Posts tagged “security”.

I’m speaking at SOURCE Boston 2009

SOURCE Boston officially let the cat out of the bag yesterday by posting their schedule, so I can now say what I’ve known since about mid-December: I’m doing a talk on the SOURCE business track entitled Massachusetts Data Breach Laws, Regulations, and Responsibilities.

I’m excited to be a part of SOURCE. I attended last year and it was an excellent conference. A great mix of security geeks and business types and everything just seemed to click. Not as “free-for-all-ish” as DEFCON or HOPE, not as stuffy as a business conference. This year, it’s shaping up to be even better: They moved the conference to a better location, and the schedule is even more impressive than last year. If you’re a security geek, you should definitely look into attending. It is worth every penny.

Of course there is an off chance that someone might make a grand entrance a touch early. I think everyone is hoping that doesn’t happen.

What’s the opposite of FUD?

What’s the opposite of FUD? Unbridled optimism? Rosy colored glasses syndrome? Sheesh. @ryanaraine posted this on Twitter this morning: Microsoft to issue out-of-cycle patch for the ‘unknown exploit’. This features such choice quotes as:

It’s the kind of development that could give “zero-day” a whole new meaning: a wave of alleged Internet Explorer exploits, the total number of experimentally validated cases of which apparently numbers zero.

What in the Wide Wide World of Sports is “experimentally validated cases?” Did I miss something here? Is this some kind of new InfoSec standard that I was previously unaware of? How much verification do you want? Take your pick: ISC, Trend Micro, F-Secure, ZDNet, or the Washington Post. What else does he want, have the hole paint itself purple and dance naked on the table in front of him singing “zero day exploits are here again?”

This IS being actively exploited. I have a list of sites that are being used to host exploits sitting in my INBOX right now. If you use IE, you need to patch ASAP or switch your web browser over to something else. To suggest this may not be “actually valid” is irresponsible and is undermining the efforts of security people across the Internet.

Tools, Twitter, and Terrorism

Over the weekend, the Federation of the American Scientists posted a presentation by the Army’s 304th Military Intelligence Battalion. This presentation went over a few things, focusing on the use of mobile technology and the possible use of Twitter by Terrorist cells for either Open Source Intelligence gathering (OSINT) or a Command, Control, Communication, Computers and Intelligence (C4I) tool.

Needless to say, most of the population of Twitter has basically taken the report to mean “Oh my god, the Army thinks Twitter is a Terrorist tool!” and has dismissed the report out of hand. Even some security weblogs I read have been fairly dismissive of the report. After reading up on the report, I completely agree with its findings. I’ve had similar concerns floating in the back of my mind for a while now.

Twitter is a great tool for distributing information quickly, and while that is a good thing, it can also be used for not-so-good things as well. Twitter, with its mobile integration and the fact that everyone has a mobile device, makes it ideal for a distributed intelligence network. The report mentions that this was used with great effect during the Republican National Convention by dirty hippies activists in avoiding apprehension. The report looks at these uses and proposes three scenarios:

Scenario 1: Terrorist operative “A” uses Twitter with (or without) a cell phone camera/video function to send back messages, and to receive messages, from the rest of his cell… Other members of his cell receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow “B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario is not new and has already been discussed for other social networking sites, such as My Space and/or Face Book.

There are real-world examples of people using Twitter for things similar to Scenario 1 and 3 today and while Scenario 2 is the most far-fetched, it is still in the realm of possibility. While I don’t think that there are currently terrorists actively designing operations with Twitter in mind, I do believe that it has registered with them. I’m also sure that information on Twitter is going to be mined by both sides, so it is important to make sure that the “good guys” know how it can be used against them and also how it can be used against the “bad guys.”

Figuring out your opponent’s next move is key in strategic battles and researching all the options is key. The report came up with a few not-so-far-fetched scenarios in which Twitter plays a key role. Coming up with these scenarios allows people to plan to combat them. While it’s easy to dismiss the report as paranoia and think of Twitter as 100% Sunshine and Puppies, it is important to realize that like any tool, Twitter can be used for good things and bad.

I don’t think you thought your cunning plan all the way through…

From the Boston Globe (Emphasis Mine)

A junior at Needham High School posted students’ schedules and identification numbers and teachers’ classroom rosters on his Facebook account after hacking into an online student information system, school officials said yesterday.

Anatomy of a Subway Hack – Banned in Boston!

NOTE: This weblog, and especially this post, is of my own opinion and has nothing to do with my employer.

If you’ve been paying attention to the usual DEFCON brouhaha this weekend, you’ll note that my fine public transportation system decided to file an injunction against 3 MIT students who tested the MBTA’s security and successfully reverse engineered the Charlie Card. Too bad the presentation deck had already been released. Whoopsie!

As a surly information security engineer and a regular MBTA rider, I feel that I can more-or-less discuss with some authority the issues discussed in the presentation deck.

First, the physical security issues they discuss are spot on. As any regular rider of the MBTA knows, there are near constant issues with “exit only” doors unlocked or left wide open and people zipping through open gates when someone is exiting. The MBTA “customer service agents” either ignore it or flat out don’t care. On the Green Line (Which are trolleys, for you non-Bostonian folk.) people regularly get on via a rear door completely bypassing the fare collection system up front. Hell, even the MBTA Police seem to not want to deal with it. As someone who drops $250/month on the MBTA, I am the one who ends up getting screwed.

Social engineering the employees is always one of the biggest issues and the hardest to protect from. As shown in the deck, one can hit up eBay and make oneself into a true blue MBTA employee. I’ve seen first hand (badly) forged MBCR (MBTA’s commuter rail contractor) credentials being used by people to scam free rides. The MBTA spends big bucks on their Anti-Terrorism education campaigns, perhaps that would be better spent in educating their employees to do the same and teach them to start securing their infrastructure. They should also start classifying their information and at least try to keep “non-public” information somewhat private.

The Charlie Card issues are trivial. I long suspected that the stored value cards were similar to the New York Metro Card and would be vulnerable to a cloning attack or could be easily reverse engineered. These guys sat down and did it. From what I can glean regarding the RFID attack, the encryption key is trivial to crack and can be brute forced rather quickly. Had the MBTA opted to go with a more secure RFID system, this would be a lot harder to break, and from the sounds of it, more secure fare collection systems exist.

I’m somewhat pleased at the local media coverage on this. They seem to be painting a fair picture of the situation. So, Kudos to them.

In my not so humble opinion, the MBTA is 100% in the wrong on this. The judge should not have issued the gag order and the presentation should have gone forward. By doing so, the MBTA squashed discussion on its security, and has made itself even less secure in the process.

UPDATE: Apparently k4sac from twitter submitted this to digg. If you liked the post, consider feeding my ego and giving it a bump.

HOPE Presentation

I am still recovering from The Last HOPE. What a weekend. My presentation went very well. While a few of the small jokes fell flat, it went very well. I don’t remember so many people coming up to me during the rest of the conference telling me they liked my presentation. So I guess people liked it.

Without further ado, my presentation:

  • Ghetto IDS and Honeypots for the Home User PPT (4.2MB)
  • Ghetto IDS and Honeypots for the Home User PDF (1.8MB)

SOURCE Boston here I come

As previously mentioned, I’ll be going to SOURCE Boston tomorrow. I’ll be attempting to cover the conference on my somewhat shiny and new Twitter Feed. Perhaps I may even, *gulp* “live blog” (Ugh. I feel dirty for saying that).

Truth be told, I’m not 100% sure what to expect. Most of my previous “security” conferences have been either DEFCON or HOPE, which I assume will be slightly more “low brow” than SOURCE. For example, I’m not expecting SOURCE to have a room full of hammocks you can crash on. But, from what I can gather, and from what the schedule says, it will be a pretty good time. It looks like it’s going to be a good mix of business types and security geeks, and it’s approaching the idea with the right attitude (Pub crawl anyone?). Another plus, any conference where I don’t expect the conference attendees to smell like week-old BO == Win. (Hooray!)

I’ll be staying mostly on the Security Technology track, with possibly heading over to the Application Security track if something over there catches my interest. I’ll be attending the pre-conference gathering tonight, along with the reception tomorrow night and the pub crawl on Thursday. If anyone of the four of you who read this want to meet up, IM, text, tweet, comment, or poke me at the conference.


One of the cool things about the new job, is that they are very pro-conference. Even better, they have a budget for conferences that cost money! Source Boston sounds really cool. While it may not be as cool as DEFCON or ShmooCon, it definitely has that “hacker-ish” feel to it. Of course, any conference with a pub crawl associated with it definitely gets the thumbs up from me.

PaperGhost amuses me to no end…

PaperGhost runs, a very informative and amusing look at malware. He’s full of amusing quotes such as:

Bruce Lee understood that there was no problem on this Earth that could not be solved by repeatedly punching someone in the face until they stopped getting up.

Over the past month or so, he’s outdone himself.

I occasionally take down phish sites and such. However, PaperGhost has done everything short of handing down divine judgement to a bunch of script kiddies who think that phishing Myspace and Habbo Hotel accounts is the bleeding edge of computer coolness. PaperGhost has shown them that such enterprises do not end well:

A bit of reading, but highly enjoyable…

I love your product, but, it sucks…

Nepenthes is a wonderful tool that is great for collection of various malware nastiness. It’s extremely useful and has provided me a fair share of amusement when I review the logs seeing all the various trash the Internet’s tubes try to dump onto my computer. I love Nepenthes.

Unfortunately for me, Nepenthes also completely sucks.

Nepenthes does some amazing things in the areas of collecting malware, examining payloads, and automatic analysis. However, from a user perspective, it’s a fetid pile of yak’s droppings and an abomination in the sight of God. The software seems to be in a perpetual state of debugging, which, by itself is OK, but it seems to constantly want you to run it from the console. This makes it difficult if you ever want to run it unattended, which in most cases you will want to do considering you’re essentially trawling for malware. Also, the logging facilities also seem to reflect this, as extracting meaningful messages from the log file is pretty close to reading tea leaves.

The thing that really drives me batty is trying to get Nepenthes and Honeyd to work together. The author seems to know that people want to do this and tries to explain what has happened, but provides a next-to-useless explanation and ends it with an update of “The Honeyd guy managed to do this, but I don’t know how.”

I know that almost all open source software is on some level classified as a hobby, but wouldn’t you at least try to make inquiries as to how to make it work, and/or adjust the codebases to make this kind of setup easier? Instead, you have people like me who are using duct tape and baling wire solutions to “fix” the problem, and are unable to recommend the software for use in production environments because of specifically that.

Which is sad, because I love Nepenthes.