Wednesday, April 6, 2011

The Hype Over Epsilon ...Baby in the Bath Water?

You've heard the expression "don't throw out the baby with the bath water" right?  The reference is to discarding something important in the mess of something unwanted ...makes me think a little about this big in-your-face headline on USA Today's "Money" section ...from Tuesday April 5th.

"Epsilon hack triggers phishing fears" with the subtitle 'So be careful where you click'.

Is this a good thing, or a bad thing?  Clearly such hype, at least from a security perspective, warrants temperance and sanity for our own credibility ...but could there be a silver lining here?

The fact that this headline is on the front page of Tuesday's USA Today Money section says something ... it says that this is a big story, sure.  But there's a more subtle benefit here ... given the readership of the USA Today, and who's going to read that front page headline and sub-headline ...maybe this is a good thing?

Maybe more people, more of the 'common users' we see as constant phishing victims, will read this and think twice about clicking that email that shows up in their mailbox unsolicited?

Or maybe not.

But I can tell you with certainty that even if 10% of the readers of this interestingly written (using a quote from a competitor to the company that just got hacked? uncool) article think twice and don't fall for a phishing scam I'll be thrilled.

Friday, April 1, 2011

Information Security Comedy Genius

You just can't make this stuff up ... I don't know if you follow the Bugtraq mailing list or not, but as I read this today I first thought that hey, it's April Fools' ...but when I realized it was a serious post I read on and the result was a serious LOL ...and projectile coffee all over my monitor/keyboard as a result of Thor's reply.

So here's what happened ...

An email came in with a disclosure..."Microsoft VISTA TCP/IP heap buffer underflow"

...which had this gem of a paragraph in it (for a little context, the person is referring to a PoC he wrote as the program):

"To execute either the sample program or any other system command, the user has to be either the admin, in the admin group or the Administrators group. Since this buffer underflow never makes it to kernel memory, it could be possible that propping up the underflow will make it overflow and take control over the operating system without any restriction."

...which I figured for an April Fools' gag, until I realized it was serious.

Then ...came the LOLs ...because in proper form "Thor" (Hammer of God) had this brilliant rebuttal:
"Just so that I understand correctly, are you reporting that if one is logged on as the administrator, it may be possible to execute this exploit in order to take over the machine?"

You just can't make this shit up folks ...welcome to Information Security.

Sunday, March 13, 2011

Breaking Your AT&T Broadband Neighbor's Bank

A few weeks ago when Canada's major Internet providers announced they were going to be capping Internet transfer on a monthly basis, some of us here in the 'States chuckled.  Guess we're in for a dose of that now too as AT&T just announced they're doing the same starting in May.

What's really interesting to me from a security perspective is this - how many AT&T customers do you think have a relatively easy-to-break-into WiFi network that ties right into their AT&T home DSL or uVerse?

So, here's an interesting scenario.  A home user goes over the 150Gb threshold, by many gigabytes.  Month after month ... how does that user then go about proving that it wasn't their activity but the result of someone breaking into their wireless and soaking up lots of bits?

Having a transfer cap sure makes the case for having more security on your wireless, does it not?  The problem with many home wireless networks still being easily breakable is going to collide with broadband charges and caps ...real soon.  The question is - what will be the result, and how will the courts treat it?  How will AT&T treat it if I spike to 400Gb one month?  Can I claim that it wasn't me?  I suspect it would be interesting to see how the home DSL w/WiFi gear that AT&T is giving out is going to provide protection against these types of bandwidth-stealing attacks.

This AT&T strategy is easily at odds with the distributed nature of BitTorrent, vast amounts of streaming media - and oh yea ...pirates.  This is an interesting tactic in AT&T's ongoing war against pirated content, and various other forms of wrong-doing.  It's an interesting tactic ...because if you can choke off the means to distribute illegal content (and let's face it, this is how pirates distribute illegal content) or at least make it very, very expensive to aid the pirates - maybe they (whoever "they" are) have a chance of winning the war.

I can't wait to see how this shakes out...

Thursday, February 24, 2011

Cool Things I Learned About Security From Watching Spy Movies...

I love spy movies, I've watched every single one I can find from "Spies Like Us" to the "Mission: Impossible" series and everything in between (including the really, really bad ones too).  Spy movies teach us a lot about real security, how it can be defeated, and some of the Hollywood truisms (and "bending the rules") demonstrate what we're all already thinking, and probably know to be true anyway.  I've learned a lot, and I see a great many applications to real life InfoSecurity so I thought I'd share them with you here ...

  1. You're being attacked.  Right now... and now... and now.
  2. Computers are easy to manipulate
  3. People are even easier to manipulate
  4. Your 'perimeter' is only as strong as the guy holding that USB stick walking in your office door
  5. Encryption is breakable ...actually - "encryption" you build yourself is breakable
  6. The common denominator amongst the thousands of daily use social media, financial, and other high traffic sites is one set of credentials
  7. If you want to break military-grade encryption to steal intellectual property or state secrets, use a $15 hammer applied to the owner's open palm
  8. Knowing where your target is located at all times is critical.  Spies use expensive equipment like satellites, GPS, and other gadgets; in lieu of expensive gadgetry I suggest Facebook or Foursquare.
  9. Remember when it was cool to watch a movie spy 'tap in' and listen in on a person's cell phone call from another part of the world?  Yea, that's possible.
  10. By the time you've gotten down to here, I've utilized the exploit you don't know about in that browser you're using to gain access to your machine.  You really shouldn't keep pictures like that in that 'hidden' folder in "My Documents" ...HR would be unhappy with you.

Wednesday, February 9, 2011

Hooray for Accountability (ZDI Drops 22 0day)

Well, it's February 2011, and the year is flying by already.  Quite frankly, I'm thrilled to see this story run and made a big deal out of -because if you're anything like me you're sick to your stomach from all the large software vendors that have been non-accountable for the crap they release.

The Register is running a story about how the ZDI has "spilled the beans" on 22 advisories, and some of the juicy details of the bugs.  Rather than waiting indefinitely for the vendor to decide whether they care to take the time to patch their software or not - ZDI has taken a stand and published the bugs just 180 days after confirming the vulnerability with the vendor.  I think that's fair, don't you?  6 months to analyze, identify, strategize and release a patch is plenty of time -even if you're a monster Fortune 100 corporation.

What I think is the bigger story, bigger than the 22 bugs released (one of which is of an unpatched flaw in the parent company, HP ...oh noes!) is that the ZDI changed their policy a while back so as not to wait indefinitely for a patch from the vendor before publishing the bugs.  Now, it's 180 days, and time to pay the piper... and you have to hold them in high regard for that.

If you'd like to see the disclosure on the ZDI blog, check it out here ...companies include EMC, Novell, CA, SCO, HP and of course IBM.

In all the buzz and press around this release, I think it's critical to remember one thing - accountability is paramount.  If you don't hold yourself accountable ...the ZDI boys and girls will.

Sunday, January 16, 2011

Hackers "Borrow" Excess Server Capacity, Play CoD: Black Ops

[Cross-posted from Following the Wh1t3 Rabbit]

"For Satan always finds some mischief still for idle hands to do." --Isaac Watts

Those pesky hax0rz.
They just want to hack in, steal your data, plant trojans and spread evil.  ...sometimes not though.

Stories like this just don't get enough coverage because it's more funny than sinister - but apparently on November 12th, around 2:00am local time someone broke into the Seacoast Radiology of Rochester, NY server and didn't try and download their 232Gb of database ...nope, they just borrowed the server to play "Call of Duty: Black Ops".  For 4.5hrs that night someone was using the radiology center's server capacity to play a video game.

You can just tell when someone is giving a quote that they don't know what they're really saying which is evident in lines like this one:

"Our server is 232 gigabytes," Wood told SecurityNewsDaily. "If somebody tried to download it with the speed that we have, it would take them 27 days. We don't think there's someone out there with a huge database trying to pick and choose who they're going to attack."  (Source: MSNBC)

Well ... I for one am glad this person has a crystal ball, because I'm not sure I would make a statement like this one:

"Wood said Seacoast has not received any reports of identity theft related to the incident. He believes the hackers took advantage of the server's size simply to play the massively popular video game and nothing more."

Mischief ...or something more sinister?  I certainly have no idea ...but it's certainly not your typical hacking story.

Friday, December 24, 2010

The Invisible Line Between "Error" and "Data Breach" ...

Just catching up on a quick story that's circulating (if you read the news like I do) on what is being called a data breach ...but is it?

The headline is "Santander Leaks 22,600 Account Details [source: computing.co.uk]" - but at what point does the line between accidental disclosure (or an "error") turn into a data breach?

I think the discussion needs to be had, and while Santander is doing the responsible thing here, when it comes to data breach laws in the US, how do we treat this?  Where is the line drawn between "accidental disclosure" which is just that, accidental, and a data breach which is the result of negligence?

It would seem the entire discussion is based on cause, and whether the cause was "an accident in spite of due diligence" or rather "a result of a lack of appropriate measures" ...what concerns me is this text from the article:

The ICO confirmed that it will be investigating the breach.
"We have recently been informed of a data breach involving Santander. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken," said an ICO spokesperson.
"Under the Data Protection Act, organisations that process personal information have an obligation to keep it secure; therefore, it is a matter of concern if information such as account details have been incorrectly provided to the wrong recipient," they added.

So we turn to trying to figure out how to draw a line on intent ...and that's a very difficult thing.

Friday, December 10, 2010

DDoS'ing into Oblivion

I don't know if you've noticed, but Distributed Denial of Service (DDoS) has taken the spotlight on center stage of this 3-ring circus we call the Internet.

If you don't know what a DDoS is, I suggest you go give Wikipedia a quick read, and maybe get WiFi in the cave.


What used to be a nuisance, and let's face it DDoS started out as a nuisance, has turned into an interesting and powerful weapon.  Tools like LOIC, which was released by "Anonymous", and the OWASP tool that essentially does a similar task against web servers using slow header payloads are brutal.  These can cause serious outages and take down web servers and entire sites, or even web farms.
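Since the post calls out the slow-header style of attack, here is the server-side counter-measure on Apache httpd, mod_reqtimeout, as an added example that is not part of the original post (module path and the numeric limits are assumptions, not values from the page). It bounds how long a client may take to finish sending request headers, so a connection that trickles a few bytes at a time is dropped instead of pinning a worker thread indefinitely.

```apache
# Added example, not from the original post.  Assumes Apache httpd 2.2.15+ or 2.4
# with mod_reqtimeout available; the module path below is the stock layout.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Weak setting, shown only for contrast (a value of 0 means "no limit"):
# a client may keep a header in flight forever, one worker per connection.
# RequestReadTimeout header=0 body=0

# Hardened setting: headers must complete within 20 s, extendable to at most
# 40 s only while the client keeps sending at >= 500 bytes/s; the body gets
# 20 s plus the same minimum-rate rule.  A slow-header client is cut off
# early and its worker is returned to the pool.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Generic idle timeouts still matter: a long Timeout/KeepAliveTimeout lets
# half-open or idle connections accumulate during a flood.
Timeout 30
KeepAliveTimeout 5
```

After reloading, a connection that stalls mid-header is closed with a 408 once the limit is hit, which is visible in the access log and can be alerted on.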

Let's talk impact

  • Full pipe - a DDoS can fill your network pipe with junk traffic and effectively cut you off from the rest of the Internet
  • Overloaded server - a DDoS can actually completely overwhelm a piece of hardware, and cause the machine to die
  • Overloaded server - a DDoS can also overwhelm poorly (actually even not-so-poorly) written software so that it completely stops responding and dies
  • Software zombie - an interesting condition recently uncovered where a server is still completely responsive to other requests, except that legitimate requests for the targeted sites return nothing at all
  • Huge bill - That's right, imagine paying for your Internet pipe by the megabyte... then you get a 100Mbit/sec flood for 12 straight hours ... you could go broke trying to pay that bill!
  • Bad PR - Imagine if you're launching a super-cool online game that some kid gets mad at and takes down your servers ...ouch!

Perfect example: Al-Akhbar's website has been decimated (and is still down) for a while now... interesting use of Internet bandwidth.

So DDoS is a very versatile tool - and with literally millions and millions of zombie machines out there - maybe even YOURS - the attacker agents are plentiful.  I wonder what the horizon holds for DDoS attacks ...it could be interesting.

Tuesday, November 23, 2010

The TSA Now Makes Fortune Cookies

This is how you know you're going to get the "blue glover treatment" ...when the cosmos is trying to tell you something.

Oh crap...

Wednesday, November 17, 2010

Worried About Your Children Online? You Should Be...

Fair warning - this will make you sick.

The headline on MonstersAndCritics.com reads:
"Germany indicts man who hacked webcams to film children"

The reality is that child predators have a much easier time on the Internet than they would in the real world ...and in this virtual world where they can be anyone they want to be the predator can be any age, sex, or personality to convince a child to put stuff onto their computer.  What happens next is an all-too-real sad fact of modern life.


The question then becomes ...what do we do about this?  Besides putting a needle into the arm of this bastard so he never hurts another child again ...what do we do?  Is better control the solution?  Anti-malware protection?


I think that ultimately the ownership of protecting your children is the parent's responsibility...and in the ever-increasingly connected world of the Internet parents need to arm themselves with as much knowledge as their children.  Your 9 year old shouldn't be better at the computer than you are... plain and simple.


While you can't control every minute of every day of your child's life, we can certainly teach them from a young age that security "best practice" like not accepting unknown files from people they don't know or trust, or other things we have been trying to teach our corporate users for years, should be followed or there could be dire consequences.  The notion of "stranger danger" applies to EVERYONE on the Internet... there are no "real people" unless mom or dad says so...unless mom or dad doesn't know better either?


Ultimately, parents, protect your children.  Teach them well, and put in as many safeguards as you can technologically to ensure that these types of predators can't get at them online.  It's just sick that human trash like this is allowed to exist... if I had my way justice for these animals would be swift...preferably with a large caliber to the skull.

Monday, November 15, 2010

Not Another TSA Rant

Hold on to something ...I just had a very intelligent discussion with a manager (I will keep her name anonymous, I'd like her not to lose her job for talking to me) of the TSA shift here at O'Hare airport.

While you catch your breath ... let me reiterate how much I loathe the invasion of privacy and the scales of privacy vs. (actual) security being tipped way askew...

So here's what happened...

I was given the "sir, step over here into this machine" line from a woman who had the demeanor of a rabid coyote, to which I replied "No thanks, I'll opt-out".

After the customary 10 people screamed back and forth "We have an opt-out!" ... they told me to wait in the middle of the screening area, and since I insisted on keeping an eye on my bags (I reminded them of the public announcement playing on infinite loop) they had one of the gentlemen (clearly a very nice guy) take my stuff, put it aside and stand over it while I was frisked.  This was interesting...


The guy giving me the "pat down" told me he was going to use the back of his hand in certain areas but never mentioned the "dirty uncle" treatment (front of hand on your junk) ... so I was left wondering.  He performed what I actually felt was a rather thorough pat-down, checking inside my belt loops, my armpits, and all the other usual places a wacko would try and hide something illegal.

He did not do the "dirty uncle" ... and when he was done, was polite and said "We're done, thanks" and walked away.

I gathered up my stuff and walked off but I did feel compelled to walk over to the shift supervisor and ask her why it was that when I opted out of the strip-search machine I didn't even have to go through the metal detector.  She didn't know, and even told me that "Yes, that is a little weird, but I don't have the authority to question the all-powerful policy."  I sensed sarcasm in her voice... I liked that she was skeptical and a bit of a cynic.

We had a great conversation for a couple of fleeting minutes about the process that they go through here at O'Hare and how they actively avoid doing the dirty uncle pat-down ... and don't actually use the strip-search machine on everyone ...only the equivalent of the "random additional screening" that we used to see - remember that?

Then we talked about National Opt-Out Day (Nov. 24th) and she acknowledged that while it wasn't necessarily something she objected to (whaaaa?) it would muck up air travel and snag long lines and cause delays if enough people did it.  We did come to an agreement that the balance between trying to keep the passengers secure and being totally invasive has gone too far into the invasive zone.  Odd for a TSA Manager - wouldn't you say?  I mean, this woman was intelligent, cynical and even questioned authority!

All in all, a positive experience.  For all the shit we give O'Hare Int'l airport about the countless delays and other crap ... the TSA here isn't too brutally invasive - and we know they could be.

Good luck, share your experiences ...and don't submit to thuggery!

Wednesday, November 3, 2010

The Great Internet Kill Switch

I'm stunned.  Apparently I live in a country of scared lemmings.  Check this out... this piece on the "Internet Kill Switch" by Fierce Government makes me want to cry.

Apparently 61% of the lemmings they called in this poll support the American President having an "Internet Kill Switch" in case we are attacked by a foreign nation.

"A clear majority of Americans would support giving the president authority to shut down portions of the Internet should there be "clear evidence" of a cyber attack by a foreign government, according to the results of a biannual poll of U.S. attitudes toward security."

I want to know who they called because clearly they didn't call anyone I know.  Can you imagine the misunderstanding and paranoia that must be gripping the average user to have answered like that?

Anyone who has the slightest clue about how the Internet operates knows this isn't possible.  The amount of work that would go into an "Internet Kill Switch" is insane - effectively hooking into every single ingress and egress point to/from the United States.  Because the Internet itself was designed to be resilient to attack, and our internet service providers work hard on this principle - it would be impossible to build in a single kill-switch that would "turn off Internet access" to the rest of the world.  Look at China!  They've tried ...and are currently failing at doing this exact thing.  China tried to build a choke-point through which "all Internet traffic in/out of China must pass" ...that's a big, fat FAIL there, Chief.

It's just insane to imagine how much re-engineering would have to be done to patch the "Big Red Button" (the kill switch) into every single possible path a packet could take in or out of this country.

Lunacy.  What the hell is going on out there?!

Tuesday, November 2, 2010

Cyber War - Why It's Idiotic

Let me first say that I'm overwhelmingly annoyed by all the "Cyber War" topic being Tweeted, blogged, and written about in the media.  Please stop.

I had a very intelligent conversation a little while ago with Marcus Ranum at the ISSA Louisville Metro InfoSec Conference where he and I were both speakers - and much to my surprise we were on the same page regarding this whole "Cyber War" stupidity.  War, by its very nature, is destruction.  The goal is to cause damage so that one group (presumably a nation-state) can take over another.  This most often requires bloodshed, large amounts of resources, and most importantly - physical invasion.  This is where the whole "Cyber War" silliness breaks down for anyone that understands anything.

The people I've seen and read spouting off about "Cyber War" and "Cyber Terrorism" and all that related cyber-whatever just don't get the main point.  You can't take over another nation-state by "DDoS'ing" it off the face of the Internet.  Cutting off my Internet, shutting down a power grid, or causing a possibly catastrophic event at the other end of an IP connection simply doesn't constitute a war.  Now, if one nation-state were to openly attack the infrastructure of another, and cause, say, a nuclear meltdown killing millions - that could be an act of war ...but you'd have to make a stretch even to get that accepted.

You can't tell me that if tomorrow morning we woke up and there were billions of IP packets shooting off from Chinese Internet-space at our critical infrastructure components (wait, that's happening already isn't it?) we the United States of America would declare "Cyber War" ...and if you tried to tell me that I'd make a case to have you committed.  In the virtual world, where packets buzz around, there are no bullets.  There are no full-scale invasions.  There isn't a displacement of cultural values by a military presence.

On a slightly different view - if Switzerland hired a bunch of hackers and completely took over the entire US Internet-connected presence - and I mean anything connected to an Ethernet cable - what would that mean?  Would that mean that they then could "declare war on" the US and take over?  I'd love to see them show up on our shores with their laptops and try... even if our defenses were crippled there is a sizable military presence here that would blow them to kingdom come once they were within reach of our shores.  See my point?

So once again - "Cyber War" falls on its face as just a piece of hype that someone started and other clueless lemmings jumped on to make themselves look smart.  Let me clarify for you - if you're talking about Cyber War as our biggest threat right now - you're an IDIOT.

Thursday, October 28, 2010

Go Follow the Wh1t3 Rabbit

Hey readers - if you haven't figured it out yet, I'm not updating this blog as often as I'd like to due to the day-job taking up most of my time.  I still post here but it's not every day like it used to be ...

So if you're looking for content ...go and Follow the Wh1t3 Rabbit on my HP Web Application Security blog:

Following the Wh1t3 Rabbit - HP.com/go/white-rabbit

Thanks for reading ...keep it here, I'll keep posting!

Saturday, October 23, 2010

"Not Valid Until Signed"

I feel the need to blog this because it has everything to do with the state of security these days...

I went to my local post office the other day, and along with the normally grumpy man at the window in this one-room shanty I got a little extra attitude.  Like many of you reading this, I never sign the backs of my credit cards as a rule.  I know it's really not buying me all that much in terms of security or fraud protection - but I figure if I lose my card I really don't want the jackass who tries to use it to also have my signature to copy later.

That being said, I bought a small book of stamps because there are still companies that require you to mail things in the post and went up to the window to pay with my credit card.  The man at the window takes my card, swipes it, and then looks at the back of the card where instead of a signature it says "Require Photo ID" ... then hands the card back to me and says "Sign this or I can't take it".

I looked back at him curiously for a moment, then said in a polite tone "no".  His answer to me was to hand me back the card and ask for a different form of payment.  When I asked why - he told me it's because the "law requires me to sign my credit card ...see, it says so right there".  Actually, he's wrong, there is no such law that I know of, and I've used that card a million times without ever being told to sign it.

So I took the card back, paid cash and left ... but now I have this burning question in my brain - can a merchant really refuse my card because it's not signed?

The answer, according to my Bank of America rep ... is absolutely NO.  For the record, as far as I can tell, you are NOT required to sign the back of that card, and there is nothing that legally says you must ...

Of course, my local mailperson was just following the rules ...or trying to be the grumpy bastard he normally is ... or just doesn't know better.  I don't know which of those (or all?) are true but the bottom line is I'm not going to sign my card, and you shouldn't either.