Friday, December 24, 2010

The Invisible Line Between "Error" and "Data Breach" ...

Just catching up on a quick story that's circulating (if you read the news like I do) on what is being called a data breach ...but is it?

The headline is "Santander Leaks 22,600 Account Details [source:]" - but at what point does the line between accidental disclosure (or an "error") turn into a data breach?

I think the discussion needs to be had, and while Santander is doing the responsible thing here, when it comes to data breach laws in the US, how do we treat this?  Where is the line drawn between "accidental disclosure" which is just that, accidental, and a data breach which is the result of negligence?

It would seem the entire discussion is based on cause, and whether the cause was "an accident in spite of due diligence" or rather "a result of a lack of appropriate measures" ...what concerns me is this text from the article-

The ICO confirmed that it will be investigating the breach.
"We have recently been informed of a data breach involving Santander. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken," said an ICO spokesperson.
"Under the Data Protection Act, organisations that process personal information have an obligation to keep it secure; therefore, it is a matter of concern if information such as account details have been incorrectly provided to the wrong recipient," they added.

So we turn to trying to figure out how to draw a line on intent ...and that's a very difficult thing.

Friday, December 10, 2010

DDoS'ing into Oblivion

I don't know if you've noticed, but Distributed Denial of Service (DDoS) has taken the spotlight on center stage of this 3-ring circus we call the Internet.

If you don't know what a DDoS is, I suggest you go give Wikipedia a quick read, and maybe get WiFi in the cave.

What used to be a nuisance, and let's face it DDoS started out as a nuisance, has turned into an interesting and powerful weapon.  Tools like LOIC, which was released by "Anonymous", and the OWASP tool that does a similar job against web servers using slow header payloads are brutal.  These can cause serious outages and take down web servers and entire sites, or even web farms.

Let's talk impact

  • Full pipe - a DDoS can fill your network pipe with junk traffic and effectively cut you off from the rest of the Internet
  • Overloaded server - a DDoS can actually completely overwhelm a piece of hardware, and cause the machine to die
  • Overloaded software - a DDoS can also overwhelm poorly (actually even not-so-poorly) written software so that it completely stops responding and dies
  • Software zombie - an interesting condition recently uncovered where a server is still completely responsive to other requests, except that legitimate requests for the targeted sites return nothing at all
  • Huge bill - That's right, imagine paying for your Internet pipe by the megabyte... then you get a 100Mbit/sec flood for 12 straight hours ... you could go broke trying to pay that bill!
  • Bad PR - Imagine if you're launching a super-cool online game that some kid gets mad at and takes down your servers ...ouch!

Perfect example, Al-Akhbar's website has been decimated (and is still down) for a while now... interesting use of internet bandwidth.

So DDoS is a very versatile tool - and with literally millions and millions of zombie machines out there - maybe even YOURS - the attacker agents are plentiful.  I wonder what the horizon holds for DDoS attacks ...it could be interesting.

Tuesday, November 23, 2010

The TSA Now Makes Fortune Cookies

This is how you know you're going to get the "blue glover treatment" ...when the cosmos is trying to tell you something.

Oh crap...

Wednesday, November 17, 2010

Worried About Your Children Online? You Should Be...

Fair warning - this will make you sick.

The headline on reads:
"Germany indicts man who hacked webcams to film children"

The reality is that child predators have a much easier time on the Internet than they would in the real world ...and in this virtual world where they can be anyone they want to be the predator can be any age, sex, or personality to convince a child to put stuff onto their computer.  What happens next is an all-too-real sad fact of modern life.

The question then becomes ...what do we do about this?  Besides putting a needle into the arm of this bastard so he never hurts another child again ...what do we do?  Is better control the solution?  Anti-malware protection?

I think that ultimately the ownership of protecting your children is the parent's responsibility...and in the ever-increasingly connected world of the Internet parents need to arm themselves with as much knowledge as their children.  Your 9 year old shouldn't be better at the computer than you are... plain and simple.

While you can't control every minute of every day of your child's life, we can certainly teach them from a young age that security "best practice" like not accepting unknown files from people they don't know or trust, or other things we have been trying to teach our corporate users for years, should be followed or there could be dire consequences.  The notion of "stranger danger" applies to EVERYONE on the Internet... there are no "real people" unless mom or dad says so...unless mom or dad doesn't know better either?

Ultimately, parents, protect your children.  Teach them well, and put in as many safeguards as you can technologically to ensure that these types of predators can't get at them online.  It's just sick that human trash like this is allowed to exist... if I had my way justice for these animals would be swift...preferably with a large caliber to the skull.

Monday, November 15, 2010

Not Another TSA Rant

Hold on to something ...I just had a very intelligent discussion with a manager (I will keep her name anonymous, I'd like her not to lose her job for talking to me) of the TSA shift here at O'Hare airport.

While you catch your breath ... let me reiterate how much I loathe the invasion of privacy and the scales of privacy vs. (actual) security being tipped way askew...

So here's what happened...

I was given the "sir, step over here into this machine" line from a woman who had the demeanor of a rabid coyote, to which I replied "No thanks, I'll opt-out".

After the customary 10 people screamed back and forth "We have an opt-out!" ... they told me to wait in the middle of the screening area, and since I insisted on keeping an eye on my bags (I reminded them of the public announcement playing on infinite loop) they had one of the gentlemen (clearly a very nice guy) take my stuff, put it aside and stand over it while I was frisked.  This was interesting...

The guy giving me the "pat down" told me he was going to use the back of his hand in certain areas but never mentioned the "dirty uncle" treatment (front of hand on your junk) ... so I was left wondering.  He performed what I actually felt was a rather thorough pat-down, checking inside my belt loops, my armpits, and all the other usual places a wacko would try and hide something illegal.

He did not do the "dirty uncle" ... and when he was done, was polite and said "We're done, thanks" and walked away.

I gathered up my stuff and walked off but I did feel compelled to walk over to the shift supervisor and ask her why it was that when I opted out of the strip-search machine I didn't even have to go through the metal detector.  She didn't know, and even told me that "Yes, that is a little weird, but I don't have the authority to question the all-powerful policy."  I sensed sarcasm in her voice... I liked that she was skeptical and a bit of a cynic.

We had a great conversation for a couple of fleeting minutes about the process that they go through here at O'Hare and how they actively avoid doing the dirty uncle pat-down ... and don't actually use the strip-search machine on everyone ...only the equivalent of the "random additional screening" that we used to see - remember that?

Then we talked about National Opt-Out Day (Nov. 24th) and she acknowledged that while it wasn't necessarily something she objected to (whaaaa?) it would muck up air travel and snag long lines and cause delays if enough people did it.  We did come to an agreement that the balance between trying to keep the passengers secure and being totally invasive has gone too far into the invasive zone.  Odd for a TSA Manager - wouldn't you say?  I mean, this woman was intelligent, cynical and even questioned authority!

All in all, a positive experience.  For all the shit we give O'Hare Int'l airport about the countless delays and other crap ... the TSA here isn't too brutally invasive - and we know they could be.

Good luck, share your experiences ...and don't submit to thuggery!

Wednesday, November 3, 2010

The Great Internet Kill Switch

I'm stunned.  Apparently I live in a country of scared lemmings.  Check this out... this piece on the "Internet Kill Switch" by Fierce Government makes me want to cry.

Apparently 61% of the lemmings they called in this poll support the American President having an "Internet Kill Switch" in case we are attacked by a foreign nation.

"A clear majority of Americans would support giving the president authority to shut down portions of the Internet should there be "clear evidence" of a cyber attack by a foreign government, according to the results of a biannual poll of U.S. attitudes toward security."

I want to know who they called because clearly they didn't call anyone I know.  Can you imagine the misunderstanding and paranoia that must be gripping the average user to have answered like that?

Anyone who has the slightest clue about how the Internet operates knows this isn't possible.  The amount of work that would go into an "Internet Kill Switch" is insane - effectively hooking into every single ingress and egress point to/from the United States.  Because the Internet itself was designed to be resilient to attack, and our internet service providers work hard on this principle - it would be impossible to build in a single kill-switch that would "turn off Internet access" to the rest of the world.  Look at China!  They've tried ...and are currently failing at doing this exact thing.  China tried to build a choke-point through which "all Internet traffic in/out of China must pass" ...that's a big, fat FAIL there, Chief.

It's just insane to imagine how much re-engineering would have to be done to patch the "Big Red Button" (the kill switch) into every single possible path a packet could take in or out of this country.

Lunacy.  What the hell is going on out there?!

Tuesday, November 2, 2010

Cyber War - Why It's Idiotic

Let me first say that I'm overwhelmingly annoyed by all the "Cyber War" topic being Tweeted, blogged, and written about in the media.  Please stop.

I had a very intelligent conversation a little while ago with Marcus Ranum at the ISSA Louisville Metro InfoSec Conference where he and I were both speakers - and much to my surprise we were on the same page regarding this whole "Cyber War" stupidity.  War, by its very nature, is destruction.  The goal is to cause damage so that one group (presumably a nation-state) can take over another.  This most often requires bloodshed, large amounts of resources, and most importantly - physical invasion.  This is where the whole "Cyber War" silliness breaks down for anyone that understands anything.

The people I've seen and read spouting off about "Cyber War" and "Cyber Terrorism" and all that related cyber-whatever just don't get the main point.  You can't take over another nation-state by "DDoS'ing" it off the face of the Internet.  Cutting off my Internet, shutting down a power grid, or causing a possibly catastrophic event at the other end of an IP connection simply doesn't constitute a war.  Now, if one nation-state were to openly attack the infrastructure of another, and cause, say, a nuclear meltdown killing millions - that could be an act of war ...but you'd have to make a stretch even to get that accepted.

You can't tell me that if tomorrow morning we woke up and there were billions of IP packets shooting off from Chinese Internet-space at our critical infrastructure components (wait, that's happening already isn't it?) we the United States of America would declare "Cyber War" ...and if you tried to tell me that I'd make a case to have you committed.  In the virtual world, where packets buzz around, there are no bullets.  There are no full-scale invasions.  There isn't a displacement of cultural values by a military presence.

On a slightly different view - if Switzerland hired a bunch of hackers and completely took over the entire US Internet-connected presence - and I mean anything connected to an Ethernet cable - what would that mean?  Would that mean that they then could "declare war on" the US and take over?  I'd love to see them show up on our shores with their laptops and try... even if our defenses were crippled there is a sizable military presence here that would blow them to kingdom come once they were within reach of our shores.  See my point?

So once again - "Cyber War" falls on its face as just a piece of hype that someone started and other clueless lemmings jumped on to make themselves look smart.  Let me clarify for you - if you're talking about Cyber War as our biggest threat right now - you're an IDIOT.

Thursday, October 28, 2010

Go Follow the Wh1t3 Rabbit

Hey readers - if you haven't figured it out yet, I'm not updating this blog as often as I'd like to due to the day-job taking up most of my time.  I still post here but it's not every day like it used to be ...

So if you're looking for content ...go and Follow the Wh1t3 Rabbit on my HP Web Application Security blog:

Following the Wh1t3 Rabbit -

Thanks for reading ...keep it here, I'll keep posting!

Saturday, October 23, 2010

"Not Valid Until Signed"

I feel the need to blog this because it has everything to do with the state of security these days...

I went to my local post office the other day, and along with the normally grumpy man at the window in this one-room shanty I got a little extra attitude.  Like many of you reading this, I never sign the backs of my credit cards as a rule.  I know it's really not buying me all that much in terms of security or fraud protection - but I figure if I lose my card I really don't want the jackass who tries to use it to also have my signature to copy later.

That being said, I bought a small book of stamps because there are still companies that require you to mail things in the post and went up to the window to pay with my credit card.  The man at the window takes my card, swipes it, and then looks at the back of the card where instead of a signature it says "Require Photo ID" ... then hands the card back to me and says "Sign this or I can't take it".

I looked back at him curiously for a moment, then said in a polite tone "no".  His answer to me was to hand me back the card and ask for a different form of payment.  When I asked why - he told me it's because the "law requires me to sign my credit card ...see, it says so right there".  Actually, he's wrong, there is no such law that I know of, and I've used that card a million times without ever being told to sign it.

So I took the card back, paid cash and left ... but now I have this burning question in my brain - can a merchant really refuse my card because it's not signed?

The answer, according to my Bank of America rep ... is absolutely NO.  For the record, as far as I can tell, you are NOT required to sign the back of that card, and there is nothing that legally says you must ...

Of course, my local mailperson was just following the rules ...or trying to be the grumpy bastard he normally is ... or just doesn't know better.  I don't know which of those (or all?) are true but the bottom line is I'm not going to sign my card, and you shouldn't either.

Thursday, October 14, 2010

Paranoia: Everything is broken, revert to text

I had to blog this, since I saw a post come across Twitter earlier from a friend of mine commenting on how some PR people are sending around press releases on PDFs to him.


Oh, that's right ... PDFs are now considered tainted or potentially malicious attachments.  So that means that you shouldn't ever open a PDF again?  Or you COULD just run it through one of these online PDF conversion services, such as this one ( ...right?

But my point is a little deeper.  Has the pendulum gone so far to the highly complex technologies side that we're now seeing a backlash against things like PDFs?  Are PDFs now inherently untrusted attachments?  If so ... do we revert back to text-only email?

Where does this end?  What do you consider malicious attachments or technologies ...such that you'll avoid their use altogether?

Monday, September 20, 2010

Data Breaches - Who Really Loses

It's unfortunate that when a data breach happens the real losers are those who have no stake in the matter whatsoever.  In fact, the real losers in a case like that of the Lucile Salter Packard Children's Hospital at Stanford University are likely patients who have had nothing to do with this data breach.

When information is lost, the first thought often is to fine, fine, and fine again these institutions we find to be negligent in either securing their patient's data, or reporting the breaches.  The problem comes in when the fines actually start hitting, and you come to realize who's really paying them.  I'm all for levying large fines against institutions who neglectfully lose my patient health records, but is it really in my interest to fine the institution large sums when the costs will most likely simply be passed along back to me as the patient?

Think about it.  Really think about who's paying the costs for the fines being levied against hospitals, doctors and other practices when patient data walks out the door with a computer like in this case.  This $250,000.00 fine isn't coming out of the hospital administrator's salary.  It's probably not coming out of the pool of money that gets paid to the hospital's top administrative team as a yearly performance bonus.  Nope, it likely gets absorbed as an operating cost, and passed on either through higher rates or some other crap to the patients that end up there looking for care.

Let's forget the Lucile Packard Hospital case and take any particular medical establishment that has data breach issues.  Ask yourself who makes the decisions to skimp on security and then who gets to face the media when it comes to being the scapegoat.  It's interesting that I've never seen a clause that comes with these types of fines that says something to the effect of "fine must be paid out of hospital administrator's salary" or something like that.  Of course, it'll never happen with the amount of money the medical industry spends lobbying our dear members of the government...

By the way, let's go back to this Children's Hospital for a second.  If you read the article I reference you could almost be convinced the hospital did everything right, including launch its own investigation and determine that the patient information was in no way compromised, etc, etc, etc ...(wait ...what?).  The incident centers around an employee who used a computer which had access to patient information (so the data access is computer-based, not user-based ...interesting access model, wouldn't you say?), and was allowed to walk off premises with the computer (how does something like this happen, in real life?)... and they're surprised that the computer was not recoverable?!

There are two stellar quotes in this article I referenced... one from Susan Flanaga, RN, COO, which reads
"The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today."
I chuckled when I read that.  These supposed advanced safeguards couldn't prevent a person who shouldn't walk out with a computer from taking it home with them?  The other awesome quote is this one:
"Even though the investigation revealed that no patients were harmed and apparently no patient information was compromised..."
Wait, how did he [Ed Kopetsky, the CIO] determine that?  Since they could not recover the computer, how exactly did they know that none of the information was compromised?  Isn't that the whole point?

I'm sure they could have been using full-disk encryption, combined with software that prevented the machine from booting off-site, combined with an automatic-self-destruction program ... but then the story would have been much less exciting and the fine probably wouldn't have happened.  Right?

Oh well, I guess the costs get passed onto the patients, they throw on another "agent" to every one of the machines or have every employee sign yet another affidavit saying they won't steal data and life goes on...

Sunday, September 12, 2010

100 Years of Credit Monitoring

[steps on soapbox]

I don't know if you've noticed, and you probably have, but there have been a lot of data breaches lately.  Every single silly one of them works just like this:

  1. Company is negligent* with customers' data
  2. Company gets breached
  3. Company tries to sweep the incident under the rug
  4. Company gets caught/noticed/outed
  5. Company sends "Sorry" letters and 1 year's worth of credit monitoring to customers

Now, if you have gotten one of these "We're [not really] sorry" letters you probably have found comfort in the fact that the company who just lost your data to an attacker who will use it against you is going to pay for credit monitoring for you.

Probably not though, since you already have gotten 4-5 other letters like this in the past year or so and you've already got all the credit monitoring you can possibly need, want or even stand.  See, there is a key here that is lost on most people who happily accept this resolution and move on.  The attacker who just took your data will use it for their own financial gain.  Period. End of story.  Full stop.  These bad people don't raid databases and mass-compromise millions of machines because it's fun (although admittedly it can be- not that I would know) but because your pain is their gain.  I hope that's crystal clear.

So this leads me to the next question my mind logically jumps to ...what if you sustain monetary or personal damages from one of these many data breaches.  Obviously it's next to impossible (usually) to prove which one of the many, many breaches your data was a part of but even if you do ...what then?

Well, there are a few options you have:

  1. Hope you've bought identity theft insurance and you can get your life on track
  2. Hope your bank gives back all the money that was stolen (unless you're a business this is actually still fairly likely)
  3. Cry
  4. Sue someone
  5. Be like 99% of the victims and do nothing...

So then.  We've got a bit of a problem.  Namely - you the consumer are screwed.

Here are several sad facts we're facing in the immediate future (if you've not already experienced these):

  1. You will get several "We're [not really] sorry" letters from organizations who have your private data; many of which you shouldn't have given it to
  2. You will have your identity compromised, and receive bills or collections notices for items you never actually purchased (well "you" did, but you know what I mean)
  3. These same organizations will not improve their overall security, many of whom see data breaches as a calculated financial risk and are willing to just deal with them
  4. The same organizations will continue to be industry-regulation compliant (*cough* PCI DSS *cough*) and hide behind that when you try and legislate against them

So then... you have 100 concurrent years of credit monitoring, no one to pay for the actual damages poor security of your data causes you - leaving you stuck with the bill (this is the criminal's money now), and nothing changes.

I really wish someone would legislate a bill that would make the victim (interesting word to call the organization which just made you the victim) of a data breach financially and legally responsible for how that affects each and every single person in their compromised pool.  Of course there are the difficulties proving that your difficulties came from any specific breach, etc, etc, etc - but at least this type of action would start to put the fear of God into these irresponsible organizations...and then I woke up, right?

[steps off soapbox]

Friday, September 3, 2010

Ambition Over Intelligence - Twitter, OAuth, and Wrong

If you're using Twitter, and most of you are, you've probably had your client break in the last day or few?  If you haven't it's because your client is either written by the folks over at Twitter themselves, or you've updated your client very very recently.

If you do a web search for "hacked twitter account" you'll get thousands upon thousands of entries.  Most of them are from celebrities crying that their Twitter account was hacked when in fact someone guessed or deduced their lame password and used it to post even more insane things (or less insane?) than the celebrity would post themselves.  At any rate ... all this craziness about hacked accounts has no doubt prompted Twitter to do something to increase security.

Unfortunately, as with many things so far in its short life, Twitter got it wrong.

The Ars Technica piece here [Titled: "Compromising Twitter's OAuth Security System"] probably says it much better than I can - so I urge you to go read this brilliant piece of technical writing.  Ryan does a masterful job breaking down the issues with OAuth, the problems Twitter has with their specific implementation, and some of the reason why hacking Twitter "consumer keys" will be a hobby for bored school-kids for the foreseeable future.  I will, however, add my own commentary as I always do.

By the way, Ryan also wrote an OAuth primer (dealing with OAuth and OAuth WRAP) which you should probably read if you haven't already... it explains some of the OAuth details and behind-the-curtains issues that make it a flawed setup from the word go.  Seriously, mega-kudos Ryan, great chunk of writing there.

So as the title of the post says, ambition got the better of Twitter it seems.  While I'm ordinarily on the other end of this conversation urging technology to leave laggards behind, a technology socially rooted in its 3rd party applications like Twitter will suffer for their ambition, unfortunately.  Choosing to pull the trigger and disable basic authentication was a big move - but using their own version of OAuth (filling in some of OAuth's inherent holes) is a big mistake.

You see, we're back to a function vs. security conversation.  What do you really care about?  Do you want your social medium to be explosively adopted by virtually any 3rd party... or do you want to provide the illusion of better security?  A tough call right?

Twitter's biggest misstep in my humble opinion is threatening to invalidate secret consumer keys once they're discovered and published.  I think this is a major flaw in OAuth to begin with - but completely invalidating keys that are embedded in software is a mistake, particularly when it could cause a very interesting effect such as developers knocking each others' products off of Twitter's good graces.  Can you imagine the carnage?

I think it'll be interesting to see what transpires.  I'm just angry I guess that my 2 favorite Twitter clients haven't worked (and still don't work today...although I guess I need to blame the app developers more than Twitter, right?) and it's making me cranky.

Oh well ...maybe I'll actually be productive and be forcibly social, in real life.

Tuesday, July 20, 2010

Dinosaurs [in the county court]

So ... I was in the Cook County Court in Rolling Meadows, IL Monday morning.

The reason doesn't matter ... OK, I had a "great driver" citation I had to take care of ... but as I was called up to the counter I started getting that sinking feeling in the pit of my stomach.

As I glanced over to my left, as she was typing, I noticed a few things.  First, her machine was running Windows XP, which I guess isn't all that bad considering the pace of change in local government and technology.  I mean, didn't they just get off of rotary phones like last year?

Next, I noticed that the screen she was typing into was one of those emulated VT100 screens, running some proprietary terminal application connected to a server at on port ...*facepalm*... port 23.

That's right kids, this was my vehicle and drivers history all at her fingertips over telnet.

Now - before I freaked out I reminded myself that this was a closed-ended network ...and that it was probably pretty hard to get onto their network... that is until curiosity got the best of me and I turned my iPhone's WiFi antenna on... and found that there were 4 networks in range, one appropriately titled "Clerk_Gen" running ...wait for it ... WEP encryption.

Alright, I stopped short of hopping onto their network and connecting to that VT100 terminal to find anything I could  ... but how hard would that be?  I mean, seriously?  They're using telnet obviously clear-text and they're using WEP encryption for their wireless access points?

I give up.

Wednesday, July 14, 2010

Is It Even A Question?

So, what you're saying is by installing this plug-in to Chrome, which I haven't seen or vetted the source code for, I'm giving it access to my data on all websites and my browsing history?

Why would a paste-bin tool need access to my browsing history?  Shouldn't this plug-in be enabled on a per-site basis, where I want to use it rather than give it global access to everything I browse?!

Why would anyone in their right mind click the Install button!?  Or am I just that paranoid?

Monday, July 12, 2010

When All Else Fails ... Sue

Just a quick note because I can't believe what I'm reading this morning.  It's been all over Twitter, and now it's written up in Forbes Online ...

Headline Reads:

Wowza.  I almost spit my coffee through my nose this morning when I read that!  There are so many things that I want to say in comment - but I will limit them to the (mostly) factoid-based thoughts...

  • Maybe I'm missing something ...but looking up this pink-sheet stock (LGTT.PK) shows a healthy $0.00 value ...which is about right
  • How is LIGATT's legal team going to prove that Chris and the others manipulated a stock that has zero value?
  • What lies were these people spreading? I seem to recall many non-truths that Greg and his thinly veiled personas were spreading via Twitter ...

The best is this quote ... from Greg Evans himself:

"Evans explains that he hopes to set a trend by starting these investigations. "Once we begin suing bashers, other OTC companies will follow. 99% of these people who are bashing the company's stock have never ran a business, or know anything about business. They think that they can spread lies about a company with no repercussions, and that will not happen with LIGATT," says Evans."
Gotta love wishful thinking right?

Hey, he is the world's #1 Hacker ...and he did take Kevin Mitnick "under his wing" (which Kevin completely denies), and he is a CISSP ...or maybe he just made everything up.

Thursday, July 8, 2010

Hotel Maid = Security?

I'm not easily impressed anymore.

That being said, I can't tell you how many times over the years, given the number of hotel rooms I've been in, I've walked back to my room only to find that it was being cleaned ...door propped wide open, maid inside happily cleaning away - and I walked right in.

So this morning I felt like I had to give some kudos where it's very rightfully deserved, because I'm impressed.

I'm staying in the Delta Beausejour Hotel here in Moncton, N.B. Canada, so for a boutique hotel in a small northeast Canadian city I wasn't expecting much in the way of security.  Boy was I wrong!

Big kudos to the maid who was cleaning my room, because when I tried to just barge right in, she quickly yelled "Wait, stop!", then jumped in front of me, slammed the door shut and waited for me to use my room key card to get in.

I've been in several different countries, hundreds of different hotels throughout the world ...and this is the first time this has happened.  Typically the maids will just say hello and politely step aside as you walk into the room - whether it's really yours or not!  Not this time, not here in Moncton.

Bravo!  Now, if every hotel could be like this, I would feel the need to carry everything valuable with me when I walk out of my room.  Bravo indeed.

Friday, June 25, 2010

All Your Metrics Are Belong To Us

Just a quick note to help out the greater InfoSec community - Securosis via Rich Mogull is doing a big survey - and I know you guys love surveys - which you may win an iPad for if you participate.  I mean, seriously, who doesn't want a free iPad?

When you go to fill it out, use the Registration Code: Whabbit so I can track who fills it out from my readers.

Thanks, you guys - I know we all whine about how security never has enough metrics - well, now is your chance to fix that.  Let's GET CLICKING!



Monday, June 21, 2010

LIGATT, Goatse Security, and Common Freakin' Sense...

Well - it's been an eventful few weeks - and as most of you have noticed I haven't been writing as much.  There is a reason for this: I am spending a good deal of time blogging for the primary blog of my employer (link at the bottom) where I am adding significantly more value to the community than my rants here have of late.

That being said - let's make no mistake - I'm still going to blog here, express opinions and clue you guys in on stuff that I think you should read.  Here we go.

  1. LIGATT - Congratulations, Gregory Evans, you've now officially become a household word in the security community... although I'm sure it's not the way you intended.  Today on Twitter a new definition of a "ligatt" was born ...and it's a verb meaning "to make up something so far fetched that when examined, it unravels. For example, 'I drove my car to the moon today' ".  That little nugget comes from @dicipulus on Twitter folks - brilliant.  I know many of you have had a good time bashing these people - but I swear I'm still waiting for someone to pop up and yell "April Fools!"...
  2. Goatse - You, dear iPad email enumeration-script-builder, get the SuperPwn award.  You've not only shown a pretty clever little hack (ok, this really isn't a hack but whatever) - and at the same time made millions of people go Google goatse ... you win, twice.  Enjoy the prison sex.
  3. Common Sense - Currently apparently stuck on the tarmac awaiting extradition back to the land of reality.  What the hell is the world coming to when we can't even get the concept of vulnerability research disclosure down to a reasonable amount of circus?  This is sickening.  I refuse to perpetuate the stupidity others have already pointed out but what I'm going to instead point out is this - how much control over your private time does your employer have?  What can you do on your private time that your company/employer cannot fault you for?  I guess that all depends on the paperwork you signed when you joined right?  Where does the line of employer-employee relationship end and someone's private life begin?  This goes way beyond the fact that the media "journalists" in technology are obviously bored and need something to stir up controversy so they pick this Google vs. Microsoft sore to poke at ...really?  I think there's more to it than that ... my private life is my private life - and whether I choose to publicly blast a company's stupidity or not on the Internet should be of no concern to my employer as long as I make it clear the opinions are mine only and I do it on my own time.  Right?
Anyway ... it's just sad what passes for news lately, and how pathetic things have gotten.  I guess I'm thankful that I have an employer who can still tell the difference between my private time and private life and my job.  Anyway ... love to hear your comments as always via Twitter, here, or over email.

Don't forget, the Following the White Rabbit blog has a new platform, and can be reached here [ ]... please check and update your RSS readers and let me know if something's broken!

...and yes, the opinions and thoughts expressed here ARE my very own, on my own time.  That is all.

Thursday, June 10, 2010

Ready for some Security Justice?

So just a quick blurb that my appearance on the SecurityJustice Podcast is now LIVE.  Had a great time, talked about some real issues (once we got through the opening ...unruliness, haha) ... I hope you enjoy!

Post your comments here, or on their page.

Tuesday, June 8, 2010

Thinking Through Software Testing Cycles

Testing software is an interesting discipline.

Software testing generally involves 3 facets - functionality, performance, security - if you're doing it right.  The true problem for any tester or manager is when these three components don't make it into every testing cycle.  This is akin to having to choose which of your 3 children will get the braces and which simply get a toothbrush and a slap on the back.

Since starting to look at web application testing more in-depth just over 2 years ago I've learned a great deal about testing cycles.  While this may seem like a simple concept, there are nuances which can make your head spin!

In my mind, it all breaks down to 3 simple questions:
  1. When to test
  2. What to test
  3. How much of it to test
I will address all 3 of these in the next few blog posts but I wanted to throw this post out there to get you thinking, and perhaps contributing some of your thoughts to this series.  I will expand my usually narrow-focused scope from security testing into the general realm of testing... and challenge you to come up with some of the answers to the questions people have posed to me, and I to others who are smarter than me on this topic.  I will also challenge you to come up with better answers than the ones I have... I don't think I'm breaking any new ground in the testing world - but in security... that may be a different story.

To get you started, think about the real world scenarios that you encounter every day.  Applications (and not just those written for the train-wrecks we call web browsers) are released on a regular basis at your place of employment - I guarantee it.  If you don't know about it you have an even bigger problem than the one I am addressing, and should talk to someone about that process problem.

Think about how many applications your company delivers.  Think about whether you're doing Agile or traditional Waterfall development methodology.  Think about how long your release cycles are, how many people are involved and what powers you have to stop a poorly written application from going live.

Now- I want you to scroll back up and look at those 3 points I've highlighted for you.  How do you decide each of those 3 pieces?  Who makes the decisions?

So while your brain is going, write them down and either post them here (anonymously, or otherwise) or email them directly to me.  I want to get some real-life input from some of you to get your feedback and figure out how you solve some of these problems so that others can learn from your experiences and mine.

Thanks for reading ...I look forward to your feedback!

Monday, May 31, 2010

Media Covering Security is so Frustrating

Look, I'm not going to echo the FT article which quotes some anonymous Google employee that "Google is ditching Windows" ... but this bears emphasis.  I'm not one to take many journalists seriously [except for someone like Brian Krebs] since security is just such a complex subject that few do anything short of echoing hype and writing pieces that make little sense - so again ... why post this?

Well ... I like to read articles of all types, often for no other reason than to pick out the absurd pieces of "fact" that hide within.  This ...this is a win-by-2-point-conversion-in-overtime kind of awesome.  Let me set it up for you...

Over the years Microsoft was the poster child for crappy security - that no one will deny.  Over the years those who get it eventually acknowledged that the reason for this was predominantly because they were the popular kid on the block.  Having something like 90%+ market-share on business and home user desktop operating systems pretty much paints a big, blinking bullseye on your forehead.  This doesn't necessarily mean you're any more or less secure than any other competing platform - it just means that you're a target a hundred-fold more than everyone else.  Unfortunately for the boys and girls in Redmond they actually were pretty shoddy on security so that culminated into a perfect situation for security trolls, OS bigots and Mac advertising executives.

Things have changed, however, and Microsoft's flagship operating systems currently are leaps and bounds more secure than much of the competition ... so when the FT writer drops in a quote like this ...I had to laugh out loud:
“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.
Really?  Moving away from Windows to Mac?  For what, better security?  Really?  OK then...

This demonstrates one of two things: either the writer completely made that up (which I'm leaning towards) demonstrating a complete lack of security understanding ...or their source at Google gave that quote between mopping floors.  The other option which of course is very legitimate is that the Google source demonstrates the obvious lack of security understanding we all have grown to expect from the Google minions.  I'll leave that one alone though...

So, back to this "article" ... which is either entirely made up (as someone on Slashdot has pointed out due to the quote of 10,000 employees - Google has north of 20,000 Mr. Journalist) or a sad attempt to gain clicks and buzz by getting on the sensationalist bandwagon with the inflammatory topics of Windows(+1) and Google(+1). I guess David (the author) achieved what he wanted to if he just wanted clicks ...but I don't suspect he'll be winning any long-term respect with anyone who has a clue.

So - is Google ditching Microsoft?  Who cares, I say.  We all know there is a trifecta of love between Microsoft, Google and Apple but there's no story there.  Quite frankly what I find more shocking is that Google hasn't moved over to their Chrome OS completely for internal purposes.  What's sort of telling for me is that Google is still on Windows.  No one will accuse Google of being privacy- OR security-conscious.

So why all the hubub ...bub?

Edit-- The bobbleheads are showing up!  Henry Blodget cites an already suspect (and I'm being polite) source...  Can someone get a Google source to confirm this story before it spreads like the BP oil disaster?

Friday, May 28, 2010

Software - Silent, Deadly and On Your Machine

While my other blog is read-only during the migration to another platform I thought I would blog a little more frequently here.  One of the things I saw float by on Twitter this morning was this link about Adobe going to a more frequent patching schedule.

I made the obligatory joke about Adobe going to a daily patch schedule simply because of all the security bugs they've had issues with lately - but seriously, there are bigger problems than Adobe.  You may be saying to yourself - "What's worse than Adobe's current security problems?!" Good question.

Think about how much software you have on your desktop, laptop or whatever you're reading this on right now.  Now, go look.

So did you discover a ton more software than you knew was installed?  What about all those people who bought their computers at Best Buy, "pre-loaded" with dozens of apps they may or may not even know are on their computer.  So what about the patch cycles for all those apps?

You think Adobe has a bad rap for all the security vulnerabilities they include free in their apps, but that's kind of like everyone picking on Microsoft a while back.  When you're the most popular kid on the block you come under more scrutiny, and are picked on more than everyone else... which I guess is fair if you want to be #1.  It's not how bad your software is, necessarily, it's how you handle it.  Now, I'm not defending Adobe's record - because we all know how awesome that has been lately - but think about everything else out there!

How often do you check for updates on some of the software on your computer?  Ever?

More and more, software is moving to an auto-update model where it "checks in" every so often to the home base to check for updates, security or otherwise.  These pop up on your screen and I would venture to say that a good majority of people ignore the request for updates (these pieces of software have to ask for permission to update).  So silently, your computer has a ton of vulnerabilities you're not aware of that probably aren't patched.  Awesome.

So ... the next time you're ripping on Microsoft, Adobe or some other super-popular software about all the bugs they're patching - think for one second about all the other software that's on your computers that are rarely (if ever) patched.  How 'bout those bugs?

Wednesday, May 26, 2010

This passes for "hacking"?

Short post- just a quick thought because it's late and I just can't let this go...

I've never given the "Huffington Post" a second thought because it's generally accepted to be written by mildly retarded chimpanzees but this crap just drives me absolutely nuts.  I have a Google News feed for "hacked -limb -death" and I've gotten about 7-8 news articles about "hacked road signs" in Miami.

Wasn't this old news like ... months ago?!

Wait ... is popping a roadway sign box and changing what's on the signs "hacking"?  Can we come up with a definition of hacking for the media to reference, so they don't go off and confuse vandalism with hacking repeatedly?

I get that hacking is the hot thing to report on ...and changed road signs are funny as hell - but this is just stupid. Dear media people: please get a clue and stop over-hyping everything as hacking.

...and now I'm off to add a "-Huffington" to the search terms ...*sigh*

Saturday, May 22, 2010

Why Security Pros Drink...

A colleague posted this to his Twitter feed today ...and I felt compelled to really read and comment on the whole situation with OpenCart.  One quick note - this is, not - anyway...

Now, I read this post from Ben Maynard's blog (which is a worthy read, by the way so add it to your RSS readers) - and you should too before you go any deeper into this post ...go ahead I'll wait ...


OK, so now let's talk about what just happened.  Did you read the comments?  All of them?

Ben not only sent the developer an email explaining what CSRF is but sent that same developer links and tried to explain the issue.  This developer clearly "didn't get it".  But ask yourself this that rare?

Now, I'm going to post the comment that really got me fired up from Daniel Kerr (the dev from OpenCart)... check this out:
Daniel Kerr says:
to be honest. this just shows the type of person he is. he thinks he's found some big hack and when i tell him to stop wasting my time he goes around posting my emails in forums and his blog. ben is a prat.
this sort of problem even today affects big sites like gmail, paypal. you really think everything is down to the person who writes the script? or the web user?

Say what?!  I'd love to grab this Daniel by the shirt-collar and rub this ass-hat's face into the steaming pile of shit he just made for himself.  Are you kidding me?  Someone does your job of finding a security vulnerability in your code (a major one at that), politely tells you about it, and gives you resources to understand it better and you have the stones (or is it just ignorance now?) to call him names on his own blog?

What an asshole.

By the way, Ben went on to write his own patch for OpenCart ...and maintained it some.  But then the developer went to an entirely new level of mental midget ...he apparently broke the patch in the update of the OpenCart code.  *facepalm*

Now ... what have we learned from this experience?  I don't know about you but what I'm learning is that developers just aren't going to get it... today, tomorrow or after we force mandatory "secure coding" education on them.  They just don't get it.  The discipline of software development apparently requires such full attention of your mind that you cannot even squeeze the very thought of writing your code with an ounce of prevention.

...and this, my dear friends, is why we in InfoSec drink...heavily.

So you think if we pooled our pennies we could buy this OpenCart idiot a clue?

Friday, May 21, 2010

Missiles vs. Bytes - Appropriate Response to "Cyber War"

It's incredible the level of misunderstanding of the world of the Internet.  I don't dare say "cyber-space" because I've gotten to the point where I'm nauseated every time I hear someone pre-pend the "cyber" in front of words that are ordinary.

My news feed has been flooded with articles like this one (Pentagon Says Military Response to Cyber Attack Possible) which when taken with the FUD & panic glasses off make absolutely no sense.  What's worse is that there are quotes from various Washington leaders like this one:

Asked about the possibility of using military force after a cyber assault, James Miller, undersecretary of defense for policy, said: "Yes, we need to think about the potential for responses that are not limited to the cyber domain." []
This type of thinking is very dangerous because, as the article goes on to say, we don't even quite have a handle on what would constitute an "act of cyber-war".  There are other problems with trying to use missiles to retaliate against bits too...

I think there are 2 glaring problems with the whole idea of identifying and declaring "war" on the Internet.  In order to be able to declare war - there has to be a clear definition of an "act of war".  We can almost define that in the real world.  Cornell has a pretty good definition of what constitutes an act of war ... but there is no clear understanding of how bits and bytes can be used to declare war, or even show international aggression.

Launching a DDoS is not equated to launching an ICBM, and no one in the international community will argue that it takes a physical act of aggression to actually start a war ...right?  War is a serious thing.  Lives are lost, misery and destruction follow.  These cannot be taken lightly in spite of some people's notions to the contrary.  The point here is that even something as serious as a successful attack against a power grid most likely wouldn't be considered an act of war, at least not by current thinking.  Physical destruction and the loss of life along with a threat to sovereignty would still likely be required to draw a military retaliation.

The other and perhaps more serious problem with this line of thinking is this - how can you be 100% sure that the purported attack is in fact originating from the nation-state?  If those of us in Information Security have learned nothing else about the way that attackers work - we've at least learned that attackers tend to like to use someone else's system/network to originate their attacks.  If I am North Korea, just as an example, and I want to attack the United States over the Internet I would naturally first stealthily compromise hordes of systems in, say, China.  I would then use those systems as launch-points for the attack against the US, and thus most likely avoid blame.  Also, in today's highly connected, distributed world of the Internet an attack would likely originate from thousands of sources globally which would make it nearly impossible to track.

So what are our political and military leaders saying, exactly?  Would the next GhostNet prompt a nuclear strike against China?  And if that's the thinking, how would that be justified to the International community?

There is a lot to consider, and while there is no true anonymity on the Internet, it is very possible to create such a complex attack (after all, any attack of this nature would necessarily be complex) originating from multiple locations and cloaked by zombie systems - that it may even be possible to trigger a "retaliation war" between 2 nations which really have nothing to do with the action - and that is my true fear.

So before you jump on the "cyber war" bobble-head bandwagon and start to echo the clearly clueless about how it's conceivable a military strike could be effective against "cyber war" ...please, think.  Your children's lives may actually depend on it.

...and remember - Friends don't let friends espouse 'cyber war'

Tuesday, May 18, 2010

Code So Bad, It's ...Secure?

This past weekend a friend called me up and said he was doing a security assessment of a web site that was put together by a 3rd party he had no faith in - and wanted to know if I was interested in spending some time channeling my evil (long Twitter more if you don't get it) into this site's lack-luster security.

Not being one to turn down a good site-bashing I accepted and took out some of the tools that had been rusting in the back of the shed for a while, sharpened some utensils, and updated some software to modern versions ...and got ready.  I figured we'd drink some beers, have a little fun, ravage a database or two and call it an afternoon.  Little did I know what we were in for.

Todd showed up about 2'ish in the afternoon, and we quickly went to work.  Beers in hand we did some recon on the site, and without even needing more than 10 minutes we found several injection points, where the database was being directly exposed.

Here's where things get ...interesting.

Let me first say that we employed the flow-based methodology I've been talking about lately (video on my HP blog here) and quickly noticed that the site was all kinds of broken.  It became obvious when Todd pasted me one of the URLs he was working on via AIM that there was no regard for flow in the application.  One could go directly to a page deep within one of the registration flows without starting at the beginning, and submit it without any of the hidden variables carried through ...that was indicative of what would soon prove to be a tragic, steaming pile of web code.

Another thing I quickly noticed is that I could change the POST requests to the server to GET requests, at will, and the server would process them as long as I included the appropriate parameters.  I could simply chain the POST parameters into the request like so:
POST /blah/verifyEmail.asp  --> GET /blah/verifyEmail.asp?param1=foo&param2=bar
which bugged me because once I started messing with this I realized I could cause the server to start doing some really weird stuff like stop responding!

One thing we quickly noticed was that while the site was hilariously SQL injectable (nearly every database call didn't properly sanitize), there were some frustrating things that made this code difficult to totally invade.

The developer apparently cared nothing for sanitizing database query input parameters: one could insert the ' character into nearly every parameter value without fail.  This produced strangely familiar SQL errors such as this one ...
Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near 'xxx'.
/IncludeDir/includeDir1/includeData.asp, line 44.
Naturally we focused on this for a minute ...but what was interesting was that the xxx was a 3-digit number that was nowhere in the http request.  This was concluded to be a "default" for the site, and we moved on to try and modify that in addition to the obvious SQL injection.

Submitting this POST to the SQL server yielded more 'near' SQL errors, so nothing particularly interesting:
'&type=&groupId=&mode=&action=submitRequest
although ... adding this showed us that the developer had at least used the SQL trim() function to remove white-space:
'select @@version--&type=&groupId=&mode=&action=submitRequest
thus producing this:
Incorrect syntax near 'select@@version'.
After playing with different character combinations, encoding types and tricks we had the following information on the site and its developer ...
  1. many characters were being trim()'d, including %, + and white-space
  2. the developer was surely inserting data dynamically into queries
  3. stored procedures were being used (we found an error identifying "sproc_InsertData")
  4. parameters were not typed
  5. there were at least 2 stored procedures being used here (why?!) which would break attack strings in strange ways across different queries(??)
So after all that, and about 10 hours of hacking away, calling people who were SQLi ninjas much smarter than us ...we had nothing.  Clearly the code was bad, and we were able to poke at the database.  Unfortunately, due to some of the developer's antics, neither we (nor anyone we reached out to) could figure out a meaningful way to get a complete [injected] query through to extract data.

The best I can figure is this ...the developer tried to create complex, robust code but instead ended up writing a steaming, twisted pile of crap which was so bad it was almost reasonably secure.

This is the worst kind of failure because it fosters that smug feeling of "I stumped the hackers"... remember, we are limited by time & resources...the bad guys ARE NOT.  They WILL get you.
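As an added illustration (not the site's code, and using sqlite3 in place of the ASP/SQL Server stack the post describes), this shows why a trim() step that strips white-space, % and + does not make dynamically built SQL safe, and what the parameterized form looks like next to it. The table, column names and the trim_like_the_site helper are constructed for the example.

```python
"""Added example: character trimming is not sanitizing.

Mimics the behaviour the post observed (values trimmed, then pasted into
SQL text) with sqlite3 so it runs offline. Not the assessed site's code.
"""
import re
import sqlite3

# Constructed stand-in for the site's trim() step: removes white-space,
# '%' and '+' from each value, the characters the post saw disappear.
# Nothing else is touched, so a single quote passes straight through.
TRIM_CHARS = re.compile(r"[\s%+]")


def trim_like_the_site(value: str) -> str:
    """Strip the characters the post found being trimmed."""
    return TRIM_CHARS.sub("", value)


def make_db() -> sqlite3.Connection:
    """Constructed table standing in for the site's request storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (email TEXT, type TEXT)")
    return conn


def insert_dynamic(conn: sqlite3.Connection, email: str, type_: str) -> None:
    """The pattern the post describes: trimmed values concatenated into SQL.

    The quote is still interpreted by the SQL parser, which is exactly why
    the site kept returning 'Incorrect syntax near ...' errors.
    """
    email = trim_like_the_site(email)
    type_ = trim_like_the_site(type_)
    sql = f"INSERT INTO requests (email, type) VALUES ('{email}', '{type_}')"
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, email: str, type_: str) -> None:
    """The fix: the value is bound, never spliced into the SQL text, so a
    quote (or anything else) is stored literally and cannot alter the query."""
    conn.execute("INSERT INTO requests (email, type) VALUES (?, ?)", (email, type_))


def classify(handler, email: str, type_: str = "") -> str:
    """Run one handler on a value and report what a client would be told.

    Returns "sql_error" when the input reached the SQL parser as syntax, or
    "stored:<value>" with what actually landed in the table. The DBMS error
    text is deliberately not returned: leaking it, as the site did, is a
    second defect on top of the injection itself.
    """
    conn = make_db()
    try:
        handler(conn, email, type_)
    except sqlite3.Error:
        return "sql_error"
    row = conn.execute("SELECT email FROM requests").fetchone()
    return "stored:" + row[0]


if __name__ == "__main__":
    for value in ["a b", "'", "' select @@version--"]:
        print(repr(value),
              "dynamic ->", classify(insert_dynamic, value),
              "| parameterized ->", classify(insert_parameterized, value))
```

The trimmed path still hits the parser for any value containing a quote, while the bound path stores the same value verbatim; the "protection" the post ran into was an accident of formatting, not a control.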

Wednesday, May 12, 2010

Thoughts on Data Breach Notification Legislation

So ...Canada's Alberta province has finally seen the light, and is the first province in Canada to enact Federal-level data breach notification laws.  Woohoo.

So why am I so excited you ask?  Because ...big deal.  Another "notification law".

So soon you Canadians up there will be just like us in the US'll get letter after letter telling you the companies you've trusted with your personal and private data have let you down ...oh - and here's a year of "free credit protection, thanks for playing".  It's all crap.

So we have PCI and other "compliance" regulations which turn into check-the-box exercises in due-diligence and "baseline absolute minimums"... and then we have the after-the-fact "notification" laws...

I'm still not excited ...but I should be right?  Why?

When there is an actual way to mandate corporate responsibility not just 'absolute minimum security' ...then I'll be happy.  Until then...congrats to Alberta, I guess.

Saturday, May 8, 2010

The FBI [Wants] Found Your Stolen Money!

I've gotten some very creative phishing scam emails in the past - but this one ...these guys are creative!

Basically it purports to be from the FBI Director (Robert Mueller) telling you that there was an investigation of some sort into some stolen money via a Nigerian scam and that there is a settlement that will be paid to you.

I thought I'd take a minute to analyze this's still got some subtle issues that make it obvious that it wasn't written by anyone official, or by anyone with English as their primary language.

First, let's see how the letterhead looks...

Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
J. Edgar. Hoover Building, Washington D.C


That's certainly interesting, and official-looking!  Why would anyone second-guess an email coming to them straight from the FBI at the J. Edgar Hoover building?!  Oh but look at some of the punctuation ... "J. Edgar. Hoover Building..."  Did you notice the period after Edgar?  Why would that be there, unless you just don't understand the original address...  Next, the "ATTN: BENEFICIARY" is in all CAPS, why?

Let's look further, at the opening text-

"This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke,Sanusi Bello none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents. During our Investigation, it came to our notice that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment. 

So therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in the total amount of $800,000.00 USD which will be deposited into an ATM CARD which you will use to withdraw funds anywhere of the world. You now have the lawful right to claim your funds which have been deposited into the ATM CARD."


Whoa!  Did you find the subtle issues I highlighted above the first time you read through?  This text is tricky indeed because it first tells you that someone is scamming you as "impostors" and then proceeds to tell you that the reason you haven't gotten your $800,000 is that you "haven't fulfilled your financial obligation"... which is interesting - starts to sound like they want money from you, doesn't it?  Why would the FBI write with such obvious grammatical errors?  And furthermore, who says "it came to our notice" anyway?

Let's read on, it's starting to get juicy.  For those that have fallen for this obvious scam, the interest has been piqued, and now they're going to set the hook and get you to part with your money in exchange for that $800,000.00 ...but how?  Check out this opening sentence!

Since the Federal Bureau of Investigation has been involved in this transaction, you are now to be rest assured that this transaction is legitimate and completely risk-free as it is our duty to Protect and Serve citizens of the United States Of America. All you have to do is immediately contact the ATM CARD CENTER via E-mail for instructions on how to procure your Approval Slip which contains details on how to receive and activate your ATM CARD for immediate use to withdraw funds being paid to you. We have confirmed that the amount required to procure the Approval Slip will cost you a total of $200 USD which will be paid directly to the ATM CARD CENTER agent via Western Union Money Transfer / MoneyGram Money Transfer. Below, you shall find contact details of the Agent whom will process your transaction: 

TELEPHONE NUMBER : +234-803-624-0664

Immediately contact Mr. Paul Smith of the ATM Card Centre with the following information: 
Full Name:
Zip Code:
Direct Phone Number:
Current Occupation:
Annual Income:

Notice a few things here... First off look at how they re-assure you that the transaction is legitimate and risk-free ..."trust us, we're the FBI"... oh - really?  Next they set the cost at $200 to get your $800k in this "legitimate and risk-free" transaction.

Let's look at a new element I've been seeing lately ...these scam-monkeys are asking for your current occupation and annual income!  Interesting ...think about why they would want that to scam you...

One last part to look at...

Once you have sent the required information to Mr. Paul Smith he will contact you with instructions on how to make the payment of $200 USD for the Approval Slip after which he will proceed towards delivery of the ATM CARD without any further delay. You have hereby been authorized/guaranteed by the Federal Bureau Of Investigation to commence towards completing this transaction, as there shall be NO delay once payment for the Approval Slip has been made to the authorized agent. 

Once you have completed payment of $200 to the agent in charge of this transaction, immediately contact me back so as to ensure your ATM CARD gets to you rapidly. 

FBI Director 

Robert Mueller.


So, once you've given them your personal details (sucker!), then Paul Smith will contact you and tell you how to give them your hard-earned money too.  Of course, Paul Smith is not on the hook for completing the rest of the transaction... Mr. Robert Mueller, the FBI Director is... say what?!  Of course you need to send the payment by Western Union, as it's not able to be tracked once you send them your cash... awesome.

I say we all send Mr. Paul Smith an email ... let's tell him (using any of the fake email accounts y'all have out there) how much we appreciate the constant amusement he provides us.

I would love for the FBI to get to know the real Paul Smith ...but I suspect that won't be happening anytime soon.

Don't be stupid ... please don't even for one half-second fall for these idiotic scams.


Friday, April 23, 2010

Source: Boston Talk Written Up

So Matt Wood (director of HP's Web App Sec Research Labs) and I presented at Source... and apparently the ideas are sound because I'm still having sidebar conversations about it.  TechTarget's SearchSecurity wrote us up, and I hope to get your thoughts on the topic.

Slides won't be available publicly for a while ...but you can contact me directly (leave a comment, or email me) and I can get them to you on a personal basis.

I'm claiming that this is the future of web app security automation... agree or disagree - let's hear it.

Saturday, April 17, 2010

The Validation Fallacy

So lately I've been reading, writing, and thinking a lot about the security of your web applications.  One of the themes that has surfaced in almost every conversation is the idea of validation.  What do I mean?  I have been hearing from security managers and application testers alike that they measure their success (or the success of their web application security programs) in different ways - but all center on one thing: vulnerabilities.

Interesting that after all these years of preaching by not only me but many others in the Information Security field we're still measuring by the number of vulnerabilities.  Forget the term vulnerability ...and I mean that in all seriousness.  Just use "security defect" - it's a much more powerful term.  Besides ... why do you even care how many vulnerabilities (OK, security defects) you find?

The validation fallacy is the belief that the value (or success) of a security program lies in the number of security defects you point out, or uncover.  So if the value of your program isn't in the number of bugs - how do you judge success or failure?

There are a few different metrics I can suggest you use which you will get significantly higher mileage out of.

First, and the one I currently use most, is Defects over Cycles (DoC).  The DoC metric counts the number of defects over the span of several cycles of development of the same application.  If you're not decreasing the bugs over the life of an application then, as we like to say, you're doing something wrong.  The first time you run a security program you're going to come up with a mountain of defects.  More importantly, you're not going to fix all of them the first time around.  The success should be measured over time as the defects start to drop from one cycle to the next.

A sub-metric here, which is critical, is the Recurring Defect Rate (RDR).  The RDR is the measure of the defects that recur from one cycle (or release) to the next.  The RDR measures defects that are identified, closed, and re-appear again on the next release.  I would consider this one of the primary measures of success for a security program.  The reason I think the RDR is so critical is it takes into account much more than your ability to find bugs. Overall, the goal of any good security program is to not only decrease risk but to also drive education and the adoption of more secure practices throughout the enterprise.  If your developers continue to make the same mistakes over and over ...again, "you're doing something wrong".
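As an added example (not code from the original post), here is one way to compute both metrics over a constructed defect log for three releases of the same application. The Defect record, its field names, and the rule that "same defect class at the same location" is the same defect are my assumptions about how a program would track findings.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Defect:
    """One security defect recorded in one release cycle (assumed record shape)."""
    kind: str       # defect class, e.g. "xss" or "sqli"
    location: str   # where it was found, e.g. "login.php:user"
    status: str     # "closed" (fixed during the cycle) or "open" (carried over)

    @property
    def key(self) -> Tuple[str, str]:
        # Same class of bug at the same spot counts as the same defect.
        return (self.kind, self.location)


# Constructed sample data: three successive release cycles of one application.
CYCLES: Dict[str, List[Defect]] = {
    "v1.0": [
        Defect("xss", "login.php:user", "closed"),
        Defect("sqli", "search.php:q", "closed"),
        Defect("csrf", "profile.php:update", "open"),
        Defect("xss", "comment.php:body", "closed"),
    ],
    "v1.1": [
        Defect("xss", "login.php:user", "closed"),   # closed in v1.0, back again
        Defect("csrf", "profile.php:update", "closed"),
        Defect("sqli", "report.php:id", "closed"),
    ],
    "v1.2": [
        Defect("redirect", "logout.php:next", "open"),
    ],
}


def defects_over_cycles(cycles: Dict[str, List[Defect]]) -> Dict[str, int]:
    """DoC: raw defect count per cycle; it should trend downward over the app's life."""
    return {name: len(found) for name, found in cycles.items()}


def recurring_defect_rate(previous: Iterable[Defect],
                          current: Iterable[Defect]) -> Tuple[int, float]:
    """RDR: of the defects closed in the previous cycle, how many came back?

    Returns (recurring count, rate). The rate is 0.0 when nothing was closed,
    so a cycle in which no fixes were made never looks like a perfect one.
    """
    closed_before = {d.key for d in previous if d.status == "closed"}
    seen_now = {d.key for d in current}
    recurring = closed_before & seen_now
    if not closed_before:
        return 0, 0.0
    return len(recurring), len(recurring) / len(closed_before)


def rdr_series(cycles: Dict[str, List[Defect]]) -> Dict[str, Tuple[int, float]]:
    """RDR for each consecutive pair of cycles, keyed by the later cycle."""
    names = list(cycles)
    return {
        later: recurring_defect_rate(cycles[earlier], cycles[later])
        for earlier, later in zip(names, names[1:])
    }


if __name__ == "__main__":
    print("DoC:", defects_over_cycles(CYCLES))
    for cycle, (count, rate) in rdr_series(CYCLES).items():
        print(f"RDR into {cycle}: {count} recurring ({rate:.0%} of last cycle's fixes)")
```

On the sample data the DoC series falls from 4 to 3 to 1, while the RDR shows one of three v1.0 fixes reappearing in v1.1 and none of the v1.1 fixes reappearing in v1.2.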

Validation of your security program shouldn't come from the number of vulnerabilities you can put on a report.  Your validation should come from the pervasiveness of the secure mindset throughout the company from developer to program manager to senior management.

That is true validation.

Saturday, April 10, 2010

InfoSec Career Advice

There are a lot of people giving InfoSec career advice.  Every security conference it seems like has someone offering you career advice on where to work, what classes to take, what certifications to go for.

I want to take a realistic approach to Information Security career advice.  The reason there is a lot of useless InfoSec talent out there - that's right, I said it, useless - is because none of the "new blood" I'm running into has any business sense.  I'm not advocating more of the top-down management that drives people with MBAs to be security leaders, but I think it would give the security teams out there some credibility if they could speak business' language as well.

Interestingly enough, one of the more honest observations I can make is that there is a ton of corporate InfoSec analyst-level talent that is looking to push buttons, run scripts and get results.  There is a distinct lack of the analytical mind, business-level understanding and even worse ...common sense.  Working for a web app sec tools vendor is interesting because, as a recent "researcher" proved via a ridiculous published report, users expect to be coddled.  InfoSec analysts in corporate IT expect to buy something and have it do their job for them - they aren't expecting to think.

It's just mind-numbing that the types of things many of the more senior-level minds in InfoSec had to go through and learn not more than 8-10 years ago are just not making it into the curriculum.  I had someone approach me at the last conference I spoke at and tell me that she just graduated with a degree in "information security" from some college, and was asking me where I would advise her to go work.  Her understanding was that going through school classes, and being able to write shell-scripts and analyze packets, qualified her for a senior-level position with a large enterprise.  Wrong!

Being smart and having talent in technology does not a good InfoSec analyst make.  So my advice?

"If you want to contribute meaningfully to the Information Security field - go do something else first... business analyst risk analyst project manager, developer...anything!  Learn how the business works, learn what keeps you employed - learn how your company and business makes money."

You probably already get the technology - but can you tell me how it applies to what the business does?

Catastrophic Failure in Risk Analysis

In the early hours of the morning, as those of us in the US slept - a tragic series of events unfolded in Russia.  Poland lost an entire plane, the equivalent of Air Force One, to a fiery crash that saw the President and many of his cabinet disappear into the Russian fog and fire.

I think the BBC article says it best:
"President Lech Kaczynski and scores of other senior Polish figures have been killed in a plane crash in Russia."
Incredible, sad, and incredible.  I paused to reflect on how a tragedy like this could take place, but quickly focused on how so many senior government officials including the Polish President could be on the same rickety, 20-year-old Russian tin can.  Maybe it's just anger that my homeland is once again gripped with tragedy and sadness - maybe it's just anger at the utter idiocy of the situation.

Let me recap what makes me so angry.  Clearly someone failed at the most basic risk-analysis.  I can't believe it didn't cross someone's mind (or that it wasn't protocol) that the President and so many senior members of his governing body should not be on the same plane.  Honestly, back at my last company we joked all the time that the security team (given that there were 4 of us) shouldn't get into the same elevator ...just in case.  There was policy that the CEO and senior members of the company board could not travel together for fear of losing such a huge chunk of leadership in a tragedy.  ...but alas ... my Polish brethren just didn't think of that.

Now would be a good time to reflect upon your own risk analysis back at the office.  Do you have a policy that would protect your company, its intellectual property, and leadership in case tragedy strikes?

While you take a moment to mourn [ Monday, April 12th, 9:00am EDT - 97 seconds of silence for the 97 lives lost ] reflect back on the risk analysis you do every day and ask yourself ... "How's my risk analysis?"

Friday, April 2, 2010

[Interview] c7five -- "THOTCON co-creator and...."

So... since I'm speaking at THOTCON (I spelled it right, see?) I think it only fitting that I give you guys an idea of what this conference is all about, and one of the creators of the soon-to-be premier midwest hacker con!

  1. First off ...who are you?  What are you (in)famous for?
    •  I am c7five. I am not sure if I am famous or (in)famous for much. Google me and let me know what you find.
  2. What sparked you to start conference?
    •  I was on the flight back from DEFCON 17 and thought "Why isn't there a hacker conference in Chicago?"
  3. What's THOTCON all about?
    •  First, it is THOTCON, not THOTCon. :-) It stands for THree-One-Two-CON. 312 is the oldest area code in Chicago. It is small venue hacking conference with a goal of putting on the best possible conference on a very limited budget. We only charged $60 for early birds and $75 for general admin. We started from scratch, used social media and a crappy website to attract 13 world-class speakers and over 200 people together on a single day in April. Given this is the very first edition of the con, we'll likely know more about what it WAS all about the next day.
  4. What's THOTCON's "unique" appeal?
    •  It is in Chicago, which is centrally located and one of the best big cities in the world. It is clean, public transit friendly, and at the end of April will be great weather for visiting. The con is also being held at a bar. Yes, that's right, you can order a drink at 10am and watch talks. It is a single track conference as well, so you don't have to jump from room to room or be worried you won't get a seat. Everyone gets a seat (or a stool).  It is being held on Friday, which means there will be plenty to do post con, the next day and night. Many people are making a weekend trip out of it.
  5. Seriously...what's with the website graphics?
    •  We purposely want to be bare-bones here. It is done in 40 column and zero graphics to be seen. You don't need to spend a lot of time or money on a website to have a great con. Next year we'll upgrade the site to 80 column.
  6. What's the toughest thing about putting together a conference?
    •  Ticket sales was the toughest challenge we had so far. Not actually selling them, but trying to sell them. We had a few false starts after getting bounced from both Paypal and Amazon payments and settled on using Showclix. They have been great to work with and it has gone smoothly (so far). The other part is selecting the right speakers. For a first time con, we actually had a ton of CFP submits. It was tough to pick the right mix of experienced speakers while giving some newcomers a chance to speak.
  7. What conferences do you go to? (or would you go to if you could?)
    •  This year I will have gone to/plan to go to Black Hat DC (I spoke there), Black Hat EU, YSTS (in Brazil; speaking there for the 2nd time), Black Hat USA, DEFCON (this year will be my 10th year going; spoke for the first time last year), and SecTor (great con in Canada).
  8. What is one trend you can easily spot (in conferences) over the last 3-5 yrs?
    •  I see them going in two different directions. There are some commercial cons popping up (i.e. SOURCE) and then there are a new batch of smaller niche cons like THOTCON and QuahogCon making their way. I think we'll see the commercial ones having a harder time than the small ones. It costs a lot more and takes a lot more work to put a commercial con together than it does a small one. Our venue costs us very little as long as people drink and eat.
  9. What blogs do you read?
    •  Only yours, man.
  10. What OS (and version) do you primarily boot into?
    •  OSX Snow Leopard
  11. [Bonus] iPhone or Droid? Why?
    • iPhone. It works. I travel a lot internationally and it also works in those places. Droid might too, I don't know. I just got an iPhone first no reason to switch right now.

Thursday, April 1, 2010

What I've Been Reading March 2010

The Information Security industry is so dynamic that many of the main-stream media outlets are simply too slow at delivering news.  How many times did you read something on ZDNet that was actually news about 3 days ago on the blogs?  The problem is, how do you stay current?  There are literally thousands of blogs out there, and many of us in the security industry constantly read, read, and read to keep up with what's going on, what's news and what's going to be in the media tomorrow - but knowing what to read is tough.

I'm going to do a monthly series on blogs I find of value - as I find them.  There are too many good blogs out there that just don't get the coverage and readership they should... so maybe some of my readers can find some new place to get their InfoSecurity 411.

If you have a blog you want to submit for this, please leave a comment, email or Twitter DM me ... I will publish your suggestions in the April edition of "What I've Been Reading"...

  • The Test Manager - A great, informative blog written by Martin Hall focusing on testing, tips and tricks and security from a test manager's perspective.  Martin is clearly qualified to speak on the topics he writes about, and he's not going to overwhelm you with crap... overall a recommended read.
  • CounterMeasures -Rik Ferguson of Trend Micro writes a brilliant blog on all things InfoSecurity from an anti-malware company's perspective.  He's got great insight, good content, and he's just a good dude.  Lots of content you won't find anywhere else and more importantly there's always something to get you thinking...recommend this one too!
  • DarkNet - Look, I'll be honest, if you're not reading DarkNet then you're missing a metric ton of information security testing-related information from a fire hose.  This blog has something new all the time and you should be checking this in your RSS reader at least daily.
  • FireEye Malware Intelligence Lab - One of the places I turn to read about some of the nasty crap floating out there in the nether regions of the Internet... they don't update all the time but when they do the content is dead-on, informative, and useful.
  • Jack Mannino's Blog - You know Jack does he.  It's a light-hearted blog and even though Jack's a Mets fan I still recommend this one to have in your reader.

Friday, March 26, 2010

Dr. Howard, Dr. Larry, Dr. Moe? We have a problem.

Background: This is a doctor's office.  This is the same doctor's office that mandates your SSN on at least 4 forms because they claim my insurance company needs it to verify that I am covered. (Reality: I called my insurance company, they do not need my SSN).  Additionally, almost all records in this office are electronic.  Doctors have tablets, computers have all my medical data, etc.  There is still a ton of paper in the office, with test results, signatures, diagnoses, etc ... which I assume (or rather, hope) eventually gets converted to digital format and the originals get shredded.

This door is in the back of the office where, if I wanted to, I could pretend to go to the bathroom and disappear into there for a good while before anyone noticed.  I stood there for at least 2 minutes without anyone walking by, or even hearing a voice nearby.  What do you want to bet this is where their wireless, wired networks converge?  What do you want to bet that there is a dust-covered server in here with backup tapes sitting on top of it?

Oh well...

Thursday, March 25, 2010

PacketForensics - Something Smells Funny...

No doubt by now you've seen the story on Wired's "Threat Level" segment on Packet Forensics titled "Law Enforcement Appliance Subverts SSL"?  I won't re-iterate what was written in the story, you can read it yourself, but this is what captured my interest:

"At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania."
Of course, I wanted to know more.  I wanted to talk to those Packet Forensics folks myself!  Well, apparently that's a lot tougher than you'd think.

First off, I tried calling several times during business hours to their Tempe, AZ office and got a "Press 1 for sales, 2 for technical support" ...when I pressed 1 for "sales" I got a message system asking me to leave a message and someone would call me back.  Pressing 2 for "support" got me a live support person who was kind enough to tell me that if I wasn't a current customer I'd need to buzz off.  Hrmm...

Also, apparently their system doesn't think my email address (which is my real email address) is real ...

So ... Packet Forensics folks ... I swear my email address is real.  Will someone reply either privately or here on the blog?  I have many, many questions!

Here are some of those questions...
  1. Are Packet Forensics products using an exploit to perform their duties, or are the devices using legitimately purchased (but cloned) certificates of real sites?
  2. Are these devices being used on commercial carrier networks (ISPs) here in the US?
As you can guess there are many more questions, but I can't even see the products on their page without a login name and password ...geeze!