Archive for the ‘insight’ Category

« Older Entries

Paranoia, anybody: redux, part II, reloaded, the sequel, extended, directors cut.

Friday, February 19th, 2010

It’s been roughly 24 hours since I posted  about paranoia and foursquare. I was correct in my foresight expecting people to respond somewhat forcibly, or strongly – but I got my responses from ENTIRELY the wrong crowd I was trying to speak to: my infosec friends.

I wanted to acknowledge valid points that were brought up in conversations carried on after the fact and transmogrify the undertone from my last post into an overtone in this one. My suspicion is that my previous snarkiness may have obfuscated the clarity of the point I was trying to make.

  • Yes, absolutely, I agree that over-sharing your location creates a vulnerability and allows an attacker to build an attack profile (excessive meaning say, more than 3-5 checkins daily). As one friend put it “updating foursquare 24/7″ = bad. Foursquare is not “HELPING” the problem – yes they are “CONTRIBUTING” to it, but they are not “THE” problem.
  • This is not a “new” attack vector. Foursquare is not the first application to allow one to publish ones whereabouts (if you REALLY wanna crap your pants, have a look at lattitude. If you think foursquare is bad your head will fall off)
  • No, in this context, knowing if you’re in a building or in a certain room to a building is irrelevant. The point here is you’re “leaving your home vulnerable”. Personal security is a different subject entirely, and I prefer to stay on topic. The site that was mentioned was “Please rob me”, inferring “come to my home and rob it while I’m not there”. If people would like to have a healthy discussion about personal security, I’d be happy to be a part of it – however this is not it. This discussion is about the home.
  • It is less likely that an ACTUAL home-invader will use foursquare over any other social/web2.0 site. Standard usage dictates one has to click an accept button to allow someone to view their checkins (unless they’re published to facebook/twitter, then it’s moot anyway). I’ve had friends that have had their homes burglarized and in every case the attacker was not what any of us would consider an “advanced enough” computer user to utilize foursquare as a prelude to a burglary. It was always something like “we saw them packing up to leave on a ski trip” -visual, in person. If an attacker is enlightened enough to employ the use of attacks like CSRF and social engineering methodology they’re going to go after what you have in the bank, in investments, carbon credits (a new one!) and other things that are far more valuable than your television.
  • In this context its foursquare that’s being thrown under the bus. Their ‘fault’ in this case was to take an already popular idea (dodgeball) and make it more popular. It’s the “in” thing to do rightnow – overshare. Some people do it, other people don’t – people manage their own risk. Telling twitter you’re going to the bar, versus checking in on foursquare AT the bar, versus gowalla, or a facebook update – its all the same thing: You’re telling the internet you’re not home. The problem is the behavior, not the “tool used”.

The last line of the last post I wrote is more or less the overall point I’m trying to make. Somehow, or for some reason the masses have decided to have an epiphany where they throw their hands in the air and declare foursquare unsafe.

Agreed, they have a valid point. I won’t argue that, but its synonymous with walking into the burn ward at a hospital, walking past rows and rows of disfigured and suffering individuals, stopping at one random person then exclaiming to the world how THIS PARTICULAR PERSON is suffering and needs medical attention and oh-woe-is-me-what-a-world.

Generally speaking, the same people who have ‘come to this realization now’ are guilty of using many other applications that “tell people they are not home”.

My point, reconstituted without snark is: You’ve been doing it for years, and you JUST NOW realized it? THATS the problem. Not foursquare. The very same author of the blogpost I linked to is guilty of frequently publishing their location using a variety of applications. At best I can only speculate, but my speculation is that it was done for the readership and stir the pot – not to actually provide any real warning.

Tags: , , , , , , , , , , , ,
Posted in insight, speculation | 6 Comments »

Dealing with liars, slander and libel.

Tuesday, February 9th, 2010

Having been practicing information security on a freelance basis for roughly 2 years now, I’ve quickly come to learn that the information security industry is very incestuous – teeming with folks that think the standard “how to survive prison” methodology works for information security. Find someone who’s made a name for themselves, beat the everliving crap out of them, assume their former glory. This is a problem. Primarily because it doesn’t work, and secondly because nobody has ever been able to do it right and get their intended results.

Moreso is a problem when people who have openly admitted their noviceness in linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ’cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage, or the salem witch trials where women were called out as witches and burned alive, their pleas of innocence ignored.

This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security, the industry surrounding it – picking up a torch and going on a crusade because of something they don’t understand.

I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and the friends and loves ones around me have have suffered because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.

I apologize to those who’s names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.

(more…)

Tags: , , , , , , , , , , , , , , , , , , , , , ,
Posted in insight, rants | 4 Comments »

foursquare sending passwords in the clear

Monday, February 1st, 2010

In this case, I’ll be arguing:

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

(more…)

Tags: , , , , , , , , , , ,
Posted in insight, review, technology, training | 1 Comment »

Twitter, DNS, the “Iranian cyber army” and panic – an analysis

Friday, December 18th, 2009

Status.twitter.com tells us that DNS records were overwritten temporarily tonight by attackers to redirect HTTP traffic to another host that was originally destined for twitter.com.

With the information that I know now (12:40am, 12/18):

The host which contained the landing page was hosted with bluehost. This tells us a few things

  • They didn’t have the infrastructure to do packet captures, or credential theft. Bluehost does shared hosting.
  • Any attempt to do so would have thrown TONS of SSL errors, and very likely DDoS’ed the server hosting the landing page. (Twitter had HUNDREDS of servers, these guys had 1.). All of your twitter apps would have thrown errors, or flat out stopped working.
  • Twitters security infrastructure was left untouched, and was not a target of the attack.

I’ve been watching twitter scroll with sensationalism and panic, people yelling “OH GOD TWITTER GOT HACKED EVERYONE CHANGE YOUR PASSWORDS NOW”.

Please – don’t do that.

Its going to make everyones job harder who have to work on this situation, it incites panic and causes people to prematurely flip out and do things they probably shouldn’t do.

I’ve had to deal with this in the past – people throwing their arms in the air and screaming about passwords being compromised when they in fact weren’t. It did not end well.

Please – think before you hit send.

Tags: , , , , , , , , , , , ,
Posted in insight, rants, technology | 3 Comments »

Hacking someones personal brand

Thursday, December 10th, 2009

Troll definitionI know two trolls. Roger Rustad, and David Kaiser – they run socallinux.org.

If you read anything these two post on socallinux.org you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by google, and mirrored by list-serv they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason the SEO goes up.

This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and google cache results all parroting the original messages.

Google is like the force. It can be used for good and evil. In this example, we’re looking at using it for evil.

(more…)

Tags: , , , , , , , , , , ,
Posted in insight, rants | No Comments »

Toorcon 11, and peoplehacking

Thursday, October 29th, 2009

Toorcon this year was awesome and fun, with the exception of cstone breaking his femur, of course.  I had originally been slated to talk, but a clerical error left my name off of the schedule. Instead I took the role of  ’staff photographer’ and shot the whole event and all the speakers. A few interesting occurences took place:

  • Mckt decided to leave early, and gave me his speaking spot, which I took. Before I was able to speak, barkode approached me and kindly asked me to give my speaking slot to his panel since they desperately needed more time. I agreed. I went from speaking, to not speaking, to speaking to not speaking in one day. I was still a little sad to not be able to give my peoplehacking talk though.
  • Jolly approached me starting out his query with “So Viss, you’re a social engineering guy…” and explained how he wanted to pwn the counting jar contest (explained below)
  • I met a really neat guy from San Francisco that lapses into a really bad scottish accent when I do my really bad irish accent. This made all the dinners and parties we went to hilarious.
  • I spent some time in the lockpicking village teaching new folks how to pick locks (this is fairly standard for me at this point)

(more…)

Tags: , , , , ,
Posted in insight, review | No Comments »

State of the pwnion.

Thursday, August 6th, 2009 
message begins
Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.
People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let someone else worry about it. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.
These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.
Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.
Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.
- Non technical people whos requirements and behavior are insecure and promote systems being rooted
- Systems with lots of various services running on them
- A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
- Commonly used software being exploited within a week of a patch.
Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:
- “Business people” like the idea of getting rid of systems administrators and IT overhead
- “Cloud Computing” does not have a security model yet
- There are no standards – this stuff is too new
- Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”
.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.
So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.
I’m not the only one, either…
http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed
http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon talk. they pwned amazon ec2.
http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

(more…)

Tags: , , , , , , , , , , , , , , , , , , , , ,
Posted in Uncategorized, insight, rants, review, speculation, technology | 1 Comment »

New Retainer Packages!

Sunday, July 12th, 2009

We’ve had an influx of new business recently and it’s led me to think that bolting on some extra value to our clients would really make people happy.

So I’ve put together some retainer package deals. These deals are setup to bring added value to the existing clientele we have, as well as newcomers.

It’s structured like this:

Lets say a new client comes to us and asks for a 15 minute security sweep. We perform the sweep and deliver the report, along with a quote describing what we would have done if we were allowed to continue. The quote is for, lets argue, 15 hours of security work, and 10 hours of systems architecture work. The quote is marked down with a discount since the client opted in for the 15 minute sweep. Our hours are billed out in a tiered structure, wherein the number of hours dictates the hourly rate – the more hours, the cheaper it gets.

Lets now say that the new client agrees to the quote and work begins. The work is completed to the satisfaction of the client, and a retainer package is considered – the retainer packages rate is locked in at the rate at which the project was established – thereby giving a considerably large discount to the clients who opt in for the retainer packages.

This also saves the client valuable dollars in this economy because Aten Labs is already familiar with the environment, and at this point is only mere hours of cost compared to a regular full time employee.

Sound interesting? Check out the retainers page for more info – and while you’re at it, sign up for a free 15 minute security sweep!

Tags: , , , , , , , , ,
Posted in insight | No Comments »

Heads Up!

Friday, July 10th, 2009

First, click this, and read.

There’s a group out there now called ‘Anti-Sec’ and they’re angry about how full disclosure works.

They decided that to make their point, they’d hack imageshack – All of it. They replaced every image on imageshack with a jpeg of their manifesto statement.

In it there are claims of threats – aimed at security blogs and other sites that publish exploits.

It’s probably a good idea to get an audit right now – as contradictory as that sounds.

If theres a hacking group traveling the internet touting “everyone and everything will get hacked” and their first tent-stake in the ground was imageshack?

It’s time for a perimeter check.

We’ve been doing free 15 minute audits all week – so we’re going to extend that through next week as well. Come see us if you’d like one!

Posted in insight, speculation | No Comments »

Cyber Detective Work

Saturday, June 27th, 2009

I talk shop a lot. I talk to people who are security concious, I talk to people who aren’t, and I talk to people who think that ’security’ means evil hackers from russia who are going to steal their credit cards. Think of security this way:

You run a shop. In this shop you sell things. Some things are physical, and some things are purely informational. In this store you run, do you put the combination to your back safe on a post it note on the cash register? Do you leave the keys to the front door out where the customers can get at them? Do you lock the safe and doors when you leave? Are there security cameras? Will you know if something gets stolen, or if someone is shoplifting, or if an employee is embezzling? These concepts are exactly the same, and sometimes when it comes to data, they’re far far more important. Data controls all of our financial transactions, for example. Data controls how we do most of our buisness these days. Who *DOESNT* use data for business transactions, banking information – or keeping secret data secret?

I keep saying to folks who I talk shop with: “Security isn’t what you think it is”. This is a perfect example. Tiny flaws in ones security strategy, or even lack of any security can lead to an attacker (or law enforcement or a private investigator) being able to glean information to further their purposes.

(more…)

Tags: , , , ,
Posted in insight, review, training | No Comments »

« Older Entries