Wednesday, April 6, 2011

The Hype Over Epsilon ...Baby in the Bath Water?

You've heard the expression "don't throw out the baby with the bath water" right?  The reference is to discarding something important in the mess of something unwanted ...makes me think a little about this big in-your-face headline on USA Today's "Money" section ...from Tuesday April 5th.

"Epsilon hack triggers phishing fears" with the subtitle 'So be careful where you click'.



Is this a good thing, or a bad thing?  Clearly such hype, at least from a security perspective, warrants temperance and sanity for our own credibility ...but could there be a silver lining here?

The fact that this headline is on the front page of Tuesday's USA Today Money section says something ... it says that this is a big story, sure.  But there's a more subtle benefit here ... given the readership of the USA Today, and who's going to read that front page headline and sub-headline ...maybe this is a good thing?

Maybe more people, more of the 'common users' we see as constant phishing victims, will read this and think twice about clicking that email that show up in their mailbox unsolicited?

Or maybe not.

But I can tell you with certainty that even if 10% of the readers of this interestingly written (using a quote from a competitor to the company that just got hacked? uncool) article think twice and don't fall for a phishing scam I'll be thrilled.

Friday, April 1, 2011

Information Security Comedy Genius

You just can't make this stuff up ... I don't know if you follow the Bugtraq mailing listor not, but as I read this today I first thought that hey, it's April Fools' ...but when I realized it was a serious post I read on and the result was a serious LOL ...and projectile coffee all over my monitor/keyboard as a result of Thor's reply.

So here's what happened ...

An email came in with a disclosure..."Microsoft VISTA TCP/IP heap buffer underflow"


...which had this gem of a paragraph in it (for a little context, the person is referring to a PoC he wrote as the program):

"To execute either the sample program or any other system command, the user has to be either the admin, in the admin group or the Administrators group. Since this buffer underflow never makes it to kernel memory, it could be possible that propping up the underflow will make it overflow and take control over the operating system without any restriction."

...which I figured for an April Fools' gag, until I realized it was serious.

Then ...came the LOLs ...because in proper form "Thor" (Hammer of God) had this brilliant rebuttal:
"Just so that I understand correctly, are you reporting that if one is logged on as the administrator, it may be possible to execute this exploit in order to take over the machine? t"

You just can't make this shit up folks ...welcome to Information Security.

Sunday, March 13, 2011

Breaking Your AT&T Broadband Neighbor's Bank

A few weeks ago when Canada's major Internet providers announced they were going to be capping Internet transfer on a monthly basis, some of us here in the 'States chuckled.  Guess we're in for a dose of that now too as AT&T just announced they're doing the same starting in May.

What's really interesting to me from a security perspective is this - how many AT&T customers do you think have a relatively easy-to-break-into WiFi network that ties right into their AT&T home DSL or uVerse?

So, here's an interesting scenario.  A home user goes over the 150Gb threshold, by many gigabytes.  Month after month ... how does that user then go about proving that it wasn't their activity but the result of someone breaking into their wireless and soaking up lots of bits?

Having a transfer cap sure makes the case for having more security on your wireless, do it not?  The problem with many home wireless still being easily breakable is going to collide with broadband charges and caps ...real soon.  The question is - what will be the result, and how will the courts treat it?  How will AT&T treat it if I spike to 400Gb one month?  Can I claim that it wasn't me?  I suspect it would be interesting to see how the home DSL w/WiFi that AT&T is giving out is going to provide protection against these types of bandwidth-stealing attacks.

This AT&T strategy is easily at odds with the distributed nature of BitTorrent, vast amounts of streaming media -and oh yea ...pirates.  This is an interesting tactic in AT&Ts ongoing war against pirated content, and various other forms of wrong-doing.  It's an interesting tactic ...because if you can choke off the means to distribute illegal content (and let's face it, this is how pirates distribute illegal content) or at least make it very, very expensive to aid the pirates -maybe they (whoever "they" are) have a chance of winning the war.

I can't wait to see how this shakes out...

Thursday, February 24, 2011

Cool Things I Learned About Security From Watching Spy Movies...

I love spy movies, I've watched every single one I can find from "Spies Like Us" to the "Mission: Impossible" series and everything in between (including the really, really bad ones too).  Spy movies teach us a lot about real security, how it can be defeated and some of the Hollywood truisms (and "bending the rules") demonstrate what we're all already thinking, and probably now to be true anyway.  I've learned a lot, and I see a great many applications to real life InfoSecurity so I thought I'd share them with you here ...


  1. You're being attacked.  Right now... and now... and now.
  2. Computers are easy to manipulate
  3. People are even easier to manipulate
  4. Your 'perimeter' is only as strong as the guy holding that USB stick walking in your office door
  5. Encryption is breakable ...actually - "encryption" you build yourself is breakable
  6. The common denominator amongst the thousands of daily use social media, financial, and other high traffic sites is one set of credentials
  7. If you want to break military-grade encryption to steal intellectual property or state secrets, use a $15 hammer applied to the owner's open palm
  8. Knowing where your target is located at all times is critical.  Spies use expensive equipment like satellites, GPS, and other gadgets, in lieu of expensive gadgetry I suggest FaceBook or FourSquare.
  9. Remember when it was cool to watch a movie spy 'tap in' and listen in on a person's cell phone call from another part of the world?  Yea, that's possible.
  10. By the time you've gotten down to here, I've utilized the exploit you don't know about in that browser you're using to gain access to your machine.  You really shouldn't keep pictures like that in that 'hidden' folder in "My Documents" ...HR would be unhappy with you.

Wednesday, February 9, 2011

Hooray for Accountability (ZDI Drops 22 0day)

Well, it's February 2011, and the year is flying by already.  Quite frankly, I'm thrilled to see this story run and made a big deal out of -because if you're anything like me you're sick to your stomach from all the large software vendors that have been non-accountable for the crap they release.

The Register is running a story about how the ZDI has "spilled the beans" on 22 advisories, and some of the juicy details of the bugs.  Rather than waiting indefinitely for the vendor to decide whether they care to take the time to patch their software or not - ZDI has taken a stand and published the bugs just 180 days after confirming the vulnerability with the vendor.  I think that's fair, don't you?  6 months to analyze, identify, strategize and release a patch is plenty of time -even if you're a monster Fortune 100 corporation.

What I think is the bigger story, bigger than the 22 bugs released (one of which is of an unpatched flaw in the parent company, HP ...oh noes!) is that the ZDI changed their policy a while back so as not to wait indefinitely for a patch from the vendor before publishing the bugs.  Now, it's 180 days, and time to pay the piper... and you have to hold them in high regard for that.

If you'd like to see the disclosure on the ZDI blog, check it out here ...companies include EMC, Novell, CA, SCO, HP and of course IBM.

In all the buzz and press around this release, I think it's critical to remember one thing - accountability is paramount.  If you don't hold yourself accountable ...the ZDI boys and girls will.

Sunday, January 16, 2011

Hackers "Borrow" Excess Server Capacity, Play CoD: Black Ops

[Cross-posted from Following the Wh1t3 Rabbit]



"For Satan always finds some mischief still for idle hands to do." --Isaac Watts

Those pesky hax0rz.
They just want to hack in, steal your data, plant trojans and spread evil.  ...sometimes not though.

Stories like this just don't get enough coverage because it's more funny than sinister - but apparently on November 12th, around 2:00am local time someone broke into the Seacoast Radiology of Rochester, NY server and didn't try and download their 232Gb of database ...nope, they just borrowed the server to play "Call of Duty: Black Ops".  For 4.5hrs that night someone was using the radiology center's server capacity to play a video game.

You can just tell when someone is giving a quote that they don't know what they're really saying which is evident in lines like this one:

"Our server is 232 gigabytes,” Wood told SecurityNewsDaily. “If somebody tried to download it with the speed that we have, it would take them 27 days. We don’t think there’s someone out there with a huge database trying to pick and choose who they’re going to attack"  (Source: MSNBC)

Well ... I for one am glad this person has a crystal ball, because I'm not sure I would make a statement like this one:

"Wood said Seacoast has not received any reports of identity theft related to the incident. He believes the hackers took advantage of the server’s size simply to play the massively popular video game and nothing more."

Mischief ...or something more sinister?  I certainly have no idea ...but it's certainly not your typical hacking story.
Google+