on the application security problem.

I was previously doing pen testing, social engineering, and compliance stuff with some really great clients. The one problem that kept coming up my assessments EVERYWHERE was website security. The solutions of yesterday just didn’t make business sense. My clients and peers needed something more flexible, and that search brought me to WhiteHat Security.
  • What your most famous/proud accomplishment over the course of your career?
LOL! Raf, I am a humble young man, not sure that I have anything famous to mention...

I guess something I have contributed *professionally* is making compliance a business enabler by focusing on risk management (based on the OCTAVE model.) Someone really wise once said that necessity is the mother of invention.

It started on a two hour car ride where I was told to read this (VISA CISP) --, we walked into a CISO briefing where I was asked to discuss how this Fortune 500 should start their payment card security program.

I started by asking obvious questions like ‘do you know where all your credit card data is?’ and ‘can you document the entire lifecycle of that data?’ and ‘do you have real business need that justifies 1)keeping and 2)paying to protect everywhere you use that data?’ I just didn’t know where to dig a moat or build castle walls without that information. The strategy was clear, the individual requirements were details to be sorted out later.

Seriously, it was a total accident (somebody please thank Paul Klahn for not warning me), but I guess it worked out. Now I can’t hide from that PCI stuff. (help?)

That work continued, affording opportunity to build a compliance practice, a PCI team that fought against compliance obsession, managing risk and ultimately saving loads of money and trouble for our clients. The lessons I learned were due to the patient individuals that worked with us to solve some really complicated problems, lessons I carry with me today.

I am not currently an ‘active’ QSA, I work for an organization wholly devoted to measuring and managing risk to website security. Their amazing client base, the conferences that graciously allow us to speak at, and our partners and prospects allow me to continue serving those still wrestling with PCI initiatives. Today I serve the OWASP PCI Project when my day job allows me time after hours...
  • What got you started in Information Security...
I was that kid that was building computers and riding his bicycle around town working for the dial-up ISP at 14, so my roots were in troubleshooting operating systems. Some years later I brought a consultant in to troubleshoot failed NetWare logins due to spanning tree protocol. Seeing this guy in action is what started me toward ‘the dark side’.

Seriously, it was just that simple. This gentleman Mark Levy (Micrologic Business Systems in Kansas City, MO) fired up this thing he called a ‘sniffer’ (whatever that is), captured some ‘packets’ (whatever that means), and then started showing me how the login was failing. This guy was phenomenal. I remember clearly Mark pointing to the screen saying, “This packet has is the login and password ... see it?” :)

I’m laughing at him. I’m like, “No, no, no- I know her password, that isn’t right.” He briefly explains the authentication mechanism, how it used hashing (and could be recovered with enough work), and I was HOOKED. Long story short is that Mark Levy, Mike O’Brien, and Mac McMillan took me under their wing and taught me networking. Those Gents set me on the straight and narrow (it was Arian Evans (and the FishNet guys) that corrupted me...)
  • Tell us something that people rarely know about you?
I’m a bit of a dropout. I dropped out in eighth grade and homeschooled (my dad signed my high school diploma.) I dropped out of college (I have like one hundred-fourty-something credit hours of college) (with no degree.)
Ironically I have a massive addiction to learning. Maybe I’ll get to finish college after we secure the Internet?
  • BONUS: What was your first computer system?
My first computer was an Amdek 286 with a HUGE 20 MB drive, 256k of memory and a math co-processor... anybody remember XTree Gold?

--- Whoa... I DO remember XTree Gold! ... a long, long time ago, in a computing universe far, far away ...

Thanks Trey!

Thursday, July 23, 2009

31337 Spotlight: "Quine"

Hello everyone! Welcome to yet another episode of "31337 Spotlight" where I focus on people you may not have heard of, but should definitely stand in the spotlight a little more. Today we shove someone I met only recently into the spotlight... He's got quite the reputation for knowing the right people and just flat getting things done - which is one hell of a statement in this industry if you know what I mean. He's a professional cat-herder during the day on Twitter since he runs "Securiry Twits" of which your humble host is a part... on Twitter (which is where I think he lives) he goes by @quine, but in the real world his name is Zach Lanier - and this is his 6 questions of fame!

Without further ado, I present to you... "Quine"
  • @Quine - tell us something about yourself
My name is Zach Lanier, though some might know me by the handle "Quine". By day (and, yes, night) I'm a "hacker, security weenie, and Security Twit herder". I've been in the information security field (professionally) for about nine years in various roles, including security assessment, incident response, security operations, and architecture. About a year ago, I took over the Security Twits list from its founder, Jennifer Leggio (a.k.a. Mediaphyter), and have been trying to continue growing this fun, knowledgeable, and helpful community.

  • What types of technologies do you focus your 'hacking' on (and why)?
I have eclectic interests, so my focus is...well, there really isn't a focus: it's all over the place. Any any given time, I've probably got my claws in conducting web app security assessments or more *ahem* "traditional" network-level penetration testing, along with corresponding defensive or remediation measures (break, fix, lather, rinse, repeat). Of late, I've been giving increasing attention to technologies like OpenID and OAuth. I think open standards like these can be quite powerful if implemented properly, but really warrant more scrutiny (especially with regard to security) if they're going to gain acceptance on an even greater scale.
  • What your most famous/proud accomplishment over the course of your career?
I can't say I've had any particularly *famous* accomplishments, but I am proud of having the opportunity to work with some really amazing, talented people; participate in and lead some challenging, but rewarding engagements; and help grow a few communities here and there, bearing witness to some great conversations and projects as a result. If I had to be a *bit* more specific, I'd say I rather enjoyed some of the security assessments and penetration tests I've worked on. Some involved the usual bag of tricks like SQLi leading to reverse shells (and snarfing financial documents);

Others, which require a bit more grace and care, involve more tactical, staged attacks. For instance, finding an anonymous FTP server that dropped us into the installation directory for the primary application on the target server. Therein was a file containing credentials, for automatic logon, of a local service account with admin privs. Using those credentials, we dumped the SAM and cracked the local administrator password, which of course was the same password for every local admin across the enterprise. We then used *those* credentials to hop onto some
*very* sensitive hosts (think HL7 data; patient records, diagnoses, billing, etc.). Though the client's jaw dropped when we delivered the news, they were nonetheless appreciative that *we* found this.
  • What got you started in Information Security...
*cues up the cliche-o-matic* I've always had an interest in understanding how/why things work the way they do. Breaking things, pushing them to their limits, improving them, and so forth seemed to mesh well with computers. When I was in high school, I was always being pushed by one of my technology teachers, Mr. Roncallo, to take on "interesting technical challenges", such as figuring out why the network chess server got hosed when it was port scanned. This led to me studying more about TCP and reverse engineering the chess server itself. In my senior year of high school, I was offered a job by a local ISP to do all things network security -- starting from scratch (hey, they were a small shop). Later, the ISP decided to start offering some consulting services to get some additional revenue. I was tapped to do some incident response, penetration testing, and integration, which allowed me to cut and sharpen my teeth on direct, customer-facing work.
  • Tell us something that people rarely know about you?
I can be *really* sarcastic and cynical. Wait, that's not news? Okay, let's see. Most people probably don't know that I happen to like a number of musicals (think "Grease", "Bye Bye Birdie", "42nd Street", etc.); I have my father to, uh, "thank" for that, having been brought up around these productions. Also, in junior high, I dated the daughter of Charlie DeChant, the saxophonist from Hall & Oates.
  • BONUS: What was your first computer system?

The first computer I programmed on was an Apple IIe, during computer class in Grade 1 of elementary school. A couple of years later, my family purchased an Apple IIGS. By the standards of the day, it felt like the IIGS was pretty limited in terms of capability. We didn't have a modem or even a hard disk in the thing, nor did we buy any interesting software for it. I suppose, then, that my first "real" computer was a Macintosh Performa 6200CD I got in 1995. It was that terribly-expensive-yet-surprisingly-anemic little puppy that got me started down the long, dark path that led to security. Side note: I was a *HUGE* Mac zealot back then; I've long since recovered even though I still use a Mac.

Wednesday, July 22, 2009

31337 Spotlight: "FalconsView"

Welcome back, to the 3rd installment of the 31337 series of interviews. This time I have a real treat for you fans of InfoSec. As you probably already have figured out, it seems that in the security world, the breakers and tinker-ers get the glory... rarely do the guys who think big picture and at layer 8 get their moments to shine... well here's one guy that does just this. With a boatload of experience, a great personality and trained in the Gracie school of Jiu-Jitsu this is one guy who's got no room for random verbal droppings.

He maintains a quality blog over at where he's addressing the 8th Layer of the OSI Model... the interface between the real world and your systems - so now I turn it over to FalconsView...

  • @FalconsView - tell us something about yourself
Hi, my name is Ben, and I've been in this industry for 15+ years now, but have only in the past couple years started attending events and uncloaking a bit. My background is from the systems and network administration ranks, but have always been obsessed with security, right, wrong, and so on. These days I've abandoned much of the hands-on tech work to focus on fundamental issues (layer 8). When I'm not working, I'm usually reading or writing. I often feel like one big intelligence aggregation system given all that I read on a daily basis. To unplug, I like to hike, camp, travel, snowboard, practice Gracie Jiu-Jitsu, read comics (Nightwing, Batman, etc.), and just generally chill out watching movies or listening to the latest releases from a variety of artists ranging from (speed) metal to rock to folk to country to classical and then some.
  • What types of technologies do you focus your 'hacking' on (and why)?
I don't hack. I used to play with exploits back in the 90s when I was in college, but I grew bored with it. Hacking doesn't really solve problems. Don't get me wrong, it's essential to the security industry -you have to have the "breakers," but I'm not one of them. As is likely evident from most of my writing, I'm far more interested in the larger problems, which today translates directly to the Layer 8 challenge. Instead, as anyone who's read my blog can probably attest, I tend to be very abstract and philosophical. I try to make a concerted effort to focus on fundamental problems and how they might be approached. Too often it seems that we dive into solutions without properly understanding the problem space. That's ok for people who break stuff for a living, but it's not ok for people like me who are trying to turn this industry on edge in order to un-level the field of battle and change the rules of engagement in our favor. I don't like playing games that I can't win, and right now we're in a no-win situation.
  • What your most famous/proud accomplishment over the course of your career?
To date, my most proud accomplishment was completing my Masters degree at The George Washington University in Washington, DC. Specifically, two parts of that experience were really awesome for me. One was taking Intro to Cryptography from Dr. Brent Morris, formerly of the NSA (of Skipjack fame). It as my hardest class, hands down, in the entire curriculum, not the least of which because he used the grading rubric literally and strictly (no curves!), which resulted in his flunking several students unheard of in grad school). The other part was completing my thesis, in which I created a high-level model for structuring security organizations, of which I'm currently working on a second version that accounts for some of the areas I omitted or that are simply infeasible in real life.
  • What got you started in Information Security...
Superhero complex? :) No no, wait - the money! :) haha, just kidding. I got into infosec through tinkering back in the days of TIGER and COPS. I learned how to execute local exploits under UNIX, accidentally learned about DoS (old school resource exhaustion) when I accidentally wrote a rabbit (fork() can be dangerous!:). Around the same time a high school friend was misappropriating resources at the college where my Dad teaches (and where I was taking classes), trading warez back in the day, and I figured out what he was up to and turned over the fix to the sysadmin. Haven't spoken to that "friend" since then (oops), but it led to fighting viruses on floppies and all sorts of fun back in the old school "here's Trumpet Winsock for your Windows 3.11 for Workgroups" days. :) The rest, as they say, is history...
  • Tell us something that people rarely know about you?
This is probably going to sound weird and come off totally wrong, but... contrary to my writing and communication style in public (tending to be direct, witty/sarcastic, etc.), I generally strive to be open, caring, compassionate, humorous, and understanding of all people. And, for the most part, I succeed. There are obviously times when I'm not approachable, or am suffering from the doldrums, but this is hopefully a very small fraction of the time. Given a chance to get to know me, I think people would be surprised by my real life personality. It just takes time to peel the onion.
  • BONUS: What was your first computer system?

The first computer I played on was a Franklin, which was quickly replaced by an Apple II (due to the lawsuit - see,_Inc._v._Franklin_Computer_Corp). That's the first platform I programmed on back in the early to mid 80s (1st grade, by my recollection). The first computer we ever had in the house was a Gateway 386SX system that I, over time, completely disassembled and reassembled many times, and it was the first platform I installed FreeBSD on (v1.1, I think?).

Tuesday, July 21, 2009

31337 Spotlight: "mckt"

In case you've been living under a rock, allow me to introduce to you another one of the not-known-well-enough Web App Security folks.... Known for his unforgettable pwnage of web sites like McAfee and others using CSRF (Cross-Site Request Forgeries) and brilliant XSS-based hack of "StrongWebMail"... "mckt" is always up to interesting things. Obviously that's not his real name, because in the daylight his ePassport says "Mike Bailey"... and his other one says Haywood Jafixit... so who knows. I count myself lucky enough to have a pretty good working relationship with this guy- so I know he's actually a human being, and not some twitter bot (long story, for another post)...

I caught up with Mike on Twitter (@mckt_) and managed to get him to answer some questions ...
  • mckt - tell us something about yourself
I'm Mike Bailey, and sometimes go by the handle "mckt." It doesn't mean anything, but it's short, hard to pronounce and fairly memorable. I'm a CISO, a geek, an artist, a musician, a foodie, a snowboarder, and a
lousy-but-enthusiastic surfer. I think pirates are cooler than ninjas. I like kung fu movies, punk rock, and motorcycle rides through the canyon. I live in Provo, Utah, which is a much cooler town than people give it credit for, though it definitely is different from the rest of the world.

I'm also a hacker, or "security researcher" if I'm trying to sound innocent. I like messing with things- finding out how they work, how they break, and how to make them work for me. Russ McRee calls me "a good guy, with an evil mind," and I've always liked that.
  • What types of technologies do you focus your 'hacking' on (and why)?
Mostly web-centric technologies. There's a few reasons for that. I've spent time as a web developer so I know how they think. It's a relatively unexplored field, and one that is growing (and changing) incredibly quickly. There's new technology popping up every day, and I get to help make it better. That all adds up to make an awful lot of excitement, which is neat.
  • What your most famous/proud accomplishment over the course of your career?
It's hard to pinpoint one event, but my proudest accomplishment is simply the progress that I've made with my current company. In just a few years, I convinced them they need to take security seriously, rewrote a huge chunk of policy, and vastly improved security education- particularly with the developers. They've still got a long way to go (who doesn't?), but I'm pretty happy about the progress made so far.

I've been involved in a few high-profile things lately- disclosing a CSRF hole in McAfee Secure, and the StrongWebMail hack. Both were fun, but the lesson learned from both is the same: web security is poorly understood, rarely considered, and critically serious stuff. It's not news to us, but it's something that a lot of non-security people need to realize. I'm about as cynical as you are about whether that will actually happen, but it's a good goal.
  • What got you started in Information Security...
The classic story: I got a job in tech support. I enjoyed it- the problem solving, techy stuff. It was a scene I hadn't been a part of for a while. I've always been geeky, having played with web design and some basic coding growing up, but hadn't put much thought into it for a few years. Once I started that job, I picked up a few programming books, set up Debian on some spare hardware, and started playing.

After doing that for a few weeks, I started taking apart some of the apps the company used. One Friday night, I found some problems with the authentication logic in one of the customers' tools- something that would allow me to dump the company's customer database, and it later turned out, access pretty much the entire CRM system. I was stunned, excited, and blown away that anybody could do something so... dumb.

I reported the issue the next Monday, got it fixed, and developed a keen interest in security. While I'd always known that things like that were possible, this was the first time I'd found a hole with such a huge impact, and the first time I realized how critical this stuff was. Within a few months, I moved to a development position (working on that same CRM app) and slowly transitioned to handling security full-time.
  • Tell us something that people rarely know about you?
I studied illustration in college. I was actually pretty good at it, but I broke my arm skateboarding and had to put school on hold while I paid medical bills. I still sketch a lot, but don't paint as much as I'd like. I'm actually thinking about putting together security-themed show- combining paintings with projections of the data leaking from the viewers' iphones, rfid chips, etc. It's something I'd like to get around to, but I don't see it happening anytime soon. Maybe if I talk about it here, I'll commit to it.
  • BONUS: What was your first computer system?

Honestly, I'm not sure, I'd have to check with my dad... it was probably just a generic beige box. I always had hardware around my house, just stuff to play with. My dad's company set up a bunch of EMS dispatch systems back in the day, and I'd go on business trips with him and teach all the cops how the systems worked- that was back when I was like 8 years old. I pretty much grew up playing with computers, never seriously, but I always considered it to be normal kids' stuff.

Monday, July 20, 2009

LoW (Linux on Windows)

Found this while digging through some posts today... it's actually kind of a neat concept.

Portalbe Ubuntu Remix is an Ubuntu system running as a Windows application. You get a shell, file-browser and everything... very interesting to play with.

Give it a shot!

31337 Spotlight: Mubix

Hi! and welcome to the 31337 spotlight. As this blog approaches post #300, a massive milestone in my mind, I wanted to highlight some of the people who really don't get enough coverage, but should. With that in mind I hope you enjoy reading about some of these extremely creative folks...

This 31337 Spotlight shines on someone who goes by "Mubix". He can be found on Twitter as @Mubix and on his blog at Room362... and always has something interesting to say. So without further ado... let's get to know Rob Fuller... aka Mubix.

  • Mubix - tell us something about yourself
Umm.. just another guy in infosec really. I have a bio on my site under "about",
but a bunch of text will never give you a whole view of someone, even if it
comes from the person themselves. So, if you're readers want to know about me,
I'm always open to a good conversation, intellectual, or otherwise, and they can
email me at or come up to me at any of the Podcasters Meetups, Conferences, or local meetups that I go to. Twitter too of course.
  • What types of technologies do you focus your 'hacking' on (and why)?
Right now I'm on a Metasploit / Reverse Engineering / Exploit Dev high. In late
2008 I was getting into a creative rut, and taking the Offensive Security course really energized me. I'm addicted to learning, just like the rest of us. That's always the "why" for me.
  • What your most famous/proud accomplishment over the course of your career?
I wouldn't say anything I've done is "famous" but the accomplishment that I am
most proud of? My Couch to Career talk, and not for my sake, but for the people
who have sent me emails saying how it's helped them display the confidence to
land them the job they wanted. Nothing better than getting those kinds of emails.
  • What got you started in Information Security...
The real answer? I wanted to learn how to hack, how to exploit a machine, how to become the super 1337 h4x0r. That's the honest answer.
  • Tell us something that people rarely know about you?
People are often surprise about how tall I am, (6'4'', which really isn't that
tall). But if I had to think of a "secret" to tell, it would be that one of
my favorite past times is sitting in public, just profiling people (making
assumptions based on actions, clothing, and interactions). I actually taught
my little sister how to do this and she was surprisingly a quick student.
  • BONUS: What was your first computer system?

I was more of a gamer than a computer person, my Game Genie was my first
hacking at home platform. You know, finding the value that held your health and
then making it static at 100. FTW.

Friday, July 17, 2009

Full Disclosure and Publicity

The merits of responsible and full disclosure have long been debated among InfoSec luminaries. The problem with announcing vulnerabilities out into the open is that often it can cause more harm than good if done irresponsibly. It's important to understand the whole debate so I'm going to sum things up, my thoughts, in a concise and simple post here.

The Dangers
First, let's talk about why full disclosure can be dangerous. Disclosing vulnerabilities, like the recent ATM [Automated Teller Machine] vulnerability which was going to be discussed at this year's Black Hat conference, can cause undo risk. When a researcher finds a bug, and the problem hits the public wire right away there is an urgency of risk that is generated around the issue. Often times it's becomes a race between the vendor and the black-hat community to see whether the issue will be patched before a mass exploit is written. The dangers of full (and irresponsible) disclosure is that of exposing an exploitable risk to everyone else and thus increasing the risk of mass exploit or loss

The Good
With the yin, there is the yang. As you can see in the screen shot - American Airlines simply can't filter an ancient file include (../../ was cool in, what, 1999?) vulnerability. The person who posted this to the Full Disclosure mailing list (claims to have) contacted American Airlines repeatedly without results - so the vulnerability goes public in the hopes of getting the vendor to fix their issue.
While I don't agree with this excessive risk, and the public shaming sometimes it's required to get the job done. After all, the whole point of researching, cooperatively disclosing, and remediating vulnerabilities is for the greater good... right?

The Rest...
There are subtle issues here that go beyond whether to disclose publicly or not... and those are hotly debated still to this day.
  1. How long should a vendor be given to respond before a discovered vulnerability goes public?
  2. What is the proper format and forum for disclosing vulnerabilities to the vendor?
  3. How much time should the vendor be given to provide a public announcement and fix before the vulnerability hits the mailing lists and public?
  4. What about the legal liabilities of reporting security research and vulnerabilities?
These and other questions must be answered... and I feel that it may be done in some not-too-distant future by a legal precedent or a regulatory ruling. Of course, I have no misgivings about researchers following mandated regulations... but still...

Thursday, July 16, 2009

Anti-Sec Goes Nuclear

Over the last few days a war appears to have broken out
... at least a war of words... in Internet space... on the Full Disclosure mailing list. Well, OK, it's more like a 3rd grade playground fight... between 2 fat kids.

The initial premise here is (or at least was) that someone claiming to be representing the Anti-Sec movement (that is, those that are against white-hat types... the "good hackers") got very annoyed with the whole concept of full disclosure. They (he/she) wasn't happy with all the bugs that were being disclosed publicly so that people (white hats, and vendors) could make money on it all... (Doesn't this just reek of the "whitehatscum" posts a few months ago?)...

This "Mission Statement" was part of a bigger rant posted to Full-Disclosure as the first shot over the bow...

"We are the Ant-Sec movement, and we are dedicated to eradicating full-disclosure of vulnerabilities and exploits and free discussion on hacking related topics. We are dedicated to stalling the ocean of script-kiddies currently trawling the Internet, and those so called "White Hat Hackers" who benefit financially from full-disclosure; employing scare-tactics in order to con people into buying their firewalls and anti-virus software.

Thus, our new targets are and Both are notable within the hacking underground and the computer security world, and both violate what the Anti-Sec movement is fighting for. Such as it is, both must be terminated...utterly."
Now...there is someone purporting to represent the "Anti-Sec Movement" making some pretty bold statements threatening to take down Milw0rm, HackForums and other white-hat-related full disclosure forums and post sites. Claiming to have at "their disposal" an handful of 0-day exploits including one for SSH and one for Apache (wait... didn't we all just agree that the SSH exploit was bunk?) Ant-Sec is going to take these sites down ... permanently.

Well this would all be even slightly [more] believable if either Milw0rm or were running exploitable Apache (and from the looks of it... it's some Apache variant... maybe... NetCraft can't identify 'em) No matter... maybe Anti-Sec has some awesome tricks up their sleeve?

Well, after some very interesting playgroud-style arguments on Full Disclosure over the past several days with lots of colorful language, mother-bashing, and death threats (on the Internet, really?) someone finally did take down... for a while - but not with any 31337 hack, rather... with a DDoS. How imaginative.

HackForums posted this:
"Recently HF has been under a very large DDOS attack. We have been forced to consider new options for hosting and we have also lost revenue the past few days. Many users have expressed a desire to contribute toward these costs and expenses. Use this paypal donate button and feel free to donate as much as you want. Any donations over $10 will recieve a special donators award. Any donations over $50 will recieve that and the Rich Bitch award as well. I thank you all for the support you have shown. Even if you can't donate your continued membership is valued. Thank you, Omni."
Anti-Sec then posted this very...creative post to the list claiming " Hacked". For the record... there is no such thing as "" you moron. And the accompanying "manifesto", if you can call it that, was this:
Blend in.
Get trusted.
Trust no one.
Own everyone.
Disclose nothing.
Destroy everything.
Take back the scene.
Never sell out, never surrender.
Get in as anonymous, Leave with no trace.

Uhmm... OK. Well let's see... how did "Anti-Sec" do so far against his own RoE (Rule of Engagement)?
  • Blend in- FAIL - hardly, loud-mouth
  • Get trusted - FAIL - by who?... obviously not
  • Own everyone- FAIL - this I'm going to want to see for myself... email me when you own "everyone" (;
  • Destroy everything- FAIL - you've (maybe) successfully executed a DDoS, congratulations you're now as 31337 as my 12y/o nephew
  • ... I'm going to stop there because this is already a train-wreck
Perhaps the finest response to this whole mass of mental vomit is this reply from someone called "Matthew 10:34"...
"Whoever hacked imageshack, I don't know who you are, but I certainly
appreciate your revival of the antisec movement. Imageshack getting
ruined is quite a big target. You guys clearly have the right idea of
how to get the message out.

However, you're missing some essential traits that many of the
original characters of the antisec movement had: a great sense of
humor, a flair for style, and a proper understanding of scorched earth
tactics. By taking the torch for the antisec movement you've got some
pretty big shoes to fill, and I'd like to offer some pointers for you
so that moving forward you may have hope of growing into them.

Jimjones' moral leadership of PHC employed a great use of humor, and
he clearly put his life where his mouth was as he is now in jail for
giving assistance to underground causes purely to satisfy moral
compulsions. I hope you believe in it as much as he believed in it.

You can get a message in front of many pairs of eyes. However, the
majority of the brains connected to them don't even have the IQ
necessary to understand that message. Would would have been a real
lesson to your target audience would have been the permanent
destruction of Imageshack's business model.

Imageshack converts UGC to pageviews to ad revenue. The proper
execution of this ruin would have been such:
* Encrypt a message to a widely-read public mailing list (like this
one) 24 hours before launch with your manifesto, and exactly what was
about to happen to imageshack
* Replace Imageshack images with shock pics and gore
* Release proof in the form of the key to decrypt original message
with plaintext manifesto and announcement

Countless retards' Myspaces covered in pain4.jpg would have
permanently destroyed the perception of Imageshack forever. It would
have left a milestone of a ruined business that people would have
remembered. As it stands, you covered retards' Myspaces with a
hifalutin document that they have no ability to understand and have
already forgotten. Its like you've bought a gigantic amount of
pageviews CPM style and written really bad copy for it.

A few years back, I think 2003 or whatever there was SQL slammer.
Insofar as worldwide impact it was probably the biggest ruin of all
time. There was no internet access or ATMs that worked in my whole
county. That's a pretty significant disruption of services. Nobody
remembers that shit. Any temporary disruption of services or user
experience will be forgotten. To do a truly transcendental ruin, you
have to permanently destroy something, whether it be someone's
business or career. The original antisec movement knew this, and
consistently generated destruction that made a difference in peoples
lives. Men are slower to forget an idea when someone gets nailed up to
a cross over it. (BlueBoar, lookin' right at you)

I hope you grow into those shoes you're trying to wear. They're of the
finest material and craftsmanship."

[For those of you wondering, Matthew 10:34 reads like this: "Think not that I am come to send peace on earth: I came not to send peace, but a sword." ... Fitting, no?]

In case you're left wondering... JimJones and PHC has some history here:

So... maybe this isn't a war amongst hackers for control of the precious information which is 0-day. Maybe this is just about some bored school-kid on summer break, trying to get people all cracked-up and crazy...

So ... in short, I wish my spam filter had caught this... but now I've subjected you to it. Ha.

... then the shoe drops, this afternoon.

Yes, that's right, we're not really Anti-Sec.

We have no 0-day exploits.

We did not hack ImageShack or Blackhat-forums or Astalavista. That was the real Anti-Sec whomever they are.

It was all a big joke.

But our goal was achieved.

We caused a huge stir on We've made them look like utter fools.

Geez, some of them are like "Let's go to the authorities! Mummy and Daddy I wanna go to authorities because my hacking forum has been threatened." What a bunch of wimps. You're on a hacking website. You've gotta expect these things. It's all part of the deal.

We've proved one thing...none of you on should be there...not even Jesse Labrocca. He should spend more time with his family rather then worry about a silly little hacking forum. Or maybe spend more time on your money-making business. Silly person.


Anonymous People
Well, I guess mission accomplished - except that no one bought it. Making crazy claims and threats isn't going to get anyone's serious attention, particularly in the style that it was written and addressed in... plain and simple.

The more serious issue here is around the clash between Black Hats vs. White Hats and the issues of full disclosure and what that does to the overall security of things and the user-state. RSnake (in his podcast with Jim Manico for OWASP) one brought up the idea of Full Disclosure and how it's absolutely necessary (in the right doses) to the continuity of a reasonable level of security- and to keep companies honest.

Well... at least it was entertaining.

Tuesday, July 14, 2009

[Rant] Pulling Back

"There are 2 kinds of InfoSec people out there... those who still believe we can build secure environments/apps and those that know it wouldn't matter anyway."
--Rafal (me)

Hi everyone, first off this is going to be an ugly one because over the course of the last 2 days I've had conversations with many of you that have started out very constructive but then quickly devolved into the "oh crap, we're fu**ed" variety. Most of this is thanks to "anonymous" (I'll let him remain nameless until he cares to step out of the shadows) who has given us (and more importantly, me) some very not-so-subtle clues on why my job grows more meaningless with every tick of the clock.

If you haven't read it yet, read the mass-spam article, and pay special attention to the comments section... this is where things went downhill... rant follows

When I wake up in the morning, what gets me energized and going is knowing that I can make a positive impact on the world I live and work in. For me that means InfoSecurity has to make progress. Progress, since I like to use Medieval metaphors, is pushing the kingdom out further and further into the wild country beyondn the castle walls. This of course means one of two things - you can either build a bigger army and spread them ever-more thin, OR you can arm the redidents of your kingdom for self-defense against the hordes that lie beyond the edge of the kingdom. Translated into 2009-speak that roughly means we're tryingn to protect people from themselves... and since we can't keep spreading our already strained InfoSec resources ever-more thin... we have to teach people to defend themselves. This is where sh** really starts to break down quickly.

The problem is people just don't give a damn. They're sheeple. Like sheep... they're herded rather easily but they have things others (the "bad guys") want like social security numbers, credit card information and passwords. It wouldn't be so bad if we could just charge them the idiot tax and move on but banks and credit cards and even our government have been passing their stupidity to the rest of us who are smart enough to figure this out. How you ask? Have you seen your bank fees lately? They're skyrocketing because of the rising costs of fraud, and banks continue to "put your money back if you get your (virtual) pocket picked)" - even if it's your own fault?!

I can make my peace with people being careless with their own property but unfortunately this is a social commune - where your stupidity translates into higher interest rates, fees, and less services for me. So naturally sentiment for this is turned against the evil hackers who are out to steal our lives because they're bad. Well... what most of you that make this argument miss is that these types of things have existed in real-life for centuries and they haven't bankrupted society (yet) beacuse people eventually got wise to the schemes... usually. What's mind-boggling is that in the digital world people still fail to see how "security" matters.

How can this be any worse? The fact that companies have adopted this same moronic mentality. I can't take it anymore, I want to smash my head into a wall every time someone at a major Fortune 1,000 company tells me that they don't need to do Web App Sec because they "don't take payments over the web"... how is that the only way that security has stuck in people's minds? Forget the network security ... we've had that figured out and are now reaping diminishing returns... have been for the last ~2-3 years... web apps are the main target now, I don't need Gartner or IDC to tell me that, do you?

Then there's the PCI-DSS... and while I love all my friends who are gurus in this space (you know who you are) this has become the absolute minimum requirement now... "do you do everything on this PCI-DSS checklist?"... which is bullsh** and we all know it but it keeps the lawyers on their leashes and makes the risk people happy until something catastrophic happens (ahem... you twits at Heartland Payment Systems) and then you sue the people who audited you? Really? You shop around for the cheapest, least-intrusive PCI auditor who will give you a passing grade with the least amount of effort and you wonder why you're making headlines? Can we stop and think for just one stupid second?

Then there's the whole point of why I'm at this stage of delerium... with the best-effort I make every day (and many of you are in the same boat)... bailing water as fast as possible - saving people and companies from their own ignorance and stupidity - everything I do to protect you has already been beaten like a red-headed step-child. Twice. Except now there are scripts for beating any security measures we may have... and the basic concepts and premises we base our careers on are shot. We're bailing water from a sinking boat when the boat is already under water.

What do you do when you've forced (beaten...) your users into compliance with security policy, you have anti-malware on every desktop, locked-down admin rights, carefully filtered web ingress/egress traffic, tight firewall rules and network security devices (IPS/WAF/what_ever) and everything is fully patched... then one of your users visits a legitimate web site and within 30 seconds is trojaned with a ring-0 trojan that completely and utterly devastates the machine. Sucking down passwords, critical data and setting up cover channels into your network without even tripping Vista's built-in protective measures. Yes... I know it's possible, for a fact. Quote me.

Does it matter that there are educational programs, open-source OWASP security tools, projects and pre-built reasonably secure code modules? Does it matter that InfoSecurity is finally making headway within the corporate world? No... why?
  1. users are still apathetic and choose to remain that way
  2. companies still would rather spend precious money on upgrading firewalls and IPSes than building secure web apps
  3. security is not simple and usable and therefore failing the user-friendly test
  4. arogant developers still try to re-invent the wheel every single time
  5. even if we succeed... we fail because the "bad guys" are 2 steps ahead, always
So what? I'm feeling a little jaded after doing the research and the follow-ups on that last article (can you tell?). Who cares if CAPTCHAs are everywhere when the bad guys are paying people in India $0.01/CAPTCHA they manually break? So rather than the "security kingdom" expanding and pushing further into the darkness we're left retreating within the realm of the kingdom...then fall back to the castle walls... then fall back inside the castle... then fall back to the inner-castle wall and now we're being over-run again and the only place left to hide and fall back to is the inner-keep. There is no falling back further... the game is over at that point. There has to be a line in the sand drawn or else this game is over boys and girls.

We're not at any particular cross-roads in IT history...but this is as good a time as any to get off our complacent asses and make a hell of a lot of noise. Reach out to those in positions to make a difference and make your case like everything depends on it. Hey, believe me when I say I understand this situation isn't bad for business - because as crappy as the world of security gets we will all have job security forever - but at what cost?

We need to stop the advancement, we need to stop pulling back. Continuing to build better anti-automation into our social-networking sites is stupid and a waste of time. No more free bugs? Who cares... it doesn't make a damn bit of difference in the end result. Here's an idea... how about you pick a side and work towards that goal. If you're a white-hat then understand you're not doing it to make yourself rich but for the betterment and the "greater good". It's time to get over ourselves and quit acting like divas because we are clearly getting our asses handed to us out there folks...

Wake up and smell the fire burning under your feet.


Sorry it had to be said.

Sunday, July 12, 2009 - Oh So Telling commercials have been lying to people for a while now - offering a "free credit report" when in fact you have to sign up for a service first... well - after going to the site and seeing this logo... I now understand.

That's right... they're "McAfee Secure".

-no more needs to be said, except...


Saturday, July 11, 2009

Devastated by a Link-Spam Tool?

If you own a blog, a forums, or are a webmaster of a social-interaction (web 2.0) site... you're going to want to read this.

Hell hath no fury like a blog comment spam engine unleashed upon your site(s). Trust me, I know.

As I was digging through my comment spam which now numbers in excesses of 1,000 spam comments/day on my "Following the White Rabbit" blog I noticed something. In the spam flood I would occasionally get an advertisement for the spam engine that created the mess. Interesting, I though - let's see how bad this thing is. Little did I know that what I was investigating was one of the nastiest, ugliest things I've ever laid eyes on as a "good guy" in information security.

The tool is called "X-Rumer" and it's developed and maintained by a Russian Federation-based organization that is known as "BotMaster Labs" -a fitting name to be sure. X-Rumer is a highly-effective tool which can very quickly over-run even the most hardy blogs, forums or other Web 2.0-style media sites.

What really started to open my eyes wide when I looked at X-Rumer 5.0 "Palladium" is the ability to breeze through CAPTCHAs... it's incredible how many different types of CAPTCHA systems this tool can break using its internal automation. Not only can it breach a CAPTCHA but also many of the more advanced pictocode types of systems (for example, identifying the picture of a non-smoking sign among other signs). Palladium treads the line of SPAM carefully by condering itself as a "correct spam" engine - which is interesting enough in that it generates fake responses, and text for the links that is drops into comments and posts.
X-Rumer is an incredible feat of code development... and sadly it's not used for the good of mankind - but for other nefarious purposes... most commonly link-spam. You don't want to have to square off against a tool like this - because odds are you'll lose. The only effective tool against something like this is reCAPTCHA (but it's rumored that even that will be broken by the tool soon). Not only can this tool auto-register itself on sites where registration is necessary, but it's also content-sensitive! If your blog is about football, there are link-spam comments that are tailored to football, so evading spam-detection engines is almost a certainty.
If the forum has more than one category, the software chooses the one most suitable for the message, otherwise it sends the message to off-top, flame sections or the like, and in case those do not exist - to the most visited category on the forum.
This juggernaut is impressive, for a piece of nasty software that's sole purpose is to spread links and ... spam... to the world of Web 2.0.

Why in the world would I write about it? Because you need to know what you're up against - and why your blogs and forums keep getting spammed even though you have registration turned on and human verification on too... you just can't stop a determined spammer... money continues to drive these people and until we (sheeple) stop clicking their links they'll continue to be at it.

Good luck.

Friday, July 10, 2009

How NOT To Do a "Security Advisory"

If you need to know how to write a completely laughable, published security advisory... look no further. This is basically a 'how to' for not being taken seriously... ever again.

This is an oldie... but still a goodie that will forever hang on my "wall of shame". Those SNOSoft people sure can release some quality stuff huh?

That is all.

Thursday, July 9, 2009

Internet Surveillance... for your Credit/Debit Cards?

I've been using the identity theft and credit protection services offered through my bank for a couple of years now. Recently I noticed a new menu option for Internet Surveillance which caught my attention. Apparently, this service (which comes with the ID theft prevention/insurance) is one that scours the Interwebs trying to find the credit card numbers and associated data that you enter in it.

This got me thinking... 2 things struck me as wrong.

First off... do I
really trust my bank with every credit card number I own? Maybe it's not so bad since I'm just putting in the name on the card and the full card number (no CVV/CVV2, or Expr Date) and even IF someone stole that data - what good would it be to them?

Second, given that Google (whom I presume they'll be using) and most other search engine's queries can be "read" from your history (or from their cache)... I really want my credit card number as a search string floating around somewhere?

How do those two things balance against my need to be free of ID theft ... on the black market? I'm leaning towards putting in a few card numbers just to see how it goes... do any of you have any thoughts on the matter? Pros? Cons? Have you tried this before (do I need to give a link to the service vendor?)

Soliciting your thoughts, either publicly or privately... thanks!

{ Update }
-- As promised, I went to put in a fake American Express card number (see pasted below) which follow the AmEx algorithm. Immediately, a JavaScript snip flagged the card input as "possibly incorrect" but let me continue anyway. Odd behavior, don't you think? After ignoring the warning I went ahead and hit accept, retyped (same error again, in JS) and then voila! my card was added for monitoring. I have pasted it below just to see if the fake
card number gets picked up!

378511096516050 - Rafal Los - FAKE AmEx card number (not following algorithm!)

Wednesday, July 8, 2009

The Importance of Understanding Flow

It never ceases to amaze me how much InfoSecurity folks depart from conventional wisdom when it comes to "hacking".

A few weeks ago I was sitting in a meeting room waiting for the folks who would be listening to me talk about App Security to come in. As people funneled into the room I overheard 3 QA guys talking about "understanding the application"... to which one of the security guys looked at them funny and said "we do black-box testing, we don't care to know the application".

Whoops, you fail.

It's not just that these security guys were going to be missing a huge chunk of the application- which they likely will - but it's in their ignorance of the actual application logic and flow that they will fail entirely. Thinking about that, and how to fix the problem, brought me back to DFDs and how useful they were to me when I worked on web application security testing back in the day. You know, I just don't think people just don't do enough intelligence gathering before diving into an application security test. Understanding the beast is fundamental to conquering it, and security folks have have a disctinct advantage over "hackers" (usually) because they have access to the actual inner-workings of the web applications they'll be testing. Being able to build, read, and understand a DFD is so fundamental to web application security testing that I'm putting together a new paper which will be released later this month (in collaboration with Richard Baker).

DFDs (Data-Flow-Diagrams) are so fundamental to understanding web applications (and any application or system) that I honestly can't imagine someone sitting down to test a web app without having a DFD in front of them. Of course, let me make sure I put it out there that this is mainly valid for internal testing teams but if you're an external tester and can get your grubby little hands on a proper DFD for the app... you can celebrate a little!

First, in case you're reading this and wondering what a DFD is - here is what the WikiPedia tells us about Data-Flow Diagrams:

A data-flow diagram (DFD) is a graphical representation of the "flow" of data through an information system. DFDs can also be used for the visualization of data processing (structured design).

On a DFD, data items flow from an external data source or an internal data store to an internal data store or an external data sink, via an internal process.

DFDs are particularly valid for penetration testing because you have a black box in front of you which takes in, processes, stores and often returns data. It is in the understanding of that flow-model that you can begin to find potential weaknesses in the application. Testing randomly through the application may get you some results but knowing where to test (where data is processed, stored and returned) will yield crucial nuggets of knowledge for focused testing.

I turned to some industry experts (the analysts) and got a few good quotes - namely this one from Michael Montecillio...
"Data Flow Diagrams (DFD's) are an invaluable aspect of an application security strategy. DFD's allow organizations to target their strategies to properly address high priority aspects of their applications. Furthermore, remediation efforts can be prioritized based on the visibility of different segments of an app. based on the mapped information found in DFD's." ~Michael Montecillo, Principal Analyst, EMA Security and Risk Management
If a DFD is so fundamental then why don't the people who do penetration testing and AppSec use these ingenious devices more? See... Michael's though directly reflects why I think this issue needs more attention - people just don't know/get it.

Can you draw a DFD? Do you know what the various shapes mean? Whether you're a novice, or a self-assessed Certified ASS (Application Security Specialist, ASS for short)... you'll want this knowledge.