Archive for the ‘review’ Category

foursquare sending passwords in the clear

Monday, February 1st, 2010

In this case, I’ll be arguing:

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

(more…)

Tags: , , , , , , , , , , ,
Posted in insight, review, technology, training | 1 Comment »

Toorcon 11, and peoplehacking

Thursday, October 29th, 2009

Toorcon this year was awesome and fun, with the exception of cstone breaking his femur, of course.  I had originally been slated to talk, but a clerical error left my name off of the schedule. Instead I took the role of  ’staff photographer’ and shot the whole event and all the speakers. A few interesting occurences took place:

  • Mckt decided to leave early, and gave me his speaking spot, which I took. Before I was able to speak, barkode approached me and kindly asked me to give my speaking slot to his panel since they desperately needed more time. I agreed. I went from speaking, to not speaking, to speaking to not speaking in one day. I was still a little sad to not be able to give my peoplehacking talk though.
  • Jolly approached me starting out his query with “So Viss, you’re a social engineering guy…” and explained how he wanted to pwn the counting jar contest (explained below)
  • I met a really neat guy from San Francisco that lapses into a really bad scottish accent when I do my really bad irish accent. This made all the dinners and parties we went to hilarious.
  • I spent some time in the lockpicking village teaching new folks how to pick locks (this is fairly standard for me at this point)

(more…)

Tags: , , , , ,
Posted in insight, review | No Comments »

State of the pwnion.

Thursday, August 6th, 2009 
message begins
Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).
The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.
People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let someone else worry about it. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.
These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.
Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.
Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.
- Non technical people whos requirements and behavior are insecure and promote systems being rooted
- Systems with lots of various services running on them
- A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
- Commonly used software being exploited within a week of a patch.
Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:
- “Business people” like the idea of getting rid of systems administrators and IT overhead
- “Cloud Computing” does not have a security model yet
- There are no standards – this stuff is too new
- Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”
.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.
So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.
I’m not the only one, either…
http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed
http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon talk. they pwned amazon ec2.
http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

(more…)

Tags: , , , , , , , , , , , , , , , , , , , , ,
Posted in Uncategorized, insight, rants, review, speculation, technology | 1 Comment »

Cyber Detective Work

Saturday, June 27th, 2009

I talk shop a lot. I talk to people who are security concious, I talk to people who aren’t, and I talk to people who think that ’security’ means evil hackers from russia who are going to steal their credit cards. Think of security this way:

You run a shop. In this shop you sell things. Some things are physical, and some things are purely informational. In this store you run, do you put the combination to your back safe on a post it note on the cash register? Do you leave the keys to the front door out where the customers can get at them? Do you lock the safe and doors when you leave? Are there security cameras? Will you know if something gets stolen, or if someone is shoplifting, or if an employee is embezzling? These concepts are exactly the same, and sometimes when it comes to data, they’re far far more important. Data controls all of our financial transactions, for example. Data controls how we do most of our buisness these days. Who *DOESNT* use data for business transactions, banking information – or keeping secret data secret?

I keep saying to folks who I talk shop with: “Security isn’t what you think it is”. This is a perfect example. Tiny flaws in ones security strategy, or even lack of any security can lead to an attacker (or law enforcement or a private investigator) being able to glean information to further their purposes.

(more…)

Tags: , , , ,
Posted in insight, review, training | No Comments »

Making Security Research Relevant

Monday, January 19th, 2009

I’m very very open and transparent about security, technology and what I do. I’ve written documentation so thorough that my clients have ended the contracts stating “we dont need you anymore – with these docs we can do the work ourselves” – in the grander scheme of things thats awesome. I love it when clients learn from me and it makes me feel really good about what I do – especially if it sticks the first time – but it certainly is prohibitive towards me paying my rent.

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk


Security 102, part 1 from Dan Tentler on Vimeo.


Security102, part 2 from Dan Tentler on Vimeo.

Video courtesy of @northlight


(more…)

Tags: , , , , , , , , , , , , , , ,
Posted in insight, rants, review | 1 Comment »

Expediency in patches/fixes/knowledge

Tuesday, December 16th, 2008

Everyone knows that there are vunlerabilities from time to time and you should upgrade things like wordpress, windows, osx and other pieces of software commonly used by lots of people. One thing that people don’t take into account is the actual times and dates of the proof of concept (POC), subsequent weaponization of the exploit (if it came from a nefarious source) then the vendors patch and announcement (if they even notice or care).
Lets take the most recent exploit that came out for internet explorer as our example. The first easily referencable date I could find for this exploit.

Thats right – Four days from POC to “publically downloadable and available for anybody to use“.

The day I’m writing this post (Monday Night, Dec 16) The microsoft investigation page still says they’re investigating. If they have any sense tomorrows ‘patch tuesday’ security patch should contain a fix.

That being said – It’s been a week and there is no patch. What does that mean for the end user, CEO, Marketing folks, Sales people, Graphic Artists and other people who arent focused on security all the time?

  • Everyone running IE7 in your enterprise/company/network is vulnerable (and still is, as of Dec 15)
  • If this is exploited there is a fair chance that nobody will know until there is a patch, or the antivirus vendors catch up.
  • If this is exploited on 0-day, then an attacker has been in your network FOR A WEEK ALREADY.
  • Once the fix comes out the hole is patched..
  • But it’s very likely entirely separate attacks were used once IE7 was exploited, so applying the patch to fix IE7 won’t fix any damage the attacker has done

Not everyone has to be security concious all the time. For that theres people like us!
Heres something I see every day: The list of new exploits that come out on milw0rm.com (which is just one of the many sites that exist for publishing known exploits):

Look at the third one down on Dec 15 :)

Tags: , , ,
Posted in insight, review | 2 Comments »

Post Mortem

Wednesday, November 26th, 2008

So security101 went fairly well – people didn’t show up until later, and I had spent too much time screwing aroung with ettercap and MITM attacks to have enough battery to complete the entirety of the talk with all the examples I had hoped for.

Some of the attendees ended up asking lots of questions so the ‘flow’ I had envisioned sort of went out the window – but I’d much rather have people interested and actively asking me questions: It shows interest. I’d rather have interest then have them all silent while I blather on and on.

We all ended up at my place afterwards and I was giving short demos on MITM dns tomfoolery, rewriting all queries for microsoft.com to linux.com, and doing SSL MITM attacks against hotmail using ettercap. Pretty fun stuff!

I’ll be holding the class again for anybody that missed it the first time and wants to have it again, but I haven’t chosen a date yet.

If you’re interested in a date, please leave a comment! I’d like to hold the class when more people can attend.

Tags: , , ,
Posted in insight, rants, review, speculation, training | No Comments »