Archive for February, 2010

Paranoia, anybody: redux, part II, reloaded, the sequel, extended, directors cut.

Friday, February 19th, 2010

It’s been roughly 24 hours since I posted  about paranoia and foursquare. I was correct in my foresight expecting people to respond somewhat forcibly, or strongly – but I got my responses from ENTIRELY the wrong crowd I was trying to speak to: my infosec friends.

I wanted to acknowledge valid points that were brought up in conversations carried on after the fact and transmogrify the undertone from my last post into an overtone in this one. My suspicion is that my previous snarkiness may have obfuscated the clarity of the point I was trying to make.

  • Yes, absolutely, I agree that over-sharing your location creates a vulnerability and allows an attacker to build an attack profile (excessive meaning say, more than 3-5 checkins daily). As one friend put it “updating foursquare 24/7″ = bad. Foursquare is not “HELPING” the problem – yes they are “CONTRIBUTING” to it, but they are not “THE” problem.
  • This is not a “new” attack vector. Foursquare is not the first application to allow one to publish ones whereabouts (if you REALLY wanna crap your pants, have a look at lattitude. If you think foursquare is bad your head will fall off)
  • No, in this context, knowing if you’re in a building or in a certain room to a building is irrelevant. The point here is you’re “leaving your home vulnerable”. Personal security is a different subject entirely, and I prefer to stay on topic. The site that was mentioned was “Please rob me”, inferring “come to my home and rob it while I’m not there”. If people would like to have a healthy discussion about personal security, I’d be happy to be a part of it – however this is not it. This discussion is about the home.
  • It is less likely that an ACTUAL home-invader will use foursquare over any other social/web2.0 site. Standard usage dictates one has to click an accept button to allow someone to view their checkins (unless they’re published to facebook/twitter, then it’s moot anyway). I’ve had friends that have had their homes burglarized and in every case the attacker was not what any of us would consider an “advanced enough” computer user to utilize foursquare as a prelude to a burglary. It was always something like “we saw them packing up to leave on a ski trip” -visual, in person. If an attacker is enlightened enough to employ the use of attacks like CSRF and social engineering methodology they’re going to go after what you have in the bank, in investments, carbon credits (a new one!) and other things that are far more valuable than your television.
  • In this context its foursquare that’s being thrown under the bus. Their ‘fault’ in this case was to take an already popular idea (dodgeball) and make it more popular. It’s the “in” thing to do rightnow – overshare. Some people do it, other people don’t – people manage their own risk. Telling twitter you’re going to the bar, versus checking in on foursquare AT the bar, versus gowalla, or a facebook update – its all the same thing: You’re telling the internet you’re not home. The problem is the behavior, not the “tool used”.

The last line of the last post I wrote is more or less the overall point I’m trying to make. Somehow, or for some reason the masses have decided to have an epiphany where they throw their hands in the air and declare foursquare unsafe.

Agreed, they have a valid point. I won’t argue that, but its synonymous with walking into the burn ward at a hospital, walking past rows and rows of disfigured and suffering individuals, stopping at one random person then exclaiming to the world how THIS PARTICULAR PERSON is suffering and needs medical attention and oh-woe-is-me-what-a-world.

Generally speaking, the same people who have ‘come to this realization now’ are guilty of using many other applications that “tell people they are not home”.

My point, reconstituted without snark is: You’ve been doing it for years, and you JUST NOW realized it? THATS the problem. Not foursquare. The very same author of the blogpost I linked to is guilty of frequently publishing their location using a variety of applications. At best I can only speculate, but my speculation is that it was done for the readership and stir the pot – not to actually provide any real warning.

Tags: , , , , , , , , , , , ,
Posted in insight, speculation | 6 Comments »

Paranoia, anybody?

Thursday, February 18th, 2010

So in a previous post, I discussed “Convergence Theory“, which is the concept that argues people will “go with the crowd”. There’s a new fad in town, and it’s all about ditching foursquare because you think you’re going to get robbed.

In this case, frankly, I’m appalled. This is absurdity at its best. Lets all get on the paranoia choo-choo with Jennifer Van Grove and the silly website she’s blogging about, cancel our foursquare accounts, and go hide at home in fear. Sorry to call you out like this Jen, but this is purely knee-jerk baseless paranoia. If someone sees me IN THE PARKING LOT AT THE GROCERY STORE, then they also know I’m not home. This isn’t anything new.

The common complaint I have with blogposts and arguments like this is that people never think two steps ahead. Nobody ever considers engaging their foresight muscle and actually thinking this sort of thing through to conclusion.

I’m a security-minded person. That means I have to very often think like an attacker. I have to plan out “missions”, I have to completely exhaust all nefarious ideas and plotting in an effort to fortify the clients that hire me to make them more secure. This exercise allows me to put on an attackers hat and logistically consider courses of action in an effort to understand things like the frame of mind and context of an attacker.

In the last few weeks I’ve seen a lot of folks all of the sudden “realize” that when checking into foursquare this tells the internet that “you’re not at home”. Disappointingly enough the first thing that short-sighted people think is “OH GOD THIS MEANS EVERYONE KNOWS I’M NOT HOME. I’M GOING TO GET ROBBED!”. I cannot articulate using text exactly the style in which I face-palmed. To bring some clarity to those who have chosen to forego foresight, I’ve made this handy flow-chart. Have a look:

Simply put: If you’re going to rob someone, you have to put a little thought into it. You may be shot. You may be caught on camera. You may have to deal with nosy neighbors. Do you even know who this person is or where they live? Think about it for more than 30 seconds. If you’re still convinced that foursquare will get you robbed, print this chart out, and put it over your display using a stapler.

Stop being paranoid. Stop following the crowd. Wake up.

Tags: , , , , , , , , , ,
Posted in rants | 9 Comments »

Dealing with liars, slander and libel.

Tuesday, February 9th, 2010

Having been practicing information security on a freelance basis for roughly 2 years now, I’ve quickly come to learn that the information security industry is very incestuous – teeming with folks that think the standard “how to survive prison” methodology works for information security. Find someone who’s made a name for themselves, beat the everliving crap out of them, assume their former glory. This is a problem. Primarily because it doesn’t work, and secondly because nobody has ever been able to do it right and get their intended results.

Moreso is a problem when people who have openly admitted their noviceness in linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ’cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage, or the salem witch trials where women were called out as witches and burned alive, their pleas of innocence ignored.

This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security, the industry surrounding it – picking up a torch and going on a crusade because of something they don’t understand.

I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and the friends and loves ones around me have have suffered because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.

I apologize to those who’s names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.

(more…)

Tags: , , , , , , , , , , , , , , , , , , , , , ,
Posted in insight, rants | 7 Comments »

foursquare sending passwords in the clear

Monday, February 1st, 2010

In this case, I’ll be arguing:

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

(more…)

Tags: , , , , , , , , , , ,
Posted in insight, review, technology, training | 1 Comment »