Security Watch | Matt Hines » August 2007

August 23, 2007 | Comments: (0)

Why everyone needs a shredder

Ever wonder what you should do with all the free credit card offers that you receive in the mail from Visa, MasterCard, AMEX and everyone else?

Well, the answer is simple -- you should shred them or burn them or do anything that you can to destroy them in a manner that won't allow for them to be used by someone else who wants to hijack your identity and destroy your personal credit rating. Seriously!

Most people (myself included) have likely deferred to the time-honored "fold it up and rip it up" approach over the years, as it's the easiest way to dispose of the seemingly endless parade of offers without going to much trouble.

And, logic would follow, once you've sufficiently mangled one of the junk letters by ripping it up, there's seemingly little chance that someone could put all the pieces back together and get the resulting carcass accepted by any legitimate credit card issuer. Right? Wrong!

In his latest project, terminal prankster Rob Cockerham, operator of the Cockeyed.com site -- which has previously detailed everything from the best ways to fight back against spammers to a scientific process for predicting the ingredients of a typical bag of mixed nuts -- illustrates just how stupid and greedy and willing to ignore an individual's privacy these credit companies really are when it comes to dealing with their own junk mail offers.

In a series of photos posted on Cockeyed, Cockerham shows off how he ripped up such a credit card offer, taped it back together, and mailed it in to the good folks at Chase MasterCard -- who apparently ignored the physical condition of the application and sent him a new card without so much as a phone call to ensure the paperwork wasn't duped.

On top of that, Cockerham had the card shipped to an address different from the one the offer was originally mailed to, and arranged for it to be activated from a cell phone number that was different from the number the company had listed in the original letter.

Chase MasterCard's own advice on dealing with credit card offers is almost comical in light of the exercise, as the company specifically recommends that you simply tear them up (or shred them… at least they were half right).

Now maybe MasterCard has some secret wealth of personal data that allowed them to figure out that Cockerham was having the card mailed to his parent's house and that the number he gave them is that of his real mobile phone, but even if that is the case, should they really accept tattered credit card applications pieced together with tape without so much as calling the involved customer to make sure there's no sign of fraud? No way!

Credit card companies can enforce PCI and host security symposiums and do all they want in the name of good PR around improving security, but the fact of the matter is that if they did a better job of protecting their customers by using common sense and policing their own business practices they could probably eliminate a lot of fraudulent activity.

My take on this one is that it seems they don't really care after all, especially if it means slowing down their business, which is pretty sad indeed.

(Matt Hines will be on vacation from Zero Day until after the Labor Day weekend.)

Posted by Matt Hines on August 23, 2007 01:44 PM


August 22, 2007 | Comments: (0)

Data lingers in off-network devices

Data breaches such as the one reported by Merrill Lynch earlier this month -- through which the company lost some 33,000 employee records via a laptop stolen from a New Jersey office -- could be avoided if companies did a better job of managing and defending information stored on devices that move off of corporate networks, according to a new report published by Ponemon Institute.

Presented by its authors at the Privacy Symposium being held at Harvard University on Wednesday, the study -- which is based on a survey completed by 735 senior IT security professionals -- finds that 73 percent of the corporations it interviewed experienced the loss or theft of a data-bearing machine sometime in the last two years.

Despite that reality, and the fact that 62 percent of study respondents admitted that they were unsure whether their off-network equipment contains unprotected sensitive or confidential information, some 39 percent said they do not view the management of such devices as a "critical component" of security.

In a nod to the lack of tools being used by businesses to track data leakage, 30 percent of those individuals responding to the survey said they would never be able to detect the loss or theft of confidential data from off-network equipment when it happened.

Unsurprisingly, based on the results, Ponemon found that a vast majority -- 70 percent -- of all data breaches result from the loss of off-network equipment, including laptops, PDAs and cell phones.

"Protecting data that is stored on devices outside the confines and control of the corporate network is a problem for which many companies simply do not have a solution," said Dr. Larry Ponemon, founder and chairman of the research company bearing his name. "Our research shows that, while most companies recognize the risk off-network data poses, few seem to have a grasp on how to manage the many challenges off-network data present to maintaining a strong data security program, and many do not even have a policy to address the situation."

Robert Houghton, president of Redemtech, the company that sponsored the study, added:

"The cost of a security breach is astronomical, whether it occurs over the network or results from lost or stolen off-network assets," Houghton said. "The results of this study should alarm CEOs who have customer or employee information, and a brand to protect. After years of effort to establish secure computing, many companies are neglecting this very basic risk."

Posted by Matt Hines on August 22, 2007 02:02 PM


August 17, 2007 | Comments: (0)

Storm worm will continue to turn

If you haven't noticed, your spam folder -- if not your inbox -- has probably been packed with attacks disguised as eCards over the last several weeks.

Many security researchers have been warning of the new attack surge, and highlighted the fact that it is being both propagated by the well-known Storm Worm and used to install the very botnet software that serves as the P2P virus's foundation.

While the eCard disguise is hardly a new approach for hackers, some researchers feel that the approach is likely reeling in a fair number of victims, based on the sheer number of messages being generated and the fact that the platform is such a tailor-made vehicle for such a use -- in that eCards are designed to look like they come from someone you know, yet are delivered by an unfamiliar, seemingly innocuous, third-party source.

In addition to its strong likelihood of confusing some less savvy end users, the new wave of Storm activity is likely being carried out by the same gang that created the original version of the worm, said Randy Abrams, director of technical education at security software vendor Eset.

The social engineering technique is a hallmark of the work carried out by the Storm Worm Gang, which is believed to operate out of Russia, he said.

"These guys are very active in doing their own social engineering, so it's very probable that a lot of the recent eCard, pump-and-dump and pharmaceutical attacks that are showing up are coming from the original group," Abrams said. "Most of the spam that's being used to deliver this stuff is the result of zombie PCs infected by Storm, and most of the new eCards are designed to infect computers to make even more zombies."

Some of the pump-and-dump activity may have been the result of efforts by the botnet owners to rent out their network to others, but the original group is the one that appears to be continuing to reap the profits of Storm, the researcher said.

Putting a stop to the threat isn't going to be an easy process for anyone, but in order to quell the attack large ISPs need to get more involved in the hunt, Abrams contends.

"Eventually maybe this group will move on to a different worm, maybe they will be forced to change tactics as technology evolves to slow it down, but right now with the size of this botnet and its P2P delivery model there's not a head to cut off," he said. "Eventually the ISPs will need to do some serious filtering, but part of the problem is that in some countries [notably France] they're not even allowed to do that; some of these countries need to review their privacy laws."

Unsurprisingly (given his title), Abrams believes that the only way to help stop the spread of such attacks is to begin doing a better job of educating younger people about social engineering techniques, perhaps even going so far as to do so when they are elementary school-aged children.

"With the advent of computers and massive anonymous communications the social engineering threat is always going to be more prevalent, and we really need to make people aware of this as early on as we can," he said.

Posted by Matt Hines on August 17, 2007 01:56 PM


August 16, 2007 | Comments: (0)

Countdown to database timing attacks

I didn't have a chance to see Core Security Researcher Ariel Waissbein's presentation on database timing attacks at Black Hat, but he promised to explain it to me in detail when we bumped into each other here in Boston last week at the Usenix Security Symposium.

The affable researcher's approach -- a proof-of-concept exercise that allows an attacker to extract private data from a database by performing mere record insertion operations -- is a pretty interesting, and fairly low-tech example of how someone can potentially scoop credit card numbers or passwords from a commercially-available database by using not much more than their own smarts and a little technical footwork.

The technique has thus far been carried out successfully in Core's labs against a MySQL database, and Waissbein said that the company is currently testing it against popular Oracle and Microsoft databases, among others, to see if it will work -- though he said he thinks it should.

Core is also developing similar test attacks that may find their way into future iterations of its automated pen testing products.

Here's how it works, according to Ariel:

"Usually the way that a database works with applications is that it holds the information and can be searched, but has only a few controls that can be carried out by unprivileged users, such as for creating new user accounts."

"We created attacks that create new tables, and by doing this and measuring the timing of the insertion process, an attacker can deduce where the secret entries might be, such as for usernames and passwords."

"So, say you register with a site supported by the database several times. By inserting a table and storing several passwords -- you can then essentially measure the timing and get access to all the passwords."

"You could try to do the same thing using a brute force attack, but this is far less time consuming."

Basically, Waissbein highlights the fact that databases are typically designed -- using so-called B-Trees, the most common indexing data structure used by database engines -- to make sensitive information, such as credit card data in an e-commerce transaction database, available to applications in the most efficient manner possible.

All the entries in a particular column of the database typically hold the same kind of value, so they can be unearthed by going after the stored information in the different nodes of a tree.

Those structures can then be exploited to guess how many values there might be in one node -- with each node typically storing several hundred passwords or credit card records.

By narrowing down the possible values for each node and starting an attack by giving all the possible values, one can pretty easily get a fix on where the values/records are located, he said.

By repeating this process over and over again, you can narrow it down to a set of possible values and pick one that's most likely to hold the data the hacker is after.

One of the challenges in carrying out the technique is that it becomes harder to do in databases where there is a lot of user noise, so a savvy hacker using the approach might try to determine when there is little activity in a database to make their move, such as when a company's business day is over.

There also needs to be a fair amount of customization of the attack for each type of database, but someone could do the work fairly easily once they decide what company they want to attack and monitor their database activity, he said.

Once that groundwork is completed, the attack itself could be carried out in as little as ten minutes, said the researcher.

"Every user has the option not to use B-Trees; there are a lot of alternative structures, but B-Trees work very efficiently," Waissbein said. "Sometimes being inefficient is more secure; this technique takes advantage of a lot of features that have been in use for over 30 years."
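To make the mechanism behind Waissbein's description concrete, here is an added toy model of the leaf level of a B+-tree index. It is illustration code written for this page, not Core Security's tool or any database engine's code. It counts the work a single record insertion does (keys shifted, plus an assumed SPLIT_COST when a full leaf has to be split) and shows that the count depends on how many stored keys already sit near the new key, which is the signal a timing measurement would expose. The costs are simulated operation counts, not wall-clock timings, and the leaf capacity and sample keys are constructed for the demonstration.

```python
# Added illustration, not Core Security's code: a toy model of the leaf level of a
# B+-tree index. It shows why the work done by a single record insertion depends on
# how many keys already sit near the new key, which is the side channel the
# timing attack measures. The cost figures are simulated operation counts, not
# wall-clock timings, and SPLIT_COST is an assumed value.

SPLIT_COST = 10  # assumption: splitting a full leaf costs far more than shifting one key


class LeafLevel:
    """Sorted leaves of fixed capacity; all keys live in leaves, as in a B+-tree."""

    def __init__(self, capacity=4):
        self.capacity = capacity
        self.leaves = [[]]  # list of sorted key lists, ordered by their first key

    def _find_leaf(self, key):
        # The leaf whose first key is the largest one <= key; the first leaf
        # catches keys smaller than everything stored so far.
        idx = 0
        for i, leaf in enumerate(self.leaves):
            if leaf and leaf[0] <= key:
                idx = i
        return idx

    def insert(self, key):
        """Insert key and return the simulated cost: one unit per stored key that
        has to move right to make room, plus SPLIT_COST if the leaf overflowed."""
        idx = self._find_leaf(key)
        leaf = self.leaves[idx]
        pos = 0
        while pos < len(leaf) and leaf[pos] < key:
            pos += 1
        cost = len(leaf) - pos  # keys greater than the new key are shifted
        leaf.insert(pos, key)
        if len(leaf) > self.capacity:  # overflow: split the leaf into two halves
            mid = len(leaf) // 2
            self.leaves[idx:idx + 1] = [leaf[:mid], leaf[mid:]]
            cost += SPLIT_COST
        return cost


def probe_costs(stored_keys, probes, capacity=4):
    """Build a fresh index from stored_keys for each probe and report the cost of
    inserting that probe. Using a fresh copy per probe keeps the probes from
    disturbing one another, so the differences come only from the stored data."""
    costs = {}
    for probe in probes:
        tree = LeafLevel(capacity)
        for key in stored_keys:
            tree.insert(key)
        costs[probe] = tree.insert(probe)
    return costs


if __name__ == "__main__":
    # Constructed sample: four stored keys fill one leaf exactly, so any probe
    # forces a split and the shift count reveals where the probe lands.
    print(probe_costs([10, 20, 30, 40], [5, 25, 45]))  # {5: 14, 25: 12, 45: 10}
    # Three stored keys leave room, so the same probes are cheap and the
    # cost alone tells an observer how many stored keys exceed the probe.
    print(probe_costs([10, 20, 30], [5, 25, 45]))      # {5: 3, 25: 1, 45: 0}
```

The model also shows why the "user noise" Waissbein mentions matters to a defender: every legitimate insert changes leaf occupancy between two probes, so concurrent activity smears the cost differences an observer is trying to read. That is the reason quiet periods such as the end of a business day are the dangerous window, and it is why an unusual burst of account registrations or record insertions from a single source during off-hours is a sensible thing to alert on.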

Posted by Matt Hines on August 16, 2007 10:37 AM


August 15, 2007 | Comments: (0)

What we're (not) learning from TJX

When TJX Companies first reported its massive data breach at the beginning of this year, many financial and industry analysts predicted that customers would provide the most painful form of punishment for the misdeed and simply do their shopping elsewhere.

Once again, the so-called experts appear to have been wrong.

Beyond the harsh financial penalties that regulators, lawmakers and business partners would deliver upon companies such as TJX, we were told, the sound of customers' feet marching out of the retailer's stores would be the most painful result of the incident.

As we found out yesterday when the company reported its second quarter earnings -- that simply has not been the case.

While TJX has upped the overall expense of handling the systems intrusion -- believed to have been initiated by a war-driving wireless hack of its point-of-sale systems -- to a total of approximately $215.9 million, including the cost of carrying out a painstaking forensic investigation, providing credit monitoring services to affected consumers, and paying legal defense fees and other fines, its core business remains massively profitable.

In a time when many retailers are reporting soft numbers by industry estimates -- including industry bellwether Wal-Mart -- TJX reported on Tuesday that in-store sales and profit margins are on the rise and its management upped their expectations for the company's earnings-per-share for the year.

The implicit lesson has to be that consumers are either oblivious to the whole cycle of news reports and research being produced about the nature of corporate information leakage and its relation to identity theft (which has actually come under question), or that they simply feel there's nothing they can do about it, so why change their lifestyles to deal with the issue.

The companies that have to be the most upset are the credit card issuers and banks that have been forced, thus far, to eat the costs of sending out new cards to customers who may be among the estimated 46 million people whose information may have been stolen by the hackers -- but it remains to be seen how much money they're going to get from TJX by suing the firm over the incident.

At the same time, TJX is still ringing up heavy sales, and a lot of those transactions are likely being carried out using credit and debit cards, so, that has to make the banks and issuers happy on some level.

So who wins, and who loses most, is the biggest question in the end with this type of scenario. I'm sure TJX would like to have their $215.9 million back, along with their reputation as a trustworthy company, but as usual, it appears the little guy -- the one who gets their ID stolen based on the incident -- is the one who gets stuck -- not that they seem to care.

Posted by Matt Hines on August 15, 2007 03:31 PM


August 14, 2007 | Comments: (0)

Facebook users often pass ID info to strangers

It's apparent that people's understanding of online ID theft and the threat of personal data loss from so-called Web 2.0 sites has not yet taken leaps and bounds forward.

As part of an exercise aimed at finding out how many people it could get to send their Facebook profiles -- which often contain significant amounts of personally identifiable data -- to a dummy account set up to gather such details, security software maker Sophos lured roughly 40 percent of those it sent invitations to on the site into swallowing its bait, which was frog legs.

The invitations were linked to a profile that offered details about "Freddi Staur," a clever anagram of the term "ID Fraudster," who was represented in his profile on the site as a small green plastic frog -- one who in turn offered up very little personal information about himself.

Sophos, which has its headquarters just outside Boston, said that it sent invitations to link to the profile to 200 random users of Facebook, the social networking site that began as a virtual space for college students to share info with one another but which has been expanded to include just about anyone.

According to the company, some 87 of those people it queried responded to its toy reptile's invites, including 82 people, or 41 percent, whose profiles divulged personal information such as their e-mail address, date of birth, address or phone number.

In total:

- 72 percent of respondents divulged one or more email addresses
- 84 percent of respondents listed their full date of birth
- 87 percent of respondents provided details about their education or workplace
- 78 percent of respondents listed their current address or location
- 23 percent of respondents listed their current phone number
- 26 percent of respondents provided their instant messaging screen name

While Sophos researchers admitted that it would typically take some additional legwork to assail those who replied to the invites, such as luring them into downloading a spyware program or tricking them into visiting a phishing site, many handed over enough info to give an aspiring fraudster a good idea of who they are, including a good number who passed along pictures of themselves or their family members.

"It's extremely alarming how easy it was to get users to accept Freddi," said Ron O'Brien, senior security analyst at Sophos. "While it's unlikely this will result directly in theft, it provides many of the essential elements needed to gain access to people's personal accounts. Additionally, it reveals specific user interests, enabling hackers to design targeted malware or phishing e-mails that they know the user is more likely to open."

There's still some debate as to just how much identity fraud results from such online data leakage, or even massive records thefts such as the one encountered by retailer TJX Companies. However, the report does illustrate the seemingly gullible nature in which many users of sites like Facebook go about their online interactions.

Ribbit.

Posted by Matt Hines on August 14, 2007 08:39 AM


August 10, 2007 | Comments: (0)

There's hope for stopping mobile malware

With all the air miles that F-Secure Chief Research Officer Mikko Hypponen has been racking up traveling from his hometown of Helsinki to security events in the U.S. over the last several weeks, he may soon outrank countryman and star F1 driver Kimi Raikkonen as the world's most prolific "Flying Finn."

But if he's wiped from all the travel -- which has included trips to Black Hat and Defcon in Las Vegas last week, a quick dip home to see his family, and a return over the pond to speak at the Usenix Security Symposium in Boston this week, where he presented yesterday -- it certainly hasn't infected his outlook.

Because after years of warning the world about the imposing threat of viruses designed to target mobile devices -- an effort which F-Secure has been involved in since as far back as 1999 -- Hypponen said he actually feels that there's a good chance that the threat of mobile malware may not be as severe as it was once believed to be.

F-Secure jumped on the handheld security bandwagon early in the game because its headquarters is roughly 2 miles away from that of Nokia, said the expert, whose home collection of stand-up arcade video games wowed the Usenix crowd almost as much as the depth of his research.

But all things considered, he said, there may now be more proof than ever that mobile malware will not be as troublesome as the threats that have assailed our PCs.

"The message that I'm passing along is that if we play our cards right, things really might not be so bad on mobile devices," Hypponen said in a sit down with InfoWorld. "There will be attacks, but since the industry hasn't waited ten years to do something about it, as we did with PCs, the problem shouldn't be nearly as bad."

The researcher said he's been spending a lot of time with handset manufacturers and wireless carriers testing for security problems in the field, and that those companies have become very comprehensive in addressing the potential for malware attacks.

Based on what he has observed in those companies' plans, and their existing technologies, he said that the average handheld is actually far more secure today than any other type of widely-adopted computing device.

Even the Symbian operating system -- which has been assailed by far more malware threats than any other mobile platform on the planet -- is far more secure than something like Microsoft's PC-based Windows platforms, and many other less porous technologies, he said. And for the record, so is Microsoft's own Windows Mobile OS.

"I'd compare Symbian favorably to any other OS on any type of device in terms of security," he said. "It has a lot of features that don't exist in other operating systems that make it very effective to that end, such as the fact that there's no capability for applications to install themselves without user interaction by default, which has proven to be pretty effective."

If technology providers continue to make such smart decisions in designing their products -- which he believes to be a reasonable possibility -- Hypponen said that mobile malware might not ever be that bad after all.

"I'm pretty confident that if things continue to progress as they have we might be able to keep this whole issue at bay and keep these devices secure," he said.

Alas, that doesn't mean that mobile devices will get off the hook completely. As with the types of viruses seen already on Symbian, there will be many attempts to fool end users with social engineering attacks that try to trick them into downloading troublesome programs, he said.

The expert believes that many of these will involve scams that try to lure users into paying for pricey text messaging programs or that download automated phone dialers which ring toll numbers controlled by fraudsters. Unfortunately all the good technology in the world can't save people from their own stupidity it would seem.

In parts of Asia where mobiles are already being used as wireless RFID payment tokens, the biggest threat has been physical theft, Hypponen said. As those types of systems arrive in the West, there will be more people who try to steal the handhelds or find ways to hack the payment systems, he believes.

And watch out, iPhone users: Hypponen contends that there is a 90 percent chance that viruses will be developed to target the popular devices, based on the amount of security research being devoted to the platform and the knowledge that users of the $500 Apple handhelds probably have something to steal.

Hypponen flew out of Boston Thursday night and he'll arrive back in Finland sometime Saturday morning if everything goes as planned. You can say whatever you want to about the guy's research conclusions, but there's no question that he's an expert in mobility.

Posted by Matt Hines on August 10, 2007 06:20 AM


August 08, 2007 | Comments: (0)

Fighting click fraud through trust

The issue of click fraud continues to haunt the online advertising space as advertisers and their distribution networks struggle with methods of verifying the legitimacy of the traffic they receive, but the situation could be improved quickly if the companies figure out a way to convince end users to offer small amounts of contextual information about themselves that would help weed out automated hits and other problems, researchers said.

Presenting at the ongoing Usenix Security Symposium in Boston, Ari Juels, a researcher with EMC's RSA Labs division, outlined his concept for fighting click fraud through "premium clicks."

With shady syndicates using scripting programs to boost traffic using software that mimics user ad impressions, or tapping into botnets to carry out similar scams, online advertising remains as questionable as ever in terms of proving the legitimacy of its traffic, Juels said.

However, by simply shifting their model away from trying to determine which types of traffic appear to be fraudulent to one where advertisers qualify hits as legitimate by correlating traffic with individual users or browsers, the industry could greatly improve its reputation, the researcher said.

"If people could use filters to identify browsers uniquely, things like rapid fire clicks from scripting programs could become easily detectable," Juels said. "We need something that doesn't rely on an IP address -- such as a token -- that could help identify honest users over click fraud."

As an example, Juels said that if end users could be convinced to keep some trace of their previous transactions in their browsers, such as proof that they have paid for a subscription to a site or carried out an online transaction of some kind, it would become infinitely easier for advertisers to determine which types of traffic are real, versus fake.

Truly ingenious botnets that are programmed to copy the tokens themselves might still prove troublesome using such a model, but companies could more easily identify who the truly valuable visitors to the sites may be.

In turn, the advertisers could financially reward syndicates that deliver them the highest quality traffic and lowest rates of click fraud, Juels proposed.

While many end users might be scared off by the privacy concerns involved with sharing some of their Web surfing history, the researcher contends that people could be convinced to participate via marketing programs that offer discounts on e-commerce transactions or systems that promise to cloak any data made available in the browser.

Another manner of applying the model could involve qualifying certain online businesses to serve as "attesters" that provide secure proof that users are for real and not just spam-fueled botnet machines, he said.

As an example that some consumers might be open to participating in premium traffic programs the researcher pointed out that Google was able to convince large numbers of people to hand over their phone numbers to gain access to its Gmail Web mail application. Gmail also uses contextual information derived via data mining of end users' e-mail messages to present them with advertising.

"Unfortunately in advertising there is very little incentive to the user to participate, but it could be possible for users to engage voluntarily in attestation if they are somehow paid for sharing their information," said Juels. "I think some people could be convinced as it relates to trading demographic information for some commercial benefits, that sort of thing could easily be embodied in such a system."
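The "premium click" idea above has three moving parts: an attester that vouches for a browser, a token that identifies that browser without relying on an IP address, and a filter on the ad network side that separates attested traffic from the rest and spots rapid-fire clicks. The following is an added example of that pipeline written for this page; it is not from Juels' talk, RSA Labs, or any advertising network. The attester key, the browser identifier, the rate-limit thresholds and the click records are all constructed for the demonstration, and the token format (base64 payload plus an HMAC-SHA256 tag) is one simple choice among many.

```python
# Added example, not from Juels' paper or RSA Labs: a minimal "premium click"
# pipeline. An attester issues an HMAC-signed token bound to a browser identity
# (not an IP address); the ad network verifies the token and applies a per-browser
# rate limit so that rapid-fire scripted clicks stand out. All names, the key and
# the click records below are constructed for the demonstration.
import base64
import binascii
import hashlib
import hmac
import json
from collections import defaultdict

ATTESTER_KEY = b"constructed-demo-attester-key"  # assumption: secret shared by attester and ad network


def issue_token(browser_id, issued_at, key=ATTESTER_KEY):
    """Attester side: bind a browser identity and issue time under an HMAC-SHA256 tag."""
    payload = json.dumps({"bid": browser_id, "iat": issued_at}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_token(token, key=ATTESTER_KEY):
    """Ad-network side: return the payload dict if the tag checks out, else None."""
    try:
        body, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    return data if isinstance(data, dict) and "bid" in data else None


class ClickQualifier:
    """Label each click premium, suspicious or unattested."""

    def __init__(self, max_clicks=3, window_seconds=10):
        self.max_clicks = max_clicks
        self.window = window_seconds
        self.history = defaultdict(list)  # browser id -> timestamps of recent clicks

    def classify(self, click):
        payload = verify_token(click["token"]) if click.get("token") else None
        if payload is None:
            return "unattested"  # no token or a forged one: ordinary, unverifiable traffic
        bid = payload["bid"]
        recent = [t for t in self.history[bid] if click["ts"] - t < self.window]
        recent.append(click["ts"])
        self.history[bid] = recent
        # Too many clicks from one attested browser inside the window looks scripted.
        return "suspicious" if len(recent) > self.max_clicks else "premium"


def quality_report(clicks):
    """Count labels for a batch of clicks, e.g. one syndicate's delivered traffic."""
    qualifier = ClickQualifier()
    counts = {"premium": 0, "suspicious": 0, "unattested": 0}
    for click in clicks:
        counts[qualifier.classify(click)] += 1
    return counts


def sample_clicks():
    """Constructed batch: one attested browser clicking, plus untagged and forged clicks."""
    good = issue_token("browser-A", 1000)
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")  # tamper with the tag
    return [
        {"ts": 1000, "ip": "192.0.2.10", "token": good},
        {"ts": 1002, "ip": "192.0.2.10", "token": good},
        {"ts": 1003, "ip": "192.0.2.10", "token": good},
        {"ts": 1004, "ip": "192.0.2.10", "token": good},   # fourth click in 10 s
        {"ts": 1005, "ip": "198.51.100.7"},                 # no token
        {"ts": 1006, "ip": "198.51.100.7", "token": forged},
        {"ts": 1030, "ip": "192.0.2.10", "token": good},    # window has cleared
    ]


if __name__ == "__main__":
    print(quality_report(sample_clicks()))
    # {'premium': 4, 'suspicious': 1, 'unattested': 2}
```

The per-syndicate counts from quality_report are the kind of figure Juels suggests advertisers could pay on: a syndicate whose traffic is mostly premium is worth more than one whose traffic is mostly unattested. The design deliberately keys the rate limit on the attested browser identity rather than the client IP, which is the distinction the article draws, and it treats a token with a bad tag exactly like no token at all rather than as proof of fraud, since a stale or mangled token is a far more common cause than forgery. A token copied out of a browser by a bot (the "truly ingenious botnets" case above) would still pass verification, which is why the rate limit, and not the token alone, does the filtering.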

Posted by Matt Hines on August 8, 2007 01:15 PM


August 06, 2007 | Comments: (0)

Defcon diary: The real story

At Defcon, hacker hobbies turn into careers, and careers support hobbies, writes contributor Andrew Brandt

At the 15th Defcon computer security conference in Las Vegas, hackers, computer security professionals, and government cybercrime experts from around the world converged on the well-worn Riviera Hotel and Casino to share secrets and prove, once again, that none of us are as safe as we think from prying eyes.


But as important and technically sophisticated as the training sessions and panel discussions are, many who attend this annual gathering come primarily for the friendly competitions, the social gatherings, and the chance to show off their really cool gizmos and creations. Some never attend a single training session, opting instead to spend three days and nights hunched over glowing laptops in a virtual competition of Capture the Flag, where the "flag" is a computer server the participants attempt to break into over an internal network and, once inside, secure against attack from the other players.

Other extra-conference competitions include Coffee Wars, where hacker-roasted beans slug it out in a taste-off; the Lost @ Con Mystery Challenge, a complex puzzle where teams must employ a wide range of research, codebreaking, and lockpicking skills in order to open a haphazardly-wired, circuit-boarded, padlocked, and welded box made of quarter-inch-thick steel; Defcon Bots, in which teams of robotics engineers teach and tweak computer-controlled pellet guns to aim at and shoot plastic pellets at targets autonomously; a Guitar Hero contest (played on an appropriately-modified Xbox 360); a wireless hacking challenge, featuring a tower built out of 11 Linksys wireless access points and network switches; and the LPCON, a timed lockpicking and lock cylinder disassembly/reassembly contest for those hackers more interested in physical security than computer security.

To accommodate this level of obsessive-compulsive computing, a support network of vendors sells everything from clean clothes to caffeinated mints as well as a wide array of surplus military-grade electronics, tools, lock pick kits and books, and other hacker essentials. Many vendors attend the conference year after year with most selling out of their most popular items in the first 36 hours of the conference.

Some of the most entertaining moments at the conference have nothing to do with the conference at all but come from attendees who bring their hobbies to the 'con. One attendee who works in the energy industry proudly showed off his creation -- a hand-built laser display system capable of rendering both text and animated graphics.

Another walked the conference halls in the full regalia of a Ghostbuster, including a highly detailed homebuilt Proton Pack of the type worn by the actors in the movie.

But the conference yielded its own share of surprises this year. In one talk, security expert and Defcon Goon (staff member) Zac Franken described and demonstrated a device he built that can manipulate the access control systems used in thousands of office buildings by exploiting the Wiegand protocol, which those systems use to communicate with card readers, keypads, or biometric devices.

Another speaker, a woman with shocking pink hair who goes by the hacker handle Neonrain, described how she and her conference partner designed and built a Tetris-like video game that can be controlled with a biofeedback device called the Wild Divine Lightstone. The blocks in the game fall at a rate that varies as the player's pulse rate changes, so players who can maintain a steady heartbeat can manage the game more easily than a player who gets excited.

Even the conference badges were a hacker's work of art. For the second year in a row, electronic engineer Joe Grand, who runs his own electronics design firm called Grand Idea Studios, designed and built elaborately contrived electronic badges. This year's badge featured an array of LEDs that users could program with their own scrolling text messages. Buttons were cleverly disguised as symbols printed on the front of the badge. The instructions and details about how the badges were designed and built were included in the form of a poem, also written by Grand and printed in the conference schedule booklet, which began:

170 hours of total time spent
2 nights of my honeymoon (oh, how I lament!)
3 circuit board revisions to get it all right
863,000 total components bring them to light
6800 hackers wearing the badge in all its glory
If you want to learn more, please read this fine story

Posted by Mike Barton on August 6, 2007 04:30 PM


August 06, 2007 | Comments: (0)

Of spineless TV producers, WEP cloaking and blocking WiFi

I wasn't able to stick around Las Vegas after Black Hat last week for Defcon, so I didn't get to see Dateline NBC associate producer Michelle Madigan run for the hills after getting outed by the show's "goons" (see Bob Garza's previous post), but here's my take:

If Madigan had understood anything about the nature of the show and the hackers she was trying to cover she should have known that A: there was a pretty good chance that someone would catch her, and B: if she had just admitted what she was up to when identified, taken a bow and given the Defcon folks credit for doing their homework and then stuck around, she probably would have gotten herself a good story, earned some respect and even made some friends.

Now, maybe she wouldn't have gotten the underground "hacker-for-hire" angle she and her bosses wanted, but there would have been a lot of interesting things to talk about anyway, like how the Defcon people knew about her whole gig before she ever landed in Nevada. Funny that. Kudos to Black Hat/Defcon founder Jeff Moss and company for handling it all very professionally, from the sound of it.

The fact that she completely missed the "gaming" nature of the event illustrates the fact that people outside the IT security space still don't understand the vibe that drives a lot of the hacker/researcher set. They love a good stunt. Play along and you'll learn something about them and they'll respect you. Run away like a non-vertebrate and you'll forever be a laughing stock.

WEP non-cloaking

In addition to missing the Dateline Debacle, I wasn't able to listen in on a pair of interesting wireless security sessions being led by researchers from vendor AirTight Networks, but thankfully they briefed me anyway.

One of the presentations was related to the whole concept of WEP cloaking -- the art of obfuscating (easily hacked) WEP-protected wireless transmissions by adding a bunch of extraneous traffic to your signals to try to confuse or overwhelm the wireless decryption tools that have been proven to crack the system.

While I doubt that a lot of enterprises have embraced WEP cloaking to help bandage their wireless systems, especially with a spate of other secure wireless alternatives available, the folks at AirTight claim to have proven why cloaking doesn't work anyway.

According to AirTight, the transmission frames generated by individual access points and the inserters used to generate the cloaking signals are slightly different -- which makes it easy for anyone trying to defeat the system to catch and filter the actual data.

Rick Farina, an enthusiastic white hat hacker and wireless security engineer at AirTight, also noted that the types of people looking to steal wireless traffic know enough about the protocols and keys used in WEP to find the real data they're looking for despite all the excess noise from cloaking technologies.

"We can devise filters that will crack WEP cloaking as easily as someone can crack plain WEP; no matter how much excess noise you mix in, the key can still be broken," Farina said. "Cloaking doesn't actually protect you at all; it just gives you a false sense of security."

(It's worth noting that the practice of WEP cloaking was first publicized by AirDefense, one of AirTight's biggest competitors.)

Stopping Muni-fi

A lot of people are excited about the promise of municipal WiFi systems such as the one currently being built in San Francisco, but do not count enterprise IT administrators among that group.

While the systems may provide a nice back-up for workers connecting on the street or when network connections fail, the notion of securing a company's sensitive information is hard enough already without offering every worker unmanaged access to the Internet.

For financial services companies and the like there are sure to be new compliance issues introduced by muni Wi-Fi, for instance. What good is it blocking access to Gmail on your network when people can simply connect to the closest municipal hotspot?

Enter wireless intrusion prevention systems (WIPS), which promise to help companies block such access to WiFi systems and prevent such scenarios. However, AirTight claims those won't stop smarter wireless attackers from finding a way into your company over the air.

Hackers often use "evil twin" wireless networks to attempt to lure workers to connect for the purpose of breaking into their devices and their employers' networks. WIPS tools promise to prevent such access, but by simply using multiple access points for their attacks, said AirTight CTO Pravin Bhagwat, hackers can easily failsafe their threats.

When a WIPS system blocks access to one access point, the signal merely swaps over to another, creating a layered effect that continually offers access in what AirTight has coined a "multipot" attack. In a network that crisscrosses an entire city, for instance, it will be impossible to block out enough access points to completely prevent people from logging on, Bhagwat said.

"This type of thing is already happening and the wireless vendors don't seem to care about it," said Bhagwat. "If you test WIPS in this type of environment it's easy to see that the signal merely swaps over to the next closest access point when one is blocked; hackers already know about this technique and countermeasures need to be developed. It's an arms race at this point."
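To make the multipot point concrete from the defender's side, here is an added example (my own code, not AirTight's product or anything from the post) that runs a simple rogue-AP check over constructed beacon observations. It assumes a sensor log of (SSID, BSSID, channel, RSSI) tuples and an inventory of sanctioned BSSIDs per SSID, both invented here; it flags unknown BSSIDs advertising an inventoried SSID, labels one impersonator an evil twin and several a multipot, and shows how many remain on the air once a WIPS with a fixed containment capacity has blocked the strongest ones.

```python
from collections import defaultdict

# Constructed beacon observations in the shape a WIPS sensor might record:
# (SSID, BSSID, channel, RSSI in dBm). Not real capture data.
BEACONS = [
    ("CorpWiFi",   "00:11:22:33:44:01", 1,  -45),
    ("CorpWiFi",   "00:11:22:33:44:02", 6,  -50),
    ("CorpWiFi",   "de:ad:be:ef:00:01", 11, -40),  # unknown AP advertising the corporate SSID
    ("CorpWiFi",   "de:ad:be:ef:00:02", 1,  -42),  # second unknown AP, same SSID
    ("CorpWiFi",   "de:ad:be:ef:00:03", 6,  -44),  # third unknown AP, same SSID
    ("GuestNet",   "00:11:22:33:44:10", 11, -60),
    ("CoffeeShop", "aa:bb:cc:dd:ee:01", 6,  -70),  # unrelated neighbour, not impersonating us
]

# Constructed AP inventory: SSID -> set of sanctioned BSSIDs.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "GuestNet": {"00:11:22:33:44:10"},
}


def find_rogue_aps(beacons, authorized):
    """Map each inventoried SSID to {bssid: strongest RSSI seen} for BSSIDs
    that are not in the inventory. SSIDs we do not own are ignored."""
    rogue = defaultdict(dict)
    for ssid, bssid, _channel, rssi in beacons:
        if ssid not in authorized or bssid in authorized[ssid]:
            continue
        rogue[ssid][bssid] = max(rssi, rogue[ssid].get(bssid, -1000))
    return dict(rogue)


def classify(rogue, multipot_threshold=2):
    """One impersonating BSSID is an evil twin; several at once is the
    layered 'multipot' pattern the AirTight researchers describe."""
    return {
        ssid: ("multipot" if len(aps) >= multipot_threshold else "evil-twin")
        for ssid, aps in rogue.items()
    }


def uncontained(aps, capacity):
    """Model a WIPS that can contain only `capacity` BSSIDs at a time and
    targets the strongest first. Returns the rogue BSSIDs still on the air,
    strongest first; a client blocked from one will simply pick the next."""
    ranked = sorted(aps, key=lambda b: aps[b], reverse=True)
    return ranked[capacity:]


if __name__ == "__main__":
    rogue = find_rogue_aps(BEACONS, AUTHORIZED)
    for ssid, label in classify(rogue).items():
        print(f"{ssid}: {label} via {sorted(rogue[ssid])}")
        print("  still reachable with capacity 2:", uncontained(rogue[ssid], 2))
```

The useful output for a defender is the `uncontained` list: when it is non-empty, containment alone is not closing the exposure, and the response has to shift to the client side (for example, restricting which SSIDs corporate devices may join and requiring 802.1X so a look-alike SSID cannot complete authentication).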

Posted by Matt Hines on August 6, 2007 10:49 AM


August 03, 2007 | Comments: (0)

DefCon - Undercover reporter outed while trying to entrap hackers

Las Vegas - An NBC Dateline reporter was outed at the DefCon security conference today as she was seemingly trying to entrap people into admitting to committing a crime.


[Photo courtesy of Humphrey Cheung, Tom's Hardware Guide]

Wearing an undercover camera and posing as a regular member of the convention (instead of admitting to being press), Michelle Madigan, associate producer at NBC/Universal, ran out of the DefCon 15 security convention this afternoon while trying to covertly film attendees of this notorious security conference.

Is it unethical for a reporter from a major television show to try and out a hacker admitting to a felony? Or to out an undercover member of the US military or US Government (which could endanger their life or their ability to do their job) attending this conference? While these members of the federal government may not be strictly undercover, posting their picture without their authorization could endanger them unnecessarily.

From what I hear, Ms. Madigan was trying to get undercover footage of conference attendees for an exposé show like Dateline NBC: To Catch a Predator. Specifically, she was trying to film an attendee admitting to committing a crime.

Priest, a senior staff member at DefCon, and the public face of DefCon, stated that Ms. Madigan wanted to get the footage of the hacker underground and the feds that learn from them. Supposedly, Ms. Madigan stated that a whole bunch of people here at the conference are criminals and that our government is learning how to be criminals from these individuals.

Additionally, Ms. Madigan was quoted as saying that people in Kansas would be very interested in what's happening here at DefCon.

I wholeheartedly believe that last sentence. I believe that everyone should be interested in what's happening here. Many of the people that are, and will be, ensuring the security of our critical infrastructure are learning from speakers at this conference and the speakers at the just-completed BlackHat security conference.

As members of the press, we here have to put up with the restrictions that DefCon imposes. We have to sign waivers that we will respect the privacy of individuals present at this conference. No cameras, photos or recordings without explicit permission. No group photos or filming. The members of the press here have to wear a badge that identifies them to other attendees. We put up with these restrictions and hassles because of that small percentage of the press that disregard the rules.

Twice on the phone, and twice on site, Ms. Madigan was offered press credentials and refused them. She was heard stating that she didn't think those would be necessary, nor did she want to speak to Jeff Moss, organizer of the BlackHat and DefCon conferences, as she was registering.

It became obvious to conference staff that she was going to go through with her assignment as she went to the bathroom to put on her camera. She came out with a small bag that she carried as anyone would a normal video cam.

Conference staff were alerted to what she was trying to do "as soon as her plane left the ground bound for Las Vegas". As she was covertly filming a crowd of people in a session, Jeff Moss essentially flushed her out and asked her if she wanted to walk up on stage and admit to attendees that she was a member of the press. Instead she chose to bolt out of the session with 150 people following her as she left the conference.

What's the takeaway here? People attending this conference are obviously smart and value their privacy. The members of the press here respect the individuals who come to this conference to learn from the speakers and attendees, many of which are top researchers in their fields. Should that environment be threatened by someone trying to up their TV ratings?

Obviously, conference attendees feel otherwise.

Posted by Victor R. Garza on August 3, 2007 05:18 PM


August 02, 2007 | Comments: (0)

Websense to unveil "honeyjax" malware tools at Defcon

Just as honeypots have long been used to attract samples of the latest malware code floating around the Web, researchers with filtering specialist Websense plan to unveil a new set of tools dubbed honeyjax that promise to reach out across the Internet to seek out the latest social engineering attacks.

Meant to serve as a magnet for malware and scams leveled at so-called Web 2.0 applications and programming techniques, honeyjax instead uses active client software to seek out malware, phishing kits and other threats, said Dan Hubbard, vice president of security research at Websense.

Hubbard will detail the tools in a presentation at the Defcon hacker conference at the Riviera hotel in Las Vegas on Sunday.

Also tagged with the product name Threatseeker, the tools have been used by Websense over the last year to unearth malware and scams being carried out on sites that utilize user-driven content -- such as MySpace -- and applications built using emerging programming techniques such as AJAX, he said.

The researcher plans to show off three different flavors of the honeyjax tools (whose name is derived from blending the words honeypot + AJAX) -- labeled as active, passive, and passive-aggressive versions of the technology.

The passive iteration of honeyjax is used to set up accounts at user-content sites such as eBay and lure nefarious parties seeking to somehow subvert the systems. When any changes are made to the accounts or Web pages, the tools automatically notify the researcher. Building the tools to navigate sometimes complex end user licensing agreements (EULAs) was no easy task, he said.

As an example of what the technology can turn up, Hubbard said that a recent mock eBay auction he placed using the passive tools was won by an individual who attempted to trick the researcher into handing over his bank account details via e-mail. The system automatically sets up accounts that are likely to draw suspicious activity, he said.
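The core of a passive decoy like the one described above is change detection that ignores page churn but wakes the researcher up when something new arrives. The following is an added example of that idea in my own code; it is not Websense's honeyjax or Threatseeker, and the HTML snapshots, the "Last updated" timestamp line and the scam phrases are all constructed for illustration. It normalizes two snapshots of a decoy listing page, fingerprints them so a timestamp change alone raises nothing, and when real content changes it returns the added lines together with any that match the kind of bank-details lure Hubbard mentions.

```python
import difflib
import hashlib
import re

# Constructed snapshots of a decoy auction page, as a passive honeypot might
# fetch them on a schedule. Not real site content.
BASELINE = """<html><body>
<h1>Vintage camera for sale</h1>
<p>Seller: decoy_user_42</p>
<p>Last updated: 2007-08-02 10:00</p>
<ul id="messages">
<li>Q: Does it include the lens cap?</li>
</ul>
</body></html>"""

# Same page fetched later: only the volatile timestamp differs.
SAME_LATER = BASELINE.replace("2007-08-02 10:00", "2007-08-02 11:30")

# A later fetch in which a "winner" has posted a message.
CHANGED = """<html><body>
<h1>Vintage camera for sale</h1>
<p>Seller: decoy_user_42</p>
<p>Last updated: 2007-08-02 12:15</p>
<ul id="messages">
<li>Q: Does it include the lens cap?</li>
<li>Congratulations, I won. Please send your bank account number so I can wire payment.</li>
</ul>
</body></html>"""

# Lines that change on every fetch and must not trigger an alert (constructed pattern).
VOLATILE = re.compile(r"Last updated: ")

# Phrases typical of the lure described in the post (constructed, illustrative list).
SCAM_PATTERNS = [re.compile(p, re.I) for p in (
    r"bank account",
    r"wire (the )?payment",
    r"routing number",
)]


def normalize(html):
    """Strip whitespace and drop volatile lines so only real content is compared."""
    lines = []
    for line in html.splitlines():
        line = line.strip()
        if not line or VOLATILE.search(line):
            continue
        lines.append(line)
    return lines


def fingerprint(html):
    """Stable hash of the normalized content; equal for churn-only changes."""
    return hashlib.sha256("\n".join(normalize(html)).encode("utf-8")).hexdigest()


def detect_change(baseline, current):
    """Return the added/removed normalized lines, or [] when nothing real changed."""
    a, b = normalize(baseline), normalize(current)
    if a == b:
        return []
    return [
        line for line in difflib.unified_diff(a, b, lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def flag_scam_lines(diff_lines):
    """Among newly added lines, pick out those matching a scam pattern."""
    return [
        line for line in diff_lines
        if line.startswith("+") and any(p.search(line) for p in SCAM_PATTERNS)
    ]


def check_honeypot(baseline, current):
    """One scheduled check: report whether content changed, what changed,
    and which additions look like the bank-details lure."""
    diff = detect_change(baseline, current)
    return {"changed": bool(diff), "diff": diff, "alerts": flag_scam_lines(diff)}


if __name__ == "__main__":
    print("churn only:", check_honeypot(BASELINE, SAME_LATER))
    print("real change:", check_honeypot(BASELINE, CHANGED))
```

The split between `detect_change` and `flag_scam_lines` matters in practice: every real change is worth logging for the researcher (the page may have been altered in ways no keyword list anticipates), while the pattern list only decides which changes are escalated first.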

The active version of the tools tests for attacks being carried out across social networking sites using Web 2.0 technologies -- such as the AJAX-oriented Samy worm that attacked MySpace in 2006.

And the passive-aggressive honeyjax tools promise to combine the two techniques, setting up accounts at social networking sites such as the Eons.com retiree site and actively searching for threats being carried out against users.

Scammers are increasingly using social networking sites such as Eons to trick unsuspecting end users, he said. Eons.com has become a target because its users, who are over 50, tend to be less technology savvy and have investments and other savings to pilfer, said Hubbard.

The researcher claims that in addition to luring malware attacks and scams being carried out on the Web sites, the tool may also come in useful in hunting down online predators by enticing them into attempting to make contact with various types of seemingly legitimate Web 2.0 site users.

The tools should also be of interest to site owners, security researchers and security software vendors, he said.

The tools could even prove useful for enterprise customers, the expert contends.

"Many companies used to ban social networking sites like MySpace and LinkedIn because of the potential for misuse, but now many want to open up to the sites to allow workers to use them for business purposes," said Hubbard. "We think this is a whole new way to identify these types of attacks and try to identify where they come from."

Posted by Matt Hines on August 2, 2007 02:39 PM


August 01, 2007 | Comments: (0)

Black Hat Web site hacked?

It appears that the official site of the Black Hat security conference has come under attack, as the URL was not available as of 12:30 pm PST on Wednesday.

Show officials had no comment on the matter on site in Las Vegas, and could not confirm if the site had indeed been taken down in some form or was merely broken for some reason -- but it's not unusual that at some point, or multiple times, during the annual hacker conference that the BlackHat.com site comes under fire.

While show founder Jeff Moss highlighted in the show's keynote address that the conference has become increasingly corporate, with higher numbers of business users showing up every year, the site hack illustrates that the core audience of Black Hat -- both ethical and nefarious hackers -- remains intact.

A show representative further warned that attendees should avoid connecting to the Web via the show's network "unless you absolutely have to."

Consider me a guinea pig.

Posted by Matt Hines on August 1, 2007 12:37 PM


August 01, 2007 | Comments: (0)

Black Hat kicks off to largest audience

The Black Hat 2007 security conference is under way and in full swing on Wednesday at the Caesar's Palace convention center in Las Vegas.

Jeff Moss, the founder and godfather of Black Hat, kicked off the busy briefings stage of the show in a morning keynote that followed four days of hacker training sessions.

Among those joining vulnerability researchers and hackers on stage at the briefings are representatives from the law enforcement community, federal government, security technology vendors and the ever-present media horde.

Moss reported that Black Hat 2007, which is to be followed by the annual DefCon hacking confab, is the largest iteration of the show ever, drawing an estimated 4,000 attendees, a ten percent gain compared to the 2006 show.

Overall, the conference continues to become more business-focused and mainstream, Moss said.

"We're seeing more vertical organizations getting interested in security, last year was a breakthrough in that regard with people attending from different enterprises like storage and telecommunications," said Moss. "Traditionally we've been focused on the security researcher, but more people are paying attention to what researchers are doing in other verticals, so [the conference] is broadening."

Moss emphasized that Black Hat's content remains driven by show attendees and the hacking community -- even though the show has more corporate ownership than in the past in the form of CMP media, which purchased the conference in Nov. 2005.

The 2007 iteration of Black Hat offers the most briefing tracks in the show's history, he said, including a new group of sessions related to fuzzing technologies and techniques, an area that has already drawn considerable interest.

In a nod to the growing international flavor of Black Hat, Moss noted that 50 different countries are represented among the crowd, including people from every continent save Antarctica.

Among the far-flung countries sending attendees to the show are Ireland, Guatemala, The Netherlands Antilles, Russia, Thailand, Croatia, Hong Kong and even Gibraltar, said Moss.

After encouraging attendees to use "common prophylactics" to protect themselves against potential attacks carried out over the show's wireless network, Moss detailed one of the other new additions to the conference, its first-ever set of vulnerability research and hacking awards, dubbed the "pwnies" (pronounced "ponies").

Categories included in the prize-giving include Best Server-Side Bug, Best Client-Side Bug, Most Innovative Research, Lamest Vendor Response and Most Overhyped Bug.

Judging the competition will be well-known security researchers including Dino Dai Zovi, HD Moore, Dave Aitel, and Alexander Sotirov, with the awards being announced on Aug. 2.

One of those slated to judge the event who won't be able to participate is Thomas Dullien, the German-born security researcher better known as Halvar Flake.

Dullien was not allowed to enter the United States because of a technicality in his immigration paperwork: he had procured permission to enter the country as a private individual, but not as a representative of his company, Sabre Security.

Moss attributed the problem to strict border enforcement, not any effort to stop hackers from attending the show. However, the plight of Dullien -- who has previously served as a reverse engineering and security training consultant to the DoD and Department of Homeland Security, among other federal agencies -- must be considered by the security and hacking community as a whole if it is to make progress in getting its message out at events like Black Hat.

"Unfortunately Halvar couldn't make it, and we want to use that to illustrate that if we're building a global community, it will depend on our ability to invite foreign speakers to events like this to get you the best content," Moss said. "If we're going to have a hard time getting people into the country, we're all going to suffer."

Moss encouraged attendees to contact their political representatives to ensure that researchers aren't stopped from meeting at Black Hat and other locales.

"We're a community, and if the community can speak out we can have a real effect," he said.

Stay tuned for two days of full Black Hat coverage.

Posted by Matt Hines on August 1, 2007 11:10 AM

