Monday, December 29, 2008

OWASP Comment... W T F

Hey all, ordinarily I would post crap like this bud a friend sent me this over IM, so it's really his fault... .

I hit the link and I about wet myself laughing. First off, the comment demonstrates an utter lack of comprehension for the subject being berated... and don't even get me started on the unicorn and flowery background... .

Anyway - Kyle... I'd like to offer you some intelligent thoughts...but then I realized I don't like to publicly criticize people... so I'll just leave it at that.

Tuesday, December 23, 2008

Uni-Ball 207 vs. "Check Washing" ... (part 2)

First off, the response to this post has been awesome, thanks to everyone who's Google'd it, emailed it to their friends/family/co-workers, etc... Let's keep the tide of awareness going.

Thanks to Steve Gradman, Sr. Brand Manager from the Uni-Ball division of the Sanford Corp for his email reply - lots of valuable information. I guess this and the previous post has really raised more questions that I've had answers to previously, so here goes some of the things that I've questioned, and some additional answers I'm still hazy about...
  • First, if you have no idea what this is all about, you should check out this video on YouTube from FarFromBoring which demonstrates how criminals "wash" checks and other legal documents using Acetone... to remove dye-based inks. Obviously the target of this prescriptions or checks (or other legal documents) which require your signature
  • Why should you care? - If you write checks, or mail important documents (or maybe transport them somehow) you should care. Every legal document could be a target - more often than not with the aim of making money
  • Besides checks - prescriptions are another major target - doctors are you listening?
  • Just about anyone can do a "check wash"... Acetone is simple to acquire
  • So why are there still dye-based pens being sold?
  • Are there any drawbacks to pigment-based inks?
I sent an email asking for some additional information from Steve Gradman, and he was kind enough to reply here...
  1. What prompted Sanford (Uni-Ball) to pursue research in "secure" ink? It was through a number of security experts suggesting people singing their checks with a uni-ball 207 some years ago due to the pigmented ink formula that was impervious to chemical washing. That was the hallmark of our marketing on the 207 franchise which is now our number one seller. Since then we have been working to expand that formula to nearly the entire product line so people could simply think of any uni-ball with uni-super-ink as their first line of defense in protecting their assets.
  2. Can you share any market research or metrics on the incidents of "document washing" fraud with me? Check fraud about a $850 million dollar problem, criminal check washing of personal account is about a $70MM problem (according to the American Bankers Association). We still write $39Billion checks a year according to Frank Abagnale, and while that number is declining the value of each check is actually increasing.
  3. Would you say that dye-based inks are antiquated and should be replaced globally? There is still a lot of applications that benefit from dye based ink like fashion colors, fluorescent, sparkles etc, signing documents isn’t one of them.
  4. Why wouldn't Sanford (or any instrument company) convert all pens to pigmented ink? Are there draw-backs to this ink technology? There are no drawbacks but there is a lack of flexibility and color creation is much more difficult than with a dye based ink. However, a uni-ball “uni-super-ink” pigment ink is more vibrant and is fade and water resistant as well as considered archival quality vs. dye inks.
Wow - great information. If anyone has any additional information that would make sense adding to this post - please let me know and I will happily add it.


Monday, December 22, 2008

UniBall - Pen Companies vs Theft Protection

Merry Christmas everyone!

I'm sitting here on my first day of vacation, away from work but always vigilant on matters of security and identity theft... interesting where these topics creep up. As I was watching the Giants vs. Panthers last night I caught a commercial for Uni-Ball 207 pen. It caugt my attention because the actor peddling the pen was S. Epatha Merkerson (of Law & Order Fame...I think) and the topic was of course identity theft... interesting.

Interestingly enough I had to do some research into why this pen warranted my $3 (per unit), and here's what I found. This site [,9,1] has some details, and even an endorsement by Catch Me If You Can professional check fraud expert Frank Abagnale. Still, I always thought a pen was a pen, but this site will tell me otherwise.

From their fact sheet:

Helps Prevent Check Fraud:
Uni-ball 207 gel pens use specially formulated inks that contain color pigments, which are absorbed in to a check’s paper fibers. When an individual tries to “wash” the information written on the check, the ink is in effect “trapped” making the act of check fraud more difficult.

So, not all pens are created equal? I guess I wasn't aware that physical check fraud or other physical identity theft was that prevalent... sounds like something I'm going to have to do some more research into. Maybe the folks at Sanford (here in Oak Brook, IL) can shed some additional light on the subject?

Saturday, December 20, 2008

"Incidents buried in back-page press"

Article From [ ]

Published: December 20, 2008

Regional Briefs: UNCSA tells its students to monitor credit

Officials at the UNC School of the Arts say they are notifying current and former students that their names and Social Security numbers "may have been accidentally exposed" in a security breach involving a university computer server.

The server in question went online in July 2003. The security breach occurred in May of 2006 and affected about 2,700 students who were enrolled between 2003 and 2006.

Each of these students is being notified. The group includes summer-session students and 256 of the 1,162 students currently enrolled at the school.

"We have no reason to believe that the personal information was stolen, used inappropriately or even accessed," Lisa Smith, the chief information officer at UNCSA, said in a statement. "However, we are notifying the affected parties so that they might take steps to monitor their credit to ensure their identities have not been stolen."

School officials say they became aware of the breach last week. They say they are still trying to determine its cause.

The N.C. Attorney General's Office has been notified.

School officials say they are conducting tests to ensure the future safety of personal data.

Perhaps I just don't get it; and maybe I'm reading far too deep into this alleged "incident"... but if I'm a student at this school I'm furious. There are 2 highlights here that should get you thinking about how seriously loss of personal information is being taken.

Without getting on my soap-box, I'd simply like to comment that if the incident took place in May 2006, and the officials were notified last week - something is desperately wrong here. That's 2 and a half years that has passed since the breach and they're finding out about it now? Even in the most absolutely inefficiently idiotic of administrations this isn't possible. Something smells like rotting fish here.

Thwarted by YoVille

Yoville sucks... but more on that in a second.

Well, I officially started my "mandatory" 2-weeks vacation courtesy of HP today and I figured I'd start it off by converting my wife's malware-ridden WindowsXP laptop to something less security-issue-prone. Naturally I picked Ubuntu (8.10) since that's what my workstation at home (formerly Vista Ultimate) runs.....

Everything was going so well. I'd managed to convince her that this OS would be faster (which it was, booted in 30 seconds versus a minute and 30 seconds); and this OS would be more stable, more flexible, more "cool" and definitely (and most importantly, to me anyway) more secure.

Everything was rocking until she hopped on Facebook, and then went to meet some of her virtual friends on Yoville!... and that's where things went sideways.

Apparently, all the security and extensibility in the world was no match for a broken Flash 10 plug-in. Apparently, Flash 10 doesn't work so well in Ubuntu 8.10; and it breaks Yoville.

Dammit. I was so close... so close.

This undoubtedly proves my point - security without the usability of "cool" is never going to catch on.

Thursday, December 18, 2008

Breach Leads to Better Security


Call me a skeptic, but when a company that's just experienced a major data breach says "we're fixing the problem", I'm a little leery. Honestly, when Innisbrook says that as a result of a recent data breach...

"Since the incident, Innisbrook has replaced the affected servers, installed better security software and stopped storing people's credit card information entirely..."
I may believe a lot of stupid things, but I wasn't born yesterday. I wonder how much this little "incident" has cost them in lost revenue, eDiscovery, notification and other costs as result of the data breach? I think it's rather interesting that places like this start to think about security after the fact... when it's already too late.


Wednesday, December 17, 2008

Failed - The 5 Reasons Why...

Failed: Information Security and Data Protection in a Consumer Digital World by Rafal Los on 15/12/08

Hello everyone, just thought I'd take a minute to say that my paper was accepted and published on on 12/15/2008. Direct link included above for your reading pleasure

I published this myself a while back but it's nice to see it formalized and available permanently now - I continue to welcome your comments and thoughts on the paper or the topic.


Tuesday, December 16, 2008

You're [In]Secure Online

Thinking of going shopping online this holiday season? Think again.

Between the scammers, spammers, and security gaffes out there it's just not the type of environment you want to enter your credit card into. What's worse, your browser may be out to get you too! With all that risk... let's look at the real problems with transacting online this holiday season, or any other time...Link
  1. Obviously credit card companies (even the PCI certified ones) just suck at security (see this blog entry for a start:
  2. This isn't the first article to say online shopping is going to be like running blind through a mine-field (see here:
  3. Your browser (if it's IE) is going to get you hacked and you won't even know it! (see here: or google it)Link
  4. LinkBanks certainly don't seem to care all too much about security, as they have huge flaws themselves that'll allow their users to be phished or scammed (see here: or google for yourself)
So with that... why would you want to take your shopping or browsing online? Go to the stores, hit the mall, tell online retailers and your credit card companies that you refuse to be the victim in their pathetic attempt to evade having to implement good security. Take a stand!

OK, that may be a bit over-the-top, I know... but it gets my point across. Here are some simple tips for keeping yourself relatively safe online this season... (or when-ever)
  • Never, ever, ever follow a link you get in an email - if you get an email from your bank telling you to "click here to continue/login to your account" DON'T. Go to your bank's website or call their 800 number and report the incident!
  • User one-time credit card numbers - your credit card company, if they're of any value, will have this available somewhere on their website. Generating a one-time credit card number means that you're safe even if someone steals the entire database of card numbers from the PCI Certified merchant you're buying online from...
  • Never use your debit card online - ... because unlike with a credit card, your money is gone instantly ... without the ability to dispute, etc
  • Never use your debit card w/PIN - online or at a store, never, ever use your PIN number at a merchant (even at a brick-and-mortar store) because who knows how good their security is, and again (see point above) once your PIN is lost, you're hosed!
  • Stop using Internet Explorer - while this is just a good rule to follow every-day (because no good can come from using ActiveX) now it's even more critical with the serious flaw Microsoft refuses to patch (and yes, there are exploits out there right now for it)
  • Be aware - Be smart and aware of what's going on. If something doesn't seem right, close the browser (ALT + F4) and don't go back to that page...
  • Update your anti-virus - although anti-virus doesn't help much these days, make sure you're at least updated. If you want advice on the best one out there to use... Kaspersky is what I trust my (Windows) PC to... and I visit some seriously icky sites...
That's it... that's the best advice I can offer, and hopefully you'll pass this along to friends, family, and co-workers. It's vital that we stay vigilant against stupidity, companies that don't care, and foreign threats.

Merry Christmas.

Monday, December 15, 2008

Trust me, I'm your browser...

Ryan Narine over at ZDNet published an interesting article on a new story from Chapin Information Services about the security of password-storage mechanisms in your browser.
Now, I read this and immediately thought... do I even store passwords in my browser? Duh... no! But that led to a much deeper thought - I read down some of the comments people have left and came to the conclusion that most of the people that read that post missed the point entirely. Rather than looking at whether open-source Mozilla is better or closed-source MS IE is better... why aren't we looking at why in the world someone would trust their passwords to a browser. Look, there are dozens of reasons why this is a bad idea before you even start not the least of which is that no matter what the browser there has been at some point an vuln that made the security mechanism completely useless in these browsers. Aside from that the purpose of a browser, boys and girls is what? That's right, it's to render and display web-based content. It's *not* to manage passwords to web sites and applications.

This whole thing has me thinking (which is sort of dangerous around the holidays...) why someone hasn't written a BHO or Mozilla plug-in that masquerades as a "password manager" and simply steals all your passwords (all your passwords are belong to teh hax0r). Oh... no, wait - that's been done.

Sunday, December 14, 2008

CSIS Takes 16 Months to Research Obvious

On December 8th, 2008 the Center for Strategic and International Studies (CSIS) released a report titled "Securing Cyberspace for the 44th Presidency"
"...that recommends that President-elect Obama establish a new National Office for Cyberspace in the Executive Office of the President and appoint a new assistant for cyberspace to run that office."

As I read that on GSN Magazine's online site I couldn't help but think to myself... duh? The report proposes a merging of the existing National Cyber Security Center and the Joint Inter-Agency Cyber Task Force - and work for the National Security Council. The new office would be called the National Office for Cybersecurity (NOC)... This report makes a few interesting points...
  1. I can't believe it takes a group of intelligent people 16 months to make this recommendation
  2. Cyber Security is finally going to be taken seriously at the National Security Council level
  3. It's taken incident after incident for our government to take cyber security seriously
  4. The BSA jumped in immediately after the report was released... and agered (??)
  5. The report recommends the government only buy "secure" products and services - but notes that those standards are yet to be developed...
  6. The NOC (National Office of for Cyberspace) should be working with NIST (National Institute for Standards and Technology) to protect SCADA systems powering America's critical infrastructure
Incredibly, those of us who have been working in information security for years could have probably made these points and similar recommendations with about 5 seconds of thought... not 16 months of research. Again... an excellent waste of time to make an obvious point.

Friday, December 12, 2008

Security Philosophy: What does it all mean?

Hey folks - I know it's basically the weekend and I should be headed out but it's been an insane 2 weeks at the office and I just have to get some stuff out of my brain and onto this blog before it falls out to make room for other crap.

This post isn't so much a rant as it is a philosophical approach to a long career protecting IT assets in the field known as IT Security.

Since 1999 I've been working and learning IT Security. Over the years my thinking has evolved from purely seeing things in black and white to a rainbow of shades of gray. I have a few key points here now for your consideration...
  • Security is shades of gray. Over the years I've learned that I cannot give a real answer to the question: Is this asset secure? The reason I can't say yes ever, is because I'd be lying. You security pragmatists know exactly what I'm talking about. We've consistently failed to make an impact to management because we just can't answer the "am I secure yet?" question. The answer is always no.
  • Security isn't an end-game. We're never going to reach a state within our respective arenas whether that's where you work, or where you consult, where we've "won". The bad guys are always going to keep coming, there will be new holes to fill tomorrow, and new security challenges. Most of us see that as a glass half-full because (a) we'll never be out of a job and (b) we've always got something new to do... but it's tiring knowing you're never going to get there.
  • The business doesn't actually care. I've said it. Poll just about any business leader out there and they'll tell you they're doing many things to secure their customer and themselves from hackers. Dig into that or sit in on a project meeting from the inside... and you quickly realize that's crap. Sure, they're willing to invest heavily in security as long as it's unobtrusive, simple, and free. My colleague Russ McRee over at continually proves that banks, of all verticals, posture themselves as having great security - but in actuality care very very little.
  • It's nearly impossible to measure good security. Isn't that the sad truth? Good security is nearly impossible to measure. How can you tell your upper-management that today you stopped a hacker from stealing a million credit cards from your database? You can't. You can't even say with any reasonable certainty that you've ever done that. We're all selling life insurance folks, hoping the patient doesn't die before we get a chance to cash our paychecks.
This brings me to the main point I've been building up to... and I hope it's almost obvious at this point. I've been asking myself lately... what is it that I've accomplished? Have I made the world a safer place by tirelessly fighting the corporate machine to be more security-minded? Have I moved that needle at all? I'd like to think that I have, and I'd like to say that between the awareness & evangelization, project work in corp. america, and my personal crusades I've changed at least a few important people's minds to be more security conscious. But how do I measure that? The sales folks at my day job measure their success by the dollar revenue they generate for the company... how do I measure my worth to my employer? How do any of us?

I know what you're thinking, what a way to start a weekend... but it's been building over the past several months and I've got some research coming soon that'll help make me feel a little better. Stay tuned. And don't let your job drive you to drinking :)

SFO Airport - Security Assessment RFP

In case anyone out there is interested, San Francisco Airport has issued a RFP for a full-scale assessment of all of their physical and digital security measures. I think I find it interesting that the expected price tag is around $375,000 over the course of the engagement. That's a lot of money to spend, but absolutely necessary.

I've flown through SFO a time or two, and believe me they're going to find a trove of security vulnerabilities in that airport... assuming they can get through the ridiculous lines and terrible inefficiencies of that place.


Thursday, December 4, 2008

Ronald McDonald Goes Rogue

CyberINSecure is running a story that just made me laugh. Some scammers are preying on stupid McDonald's users...

It's not that the first page is suspect - because it looks like a legitimate survey. It's the 2nd page that has me baffled. What retarded monkey would enter their credit card information like this? I mean, if someone's going to offer you money to take a survey, why in the world would they want your credit card number and information [and PIN]?! Unreal....

Wednesday, December 3, 2008

Santa's GMail Hacked - Is *nothing* sacred?

This screen shot says it all... although I suspect it's a mock-up given the convenient placement of advertisements, emails, and gTalk messages.

Funny nonetheless, and appropriate for the season.

Tuesday, December 2, 2008

Yes - they ARE out to get you

Folks, if you've missed this (or don't read DarkNet regularly) you need to see this. Yes, people *are* out to get you ... well, your browser more specifically. There have been browser exploitation frameworks in the past, true, but this release of Browser Rider is aiming to be the Cadillac of browser exploitation (minus the annoying bongs... Top Gear reference).

Check out Browser Rider - Web Exploitation Framework...

And if you REALLY want to freak yourself out... check out the demo, middle-bottom of the page. Yea... it's bad.

Monday, December 1, 2008

Friends Don't Let Friends Hack... and Do Drugs

... and this is exactly why:

Whiskey Tango Foxtrot?!

I'm not sure who should be redder (more red?) in the face -Luxottica Retail or the "hacker". First off... if you're Luxottica you've got huge problems... and not because someone just stole data although that would appear to be a problem in itself. No, you have problems because they stole if off your mainframe... which should be buried deep within the annals of your company's security onion. Look, one of two situations are true. Either the company has terrible security and allows "outsiders" to ride their virtual rails straight to mainframe equipment (which is deplorable), or they had (gulp) a mainframe attached to a web page somewhere - which should have them brought up on charges... of stupidity for one thing. The situation is unclear on whether this was a web application hack, but if it was - wowza! I've been in several environments where a mainframe is just a screen-scraper-appliance away but those systems have to be rigerously controlled and are generally installed by default to be stupid-resistant. I'm not even going to guess at the exact cause until it's announced (if it ever is, which I doubt) - but this next quote has me on the floor laughing...
"A routine check by the information technology department discovered that a
hacker had been inside a computer mainframe and downloaded the personal
information of more than 59,000 former workers."

Obviously it wasn't routine enough, eh?

As for the "Heroin Hacker"... wow. Brings the phrase "Out in a Blaze of Glory" to new heights huh?