PaulDotCom Security Weekly - Episode 235 for Thursday March 17th, 2011.
- SOURCE Boston on April 20-22 - Paul and Larry will be there to hang out, talk security and drink beer.
- Born To Run (and Hack) - Don't forget to sign up for the Hacker Run!
- SANS Classes
Guest Interview: Peter Herzog
Pete is a security analyst, creator of the OSSTMM, and the co-founder of the open, non-profit security research organization ISECOM. He also started the Hacker Highschool Project to provide information security awareness to teens, and can sometimes be seen drinking sangria as it was intended, in Barcelona, Spain.
- How did you get your start in Information Security?
- What gave you inspiration for the Hacker High School project?
- What made you create OSSTMM and why did you decide to turn it into open source?
- You recently wrote an article discussing patches - isn't defense in depth good?
Special Guest Tech Segment: Georgia Weidman presents Transparent Botnet Control for Smartphones Over SMS
Georgia Weidman is a member of the GRM n00bs, a group providing training and media for information security beginners. She is a survivor of the collegiate cyber defense competition and now she specializes in whatever security work she can get.
A Special PSA from the PDC Crew: "Lessons in Social Engineering" or "How to Ask the PDC Crew For Help", also "We See Through Your Ruse"
We get a lot of good e-mail here at PaulDotCom. We try to answer as much of it as we can, and offer advice where we can too. We also often direct people to our IRC channel and mailing list so that they can pick the brains of other great minds. Sometimes we get e-mails that are too precious not to share (names and addresses changed to protect the innocent), and yes, this is from an ACTUAL email exchange:
From: carla
To: <email@example.com>
Subject: Hi
Hey Paul, I read your article on your webpage, and I was wondering if you could help me at all, it's in regards to my outlook web access email account... Regards, Carla
Here's how we read this message:
From: carla
To: <firstname.lastname@example.org>
Subject: Hi
Hey Paul, I read your article on your webpage, and I was wondering if you could help me at all, it's in regards to my outlook web access email account... Yeah, you know, that article, on the internet? You know the one! The one with all the words? And the pictures? And the good advice even! If you can help me, it would be awesome. MY outlook account, not some corporate fool, who you'll help me compromise and spend the rest of your life in federal pound-me-in-the-ass prison. No, nothing like that. Purely on the up and up. Regards, Carla (I actually remembered to sign the name on the e-mail to match the fake/newly created e-mail account from Gmail...)
Ah HAH! Let me retort!
From: <email@example.com>
To: carla
Subject: Hi
Hi Carly, Sure, can you send me the URL, your username, and your password? ;) Thanks! Cheers, Paul
Hook, line, sinker.
From: carla
To: <firstname.lastname@example.org>
Subject: Hi
Hey Paul, thanks for replying. That's the thing... I have lost the password... I am trying to recover it... It's for my work emails, and the IT guy is on his jollies at the mo, so I can't access my email. Is there any way of me recovering it at all that you know of? Thanks
Yeah? That's what I thought. Here's what we read:
From: carla
To: <email@example.com>
Subject: Hi
Hey Paul, thanks for replying. So, as you can see my e-mail admin is out of town, and well, my SE game is way off (as you can tell by these e-mails), so I figured I'd play you for the fool. A patsy, if you will - see what I did there with the Irish reference on St. Paddy's Day? Yeah, so if you can totally help me break into these systems it would be totally cool. No, I can't offer to pay you, but I'll think about sending you some cigarettes in prison. They use them for money in there, don'tcha know. So, can I get my jollies, and get you to recover my password or what? Carla
So, that being said, there's a right way to ask for help. There's also a right way to gain access to this type of information, and as of this writing, we have no contracts in place authorizing this kind of testing. Besides, it takes several more beers and naked pictures to get us to fall for this type of social engineering. We are, after all, professionals. (Yeah, yeah, professional what? That's what everyone is trying to figure out...)
Stories For Discussion
- Why does it take this? - [Larry] - So, MAYBE in response to Ashton getting Firesheeped, Twitter now has better support for all SSL, all the time. Why does it take a celebrity to fix a problem that should have been implemented the correct way in the first place, while hundreds of thousands of normal folks were getting pwned right along?
- [No link] - [Larry] - While I'm in rant mode, what's with customers feeling the need to go all death metal on me when I show up on site? I mean, they know I'm coming, so do they Google me and feel that they have to dress and act a certain way for when I show up? Is this because they want to have some camaraderie so I'll be gentle with their report? No, I won't be gentle, I'll lay it straight and work with you to make recommendations that are a fit for your business, whether you wear all black, a pentagram necklace and skull rings and have to go home at lunch to re-douse yourself in cologne, or you're a mild-mannered middle-management superhero. I mean, I get it that you Googled me, judged a book by its cover, and want to fit in? I just don't get it, and besides, you look silly pretending to be something you're not.
- RSnake, dead at 34 - [Larry] - You, Sir, will be missed. Yeah, I know he's not really dead, but his online presence is. So, how do you get the Facebook page appropriately immortalized? An obituary for a person with the same name, in close to the same area, with a similar age. It is like a fake ID in reverse, and may be an interesting DoS technique for an attacker.
- Tasty meat - Caribou - [Larry] - This one looks neat, an Android app that will brute force HID card access systems to open doors over the network. Now, I'm going to call shenanigans until we see source code - but not too many shenanigans, as the individual claims to be working with the vendor and CIRT first. But (and it is a big butt), I'd argue that in order for this to work, you still need to have the affected moving parts either Internet accessible, or on a network with wireless access (either open, weak keys, or a rogue)... not that any of those situations would EVER happen...
- Mid-Atlantic CCDC Wrap-Up - This is my article on the event, fun times as always. Thanks to Casey O'Brien for keeping us involved with this event. Thanks to the JHU APL A/V team, you guys totally rock. You can view videos from the event on the PaulDotCom Ustream Channel.
- The Girl Who Hacked HBGary - [pauldotcom] - If ever there could be a potential work of fiction and social engineering, this is it. This is the story of an unnamed girl who apparently did an interview with Forbes about Anonymous. She claims to have learned how to code in low-level languages at an early age, learning from her Dad. She quickly turns her attention to hacking when she can't gain legitimate access to some online forums. Then she hacks the forums and earns respect. She finds vulnerabilities in software and exploits them for fun. Eventually she joins Anonymous, but now she is bored with it all and apparently going to school. While this sounds like a Hollywood movie plot, there is no way of knowing if this is true. However, it reminds me of Alan Paller's talk at CCDC. He is creating and using hacking challenges to flush out security talent at a young age, and giving them an opportunity to do something useful with it. I commend the efforts in this area, and truly hope we are able to find the talented computer security mad scientists in this country and focus their efforts on positive things, like protecting the nation, rather than teenage-hormone-fueled hacking escapades.
- Table Stakes - I've been thinking a lot about this topic lately, so Rich's article is timely. Rich says that we are finally at the table, security is a legit "thing" now, and we should stop whining about FUD, products, sales people, and a host of other things. First, we're not complaining, well some of us may be, but most of us are trying to keep this business away from FUD and stop people from using half-baked products. This is important to business, any business, not just security, and it's important for all of us to understand business as it relates to security. I hear ya Rich, not all of us do, and we could benefit from a "Business 101 for security professionals" course. I have a degree in business, and it was nothing more than experience that taught me what I know, albeit I am still learning. The business landscape is constantly changing, and we have to roll with the punches as technology, and the security of the technology, constantly changes. Okay, enough rambling, let me address Rich's points, some of which are really spot on.
1) Hate the endless compliance cycle? For most of you it's the only reason executives listen to you at all. - Really? If the only reason stakeholders listen to me is because of PCI, I am doing it WRONG. Compliance is one phase of the game; don't forget about raw security and that thing called risk management. If you can't work with your management on all three fronts, you are playing a losing game (hopefully it's not global thermonuclear war).
2) Hate the "industry"? Name me one other area of society involving big money that doesn't become dominated by some sort of industry. - I think we're dominated by business, and if you don't understand the business, you shouldn't be complaining. That's not to say we all can't work to make this industry have integrity.
3) Despondent over lack of innovation? Then stop buying the same crap you buy every year and invest in the products struggling to innovate. - I could not agree more! We have crappy products because people buy them.
4) Tired of users who just don't get it? How about you stop pretending human behavior can change and that just because you see something a certain way you're any better than everyone else. - BINGO! Don't give up on user education, but continue to use innovative technologies that protect the user and let them do their jobs.
5) Pissed at careless developers? Go write a secure piece of software on time, budget, and specifications, and come talk to me again. - Yes, writing secure software is hard. However, this is another area where you can use education, coupled with technology, to make resilient software. There are many efforts in this area: Rugged, Dan Kaminsky's project.
6) Shocked that the bad guys are targeting you personally? Why the f* wouldn't they try to remove or distract the guards? Do you want to be friends? - So true. I used to hear "No one would want to hack us". Get over it, people want to hack you. They are many. They have all different motives. They come in all shapes, flavors, and sizes. Defense is hard, be creative.
7) Angry at vendors that lie about capabilities? Then stop forcing them to have dozens of widgets and performance capabilities you won't ever use or send back for a refund. - Whoa, how is it my fault that vendors lie about capabilities? It's true, technology gets complicated because everyone wants something custom for their needs. Dear vendors, provide your customers a nice API, tell them to hire some talented people, and stop requesting one-off features. There's a start. Example: why do I need 8,000 features in my web browser or document publishing product? It's a tough market, and features rule, but my bet is that you could sell modular and trimmed-down versions of software. Problem is, human nature tells us that we want the "advanced" version of everything, not the basic, because heaven forbid we don't have a feature, like Mr. Clippy.
- Why I am Quitting Security - You know what, if you want to quit, then quit, we don't want you anymore. There is nothing I hate more than a quitter. Let's stop being afraid to talk about what is happening in information security and work together to make this a better place. BTW, try not to lose your phone at a hacker conference. I lost my phone once, it sucked, I wrote an article about lessons learned, and other people learned from my mistake.
- :) LOL POOP - Why is it that saying "POOP" is still funny no matter how old you are?
- Ninjas v. Pirates - "Pirates need ninjas. Ninjas need pirates." I think there is a point here: pirates and ninjas need to work together. Now, having said that, if you are a ninja you should learn how to come out of the shadows and talk to people. If you are a pirate, learn when to act like a ninja. We all need to be a little of both to be truly successful.
- 59 Open Source Tools That Can Replace Popular Software - One thing that people underestimate is how much time it takes to configure and maintain open-source tools. Make sure that you factor this into your equation when looking for solutions to your problem. I talk to so many people that say, "I don't have the budget for that" but spend WAY more than that in time and resources configuring something from the ground up. I hate to make this analogy, but your car should just work. Some people like to tinker, and that's cool, but most of us just need to get around. Now, there are certainly exceptions, and it goes back to customization. It may be better to employ people to keep custom versions of the software running for you; just make sure you see the whole picture when making these decisions.
- Information - Be free! - Let information be free; sometimes we protect information out of habit, or out of feeling like we're the cool kids.