Wednesday, September 30, 2009

Caught My Attention

Hey everyone, I'm taking a 4-day holiday to see some family ... and then off to SecTor... so I thought I would leave you today with a post on some of the things that have caught my attention lately, in no particular order...
  • I just updated my laptop's BIOS... in Windows ... Vista ... without generating any warnings or pop-ups asking for credentials ... should that worry me? --after all the safety nets we've put into the latest Windows versions (7 included) especially Vista (which was UAC overload anyway) ... the fact that I can update the very core of my computer with code I just downloaded (notice I didn't say anything about verifying certificates, signatures or anything) is appalling. I mean, sure, I'm positive there are mechanisms built into the update mechanism to make sure that it's downloading and flashing with "approved" BIOS updates ... right? right?
  • An extremely popular [product] website that a colleague of mine was asked to "vulnerability scan" as part of a product/services sale turned up ... you ready for this ... 300+ XSS, 5+ SQL Injections (pull the DB right out, point-n-click style), and CSRF on their purchase/profile pages and a boat-load of other vulns. This site, we were told, was "built and audited" by one of the "Big 3" consulting companies ... *facepalm* was all I could do. Anyone who argues against the value of black-box scanners for WebAppSec should hear this ... these guys claim to "do it manually" ... riiiiiight.
  • When I got my new laptop last week from work and realized we're still hobbling along with Symantec A/V, I broke down and installed Comodo's firewall+A/V in addition... it's just sick that you have to have multiple anti-malware agents running on a machine now to keep you relatively safe from the crap out there ... even if you're not surfing porn and warez all day ... ugh
  • No joke ... yesterday I got an @ tweet from some random user ... followed it on my "sandbox" VM just to see where it went and ... no joke ... it was an ad for a local escort service ... yes, local! Wow, even hookers are getting into location-based Twitter "advertising" eh? Sick...
So ... yeah, that's it for today - some interesting things to rattle around in your brain as you eat lunch or whatever it is you're doing as you're reading this.

... stay vigilant.

Tuesday, September 29, 2009

Of Metrics, Magic, and Failure

As everyone knows companies have been tightening their belts lately, and IT spending is harder to come by no matter what Gartner and the other analysts are saying. You and I know full well that getting money out of management, even if it's a great cause, is like pulling the cell phone out of a teenager's hands... possible but unlikely.

Now, over the last couple of weeks (and more recently today via Jeremiah Grossman on Twitter) folks have been talking to me about metrics, and more importantly measuring "web based exposure to risk" ... right. We can talk about this all we want, but talking it to death won't make it any more real.

At the heart of the problem is the fact that we're essentially being asked the same question your parents asked you when you asked, begged, and pleaded for $toy: "what will happen if you don't get $toy ... right now? Can you wait until Christmas?"

There are two camps that have formed over the last several years, when it comes to answering that question ...
  1. The "FUDs" - You know who you are. "We'll be hacked if we don't buy product X" ... sound familiar? Selling Fear|Uncertainty|Doubt only works for so long before they catch on!
  2. The "Franks" - With the mentality of an accountant and the numbers to back it up, the "Franks" typically don't put any emotion into their work, it's all risk and numbers
The problem here, of course, is that neither is very effective. Let me re-phrase- neither group has been very effective so far. Selling FUD may work for a while but eventually Chicken Little will realize the sky isn't necessarily always falling ... and will start asking questions. On the other hand, you can't really do InfoSec as a numbers game. This isn't a casino where you can simply play the odds and hope to win ... there aren't any established odds and no one else (except maybe for you) is playing by any rules.

So we've got a problem. There are 3 things that are going to save Info Security ... web app security more specifically - metrics, magic, and failure. Don't laugh.

  • Metrics: You can measure damn near anything these days, and if you look hard enough and network with enough people eventually you'll get some pretty decent numbers on things like how many times the average credit card authorization site for a mid-market company gets attacked (actually attacked, not "scanned") in a given quarter. You can even scam your way into getting people to give you metrics on how many times companies in your industry, maybe even your competitors, (anonymously of course) have been attacked and maybe even hacked. You may even get someone like Gartner, Forrester or IDC to publish a report on the metrics of being hacked and how much it costs per record lost, or hour of downtime. This is all great information but it's entirely worthless if you don't have the right context. By context I'm referring to the specific context that makes sense to the metrics you're collecting ... clear as mud right? Here's an example -if you're a very large online retailer it only makes sense to collect metrics of like context ... from other businesses that are of similar size, market, and exposure. In this instance collecting metrics from an industrial business won't help your cause any ... or will it?
  • Magic: When metrics alone just don't make the case, make the case with a little bit of home-brew magic. Security folks are known for our passion and ability to manufacture a reality that fits our ends. I'm not saying to make things up, that's what the FUDs often do, I'm simply telling you to get creative. Make the numbers pop without making them up ... it's harder than it sounds. Being a magician also involves getting numbers from places that you can't talk about ... friends in your network, your own systems or other sources that can't clearly be cited for anonymity. Adding a pinch of magic to your pitch will make the metrics get someone's attention and scream "You can't ignore me!"
  • Failure: It's a fact, nothing helps along a security agenda like a catastrophic hack. Once you've been breached your executives will write checks for amounts you've never seen before... in record time. The problem is once you've had a major breach your job may be on the line and then things get really crazy (see my post on the dangers of a disaster-driven security program) while everyone is running around with their hair on fire. The trick is to not be the victim of a major breach but something big enough to spark attention and make people inside your company paranoid, that's when you get to work your magic. (see the Magic above). Some great person once said "Without failure, we cannot know what it is to succeed" ... and that's very true even today in InfoSec.
There you have it, Frank meet FUD. I will argue that there are no clear [security/risk] metrics that will win the mind of a sufficiently uneducated executive... so we must educate them and always make sure they understand the risks...

Speaking of risks ... how do you measure that, exactly? Do you measure what you find ($found_vulns) against the function of the application ($function) and the value ($value) combined with exposure ($exposure) ... ? And riddle me this Batman... what about those vulns which aren't found? How do you measure risk with that many unknowns?

Sadly, if I had the answers to those questions I think I would be writing this post off a yacht in the South Pacific, but alas, I'm sitting at my desk in Chicago... (damn it's cold for September).

For starters, and maybe as a spring-board for a good risk formula I have used the following elements successfully ...
  • Dollar-value of the asset being assessed/analyzed -should be the easiest metric to gather
  • Relative exposure to defined threats (notice I say defined threats) - exposure is relative to the industry, type of business, type of technology, type of asset, etc ... this can have multiple components within it (to be discussed at a different time)
  • Relative complexity of asset - remember, complexity is the enemy of security
These are the simplest-case metrics you can gather that will work for building a business-case for risk-based analysis.

Good luck! More coming soon...

Sunday, September 27, 2009

Enforcing Responsibility via Business Regulations

For those of us on this side of the globe, you may have not caught this earlier this week, in fact it's still making the Australian papers and news! As I was catching up on my Google news alerts for the last few days, I kept coming across a headline that read "Bolton Tangled in Web Scam", and "Bolton Faces Losing Internet Companies" ... sounded ominous so I decided to give it a read.

Here's the story... apparently a chap named Nicholas Bolton who owns multiple domain name companies in Australia has had his ability to do business at one of his registrars (Bottle Domains) revoked. This means that not only can he not take new registrations, but he can no longer do business at all... thus he loses his company. What did he do to deserve such a harsh judgement? How did this all happen?

Apparently, back in January of this year the database of Australian Style (the parent company of Bottle Domains) and its subsidiary Bottle Domains was compromised. The authorities knew this to be the case because the details of some 40,000 of the customers were for sale out on the Internet. That's pretty bad. What happened next was worse. During the course of the ensuing investigation, the auDA caught wind of a previous data breach dating back to 2007 for which Bolton had failed to properly notify his customers.

According to the Sydney Morning Herald ...
"As a result, auDA terminated the accreditation of Bottle Domains in April this year ''due to a serious breach of its obligations under the registrar agreement''."
... that's absolutely unheard of! What's worse, further investigations led to the discovery of a total of 3 data breaches in Bolton's enterprises... and a whole string of negligence, cover-up, and neglect of customer obligation. So, just like that... Bolton's companies are out of business. Doors closed.

Bolton even tried to go to the Australian Supreme Court... which didn't do him much good, as the Justices didn't quite see things his way... and he further got his hand slapped. While this is a pretty incredible story I think it's even more important to note the great lengths that the Aussies will go to, in order to protect their privacy!

The auDA has some rigid requirements for accreditation, including corporate requirement 3.6: "The Registrar must have opted in under the Privacy Act of 1988"... that's quite interesting. Having given the Privacy Act of 1988 a cursory read, I can assure you of one thing - it's quite protective of personal privacy as it relates to corporations.

So this begs the question... WHY don't more regulatory bodies (say, within the US) do this? I may be going out on a limb here but I suspect that we've had such egregious acts of privacy breach here in the states many times over ... yet nothing of this nature has happened. Wouldn't it be great if there was some retail industry regulation, maybe run by a conglomeration of the major credit issuers, that stated that if a corporation breached user privacy they could have their ability to process credit payments revoked? Better yet - wouldn't it be even better if this self-regulating industry body actually acted on this?

Sure, I'm talking crazy here, but aren't regulations here to give people comfort that if someone breaks the rules, they will have to pay the penalty? Wow... I really wish we had some regulatory bodies with balls in this country. Too bad, such a shame.

Wednesday, September 23, 2009

Your Kids At Risk: Social Media

Apparently, parents haven't gotten the word out enough to their children... or maybe parents just don't understand... or worse yet - maybe we haven't made this clear enough...

Parents talk to your kids about what they're posting online!

There are many reasons for this, but something like this is my primary concern...
  • Go to "the Goog" (Google)
  • Drop in this search parameter: "school schedule" -video
  • Gasp.
So you may ask yourself why it's a big deal that your child has posted their class schedule online, for the whole world to see... primarily because it is a great indicator of other dangerous behavior. If you have a child (or teenager) that's old enough to use a computer odds are they're either on MySpace, or Facebook... or both, and are posting their personal information without thinking twice.

The reason that posting things like class schedules, gathering locations, and other such information for the general public to see is bad is that, as you already know, there are predators out there who are loving the fact that this information is easier to access than ever! Kids who post this information online think they're providing it to their friends, and generally have the "what harm can it possibly do?" attitude - but parents must change these habits through education and cooperative understanding.

I don't need to scare you into believing that children are abducted or attacked all the time based off of the information they post online, or even by the people they decide to meet in person (from online)... so here are some helpful things to keep in mind and go over with your online kid. Remember, safety is job #1.

Top 5 things you should never share online...
  1. Your full name, or your parents' or siblings' names
  2. Specific home address, name of school
  3. Phone numbers, email address
  4. Specifics of your "routine" (for example, your daily route home, where you have soccer practice, etc)
  5. "Hangouts" or specific places where you will be
Some thoughts for parents...
  • Google your kids profiles, their Facebook & MySpace pages
  • Explain to your children why sharing information is dangerous
  • Explore your kids' social networks privacy settings, talk to your kids about using them
I know I'm not the first to say this... but if you're not doing your job as a parent and investigating what your kids are up to, teaching them how to be safe online... who will?

Tuesday, September 22, 2009

Why "Web 2.0": Zero Expectation of Privacy

Privacy in the world of "Web 2.0" is like a diet pizza... What? You've never heard of a diet pizza? Exactly my point.

Seriously though folks, let's think about this. The main components of the "Web 2.0 experience" are... (in order of importance)
  1. personalized
  2. highly interactive
  3. feature-rich
It's simply impossible to have content that's personalized yet anonymous. Can't be done.

So here we go, let the debate ensue - I'm telling you right now though, you can't have the type of tailored content you're looking for on your iPhone, desktop or refrigerator without giving away some information about yourself. Let me explain why.

The personalized browsing experience is all about collecting data about you such as where you visit, how long you stay, what you read and what you buy and mining it along with millions of other people's data to create content that appears specific to you. You simply can't decouple the what from the who... as technology continues to tie seemingly irrelevant things together in searchable databases every bit of information about you can be personal.

Your IP address isn't necessarily a "private" piece of data when it comes to your identity... or is it? Five years ago if someone was logging IP addresses and site preferences it wouldn't mean anything... today that data can be tied to a specific user (yes, even if you're sitting at a coffee shop in Chattanooga), so now it's starting to get contentious about whether that's private information or not!

Think about it!

You want to see only what you find relevant... but how do you do that without allowing some system somewhere to keep track of everything you view/do to make sure that system then can turn that data into a presentation of relevance to you? Can't be done. Want proof? Turn OFF cookies in your browser. Try it now... and see how many sites complain and simply give you a terrible experience!

Furthermore... look at the cookies in your browser cache... do you recognize all of them? Simply going to Google's homepage drops a whopping 33 cookies on your browser. A simple browse to's homepage brings in cookies from,, all of which are tracking your habits and clicks so they can personalize your experience... right?

Let's assume you're using FireFox, even as a secondary browser, go to the add-ons site and do a very simple search for "cookie"... look at the amount of tools that are dedicated to monitoring, deleting, opting-out-of, and manipulating cookies! It's enough to make your head spin. I highly suggest FireCookie (FireBug add-on) for FireFox... it's an eye-opener!

Moving beyond the idea of cookies... there are many, many ways companies keep track of you! Have you ever gone to a site you've never been to before only to be served up an ad for a "local" service or product? How do they know where you live? Either you've given someone, somewhere that information and it's been passed along, or they've geo-located your IP address, or your browser simply told the site its location... pretty scary, right?

Let's face it, privacy is a dying thing. We fight every day to keep our habits and clicks private but let's face it, we lost that battle with credit cards and automated tollway transponders... so it's only logical we lose that battle of privacy online.

Wednesday, September 16, 2009

Unraveling A "Work-From-Home" Twitter Scam/Spam

If you're on teh Twitter like I am (@RafalLos) you've without a doubt noticed you're being followed (twit-stalked?) by one of those bots.

You know what I'm talking about. They follow you, sit silent until one day they @ you with some link they hope you follow, or re-tweet something someone else says, and insert a link they want you to go to. Honestly, I wonder how many people fall for these things. I guess enough so that they keep doing it, right?

Anyway, this one (shown above) particularly annoyed me because I looked up this account's history and what I found wasn't really a revelation, but it was interesting. Each hour, via the Twitter API (so you know it's a script running somewhere), this bot would @ between 3-4 people with the same message I got above. As of the writing of this post, this account was still active, and had 0 friends, 0 followers, and 19 tweets -all of which were the above link. A quick search for "Google hiring" brought up 30 other bots that are tweeting and re-tweeting this same message, but some with obfuscated (shortened/hidden) URLs.

I was intrigued, and chose to look into this more. What followed was a twisting, winding road to a place many of us have seen before, from a phantom company selling you the "work from home to be a millionaire" dream.

First, a "wget" yielded:
--2009-09-16 21:56:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily Location: /?3d7fa980 [following]
--2009-09-16 21:56:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily Location: / [following]
--2009-09-16 21:56:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Found Location: [following]
--2009-09-16 21:56:03--
Reusing existing connection to
HTTP request sent, awaiting response... 200 OK
Length: 783 [text/html]
Saving to: `index.html'
I found the part I highlighted above (the 302 to /?3d7fa980) interesting, because it only showed up like that the first time I hit the site from my machine. Subsequent tries would simply net me the single redirect to the www.ajobwithgoogle page. So that was interesting, and a little more digging (with the help of some Twitter friends) showed the site is very careful about how it does redirects and keeps track of people. The first time you hit the site you get that 3-step redirect loop which hands you a "key" (/?3d7fa980 in my example). Every other time you hit the site after that (as you can see by the redirect) you are simply 302-redirected to the ajobwithgoogle site... interesting!
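If you want to reproduce this kind of analysis yourself, the trick is to not let the client auto-follow redirects: wget and a browser will happily collapse the chain and hide the difference between the first visit and the repeat visits. The tracer below is an added example (my own code, not anything from the original post or from the scam site); it records every 3xx hop, pulls the query-string "key" out of the chain, and runs against a constructed stand-in for the redirector whose hostnames, paths and cookie handling are assumptions about the behaviour described above, not observations of the real site.

```python
"""Hop-by-hop redirect tracer.

Added example, not code from the original post or from the site it describes.
It records every 3xx hop instead of letting the client auto-follow, which is
what hides the difference between the first-visit chain (three 302s that hand
out a key such as /?3d7fa980) and the repeat-visit chain (a single 302 to the
landing page). TrackingRedirector is a constructed stand-in for that behaviour;
its hostnames, paths and cookie handling are assumptions, not observations.
"""
import secrets
from urllib.parse import urljoin, urlsplit


def follow_redirects(fetch, url, max_hops=10):
    """Follow 3xx responses one hop at a time.

    `fetch(url)` must perform exactly one request and return (status, headers)
    without following redirects itself. Returns a list of (url, status,
    location) hops whose last entry is the final non-3xx response.
    """
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = headers.get("Location") if 300 <= status < 400 else None
        hops.append((url, status, location))
        if location is None:
            return hops
        url = urljoin(url, location)  # Location may be relative, e.g. /?3d7fa980
    raise RuntimeError("more than %d hops: redirect loop?" % max_hops)


def first_visit_key(hops):
    """Return the query-string "key" handed out somewhere in the chain, or None."""
    for _url, _status, location in hops:
        if location and "?" in location:
            return location.split("?", 1)[1]
    return None


class TrackingRedirector:
    """Constructed model of a redirector that keys visitors on first contact."""

    def __init__(self, site="http://redirector.example", landing="http://landing.example/"):
        self.site = site
        self.landing = landing
        self.cookie = None  # assumed: the key is persisted client-side, cookie-style

    def fetch(self, url):
        parts = urlsplit(url)
        if url == self.landing:
            return 200, {"Content-Type": "text/html"}
        if parts.netloc != urlsplit(self.site).netloc:
            return 404, {}
        if parts.query:  # /?<key>: remember the key, bounce back to /
            self.cookie = parts.query
            return 302, {"Location": "/"}
        if self.cookie is None:  # first contact: hand out a fresh key
            return 302, {"Location": "/?" + secrets.token_hex(4)}
        return 302, {"Location": self.landing}  # keyed visitor: straight through


def make_live_fetcher():
    """Real fetcher for a live site: one request per call, no auto-follow, and a
    cookie jar shared between calls so repeat visits look like repeat visits."""
    import http.cookiejar
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the redirect into an HTTPError we can inspect

    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def fetch(url):
        try:
            with opener.open(url, timeout=10) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers)
    return fetch


if __name__ == "__main__":
    site = TrackingRedirector()
    for visit in ("first", "second"):
        hops = follow_redirects(site.fetch, site.site + "/")
        print("%s visit: %d hops, key=%s" % (visit, len(hops), first_visit_key(hops)))
        for url, status, location in hops:
            print("  %s -> %s %s" % (url, status, location or ""))
```

Against the model, the first visit produces four hops (302 to /?key, 302 back to /, 302 to the landing page, then 200) and the second produces two, which is exactly the pattern in the wget output. To point it at a real redirector, swap `site.fetch` for `make_live_fetcher()`; the shared cookie jar matters, because a fresh client on every request would look like a first visit every time and you would never see the short chain.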

The page you're redirected to is nothing short of an obvious fraud ploy. It's one of those "Use Google to make millions working from home" pages that they hope you fall for. This farce even had a bunch of fake comments added to the "article" to make it look a lot more legitimate than it would at first glance! All links on that page point you to this horribly inviting page (but shady as crap) on{some affiliate IDs here}. OK, obviously this "Search 4 Profit, LLC" must be legitimate, right? I mean, it says "As Seen on: ABC, CNBC, CNN"... what they don't say is that this site (and off-shoots of it) were actually seen on these news outlets... but as a story about fraud!

There are even "Terms", "Refunds" and "Privacy Policy" links on the bottom of the page to help you feel better about this site, and what it's selling... but check this out, because someone didn't pay attention in Web Dev 101.

The "Terms" page... read carefully
How it Works! By clicking "Rush My Order" I am agreeing to receive GoogleFortune for a 7-day bonus period for $1.97 billed to my credit Card(please allow 5 days for the shipping process and 2 days to try the product). If you enjoy GoogleFortune, simply do nothing. On the 7th day my credit card will automatically be charged $69.97 and every month, thereafter, unless I cancel by calling 1-877-361-8622 M - F, 8am-7pm PST. No Hassle, Cancel Anytime! Product is fully refundable within 30 days of purchase. Customer's cancelling within their billing period will be fully refunded upon request. I also agree to the 14 day and 21 day bonus trials to Grant Members Site (1-877-495-1145) and Network Agenda (1-800-418-9320) for $19.95 a month and $9.95 a month thereafter, the trial will begin the day I accept these terms, should I choose not to cancel. For refunds please contact customer support at 1-877-361-8622 M - F, 8am-7pm PST, GoogleFortune only. Please note the following terms and conditions you accept when ordering from us: i. Prices are subject to change without notice. We reserve the right to correct typographical and printing errors. We have done our best to ensure that all information is accurate and up-to-date. Errors and omissions occasionally occur and are subject to correction. We apologize for any inconvenience this may cause. We will notify you via e-mail of your refund once we have received and processed. You can expect a full refund in the same form of payment you used to make your purchase within 7 to 14 business days from calling to request the refund, depending on your financial institution."
Whoa! If you don't read that carefully you'll not realize that you're being signed up for 2 more services at a BIG cost to you each month! Let's call some phone numbers!

The GoogleFortune number is answered by a sweet female voice "Thank you for calling customer service"... she proceeds to tell you the hours, and when it's best to call (Wed-Fri) and then asks for your patience, and hangs up. Nice.

Grant's Members Site is a site that purports to be by one Dr. John Porter who has devoted his life to helping ordinary Americans get tax-free cash from the government. Wait... wasn't there some fool on TV a few years ago running around in a suit of question marks selling a book like this?! And I'm going to give him $19.95 a month... why?! The 877 phone number at this place doesn't get picked up by anything... just dead air. If you call during business hours, you get someone who will eventually pick up, but makes it very, very difficult to "get a refund" or "resign from their service"...

The other site "NetworkAgenda" sells virtual office software which does amazing things like a web calendar, webmail, virtual time-card, and many other awesome features that require you to give them money for... all of which are available via Google or any other legit provider free of charge. Sweet. The phone number here is picked up by a machine that identifies the company properly and asks you to call within business hours. When I did... I got someone who was clear on a VOIP system because they were breaking up like crazy - but she was kind enough to take my information down and told me someone would get back to me... I'm still waiting patiently.

The "Privacy Policy" on the main site was an absolute joke... the pinnacle of which was this:
So they're basically saying anything you give them they can resell/transfer to anyone they want and you can't do anything about it... unless you call them and instruct them not to...hah!

Their "Refunds" page (which was a copy/paste of the Terms & Conditions page because someone forgot to change the page header) basically says they'll refund you... if you call them within 30 days. Calling them within business hours and asking some questions yielded a lot of hold time... then the person I talked to said they could not disclose any information about the company aside from the non-existent physical street address. They won't answer questions, they won't really talk to you except put you on a long, long hold repeatedly... as expected.

Curious where 7614 Arvilla Ave, Sun Valley CA is? Check out this Google Maps link... which is basically a large industrial lot... so unless they're into construction there is no company there. Oh, and this is actually Burbank and not Sun Valley...

It was time to do a little digging on the domain and IPs. First off, a traceroute to the IP address never made it to the destination... shocking.

That's when I ran into this site, Blog... which is intensely comprehensive in outlining the fraud that someone here is running, and connecting the dots between shadow corporations and SelfProfitsMadeEasy down to Raven Media, Inc. I suggest you go read that blog post because there is some very serious investment in time, energy, and smoke here... but again, the only reason it's up is because some schmuck somewhere keeps paying them.

Monday, September 14, 2009

Ethical Hackers ... Like ... "Robin Hood"??

I have no idea how this made it into my inbox, but someone (named "RobbinH00d") sent this to my GMail yesterday... so I'm going to post it because I find it humorous. Looks like some hacking group is trying to be the Robin Hood of hacking, helping out those who just can't figure out how to hack for themselves...

Check out this post on (which is an interesting site...):

"About Us:
We are a group of Ethical Hackers based in Turkey but our staff comprises of Experienced hackers around the world, we have over the years strategically recruited the best hackers from the UK, USA, Russia, India, Philippines, Vietnam and Egypt.
Our policy is simple "making the world a better place by creating an equal balance" in other words, hack the rich and give to the poor, Robin Hood style :-)
The way we do this is to sell Carding Stuff and hacking softwares and tools at really cheap prices so that everyone can afford it and also be able to hack. You can definitely be a hacker with our new approach tutorial. We can offer you pre-written tutorials but we will also allocate you your own specialist hacker, who you can add to your yahoo messenger and will give you a more hands on approach by teaching you everything you want to know over instant messaging.
We are ethical hackers and here to help not make money, we only charge because of the cost,time and effort involved in the services and products we offer.
Enjoy your stay and we hope we can help.
Thank you!! :-)"
Wait. Ethical hackers, right? Robbing the rich, teaching the ... non-31337?

OK, I'm amused. You mean if I pay them I can have my own "ethical hacker" on stand-by on Yahoo IM, to teach me everything I need to know?

Some of the services they have available...
  • Hacking classes
  • Carding services (CVV, CVV2, and "fulls" which are full-info packages)
  • Maillist, mailers, cPanel
  • Shipping service
  • Spamming service
  • Shells
  • SMTP relays
  • Logins for banks, PayPal, eBay and other merchants
  • Card reader/writers
... where is the ethical hacking... this is straight black-hat!

Either there is a huge market for lame, wanna-be hackers ... or these guys are just getting desperate! Come on there, "Big HAcker Group"... really? Well, at least their prices seem somewhat reasonable, haha.

If you want to give yourself a good laugh, read the rest of their post... I chuckled all the way to the end.

Saturday, September 12, 2009

Exposing Malware - Part 1: Efficiency

Code bloat has reached epic proportions lately. The latest Windows version (Windows 7) comes on a DVD because the installation is 2.6GB (or so) in size. Does anyone remember the days when an operating system was <100MB? I know, I know... we've got cool graphics now, and sounds and multi-threading and preemption and other neato features... but really? 2.6GB for an OS?!

I bring this up because this is the first part in a series of articles about malware. Malware, no matter what you call it - scare-ware, malware, adware, viruses... whatever - is malicious software that's built for the purpose of extracting money from you somehow. Here's the crazy thing about malware... once you get over the fact that it's evil you can't help but be quite impressed with the features.

First off... the programs some of these coders crank out rival anything Redmond, or just about any other shop, puts out. I've recently run across a piece of software, called a packer, which at a mere 52kb (with GUI) could fundamentally make any nasty piece of code absolutely undetectable. This isn't some command-line tool either, it is a fully-featured, GUI-driven encryption/obfuscation utility that has an absolute cornucopia of features. I am impressed.

It seems that although your average developer seems to have lost their ability to make code efficient and small... the guys and girls writing the nasties out there are getting better and better at it. Why, you ask? Let's look at the reasons we'll cover in much greater detail in the upcoming series of posts...
  1. Stealth - If you're distributing malware, you don't want to get caught. The object of infection is to hold the machine once it's infected... and keep making money for the infector. A big part of this plan is being stealthy enough such that the code you've dropped into the host machine is not detected... this involves encryption, obfuscation and other interesting methods to be discussed later.
  2. Speed - Bloated code runs slowly. Slow-running code takes longer to execute on the host, whether we're talking CPU cycles, or memory footprint... and this increases the chance that the [hopefully] resident anti-malware engine catches it. This is bad, obviously, so speed-optimization is important.
  3. Efficiency - Efficient code seeks to minimize externalities, such as DLLs, libraries, config files, etc... again, decreasing the likelihood of being detected. Malware detection engines often rely on heuristics which watch processes and their behaviors... you start tripping too many externalities... you're more likely to get caught.
So the important lesson here, from people who write evil code - is to be small, efficient, fast, and stealthy. Removing the stealthy component ... why can't all code, like that which runs my operating system, be small and efficient, and fast? Perhaps there is plenty to learn here as we dig deep into the rabbit-hole of malware?

Friday, September 11, 2009

Rant: Sad State of Affairs

No pun intended, but it's a sad, sad state of affairs out there boys and girls. There's a website that's being advertised on public television that's guaranteeing a discreet affair... how sick are we? You know what's more sick than that? Their website security is really good.

More to the point, have you noticed something about all the immoral, illegal and flat-out improper sites out there? They (on average) have better security than the legitimate [business-oriented] websites we use every day.

Why is that? Here's why... -->$

Let's look at this rationally, shall we? Everyone knows that if you want to find the best security in the physical world, you go to one of two places - Las Vegas casinos or the Federal Reserve. Think about why those two places are so insanely guarded and why you never hear of someone knocking off a casino, or Fort Knox. That's where the money is! Make sense now?

Online gambling sites and similar web sites that make money by the truckload have a vested interest in keeping their security top-notch and have been proven to spare no expense. So why are you sitting at your desk, frustrated that your management won't spend more than the equivalent of bubble-gum on your enterprise web site security?

Damn good question, isn't it?

It's almost strange that some businesses see themselves as a magnet for would-be evildoers, while others choose (willingly) to think that they won't be a target. Maybe it's the whole subconscious guilt of knowing you're putting up a site that many people will find repugnant, and will target? Maybe it's the simple truth that where money is, criminals (not just hackers) will follow?

The more I thought about it, the more simple the answer became. The whole thing is a simple risk equation. By hosting a high risk site [simply by the nature of what is being hosted] the owners clearly want to add as little extra risk as possible. That makes sense! Let's look at the factors...
  1. Currency -- Gambling and "other sites of questionable moral value" {ahem} have a high value when it comes to currency. People pay big money to play online poker, gamble, or see adult content. The business of these sites is to minimize effort while maximizing profit, so few expenses are spared when it comes to keeping sites up, running, and secure.
  2. Users -- The users that generally frequent sites "of questionable moral value" typically aren't the type to give up their hard-earned dollars easily; therefore, they're always looking for a freebie. Maybe a way to get free content, cheat the system and make more money, or just play for free... let's face it, the hackers know that there is a ton of cash sitting in these sites and are always on the lookout to exploit them.
  3. Modus Operandi -- The general theme is make money, lots of it, often. Site owners recognize they will be the target of attack and manipulation, and counter accordingly. It's no secret that they're trying to make the most money off of you that they can... and they don't ever want to give it back.
So right about now you're saying... "Sure, but with those 3 factors, my business should have military-grade security as well, right?" Absolutely. Only not. Here's why...

Ordinary business sites can hide behind regulations, lawyers, and an apathetic public user base... those other guys don't get that luxury. It's just a sad state when the general banking site is used primarily by people who aren't smart enough, or intelligent enough, to care about their personal identity protection. These folks will keep using a site even after they've been compromised repeatedly (ahem, TJX...) without thinking twice. If only ordinary users were a little less forgiving right?

As far as regulations go... yes, I see them as a bad thing. Companies can hide behind the shield of "well, we did the necessary minimum, so you can't sue me" rather than doing what is "right"... again, sad state of affairs. Then you throw into the mix lawyers and massive legal teams who go after anyone who dares challenge the sovereignty of your company like rabid wolves... and the victims don't stand a chance.

Just sad... sick and sad.

Thursday, September 10, 2009

WASC ProxyPot Project is LIVE

In case you haven't heard, or have missed the announcement, the WASC group has started deploying their Distributed Open Proxy Honeypot project... or the "proxypot". Headed by Ryan Barnett of Breach Security fame, this project seeks to take a sneak peek at the attacks that are happening on real web sites right now, by setting up open proxies for attackers to use in their hacking attempts. The obvious goal is to gather intelligence and data on hackers' techniques in the wild.

The project is distributing a specially set-up VM which will pose as an open proxy which hackers scour the 'net for, and then log all the traffic and attempted attacks that are sent through that proxy. I love the idea of setting a snare for the "bad guys", so that they might show us some of the latest techniques they're using to attack websites in the real world.

Now, I suspect that this will only catch those attacks and attackers who aren't smart enough to dig into the actual proxy to see what it's doing... but it will still provide valuable insight into actual attack patterns that are being used in the real world. This is valuable information!

Project Overview (from the site)

From a counter-intelligence perspective, standard honeypot/honeynet technologies have not borne much fruit in the way of web attack data. Web-based honeypots have not been as successful as OS level or other honeypot applications (such as SMTP) due to the lack of their perceived value. Deploying an attractive honeypot web site is a complicated, time-consuming task. Other than a Script Kiddie probing for an easy defacement or an indiscriminate worm, you just won't get much traffic.

So the question is - How can we increase our traffic, and thus, our chances of obtaining valuable web attack reconnaissance?

This project will use one of the web attacker's most trusted tools against them - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy servers (or proxypots), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.

This is one of the more worthy causes for the use of your power and bandwidth... If you're interested, go download and run the VM and help gather intelligence, and of course, they have a Twitter update stream @WASCHoneyPots!

Wednesday, September 9, 2009

Good vs. Good Enough

I try to read as much as I possibly can every day on the topic of security in general... and add any knowledge or thought to trying to actually solve the bigger picture problems that society is facing. Last night I accidentally saw a post from way back to 2002, which continues to ring true today and so I decided to not only bring it back into the light - but also to continue the discussion.

That post I'm talking about is "Club vs. Lojack Solutions" on a blog titled "Dive into Mark" written by Mark Pilgrim. I got to this blog post because someone going by the handle "Acidus" (hey dude, I've been trying to get a hold of you, answer your email!) posted a comment on RSnake's blog post "Email obfuscation and Spam Robots" (on Anyway, all this is relevant because it goes back to addressing the anti-automation battle that security professionals find themselves in every single day in our daily lives.

That post from back in 2002 (7 years ago, wow) nails what I've been thinking about square between the eyes, and makes the brilliant reference to a comparison between "The Club" (you all remember this, right?) auto theft deterrent device and the "LoJack" automobile location service/device. For those of you too young to remember the commercials for each, I suggest you watch the YouTube videos I linked you to.

So here's the dilemma. If you've got a reasonably high-profile web 2.0 (I'm mainly referring to social media here, since nearly every popular site capitalizes on social media somehow) site you've got the problem of crooks using automation against you to either post millions of comment spams, harvest your user's emails, or create fake accounts... the list goes on and on. You now have to figure out how you're going to stop them. You can either use The Club, or LoJack. Obviously these are metaphors but you'll have to really decide whether you're going to try and defend, or simply react. Let's look at both approaches and see how these can be applied to real-life InfoSecurity-related situations...

Let's assume you are the administrator, or security-person-at-large in charge of protecting a relatively large (1MM+ user base), well-ranked (Alexa Top 250), active site. You are conforming to the "Web 2.0" spirit by making your site highly interactive, while at the same time providing a transaction-based system for commerce and cash-flow generation.

The Club approach...
The main goal of using this approach is to deter the bottom 80% of would-be attackers. You're not going for ultimate security, and you realize that your approach puts you at an advantage only until others around you with like sites adopt your techniques. By engaging mechanisms like CAPTCHAs, defensive programming practices (code which looks for signs of tampering and disengages the would-be attacker), and visible signs that you're using under-the-covers security, you're hoping to deter would-be attackers. Like the brilliant blog post I cited says... you're not trying to deter someone who's out to hack your site, just someone who wants to hack a site. This makes it such that you're no longer the lowest-hanging fruit and the attacker moves on. Makes sense! Here are some possible ideas to use for this approach:
  • CAPTCHAs where possible (or better yet, reCAPTCHAS since they're not broken by automation, yet, and cost attackers real money to break!)
  • Session rate-limiters which will look at a session and rate-limit how many posts or interactions someone can have from a specific IP address, range, etc
  • Header-based protection such as referrer, user-agent and other types of tracking and blocking... of course this all breaks down as soon as someone realizes that they can change all of the above at will. Again you're blocking the un-sophisticated skiddie (script-kiddie)
  • Hidden-variables within forms can be effective against basic automation attacks, but usually require a simple adjustment of a script to lose all effectiveness
  • Badges such as the "tested and secured by {insert company here}" but be careful not to display worthless badges such as those "HackerSafe" (sorry, McAfee Secured) or "HackerProof" ones out there... those will actually make you targets!
Remember, you're not trying to outrun the bear, just the fellow hiker!
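Two of the "Club" ideas above (the session/IP rate-limiter and the hidden form variable) are simple enough to show in code. This is an added example, not code from the original post; the class and function names, the sliding-window design, and the HMAC-signed token format are my own assumptions, written framework-neutral so it can sit behind any form handler.

```python
# Added example (not from the original post): two "Club"-style deterrents.
# 1. RateLimiter: sliding-window budget per key (client IP, /24 range, session id).
# 2. make_form_token / verify_form_token: a hidden form field bound to the
#    session and a timestamp, so a replayed or edited form fails the MAC check.
# All names and parameters here are assumptions.
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Optional


class RateLimiter:
    """At most `limit` posts per `window` seconds for each key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent accepted posts

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        q = self._hits[key]
        # Forget hits that have aged out of the window (oldest first).
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject and do not count this attempt
        q.append(now)
        return True


def make_form_token(secret: bytes, session_id: str,
                    issued_at: Optional[int] = None) -> str:
    """Hidden form value '<issued_at>.<hex hmac>' tied to this session."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    msg = f"{session_id}:{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_form_token(secret: bytes, session_id: str, token: str,
                      max_age: int = 900, now: Optional[int] = None) -> bool:
    """True only if the MAC matches this session and the token is not stale."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed: wrong shape or non-numeric timestamp
    if not 0 <= now - issued_at <= max_age:
        return False  # future-dated or expired
    expected = hmac.new(secret, f"{session_id}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison
```

The token only raises the bar for scripted posting (the attacker must hold a live session and fetch a fresh form each time); it is not a CSRF token substitute unless the session id it binds to is itself unguessable.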

The LoJack approach...
A wise man once told me, "admittance is the first step to recovery"... and with that I think it's appropriate to bring up the LoJack approach. You're not necessarily admitting defeat if you use the LoJack approach but you're simply admitting that odds are, you will be hacked. Rather than expending energy (time + money + resources) trying to deter hackers and would-be marauders you're going to spend time trying to make sure that you know when you've been compromised and can react. Technologies that center around detection and response are most appropriate here. Let's look at the tools and approaches we can use here...
  • Web App Firewalls can be used effectively here because they will act like an alarm (if trained right) to when something has gone awry and is deviating from standard operation of your site
  • Virtual dye-packs are effective if you're an organization which deals with identities, credit cards and the like. You're going to want to slip in an innocuous looking "tracer" data point that when used, will trigger a mechanism which will help locate and root-out the criminal element where it hides.
  • Separation and Isolation... if you haven't fallen victim to the sheep-think cloud mentality yet. Hopefully you can compartmentalize your data and objects such that a compromise in one sector won't necessarily be a catastrophe in another
  • Trip-wire type sensors and alerting... for when systems start to behave abnormally, or begin to exhibit strange patterns of behavior...
You're working against the determined attacker here. You're working against someone who doesn't just want to hack a web site... they want to attack your web site and steal your goodies. We've all said it before, you're not going to stop the determined attacker... but you can make damn sure you know when they've struck.
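The "virtual dye-pack" above is the one LoJack idea most people never get around to building, so here is an added example of it (my own code, not from the original post or any product): a few constructed tracer records, each planted in exactly one data store, and a scanner that raises an alert when a tracer shows up in access-log lines. The tracer values, log lines and function names are all constructed assumptions; the card number is the well-known 4111... test number, not a real account.

```python
# Added example (not from the original post): virtual dye-pack / tracer detection.
# Each Tracer is planted in one data store only, so a hit tells you *which*
# copy of the data walked out the door. All values below are constructed.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import unquote


@dataclass(frozen=True)
class Tracer:
    kind: str    # "card" or "email"
    value: str   # the innocuous-looking fake value that was planted
    store: str   # where it was planted (customers_db, nightly_backup, ...)


def _digits_only(s: str) -> str:
    """Drop spaces/dashes so '4111-1111-...' and '4111 1111 ...' compare equal."""
    return re.sub(r"[\s-]", "", s)


# Constructed tracers. The card number is the standard test number, not a real account.
TRACERS = [
    Tracer("card", "4111 1111 1111 1111", "customers_db"),
    Tracer("email", "tracer.hldr+db@example.com", "customers_db"),
    Tracer("email", "tracer.hldr+bak@example.com", "nightly_backup"),
]


def scan_line(line: str, tracers: List[Tracer] = TRACERS) -> List[Dict[str, str]]:
    """One alert per tracer found in this line.

    The line is URL-decoded first so a value submitted in a query string
    (e.g. '+' sent as %2B) still matches; card digits are normalized.
    """
    decoded = unquote(line)
    lowered = decoded.lower()
    digits = _digits_only(decoded)
    alerts = []
    for t in tracers:
        if t.kind == "card":
            hit = _digits_only(t.value) in digits
        else:
            hit = t.value.lower() in lowered
        if hit:
            alerts.append({"kind": t.kind, "store": t.store, "line": line.strip()})
    return alerts


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run scan_line over a whole log; returns every alert in log order."""
    out: List[Dict[str, str]] = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed access-log lines: a backup-only tracer e-mail used at login, the
# tracer card number submitted at checkout, and ordinary traffic that stays quiet.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Sep/2009:21:14:05 -0500] "POST /login?user=tracer.hldr%2Bbak@example.com HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Sep/2009:21:15:44 -0500] "GET /checkout?cc=4111-1111-1111-1111 HTTP/1.1" 302 0',
    '192.0.2.77 - - [10/Sep/2009:21:16:02 -0500] "GET /index.html HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT: {a['kind']} tracer from {a['store']} seen in: {a['line']}")
```

In the sample, the first hit names `nightly_backup`, which tells you the leak is the backup copy rather than the live database before you have read a single other log line.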

Some interesting approaches, ringing back from 2002, and just as true today. The crazy thing is, we're perpetually locked into a death-struggle with the hacker kind. We're stuck in an arms race where we build a better mousetrap, and the hacker/mouse simply adapts and gets smarter to overcome our measure. There is no winning this battle; the "good guys" simply have too much surface area to cover, so that leaves you having to choose... the Club, or LoJack... your call.

So I will bring this all back to a central theme here, what's "good" versus "good enough". What are you trying to do in your security strategy? Are you trying to ensure that you're beating the 80% of skiddies who are going to scan your site and be loud? ... or are you defending yourself against someone who actually will "go in like a super-hacker" (sorry Russ, I couldn't resist) and admit front-line defeat up-front?

Strategies must be adapted in this continuing race to outsmart an element that's better equipped, has more time, has more opportunity and more room for error than us "good guys". What's good for you, may not be good enough for others. Sometimes, "good enough" simply isn't - and you must see that writing on the wall too. So the next time you're sitting and looking at the design specification for a web-based piece of architecture... ask yourself what's good, and what will be good enough.

Good luck.

Tuesday, September 8, 2009

Arrogance? Stupidity? Hello... Oracle?

Have you read the news today? Oracle is delaying a patch bundle... wait, a critical patch bundle... by a week because of a conference it's hoping administrators will attend. I'm literally sitting at my desk, mouth agape, as I read that headline. H-Online has the full story, but it breaks down like this:
"Oracle's reason for delaying its patch day is the OpenWorld 2009 Oracle conference taking place from 11th to 15th October, which generally attracts large numbers of administrators responsible for Oracle installations. Since this would force administrators to choose between not attending the conference and delaying installation of the updates, the vendor has decided to put its quarterly Critical Patch Update (CPU) back a week from 13th to 20th October." (DJ Walker-Morgan, H-Online)
Oye! What the hell is going on over at Oracle? Since you're including a critical security patch in your CPU (critical patch update) let's wait an extra week so we don't make admins choose between coming to a conference (self-promotion, no doubt) and securing their systems?!

Does this look like just a stupid maneuver to anyone else? Bueller?

Will someone smack some sense into Oracle please? Not to be outdone in their stupidity, Adobe has also delayed their patch release by a month... (more on this at ComputerWorld)

The Perfect Storm

I bet you can name at least 1 person you know first hand that has more revolving debt than they can hope to pay off in the next 5 years...

Couple this with the fact that the odds are really good that the person you're thinking of has had their credit file, or some portion thereof, stolen in the past year or so and you have the following situation.

7:00pm, Residence of John Debtor
{phone rings}
[John Debtor] "Hello?"
[Voice] "Hello Mr. Debtor, this is Mr. Scammer, I'm with the Fake Collection Agency, we've received your file for collection on your Acme High Interest credit card. Is now a good time to talk?"
[John Debtor] ... recalls that he does have an Acme High Interest credit card, and hasn't paid it in a few months.... "Yes, now is fine."
[Voice] "We'd like to offer you a chance to settle the debt for 50% of the total owned, is this something you would be interested in?"
[John Debtor] {very excited to settle for 50% of his total debt} "Yes, I would like to do that!"
[Voice] "Great, let's proceed... first I'll need you to confirm your information."

You know where it goes from there. First the credit card information: full number, expiration, CVV/CVV2. Then we move on to home address and any other details they can get out of our happy debtor, which likely includes the SSN. The next logical step is to "get payment" for the 50% settlement.


[Voice] "Now sir, we'll need to make a bank draft to make this official... can you please go grab your checkbook? I'll need your routing number, checking account number, and check number..."

... at this point the game is over. John Debtor thinks he is helping himself out of debt when in fact, something much more sinister has transpired.

So what do you do if you're actually in debt? Do you trust debt collectors? How do you know which one to trust since they're all slimy and will lie any chance they get to collect?

This is a real dilemma, I think, that's plaguing our nation (and probably other places in the world) where there is no solution currently. We could simply say never trust someone when they call you but then again... what if they're calling from your credit card company? What if they already know your details like things a legitimate caller from your credit card company would know? CallerID is certainly no help here as it can be spoofed...

I'm left wondering - what's the solution?

Wednesday, September 2, 2009

Are You Kidding Me?!

Have you ever seen advice that seems to come from a reliable source... that just slaps you in the face with stupidity? A colleague of mine (who would know a little something about travel) Ed Bellis ( posted this to Twitter - and I just had to slap myself to believe it. is actually advocating that you scan your passport and driver's license and email it to yourself. Worse yet, you should email it to a friend!

I can't tell you the number of things wrong with this recommendation... but I can tell you that it's just stupid... here's why:

  1. Email isn't "secure"... and your passport and government-issued ID is your entire identity! How many times recently have we seen email hacked... not just hacked but passwords guessed and maybe worse? Let's think for a second, you should absolutely never, ever, ever email yourself (especially using any of the public free webmail options) anything critical like your passport or photo ID.
  2. Why would you EVER give your friend (unless you trust them with your life, literally) all of your personal information? Do you know for a fact that they're going to treat it as a super-sensitive piece of information to be guarded at all cost? I seriously doubt it.
With this terrible advice, allow me to give you some real useful travel advice...
  1. If you're traveling to a foreign country - always register yourself with the local US Embassy first thing upon arrival. That way, even if you DO lose all your identification, you can at least get your way home.
  2. Never, ever, ever send sensitive information like your passport (especially your passport) or government-issued photo ID over email that isn't encrypted and strongly authenticated. Ever. Was that clear? If you are going to do something like this... (and I don't advise it) I recommend using a service like -which at least encrypts and forces stronger authentication.
  3. DO make a copy of your personal identification such as your photo ID and passport, but store it on an encrypted memory stick... in your fire-proof combination safe in your HOME.
  4. IF you're going to store things online there are many "online secure storage" options... Google them. I will do a write-up at a later date on these, stay tuned.
Thanks for reading, and for the love of all things good and pure - ignore these idiotic suggestions which may lead directly to the 2nd worst thing that can happen to your identity... theft.

Stay safe.

Tuesday, September 1, 2009

Like Stealing Candy from a Baby

... only the candy is an identity.
... and the baby is a dead body.

I've been contemplating writing this article for a while, not knowing the impact it would bring but I just can't justify keeping my mouth shut any longer. There is too much at risk here.

A little over a year and a half ago, while I was wondering what I would do for my next day-job, I engaged with an organization that basically dealt in corpses. You know, when you check that little box on the back of your license that says you'll donate your body parts when you pop off... these folks get your parts. Effectively this was a human chop-shop... and it reeked with a stench that I can still recall vividly. The problem wasn't exclusively in the organization's lack of security, because that was an atrocity in itself - but in the absolute ignorance of identity theft and the precious information they had in their possession.

This organization, prior to my arrival, never even had a firewall on their Internet-facing DSL circuit. Everyone could get access to their MS Access database, or spreadsheets where hundreds upon hundreds of records were meticulously kept. The information gathered was an absolute what's-what in information and identity theft. Social security numbers, home address and phone number, birthdate, eye color, hair color, weight... and so on, and so on. Given that the person was deceased, they figured it wouldn't matter anymore, except that they often couldn't find the right information for the right body. Yea... this is what disturbed me. When they were done parting out a body they would send it to the crematory so the family could get their family member's remains. Unfortunately, due to their absolute incompetence in record-keeping... more often than not the families didn't get the right ashes, or worse yet - the person was "lost" in their black hole of a filing system.

I was appalled. It seemed like any kind of control I wanted to put into place was met with a staunch reply of "well, we don't have money for that"... and they really didn't want to hear anything about the kind of absolute atrocities they were committing. I shudder to think what's transpired there over the past 18 or so months... but the point is I suspect nothing has gotten better. So you'd have to ask yourself... how many "hackers" have stumbled upon a wide-open internet-connected server with no security controls, perused the many data files on there only to discover a trove of information about people who can't even speak for themselves!

How should organizations like this be held accountable?

For even more... read Gunter's post from back in March called "Digging up the Dead" (or in the comments below). (Thanks for the link Gunter!)