Like we really needed this.

Hacker’s Blog

August 18, 2015

SecureWorld is insecure?

Filed under: Security,Uncategorized — Hacker @ 6:01 am

Since I have my own domain, I can give out email addresses that are tagged to an organization. If I receive a malicious email or spam on that address, then I know that that address has leaked somehow. Attribution only goes so far though, as some organizations will sell or distribute the email to others. That’s the case for SecureWorld. The email address I used was handed out to several vendors at the conference, so I don’t know who was compromised.

It is clear that someone was.

SecureWorld Leak

This email wasn’t spam. It actually came with a virus. Congratulations SecureWorld, you’ve got clientele worth owning. Though I can’t imagine too many of them are going to fall for opening the attachment, I know that even the best trained security practitioners are sometimes going too fast and will make mistakes.

• • •

August 15, 2007

Rational Security: Security Innovation?

Filed under: Philosophy,Security — Hacker @ 8:50 am

Some people think that they are the lunatic fringe. Mr Hoff states: Nobody really believes that security can be innovative, do they? I do.

The next thing we’ll be hearing is that rational security = security innovation or to simplify: Rational = Innovation. What could be further from lunacy?

Quite simply, in a changing environment it is irrational not to innovate. It is obvious that security is a changing environment. When was the last time the threats were consistent over time?

Now some would have you believe that constant change is itself irrational and therefore any response to it must necessarily be also. In Mathematics, 1 / 3 is rational while the square root of 3 is irrational. Both cannot be represented in decimal form by a finite number of digits, but with one third the digits repeat.

Consistency makes being rational easy. The hard work of working out a solution only needs to be performed once. Then a simple lookup can occur. To make consistency a requirement for rationality reduces rationality to automata. Not much use being rational then.

Innovation does not mean anything goes. New techniques must work to be innovative. Innovation is also not randomly trying new things. That’s luck. Innovation must be rational.

Therefore real security must be innovative.

For one to accept innovation the new ideas must be rationalized, otherwise they are seen as just random gibberish. The seven deadly sins of problem solving referred to by Hoff are all ways that keep us from being able to accept new ideas. This applies whether the solution is ours or someone else’s. (Many who lack self-confidence invert the Not Invented Here rule).

The most important aspect of being innovative, or of accepting innovation, is that it takes time for our brains to adjust. If someone has just presented something to you that sounded rational, but doesn’t sit well in your gut, then that is when it is apparent that more time is needed. Given time, one should be able to either accept the new idea, or determine where the flawed assumption was buried. Often this type of rationalization is a background process, and “sleeping on it” is a perfectly valid approach.

It seems that people keep buying new security technology, so by their actions they must believe that innovation is necessary for security. Mr. Hoff isn’t so much presenting a new approach to security as explaining how the accepted approach is not well understood. The reality is that just about everybody believes that security can be innovative, they just don’t know it.

It is also critical to remember that if the solution doesn’t seem to fit, perhaps the problem was defined wrong. That explains why router ACLs are not acceptable network security tools 99.9% of the time.

• • •

March 25, 2006

Google hack: Stop spam with ‘Infinite’ e-mail addresses with GMail

Filed under: Security — Hacker @ 6:54 pm

Interesting approach to tracking how spammers have found your address if you have a gmail account, though it does have a flaw.

Google hack: Stop spam with ‘Infinite’ e-mail addresses with GMail

I have been doing something similar for years with my own domain and a catch-all address. Of course, having a catch-all address itself attracts lots of SPAM, but those end up being relatively easy to filter as they come in.

One problem with the gmail method is that if it became popular, spammers would figure it out and simply drop the post-plus portion. Therefore the best way to use this effectively is to always use a ‘+something’ for your personal emails.
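The tagged-address scheme from the SecureWorld post above and the GMail ‘+something’ variant here, as an added example that is not from the original blog: it attributes inbound mail to the organization that received a given tag, and flags the case the post calls out, a sender that stripped the ‘+tag’ and mailed the bare address. The tag registry, user name and domains are constructed placeholders, not the author’s real ones.

```python
import re

# Constructed registry: which tag was handed to which organization. A tag shared
# with several parties (as at the conference) can only be attributed to the group.
TAG_REGISTRY = {
    "secureworld2015": "SecureWorld conference (shared with several vendors)",
    "bank": "Example Bank",
}

ADDR_RE = re.compile(r"^(?P<local>[^@]+)@(?P<domain>[^@]+)$")


def classify_recipient(addr: str, base_user: str, domain: str) -> dict:
    """Attribute one inbound recipient address to the organization holding its tag.

    Handles both styles on the page: GMail's base_user+tag@domain and a catch-all
    domain where the whole local part is the tag (tag@domain). Verdicts:
      attributed   - tag is in the registry
      unknown-tag  - tagged, but the tag was never handed out (possible guessing)
      stripped     - bare base_user@domain: the '+tag' was dropped by the sender
      foreign      - not one of our addresses at all
    """
    m = ADDR_RE.match(addr.strip().lower())
    if not m or m.group("domain") != domain:
        return {"tag": None, "org": None, "verdict": "foreign"}
    local = m.group("local")
    if local == base_user:
        return {"tag": None, "org": None, "verdict": "stripped"}
    if "+" in local:
        user, tag = local.split("+", 1)
        if user != base_user:
            return {"tag": tag, "org": None, "verdict": "foreign"}
    else:
        tag = local  # catch-all domain: the local part itself is the tag
    org = TAG_REGISTRY.get(tag)
    return {"tag": tag, "org": org, "verdict": "attributed" if org else "unknown-tag"}


def leak_report(recipients: list, base_user: str, domain: str) -> dict:
    """Count inbound recipients per attributed organization (or per verdict)."""
    report = {}
    for r in recipients:
        c = classify_recipient(r, base_user, domain)
        key = c["org"] or c["verdict"]
        report[key] = report.get(key, 0) + 1
    return report


if __name__ == "__main__":
    # Constructed sample of To: addresses seen in one day's mail.
    sample = ["me+secureworld2015@gmail.com", "me@gmail.com", "me+bank@gmail.com"]
    print(leak_report(sample, "me", "gmail.com"))
```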

• • •

March 8, 2006

David Adams’ Now they’re gluing the SIM cards in!

Filed under: Clueless — Hacker @ 1:25 pm

This is just too funny to pass up.

David Adams’ Now they’re gluing the SIM cards in!

There is nothing more I can add to Mr. Adams’ insightful analysis.

• • •

February 28, 2006

Frankly Common Insecurity – Computerworld

Filed under: Clueless,Security — Hacker @ 9:16 am

Let me begin by saying that I have a deep respect for Frank Hayes’ understanding of general IT issues. However, Mr. Hayes just doesn’t get security, as seen again in Common Insecurity. Mr. Hayes suggests that virtualization would have helped separate the data from the three different agencies so that a breach of one would not have breached the others. He also suggests that virtualization can make security easier. Both are incorrect in this scenario.

Cain & Abel poses a threat here because of its sniffing and cracking abilities. The sniffer can grab packets to any of the virtual systems, so it is a threat to all. The cracking tools’ threat would only be limited to one system if the accounts used to manage each virtual system were different.

Having separate systems for common functionality also complicates other security matters, such as patching, system monitoring, and the budget for high end OS security hardening tools which are licensed by the instance. Virtualization allows for some separation, but does not simplify everything. It is much better to consolidate systems doing the same thing with the same security requirements, just as a bank’s safe deposit box is generally better than a safe at home. Cost is a significant factor here. The bank is able to spread the high security costs across many more customers without adding large risks.

Perhaps Mr Hayes does not recognize that this server is serving a common function, that of credit card processing, in a Service Oriented Architecture like system. This seems to be the case and led him down the path of separating these systems. Nevertheless, his points on virtualization and security are naive and the problem is much deeper than he considers here.

• • •

They just don’t get it: N.H. Breach May Have Exposed Credit Card Data – Computerworld

Filed under: Security — Hacker @ 8:49 am

I suppose it’s too much to ask for organizations who have weak security programs to understand real risk. Here is a fine example: a security Swiss-army-knife-like tool was found on a server that processed Credit Card transactions. So what do we do? Panic!

N.H. Breach May Have Exposed Credit Card Data – Computerworld

Admittedly, the article says that a person is being investigated, but that’s not the focus. The tool is being blamed and not the person.

Cain & Abel has several capabilities. Amongst them are password / hash cracking and sniffing. Now if sniffing is considered the threat here, then I’d expect that the server and LAN have no other sniffing tools installed. Otherwise the smart attacker would just grab packets and crack offline. Cain & Abel also has the ability to turn poorly configured switches into hubs. If this is the threat, then the target was not the system Cain & Abel was running on.

If the cracking is considered the threat, then all the evidence is right there on the system. It should be easy to determine what was going on.

Cain & Abel also has some useful tools for troubleshooting, such as a TCP Traceroute capability. Those trying to troubleshoot connectivity across several firewalls need tools like this to do so. It is very likely that this server was involved in such communications and needed that troubleshooting capability. Of course, if all this ends up being is some sysadmin installing something that shouldn’t have been installed, then we won’t ever hear about this again, because that is not news.

• • •

February 18, 2006

Security Awareness and Spear Phishing

Filed under: Security — Hacker @ 4:50 pm

Sometimes I am drawn into irony like a gawker to a highway accident. I know I should just focus on the road and keep moving, but I just can’t help but stop and look. Today’s ironic accident was my employer’s quarterly security awareness newsletter. I’m sure they tried really hard, but the system just conspired against them.

The newsletter is a pdf, which one has to download from the intranet. To advertise its availability, they sent out an HTML formatted email with a link to the intranet page where the pdf could be obtained. In a newsletter article about Spear Phishing it says:

Don’t click on Web links within e-mail messages.
It is far safer to note the address
and retype it yourself in your browser
address window.

But wait, didn’t you just set me up to do that by sending me the HTML email? Why not use plain text, which even if linkified by the email client, is exactly as displayed.

Of course I had to hack the original email to change the underlying URL to point to this blog. I then sent that out internally. Odds are, if you are reading this, it is because you clicked on that link.
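The mismatch the post relies on, a link whose displayed text is one URL while its href goes elsewhere, is exactly what a mail gateway or client can check for. This added example (not from the original post) parses an HTML mail body and reports anchors whose visible text names a different host than the href, or whose href leaves a trusted host list; the intranet and blog host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.host/path' text is treated as http."""
    p = urlparse(url if "://" in url else "http://" + url)
    return (p.hostname or "").lower()


def mismatched_links(html_body: str, trusted_hosts: set) -> list:
    """Return (text, href, reason) for anchors a user should not trust on sight.

    URL-looking text whose host differs from the href host is the newsletter trick;
    non-URL text ('click here') is flagged only when the href leaves trusted_hosts.
    """
    p = LinkCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.links:
        target = host_of(href)
        url_like = "://" in text or text.lower().startswith("www.")
        shown = host_of(text) if url_like else None
        if shown and shown != target:
            findings.append((text, href, "text/href host mismatch"))
        elif target not in trusted_hosts:
            findings.append((text, href, "href outside trusted hosts"))
    return findings
```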


• • •

February 2, 2006

Communications experts warn of VoIP security issues

Filed under: Security — Hacker @ 9:23 pm

I always find it interesting when academics rant about some security issue that really isn’t tied to reality. Communications experts warn of VoIP security issues. Upon reading the news brief it is apparent that VoIP is not the issue, it’s DDOS and the lack of controls on our peer to peer Internet.

At first I thought “Well they are communications experts and not security experts”. Then I looked at the members and Ross Anderson is in there. Mr. Anderson probably knows more about security than I ever will, so perhaps it’s just me.

You see, if I had a whole bunch of bots around the net, and had compromised their owners’ VoIP software, I would not be using it to coordinate DDOS attacks. I’d be SPITting all over the place. Especially the ones that had accounts to access the PSTN. The thing is, one can avoid SPAM by not using email, or not using it much. No one with a phone can avoid SPIT. If this ever takes off, it will be very very bad.

Update: news release on their site is now missing. Other URLs: VoipInfoBlog,

And a telling tale of what might have happened here. It’s a very interesting story of how the politics of vulnerability disclosure is a field of landmines.

It also may indicate my original comments are a bit harsh, but the original press release itself is at fault for that.

• • •

January 30, 2006

The sky is falling! Virtually

Filed under: Security — Hacker @ 4:32 pm

Late last year VMWare released a very cool new tool called the VMWare player. There are now so many cool things that one can do with VMWare that it boggles the mind.

Of course a lot of them are big security problems. Big enough to make the whole USB Drive/ipods are evil scare a while back look, well, as silly as the whole thing was. I’m not going to start listing all of the obnoxious things I can do with VMWare just yet. I don’t want the panic to get started before I get the chance to build some of them out and have some fun.

However, for the record, I do proclaim that VMWare and the portability of VMWare player is a significant technology change that now opens many security holes. Way more than just copying files around.

• • •

January 26, 2006

Real Security – A different perspective about information security

Filed under: Personal,Security — Hacker @ 2:35 pm

Wow, one of my security heroes has a blog and it looks a whole lot better than mine.

Real Security – A different perspective about information security

This reminds me that I really need to keep in touch with people better.

Hopefully, once again, I’ll be borrowing from Jim to make myself look competent. This time for my blog’s design evolution.

• • •