Tuesday, October 27, 2009

CSI: Annual 2009

Hello everyone, day 2 is behind us now at CSI: Annual 2009 and I wanted to post some thoughts, now that I've completed the panel at the Web Security Summit, and my 9:45am talk on "A Risk Focused Approach to Web App Security" (slides coming soon...).

First let me say that I'm disappointed. This goes full circle; allow me to explain.

First, the attendees ... where's the passion? Where's the love for what you're doing? I see attendees slumped over, walking from session to session heads-down on their BlackBerrys ... they walk in, sit down, open the laptop and tune out. Aren't you here because you want to learn something? ... hear something new? Are we, the speakers, failing to impress? (more on this in a moment) So I have to say that the attendees this year are sparse and just have way too many of the glazed-over, glossy-eyed looks about them. Getting this year's attendees to participate in a session is damn near impossible ... and not for lack of trying! (if you know me, or have been to one of my talks, you know I speak the truth) The panel I hosted yesterday, titled "Web Security Summit", had a decent crowd, yet far from what I was hoping for. That aside, almost everyone in there simply sat and stared when we panelists tried to engage our audience! Only the brave (attentive?) raised their hands, few answered questions, even fewer asked questions ... it was painful. We did get, towards the end, onto a few fiery topics like PCI and some privacy issues which really got a few of the attendees fired up and going ... and for that I thank you deeply. Sadly, though, for the 5 or so people who never looked up from your laptops (and are unlikely to be reading this post) ... what were you doing, taking notes I hope?

Next, I want to say thank you to Jen Jabbusch, Josh Abraham, Sharon Besser, and Mike Bailey for being on my panel, and contributing to some very interesting conversations. Even if the crowd was apathetic ... at least I know you guys still love your jobs and feel strongly about the big issues!

Now, let me move on to the speakers. I'm not going to bash anyone or critique, because I'm no world-class speaker either ... but many of the presentations that were given continue to be lackluster, and quite honestly dry. I think we have the information, the content is there ... but we need to figure out a way to be more dynamic, more engaging, and get the attendees to pay attention and give a sh** more! I'm not sure how that can be accomplished quite yet - I'm working on it.

As for the quality of the conference overall, I think Robert, Dina and Sara did a fantastic job as always working with what was available ... we all expected a lower turnout this year given shrinking budgets and corporate belt-tightening. You guys were, as always, great to work with and I hope I was able to contribute to the quality of the conference in a positive way.

Now, for the most important thing ... the side conversations that happen in-between talks, in the hallways and watering holes of the venue. I think what I'll take back with me most of all is the fact that I am continually reminded how little I know by the people around me. I had the pleasure of having lunch today with @mubix, @jabra, and @mckt_ and quite honestly ... that was awesome. We covered a wide range of topics from Metasploit, to web app hacking, to creating some truly evil integrations of long-forgotten tools ... there is some great work coming! I think that the projects and ideas we outlined over lunch are about 6 months of work for ourselves, and will probably be 2 years of work for everyone else... well done guys, well done.

I guess overall, while I'm disappointed at one end, conferences like this still bring brilliant minds together, and at the end of the day I'm just happy to be a part of it and contribute in whatever way I can.

Next up ... AppSec DC!

Edit: I can't hold it in... I don't need to repeat the content of the Twitter stream we launched ... but I'm going to simply say that no one should ever say the word "turnkey" coupled with "security" again. It makes zero sense, so stop it. Also, if you're going to claim to be a subject-matter expert, at least make sure that your information is relevant (say, within the last 18 months?) and that you can articulate what you want to say ... eesh.

Thursday, October 22, 2009

Fox News: Bring Your Toddler To Work Day?

As someone (@bug_bear) aptly pointed out in response to me posting this on Twitter ... "Is it bring your toddler to work day" at Fox News?

Might be that someone at Fox is testing out some new tool ... that auto-publishes to their site and Twitter at the same time? Or maybe ... they were pwn3d?

... personally I'm leaning towards the toddler theory. Either way, I know it's OT and nothing to do with security (or maybe ... naaaa) but I saw it and had to post it!

Hell in a Handbasket ...

I've been reading a ton of articles lately on data breaches, cyber attacks, cyber warfare and other things ... and thought that I should share some of the more interesting articles with you that I've found, in case you've missed these gems...
  • eHealthEurope - "Private medical records offered for sale" - In a lesson in sub-sub-sub-sub-contracting failures, another Indian company fails to secure information it's entrusted with protecting while "on the job". Indian companies are having a surprisingly hard time keeping data privacy and protection a priority ... wait, I can't even say that with a straight face.
  • Reuters - "New study reveals push to electronic medical records puts patient privacy at risk" - Just one disturbing thing jumps out at me when I read this article ... "70% say senior management does not view privacy and data security as a priority" when speaking about electronic medical records. *gasp* Couple that with the $210 per-patient-record cost of a data breach and you can start to account for why a trip to the doctor for a simple check-up costs you and your health insurance company $500... In other news, paper medical records are routinely found insecure when they end up on a trash heap out behind the doctor's office.
  • ZDNet - "GAO Report: NASA at 'high risk' of data breach" - There's a shock. NASA, the people who send humans to outer space, can't figure out data security ... although it's interesting that the GAO keeps rating the agencies it audits so poorly when it can't keep its own house clean.
  • National Post - "Turning power lines into battle lines" - Those crazy Canadians are worried about cyber-warfare on the North American power grid. They're nuts ... or not. If you don't think that what happened during the "great blackout of 2003" could happen again, in a much more controlled way ... you're the one that's nuts.
  • MyPlainView.com - "Bank says online system is secure in wake of hack job" - You've gotta love a bank president who will go on record after a customer is hacked and say this: "Glenn said ASB uses a protection system called "Multi-Factor Authentication Solution" ... Because of this system we are very confident that our bank system was not breached" - Is he serious?
  • InformationWeek/Government - "Cyberwar Readiness Recast as Low Priority" - While I (mostly) agree with the findings of this "think tank report", I think they're dead wrong in their understanding of "cyber warfare". They somehow characterize cyber warfare as "...at best, cyberwarfare operations 'can confuse and frustrate operators of military systems, and then only temporarily'..." and urge that the government instead focus on shoring up critical infrastructure such as our ailing national power grid and other areas. Yes, that course of action is correct, but what they're missing is that a "cyber war" waged on the US will not target strictly military assets ... a half-intelligent attack would break down communications, power and other critical infrastructure first! (more on this topic coming soon, stay tuned)
  • Sky News - "Cyber attack fears as firms cut IT costs" - I think this story sort of wrote itself, but it's still worth the watch/read... the more companies cut their IT budgets, the more they're exposing themselves to attacks via computer networks. Right, we know that. Why don't executives?
  • RevolutionRadio - "DARPA, Microsoft, Lockheed team up to reinvent the Internet" - I cracked up... I can't resist posting this. WHY, oh why, would you (a) go with Microsoft and (b) write an entirely new "MNP - Military Network Protocol" ... I know TCP/IP has its problems but ... seriously, Microsoft? Really?
  • The Chosun Ilbo - "N. Korean hackers infiltrated S. Korean military networks" - In what I would classify as a real cyber-warfare attack, North Korea is being accused of breaking into the South Korean military network and stealing some very serious state secrets... "It looks like 2,000 national secrets have been stolen" ... how do they know the extent of the damage? It looks like the N. Korea vs. S. Korea battle is heating up again as North Korea starts to flex its military might against the rest of the civilized world...

Wednesday, October 21, 2009

Protected Tweets - Oxymoron?

Google has done it again! Somehow, the magical Googlebot has managed to worm its way into protected tweets on Twitter. To be fair, this story was first broken by the L.A. Times ... yea.

You know what I'm talking about, those strange people who choose to "protect" their tweets so only a select few can read them aren't so protected anymore.

Who knows what other design flaw [:cough: security hole :cough:] the Google-bot is exploiting but as Rob Fuller (@mubix) put it on Twitter "hmm sounds like a job for User Agent Switcher" ... indeed.

So let me get this straight ... I, as a regular user with my user-agent (no, I don't use the standards personally), cannot read your protected tweets, but the Google search-index bot can? Really ... is this a design flaw or simply a security hole that Google somehow discovered, accidentally? I'm leaning towards an accidentally-on-purpose design flaw; and now that a formal partnership (for search purposes) between Twitter and Google has been announced - who knows what else we're going to dig up?

OK, so a few questions arise...
  1. Since Microsoft's Bing already has a partnership with Twitter to search tweets, is there another such hole looming there too?
  2. Is this a bug, a feature, or something else?
  3. If I change my user-agent to the Googlebot, can I read protected tweets anonymously?
... I'm not even sure I want to know. I don't bother protecting my Tweets given that this is a social platform for public dissemination of thought ... right?
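Since the question of whether a user-agent switch is enough keeps coming up, here's an added example of my own (not code from Twitter or Google, and not a claim about how Twitter's site is actually built) showing why gating content on the User-Agent header is a design flaw, and what a real crawler check looks like. The strict version follows Google's documented way of verifying Googlebot: reverse-DNS the source IP, require a hostname under googlebot.com or google.com, then forward-resolve that name and require it to map back to the same IP. The IPs, hostnames and DNS table in the block are constructed so it runs offline; nothing here queries live DNS.

```python
# Added example: trusting the User-Agent header versus verifying a crawler.
# Everything below (IPs, hostnames, the fake DNS table) is constructed for
# an offline demo and is not a description of Twitter's or Google's systems.

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def ua_says_googlebot(headers: dict) -> bool:
    """Permissive check: the header is set by the client, so a browser
    extension such as User Agent Switcher (or curl -A) passes this."""
    return "Googlebot" in headers.get("User-Agent", "")


def is_verified_googlebot(ip: str, reverse_lookup, forward_lookup) -> bool:
    """Strict check, following Google's documented crawler verification:
    1. reverse-DNS the source IP,
    2. require the name to be under googlebot.com or google.com,
    3. forward-resolve that name and require it to map back to the IP.
    Step 3 matters because an attacker controls the reverse zone of their
    own address and can point it at any Google-looking name."""
    host = reverse_lookup(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not (host.endswith(".googlebot.com") or host.endswith(".google.com")):
        return False
    return ip in forward_lookup(host)


# Constructed DNS data for the demo (assumption: not live records).
# 203.0.113.7 is an ordinary client, 66.249.66.1 plays a genuine crawler,
# 198.51.100.9 is an attacker whose PTR record lies about being Googlebot.
_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "host7.example.net",
    "198.51.100.9": "crawl-66-249-66-1.googlebot.com",
}
_A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "host7.example.net": {"203.0.113.7"},
}


def demo_reverse(ip: str):
    return _PTR.get(ip)


def demo_forward(host: str) -> set:
    return _A.get(host, set())


def can_read_protected(ip: str, headers: dict, strict: bool = True) -> bool:
    """Gate for a hypothetical crawler-only view of protected content."""
    if strict:
        return is_verified_googlebot(ip, demo_reverse, demo_forward)
    return ua_says_googlebot(headers)


if __name__ == "__main__":
    spoof = {"User-Agent": GOOGLEBOT_UA}
    for ip in ("203.0.113.7", "198.51.100.9", "66.249.66.1"):
        print(ip, "UA-only:", can_read_protected(ip, spoof, strict=False),
              "verified:", can_read_protected(ip, spoof, strict=True))
```

The point of the third case is the one people forget: a spoofed User-Agent plus a forged PTR record gets past the header check and past a reverse-DNS-only check; only the forward confirmation rejects it. Whatever Twitter and Google actually negotiated, an API token or source-address allow-list would be the same idea done properly.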

"The Jihad Job" ... recruiting via email

An article titled "'Jihadi job' email to lawyer" on The Telegraph from Calcutta, India caught my attention... and not just because I think that there is plenty of jihad recruiting going on over email and modern technologies, but because just recently I wrote about the "Google conspiracy".

I've been keeping track of articles and blogs referencing "cyber jihad" and it's interesting that such a topic is now hitting the mainstream media (at least in India). I wonder if the good folks over at the Googleplex could tell us how many emails (just volume-wise) are sent around GMail every day with the term "jihad" ... with a recruiting intention.

Makes me wonder whether Google's already doing that sort of analytics ... or if that's the next step?

What do you think?

What privacy? I use Google ...

When news got out the other day that Google had indexed Google Voice transcribed voicemails, some people were shocked, some angered ... I just figured it was par for the course as far as Google is concerned. I think the lovable bear has now become the over-grown monster.

You're not concerned, right? Is it time to get the tin-foil hat out?

First, let's see how Google interacts with us in our daily lives ...
  • Google Analytics (website cookie-based tracking)
  • Google AdWords (advertising)
  • Google GMail (email)
  • Google Voice (voicemail)
  • Google Maps (local, national, global maps)
  • Google Docs (documents stored in the "Google Cloud")
  • ... and this list goes on, and on, and on, and on ...
So you see folks... this should start to concern you, deeply concern you. Google likely knows more about you than your parents, your spouse, or even your employer - which brings up an interesting point...

What's stopping Google from launching the next great Google service - "Google Complete Profile" ... that's right Google can combine all the information it has on you from many, many disparate (and hopefully segregated) databases and offer anyone a complete profile on you -for a price.

Think I'm crazy? Google can index where you like to eat, what you search, what sites you visit, what you buy, where you go to, who calls you and what calls you make, what documents you write and what emails you get. Combining that into a complete personal profile is an absolutely terrifying idea.

Sure, it's no big deal that the largest data-mining organization on the planet has every piece of information about me that's crossed the Internet ... or is it?

Put the pieces together! Some of you get fired up about the government's Patriot Act and spying on US citizens ... but what about Google spying on YOU?! I'm not saying that I know of any specific projects within Google to conspire with, say, the US Government (or any other governments for that matter) but let's pretend we believe in conspiracy theories for a moment. Let's pretend that Google is feeding all the information that it has about all of the users it has through a monstrous analytics engine and then red-flagging suspicious activity which is then forwarded to the proper authorities.

Did you search for "pipe bomb", then map out directions to the local Radio Shack or hardware store? Did someone send you an email with schematics and/or reference revolutionary ideals? Did you get a voicemail or place a call to someone that's already "on the list"? Was there an email thread or newsgroup you participate in that would red-flag you in conjunction with the other things already mentioned?

So, call me crazy, call me a conspiracy nut ... but I'm going to keep wearing my tin-foil hat and limit what information I give to Google voluntarily ... but I suspect that it will be a futile effort, given their depth of penetration into our daily lives.

What do you think?

Wednesday, October 14, 2009

Infosec is Rotten

You know what I just noticed? We are a really, really nasty group of people. InfoSec has gone from being an unruly pirate mob where everyone's just happy to be hacking away at something and welcoming new faces, to just being plain nasty. Exclusion of anyone who doesn't think like us, nastiness to anyone who will admit to being "new" and other sorts of anti-social behavior are going to ruin this industry, if it's not too late already. I've been reading blogs, mailing lists, and such for as long as some of them have been around and I have seen the de-evolution, and it's gotten to a point where I can't take it anymore.

Jump on a mailing list, read a blog comment roll, or Twitter and you're bound to find people just flat out being nasty ... I just can't take it anymore. Looking at the ugliness that's visible from space, here's just some of the things that I've observed and learned (in no particular order) ...
  • If you're new, and you dare state that in a post/comment you will be flamed by the "super-senior-jackass-know-it-all" ... guaranteed. Never admit you're "new to security"...
  • Pursuant to above... Apparently newcomers are not welcome in security anymore
  • There are cliques, just like on the playground in grade school, made up of people who are too stupid to think for themselves and feel like they need to attack others who aren't like them ... I think we call those gangs in real life.
  • There are experts who teach and "experts" who would rather hoard the information and call you stupid ... learn to see that distinction
  • Most mailing lists are at very least civil, Full-Disclosure is not one of them
  • There are certain people who just need to change their name because they've managed to piss off everyone in the industry, ahem
  • A few particularly big smart-asses like to hijack your blog post by starting a war in the comments section. Those are called comment-trolls and should be moderated out.
  • There are actually people for whom the Mac vs. PC vs. Linux war never died ... they're like religious fanatics only worse because you can't just slam the door in their face
  • No one with a legitimate column in a "real publication" has any idea what they're talking about because they're too busy trying to be politically correct or pandering to the company paying them to blog/write ... so sad
  • It's safe to assume that most industry analysts working for large companies of that nature are bought and paid for to speak a certain opinion ... let's just let it go
So there you go. We're a nasty group but let's not paint it all black ... there are plenty amongst us who are willing to teach, take in new recruits and would love to sit down and talk with just about anyone. I shouldn't paint the whole industry this way ... but if you're just looking around it's easy to find this infighting and the problem is that it kills the types of things that would ordinarily flourish like exchanges of ideas, new thinking and creativity.

Let me say also that if you've got an idea and someone wants to tell you that your approach is wrong, listen to them. Maybe they're right, maybe not - but in the end if you have two opposing viewpoints you can only become more intelligent by understanding both of them!

Anyway ... I just couldn't let it go anymore so ... let 'em fly.

Quick clarification: For the one on people with a legitimate column in a "real publication" ... think about all those "columnists" who wrote about how the Sidekick issue was a great example of "cloud failure". Forget that it has as much to do with "Cloud" as Darwin did with the Enlightenment - it was a matter of journalists writing blindly to try and attract people who then read their crap, and highly broken group-think emerges. If you're a journalist you have a responsibility to triple-check your facts, make damn sure you know what you're talking about and for Heaven's sake ... when in doubt ask Hoff (on Cloud stuff) ... Anyway - that's what I was pointing out specifically.

Monday, October 12, 2009

Reporting a Phishing Email

So this afternoon I open up my mailbox and oh, look ... "HSBC Bank" has sent me an email. Given that I don't have an account there, and my email client is already telling me this is phishing (well, duh?), I decided that I would give it a read just for the comedic aspect of it.

Honestly, I expected something sophisticated, well-disguised, maybe even official-looking. I was sorely disappointed:
NY 10018. USA

Ref No: HSBC/30A/IPF-09Z


We at this bank wish to congratulate and inform you that after thorough review of your unpaid funds in conjunction with the World Bank Auditors report, your payment file was forwarded to our bank for the immediate transfer of a first installment amount of US$5,000,000.00 to your bank account.

The Auditors reports shows that you have been going through hard times by paying a lot of money to see to the release of your funds, which has been delayed by some dubious officials that dealt with you in the past.

We therefore advice that you stop further communication with any other group, individuals or institutions, since you do not have to pay any money or transfer fee to receive your funds as you have met up with the whole funds transfer requirements.

Should you follow our banks directives, the first installment amount of US$5,000,000.00 will be credited and reflect in your bank account within 3 to 4 bank working days.

For further information on this funds transfer notice, kindly send to me the following:

(1) Your Full Name:
(2) Phone, Fax and Mobile Number:
(3) Company Name, Home Address:
(4) Profession, Age and Marital status:

Yours sincerely,
Mr. Williams Baron
HSBC Bank Plc, USA

The information contained in this e-mail, any attached files, and response threads are confidential and may be legally privileged. It is intended solely for the use of individual(s) or entity to which it is addressed and others authorized to receive it. If you are not the intended recipient, kindly notify the sender HSBC BANK by return mail and delete this message and any attachment(s) immediately.
What disappointed me more, though, beyond the sheer stupidity of the phisher, is how hard it was to report this to HSBC Bank and let them know about it. Why is it difficult to be a good, responsible human these days?!

I thought I'd approach this as a regular person might and not use my mad Google skills ... but rather hit HSBC's homepage first. There's really no link/button that pops out at me (the user) that says "Click here for information on security/privacy". Thinking I might just have to dig into a specific region, I clicked the link for North America ... unfortunately, not much changed.

What I did notice after looking around the page is at the very, very bottom of the page, in light gray-on-white font there is a "Security" link. Are people really expected to see this link?! Why is something so important as security buried so far down in the page, and in a color that's so low-contrast that it took me a second look to find it? Now, I don't want to question the good bank's motives here - but do they really want people finding this link and reporting security issues?

Anyway, clicking the link brings you to a page that asks you to either sign in or sign up for personal/business banking... so it looks like all hope is lost if you're a non-customer trying to be a good Samaritan and report a problem to them, right? Luckily the menu bar along the left has a nice selection of security topics to choose from, so when I clicked the Fraud link I finally found something that looked like I was headed in the right direction (here). Sadly, even though "Phishing Scams" was a big item in their FAQ, and the document gave some really insightful information about how to keep from being a victim of phishing ... I was still baffled as to how to actually report a phishing email I had received. Does HSBC care or even want to know? - I started to ask myself.

Just then my eyes glanced across the page and found a phone number in bold letters ...

Of course I immediately called the phone number! ... and was promptly disappointed to find that I had to poke around the system, as this was their main call-center number and the only trace of reporting phishing was a message about "support for internet banking or pin reset". Going into that menu left me completely befuddled, as I found myself being asked for my account number (or SSN, yikes?) multiple times by the system in order to continue, and I almost gave up. Just when I was giving up, I kept pressing numbers in that last menu until I got a voice! The person on the phone was kind enough to direct me to an email address I should simply forward the phishing email to: usphishing@us.hsbc.com.

While I had now sent off the phishing email I had received, along with my contact information, I still felt unfulfilled. I was curious how this wasn't posted anywhere visible. Curiously ... it was, given a little Google-fu. This page [http://www.hsbcusa.com/hsbcusa/abouthsbc/contacthsbc.html] actually has a link that clearly asks you to report Phishing and Spoofing scams to that email address - but why couldn't I find it?

Turns out, there are 2 separate things at work here. First off, in my desperate need to find someone in security to send this to, I completely neglected to look at the "Contact Us" page ... where the phishing email link lives. Second, HSBC's site is laid out a little bit strangely, and I would suggest that the "Report Phishing" section also be moved under a more "prominent" security heading.

One thing still bugs me ... how much does a major world bank really care about security if they've got the link to it buried down in the page, in an impossible-to-see contrast and font size?

Don't get me wrong, I'm not slamming or singling out HSBC here - just about every bank is like this ... I invite responses, rebuttals or commentary, as always.

... still feel good about on-line banking?

Thursday, October 8, 2009

Twitter Advice - "Yea, That Hottie's a Bot"

Strange thing, this Twitter... While I'm certainly not out there posting updates to see myself type, I find that there are dangers to having followers – more specifically, the dangers of having unchecked followers. Allow me to explain this problem that you too likely have, if you're a Twit (new slang for Twitter user).

There are essentially 3 reasons that bots [or rather their owners, the “Bot Masters”] will choose to follow legitimate human Twits. I'll go over them in more detail but essentially these reasons are reputation, infection/SPAM, and bot C&C. There may actually be other reasons as well, but these are the top 3 reasons that I personally review every follower I get – and while that may be time-consuming you'll soon see the dangers to both you and your legitimate tweeple (Twitter followers … I didn't make it up) of having un-checked followers.

First, the reputation angle. New SPAM bots or SPAM accounts are hitting Twitter at a head-spinning rate. Since Twitter doesn't really require any sort of human-verify mechanism to register (unlike most other free web services), there is nothing to really stop entire armies of Twit-bots from invading the social networking service. Every once in a while, the magic Twitter SPAM-bot gnomes go through and remove droves of accounts that are found to be SPAM'ing the Twitter-verse (are you loving all these new words as much as I am?). To keep from being caught, bots (more correctly, the bot-masters) have started to employ some semi-advanced measures to make sure they aren't detected. First off, the reason why Julie Smith (hint: that smokin' hot blonde in the avatar isn't real) is now following you is that the bot-master is hoping that by being associated with legitimate Twitter users of good reputation they will be less likely to be caught. Second, you'll notice that bots often tweet (post, in Twitter-speak) random, seemingly senseless things to keep from being detected as a "stale account" (those accounts that have joined, followed a million people, but never posted anything themselves). Moreover, bots will now re-tweet (re-post something someone else has "tweeted") to make themselves blend in more with the normal Twitter user-base. Think about it … it would be simple to detect accounts which simply tweet nonsense (or repeated SPAM tweets) and have zero followers and zero "friends" (people they are following). With a combination of following reputable Tweeple, re-tweeting the posts of reputable users, and tweeting random things – Twitter SPAM-bots are much less likely to be detected, either by a program or even by a human user.

The next major reason that Twitter-bots will follow legitimate humans is to SPAM you or trick you into clicking on something. While this may not be a revelation to you, and it shouldn't be, these bots are here to make you click links. These links will result in one of two things … you getting a page advertising herbal Viagra substitutes, genitalia enlargement pills, or penny stocks OR you getting a page (or series of pages) which will result in some sort of infection on your machine. The not-so-hidden motivation behind getting you to click links is … ta-da … money. Criminals are doing everything they possibly can to get you to click, buy and view their pages so that they get paid. Simple as that boys and girls. Services like TinyURL and other URL-shortening services don't make this any harder – but then again, that's not necessarily their fault or something they should do anything about. This is all simply a culmination of free, convenient services which criminals are taking advantage of to get you to part with your hard-earned money. Whether you get a message via direct-tweet (if you've been lured into following a SPAM-bot) or via an “@reply” which is a public reply (bonus points for possibly luring others too) or by a well-placed obscured link in the bot's profile … make no mistake the aim is to get your click, and your money.

The last notable reason that bots follow you (and often hope you'll follow them back) is for botnet command and control (C&C). Even though proof-of-concept posts have appeared over the past several months on the web, many folks still aren't aware that entire botnets operate via Twitter as both an infection vector and a command and control means. This makes Twitter twice as dangerous for those people in this position. If you're lured into clicking a link and get infected with something (which there is a very low probability of you realizing), the malware on your computer is fairly likely to then be controlled via a similar vector. A simple "the sky is blue today" tweet may seem innocuous to you, and you may even entirely ignore it in your read stream, but it could translate to a command for the bot which has infested your machine to then perform some action. Very underhanded stuff – but believe me when I say it's out there. If you haven't yet read up on the Twitter bots and some of the advanced C&C mechanisms using natural language … you should make yourself aware of these dangers. Being careful who follows you (and subsequently whom you follow) goes a long way to protect your safety on the Internet.

Since I'm one of those people who think that caution without advised recourse is fairly useless I will next talk about some of the things you can do to protect yourself, and some basic recommendations for being safe(er) on Twitter. Perhaps this advice could even apply beyond Twitter to other social media … I know it certainly loosely applies to FaceBook and the like.
Here are some recommendations on how to keep yourself safe(er) on Twitter and other social media platforms...
  • Never auto-follow (or auto-add a “friend”) blindly – this is a dangerous practice that could lead to getting yourself compromised. You wouldn't just trust someone blindly without at least investigating them a little bit in real life … right? So why take that chance in the digital realm?
  • Turn on follow alerts – Keeping up with who's following or adding you as a friend is very important... it will let you know that you have a potential new friend, follower or stalker!
  • Be careful not to stupid-click – It's been drilled into end-users' brains for years now and most people are smart enough to know not to just click on anything they see (especially when a total stranger says so), but it's worth repeating. Please … don't be a sheep and simply click-click-click away your personal safety and security on-line. Think before you click.
  • Sorry, she's probably a bot – Successful malware distributors and black-hat SEO magicians have figured out how to get guys to lose their brains and do stupid things – hot women. Sadly, the statistic is staggering against better judgment … if it didn't work they wouldn't keep doing it! Why do you think you get those follow + tweets from what appears to be a gorgeous young woman asking you to "check out her pictures"? If you're stupid enough to fall for those, and yes, there are many that still do, there may be no hope for you. Remember, the same principle works on both sexes and there are entire armies of Twitter-bots that will look at your profile, figure out whether you're male or female, and formulate a pre-determined attack strategy accordingly.
There you have it. Reasons why bots will follow you, on Twitter, and what you can do to combat the rising tide of malware and malice on the social networking service.
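Turning the tells above into something you can actually run: the following is an added example of my own (not a Twitter feature, and not anyone's real spam-detection code) that scores a follower record on the signals described in this post: a follow-spree with almost nobody following back, an account that followed hundreds but never tweeted, a timeline that is almost all retweets, the same "check out my pictures" text repeated with a different shortened link each time, a shortener link in the bio, and a brand-new account already mass-following. The follower records are constructed for the demo, and every threshold is an assumption you would tune against your own follower list.

```python
# Added example: score a new follower on the bot tells described above.
# The follower records and thresholds are constructed/assumed for the demo;
# this is not Twitter's own spam detection.
from collections import Counter

# Assumption: shortener domains commonly pushed by spam accounts at the time.
SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd", "ow.ly"}


def _domain(url: str) -> str:
    """Host part of a URL, lower-cased."""
    host = url.split("//", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def _links(text: str) -> list:
    return [w for w in text.split() if w.startswith(("http://", "https://"))]


def score_follower(acct: dict) -> tuple:
    """Return (score, reasons); higher is more bot-like. Thresholds are illustrative."""
    score, reasons = 0, []
    followers, friends, tweets = acct["followers"], acct["friends"], acct["tweets"]

    # Follow-spree: following hundreds while almost nobody follows back.
    if friends >= 500 and friends > 20 * max(followers, 1):
        score += 3
        reasons.append("follow-spree ratio")

    # Stale mass-follower: joined, followed many, never posted anything.
    if not tweets and friends >= 100:
        score += 2
        reasons.append("no tweets, many friends")

    if tweets:
        retweets = [t for t in tweets if t.startswith("RT @")]
        if len(retweets) / len(tweets) >= 0.8:
            score += 2
            reasons.append("almost all retweets")

        # Same text with a different link each time = templated spam.
        templates = Counter(
            " ".join(w for w in t.split() if not w.startswith(("http://", "https://")))
            for t in tweets if t not in retweets
        )
        if templates and templates.most_common(1)[0][1] >= 3:
            score += 3
            reasons.append("templated tweet text")

        linked = [t for t in tweets if _links(t)]
        if len(linked) / len(tweets) > 0.5 and any(
            _domain(u) in SHORTENERS for t in linked for u in _links(t)
        ):
            score += 1
            reasons.append("shortened links in most tweets")

    bio_url = acct.get("bio_url")
    if bio_url and _domain(bio_url) in SHORTENERS:
        score += 2
        reasons.append("shortener link in bio")

    # Brand-new account already on a follow-spree.
    if acct["age_days"] < 14 and friends >= 500:
        score += 1
        reasons.append("new account, mass following")

    return score, reasons


def triage(accounts: list, threshold: int = 4) -> list:
    """Accounts at or above the threshold, most suspicious first."""
    scored = [(a["screen_name"], *score_follower(a)) for a in accounts]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed follower records for the demo (names, counts and tweets are made up).
SAMPLE_FOLLOWERS = [
    {"screen_name": "julie_smith1983", "followers": 12, "friends": 2400, "age_days": 3,
     "bio_url": "http://tinyurl.com/hotpics",
     "tweets": ["RT @someone: nice post",
                "check out my pictures http://tinyurl.com/abc12",
                "check out my pictures http://bit.ly/xyz9",
                "check out my pictures http://is.gd/q1",
                "RT @other: lol"]},
    {"screen_name": "follow_everyone_bot", "followers": 0, "friends": 900, "age_days": 30,
     "bio_url": None, "tweets": []},
    {"screen_name": "retweeter_bot", "followers": 40, "friends": 300, "age_days": 20,
     "bio_url": None,
     "tweets": ["RT @a: x", "RT @b: y", "RT @c: z", "RT @d: w", "the sky is blue today"]},
    {"screen_name": "real_person", "followers": 340, "friends": 280, "age_days": 800,
     "bio_url": "http://example.org",
     "tweets": ["Heading to SecTor, anyone around?",
                "RT @hoff: keynote slides are up",
                "Coffee before the 9:45 talk",
                "New blog post on web app risk http://example.org/post/1"]},
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_FOLLOWERS):
        print(f"{name}: {score} ({', '.join(reasons)})")
```

Note what the scorer cannot do: the "retweeter_bot" record, padded with retweets and one innocuous "the sky is blue today" line, stays under the threshold, which is exactly the blending-in the post describes. Heuristics like these raise the cost for lazy bot-masters; they are not a substitute for checking who's following you by hand.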

Good luck out there, and be smart!

Wednesday, October 7, 2009

Things I Learned at SecTor 2009

Over the years, I've made it a habit to write down a "Things I learned at {conference}" list... since management always asked when I got back from my vacation. Now that I speak at them, it's still a habit I guess to just keep a list of things I learned ... although now I can be humorous about it!

Given that I've just left SecTor, I thought I would write down some of the amusing and educational things I've learned over the past day (since I was only there day 1 ... boo).
  1. The whole cloud conversation has just gotten started. Hoff gave a brilliant keynote (complete with Squirrel) on just how complex this simple idea of "Cloud Computing" is ... and why so many, many people misunderstand it
  2. People from Toronto are passionate about things they love... and even more passionate about things they care nothing at all for
  3. The end-user doesn't stand a snowball's chance in hell of understanding "personal security" in an inter-connected, Internet-enabled world
  4. Malware is evolving faster, and often works better, than legitimate software - this should worry you more than I can even convey in a blog
  5. Brian, Nanna, and the SecTor team treat their speakers better than any conference I've ever been to, or spoken at
  6. "The Four Horsemen" is an acquired taste, but makes for a great party starter
  7. What happens in the name of Hackers for Charities, stays in Toronto ... unless video and photos of Hoff giving Brian a "man-dance" are posted all over Twitter
  8. We are about 2-3 years away from software being able to fully impersonate a human being on the Internet ... whether this leads to Cyber-War is debatable and depends on what you take Cyber War to mean (via @RSnake)
  9. Even your video gaming console, video games and the once sacred nerd retreat of virtual reality aren't safe from hacking (via @PaperGhost)
  10. EAP! Authentication and Authorization of networking nodes is so complex it makes my brain hurt ... that can't be good for those trying to implement it
In the final analysis, I'm sad I was only able to spend a day with old friends, new friends, and people I've only talked to virtually ... but I look forward to the full presentations and follow-up conversations - especially around the crimeware/software underground.

Thanks for having me Toronto, I hope you all enjoyed my talk, learned something ... and I look forward to seeing everyone again!

Monday, October 5, 2009

Musings on US Customs...

I drove from Chicago to Toronto and back this weekend ... and along the way crossed the border at Port Huron/Sarnia twice ... which means that I had a glimpse of both Canadian and US border agents along the way.

I can't say much about the actual security aspect but here are some random thoughts ...

USA --> Canada
  • No line on the border crossing
  • Border agent was very friendly
  • Asked 4 questions, looked at our passports and wished us a good trip

Canada --> USA

  • 45 minute line (4 lines for cars, 2 for trucks ... all filled)
  • Border agent was a total jerk
  • Asked 8 seemingly random questions (even for a security paranoid like myself)

From what I can tell, the long line and hassle at the US border crossing was absolutely mindless. Do I feel safer that the agent asked me how I knew the woman sitting beside me? No. Do I feel safer that the agent was a complete a** when speaking to my wife? No. Did I observe anything that would indicate that there was rhyme or reason for the "security theater" that took place at the border?

... in a word ... No.

Saturday, October 3, 2009

They Don't Stand a Chance

The average web browsing user still has a 60+% chance of surfing with Internet Explorer (IE) ... worse yet, there is a 1 in 4 chance that the same user is using Internet Explorer 6 - that's the reality we live in. Why is this so bad? Internet Explorer 6 is widely known to have more holes than Swiss cheese and came from a simpler time ... back when surfing sites didn't give you diseases.

But I digress ...

The end-user is in serious trouble, ladies and gentlemen. More malicious sites stand up every day than legitimate ones, and even a seasoned [security] veteran often can't tell the difference between a malicious site and a legitimate one without a deep-dive into the code. While malware and site hacks have gone nuclear and are evolving at an incredible rate, the technology with which the average Joe the plumber surfs the web is not even remotely keeping up. This creates a serious problem for those average users, and even for the security-conscious user.

Let's take a best-case scenario, which we can all acknowledge is a rare thing ... maybe somewhere around 1% of all users - the security-conscious end-user. The security-conscious end-user will be careful what sites they visit, notice pop-ups and scare-ware, and may even be surfing with the latest Firefox build with NoScript updated and running. What if even this user profile is still infected with malware? Impossible, you say?

What if a super-popular, commercial website like FoxSports could get infected with something nasty? Worse yet ... what if someone dropped an iframe into FoxSports.com's site to redirect you to somewhere that would be silently and transparently serving up malware? Sure, NoScript would catch that, right? Not if you're trusting a site like FoxSports.com ... and why would you not?
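The injected-iframe case above is exactly what a regular site content scan should catch: a frame that pulls content from a foreign host and is sized or positioned so the visitor never sees it. The following is an added example (not from the original post) that runs such a check over a constructed HTML page; the site hostname, the sample markup, and the hidden-frame heuristics are all assumptions of the example, and a production scanner would use a real HTML parser rather than regular expressions.

```javascript
// Added example: flag iframes that are both off-site and hidden from the user.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Heuristics for "the visitor cannot see this frame": display:none,
// visibility:hidden, pushed far off-screen, or a 0x0 / 1x1 pixel box.
function isHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  const tiny = (v) => v !== undefined && parseInt(v, 10) <= 1;
  return style.includes('display:none') ||
         style.includes('visibility:hidden') ||
         /(?:left|top):-\d{3,}px/.test(style) ||
         /(?:width|height):0*[01](?:px)?(?:;|$)/.test(style) ||
         tiny(attrs.width) || tiny(attrs.height);
}

// Returns every iframe whose src resolves to a host outside siteHost AND
// that is hidden; relative and same-site frames are left alone.
function findSuspiciousIframes(html, siteHost) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    let host;
    try { host = new URL(attrs.src, `https://${siteHost}/`).hostname; } catch { continue; }
    const foreign = host !== siteHost && !host.endsWith('.' + siteHost);
    if (foreign && isHidden(attrs)) findings.push({ src: attrs.src, host });
  }
  return findings;
}

// Constructed sample page: one legitimate relative frame, one visible
// partner frame, and two injected frames (0x0 box, off-screen placement).
const SAMPLE_HTML = `
<html><body><h1>Scores</h1>
<iframe src="/widgets/ticker.html" width="300" height="100"></iframe>
<iframe src="https://ads.partner.test/banner" width="468" height="60"></iframe>
<iframe src="http://203.0.113.5/in.php" style="width:0px; height:0px; border:0;"></iframe>
<iframe SRC='http://evil.invalid/x' style="position:absolute;left:-9999px"></iframe>
</body></html>`;

console.log(findSuspiciousIframes(SAMPLE_HTML, 'www.example.com'));
```

Running it reports the two injected frames (203.0.113.5 and evil.invalid) and nothing else.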

So now we have a worst-case scenario that's playing out every hour of every day. Public, commercial web sites are infected with who-knows-what types of malware and even the best defenses against these attacks fail because they aren't "smart enough" to protect the user.

What we have is a combination of poor web site design, poor browser design, poor end-user education, and security protections that are simply not usable in an every-guy kind of way. What's the typical web browsing user to do? They don't stand a chance!

There is a remedy though, but it involves a chain-reaction of responsibility and security effectiveness...
  • Sites must do better at securing their content ... this won't happen until people publicize their failures and hold the owners accountable. Can you sue a site owner like Fox if your computer gets infected with some malware that cleans out your bank account?
  • Layered defenses must be in place, such as:
      • Regular site security scans (looking for vulnerabilities)
      • Network-based web site attack defenses (if you want to call them WAFs...)
      • Expanded use of malicious site content checkers (like the Google Safe-Browsing API)
  • End-users must be educated more on the dangers of simply surfing to a known, public website and how that can impact them
  • Browsers, OSes, and applications must build auto-update mechanisms into their code that are enabled by default to protect clueless users from their own ignorance
Meanwhile, those folks that are still using IE6 (or other out-of-date) browsers should be redirected to an update page on Microsoft's site ... I think if the owners and operators of some of the more popular Internet sites got together and agreed to disallow anything other than the most current browsers and simply show a warning page with links to download updates ... the world would become a much safer place.

What am I advocating? Cooperation. I am advocating an open project where we design a single "Browser Warning!" type page and get the top sites to start implementing it for whenever someone hits them with an out-of-date browser. This is a huge problem friends ... who's with me?
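One way a site could decide when to show such a "Browser Warning!" page, as an added example that is not part of the original post or any real project: parse the request's User-Agent for Internet Explorer's MSIE and Trident tokens and serve the warning to IE 6 and 7 only. The minimum version, the warning page text, and the request shape are assumptions of the example; since the User-Agent is chosen by the client, this is a nudge toward updating, not a security control, and unknown browsers are deliberately passed through.

```javascript
// Added example: pick out-of-date IE from the User-Agent and serve a warning.
const IE_MIN_VERSION = 8;   // assumption: IE 6 and 7 get the warning page

// IE 8+ sends a Trident/N token (Trident 4 = IE8 ... Trident 7 = IE11) even
// when Compatibility View makes it report "MSIE 7.0", so Trident wins.
function parseUserAgent(ua) {
  const trident = /Trident\/(\d+)\./.exec(ua);
  if (trident) return { browser: 'ie', major: Number(trident[1]) + 4 };
  const msie = /MSIE (\d+)\.(\d+)/.exec(ua);
  if (msie) return { browser: 'ie', major: Number(msie[1]) };
  return { browser: 'other', major: null };   // unknown: never block
}

function shouldServeWarning(ua) {
  const { browser, major } = parseUserAgent(ua);
  return browser === 'ie' && major < IE_MIN_VERSION;
}

// Constructed warning page; the update link is a placeholder the site would
// point at the vendor's own download page.
const WARNING_PAGE = `<html><body>
<h1>Your browser is out of date</h1>
<p>Please <a href="https://UPDATE-LINK-PLACEHOLDER.invalid/">update your browser</a>
before continuing. Out-of-date browsers are a common way for malware to get in.</p>
</body></html>`;

// Minimal request handler: returns a response for the warning case, or null
// so the site's normal handling takes over. no-store keeps proxies from
// caching the warning for users who do not need it.
function handleRequest(req) {
  const ua = (req.headers && req.headers['user-agent']) || '';
  if (!shouldServeWarning(ua)) return null;
  return { status: 200, headers: { 'Cache-Control': 'no-store' }, body: WARNING_PAGE };
}

// Constructed sample User-Agents: IE6, IE8 in Compatibility View, Firefox 3.5.
const SAMPLE_UAS = [
  'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)',
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3',
];
for (const ua of SAMPLE_UAS) {
  console.log(shouldServeWarning(ua) ? 'WARN ' : 'pass ', ua);
}
```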