Archive for March, 2007

Mar 30 2007

A few pictures from Shmoocon 07

Published by under Blogging

I’ve posted my pictures from Shmoocon to the Cobia site.  Check my blog posting there to see when I post some of the other pictures I have from the event.  I got a decent shot of Paul and Larry from PaulDotCom Security Weekly.


Mar 29 2007

Network Security Podcast, Episode 65

Published by under Podcast

I’m home for the next couple days, but no rest for the weary.  I had to get this off of my plate first, but I’ve still got another podcast to edit and a few video blog entries.  This stuff all takes time.

Today’s is a short podcast; the majority of it is the interview with Dean Turner from Symantec.  There’s a lot more here than made it into the Podtech interview.  That was just a teaser for the full interview.  Besides, Podtech wants shorter segments, or so they’ve told me.

If you’ve sent me an email in the last week and I haven’t responded, please resend it.  Shmoocon was great, the press tour with Mitchell Ashly has been a learning experience, but if I didn’t respond to any email you sent in that time, it wasn’t personal.

Network Security Podcast, Episode 65, March 29, 2007

Time: 25:05


Mar 29 2007

How not to gain some recognition at Shmoocon

Published by under Hacking

One of the vendors at Shmoocon got some unwanted attention this weekend.  They had a nice string of light-up USB hubs strung along the front of their table.  Since the hubs needed to be powered to light up, they plugged them into one of the vendor laptops on the table.

A young gentleman called Render Man noticed this and happened to have a USB toolkit in his pocket; I think he said it was from HOPE.  He was able to plug his USB key into the string of USB hubs unnoticed and retrieved it several minutes later, when it had sucked down password files and other assorted goodies.

Render Man said he was going to erase the file and I hope he has.  The event was relayed to the entire audience at the Shmoocon closing ceremonies, so you’ll probably find out who the vendor was.

It’s important to be especially vigilant about your computer when going to events that advertise to hackers.  Turn off wireless, Bluetooth and USB.  If you do bring a computer to the show, make sure it’s as hardened as possible.  Another option is to put out a computer to be hacked, but in that case you’re better off being part of one of the labs.  Better yet, don’t bring a computer to the event floor at all.

I had to fix a typo in the subject line.  I wonder how long the post will show up wrong on all the replicant pages on the internet?
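The advice above boils down to two things a laptop owner can actually check: whether an unexpected mass-storage device was ever attached, and whether the machine would even load the storage driver if one were.  The script below is an added example written for this page, not code from the post or from the vendor involved.  It runs detection over constructed syslog-style kernel lines (the device IDs, port paths and allowlist are made up for the example) and classifies a modprobe.d fragment by how firmly it keeps `usb-storage` from loading.

```python
import re

# Constructed syslog-style kernel lines, written for this example; they imitate
# what Linux logs when a USB stick is plugged into a hub, not anything captured
# at the event described in the post.
SAMPLE_LOG = """\
Mar 24 14:02:11 laptop kernel: usb 1-1.3: new high-speed USB device number 5 using ehci_hcd
Mar 24 14:02:11 laptop kernel: usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567
Mar 24 14:02:12 laptop kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
Mar 24 14:02:13 laptop kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 24 14:05:40 laptop kernel: usb 1-1.4: New USB device found, idVendor=046d, idProduct=c52b
Mar 24 14:05:40 laptop kernel: input: Logitech USB Receiver as /devices/pci0000:00/usb1/1-1/1-1.4
Mar 24 14:09:02 laptop kernel: usb 1-1.5: New USB device found, idVendor=0951, idProduct=1666
Mar 24 14:09:03 laptop kernel: usb-storage 1-1.5:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: (idVendor, idProduct) pairs the laptop's owner approved.
ALLOWED_STORAGE = {("0951", "1666")}

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def find_unapproved_storage(log_text, allowed=ALLOWED_STORAGE):
    """Return one alert per mass-storage attach whose vendor/product pair is not allowlisted."""
    ids_by_port = {}   # port path -> (idVendor, idProduct) seen on the enumeration line
    alerts = []
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        ts = ts_match.group("ts") if ts_match else "?"
        m = NEW_DEVICE_RE.search(line)
        if m:
            ids_by_port[m.group("port")] = (m.group("vid"), m.group("pid"))
            continue
        m = STORAGE_RE.search(line)
        if m:
            port = m.group("port")
            vid, pid = ids_by_port.get(port, ("????", "????"))
            if (vid, pid) not in allowed:
                alerts.append({"time": ts, "port": port, "vid": vid, "pid": pid})
    return alerts


def usb_storage_lockdown_level(modprobe_conf_text):
    """Classify how firmly a modprobe.d fragment keeps usb-storage from loading.

    'hard': an `install usb-storage /bin/true` (or /bin/false) line, which turns
            any attempt to load the module into a no-op.
    'soft': only `blacklist usb-storage`, which stops alias-based autoloading at
            hotplug but not an explicit modprobe or a dependency pull-in.
    'none': neither.
    """
    level = "none"
    for raw in modprobe_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if re.fullmatch(r"install\s+usb[-_]storage\s+/bin/(true|false)", line):
            return "hard"
        if re.fullmatch(r"blacklist\s+usb[-_]storage", line):
            level = "soft"
    return level


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_LOG):
        print("unapproved USB storage on port %(port)s at %(time)s: %(vid)s:%(pid)s" % alert)
    print("lockdown:", usb_storage_lockdown_level("blacklist usb-storage\n"))
```

Run against a real `/var/log/kern.log` and `/etc/modprobe.d/*.conf` the same functions apply unchanged; the allowlist is the part a practitioner would have to fill in with the IDs of the one or two sticks they actually own.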


Mar 27 2007

Where I’ll be popping up over the next couple of weeks

Published by under General

My time here on the East Coast is almost done.  It’s been a ton of fun, but I’m exhausted.  I’m flying home tonight, arriving at my house around 23:00 tonight, and then off again in the morning.  I’ll be home tomorrow night, but I still think my wife and kids would have rather I stayed home a little longer.

Tomorrow I’ll be presenting at the Secure IT Conference in Sacramento.  My talk will be on the convergence of networking and security technologies and will be starting at 3:15 in the afternoon.  The best part of this talk is that I get to spend the night in my own bed afterwards.

Sunday I’m heading down to San Diego to man the booth at the SANS San Diego 2007 conference.  I’ll be in the booth every day and will also be presenting a “Lunch and Learn” presentation on Tuesday about Cobia and exactly what we’re trying to do.  I’ll be flying out shortly after that to attend a Sonoma County Systems Administrators presentation by Danny O’Brien from the Electronic Frontier Foundation.

After that, I get about a 10 day window with no travel.  I still have to figure out if I’m going to the Web 2.0 Expo in San Fran or Storage Network World in San Diego.  I’m heavily leaning towards Web 2.0 at this point, but I’m not 100% the master of my own time. 


Mar 27 2007

Metasploit 3 is out

Published by under Hacking

Sure, Metasploit 3.0 is out and available, but has anyone gotten it working on a Nokia 770 or 800 yet?  Of course, since I gave mine to a friend for her birthday I can’t use it, but I may have to look at getting a new one in the not too distant future.

D’oooh! Helps to really read the article before posting. I missed the part where it says it’s running on the N800 already.


Mar 25 2007

Shmoocon 2007 is over

Published by under Uncategorized

I’m more than a little sad Shmoocon ’07 is over.  I haven’t had this much fun at an event in quite a while, excluding the Security Blogger Meetup at RSA.  Then again, the meetup was one night of fun, while this was 2.5 very full days of learning, meeting people and just hanging out.  There was a little partying too, but the fact that I’m from California helped a lot, since my body is still on Pacific time.  The fact I’m also old enough to know how to drink in moderation also placed me in a far better position than many of my fellow attendees both Saturday and Sunday mornings.  The fact that I was there representing Cobia and StillSecure also helped keep me out of trouble.

I have a lot to learn about traveling.  I hadn’t realized that Shmoocon started at 15:30 Friday afternoon and I traveled on Friday rather than Thursday night.  I missed most of Friday’s events, and almost missed Avi Rubin’s keynote address.  I have a lot of respect for Avi and the work he’s done, so I made up for arriving late by getting to meet him in person.  I’m not at all shy about just walking up to someone and introducing myself, which is exactly what I did.  With just a little luck, I’ll get a chance to get him on the podcast some day in the near future.

After the talk, I happened to run into Simple Nomad and tagged along to the hotel bar to meet a large contingent of attendees.  It’s a darn good thing I did, because after we’d been there for about 30 minutes, he asked me when we were going to the bloggers meetup.  I’d missed the timing on that and thought it was Saturday night.  I would have been in deep trouble if I hadn’t shown up, since as StillSecure’s representative I was picking up part of the bill for the event.  With a little help from Simple Nomad, I found the place it was being held in time and was able to uphold my part of the bargain.  I don’t know the exact number of bloggers, podcasters and readers/listeners, but I’d say a conservative estimate was 30-40 people.  Mubix did an excellent job of organizing the meetup, though once the majority of the folks left to go to a not-so-nearby bar, things got a lot more chaotic.  I finally got to meet Paul and Larry from PaulDotCom, the entire crew from Hak.5, Gene from SecThis, Obie and Brent from Cyberspeak as well as a whole host of readers/listeners.  Thanks again, Mubix.

Saturday morning I went to see Simple Nomad speak.  He’d apparently got a few hours of sleep after the night’s festivities and looked a lot more alert than most of his audience.  His talk was on a laundry list of topics, including some references to a talk he’d given last year on wireless cards in ad hoc mode at airports.  I think this was in the press again earlier this year, talking about how Windows systems will try to connect to an ad hoc network that has the same name as a legit network.  Let’s just say you’re probably better off connecting with EVDO or waiting until you get where you’re going rather than trusting any of the networks at the airport. 

Next I went to G. Mark Hardy’s talk, A Hacker Looks at 50.  Mark talked about his long and exciting career, from high school in the early 70s through starting his own business.  The room was packed, and I think this was probably one of the talks most of the hackers at the event really needed to hear.  His point was that he’d never seen a group with such a disparity between IQ and income as he’d seen in hackers, and most of it was due to having vision and goals.  He encouraged everyone in the room to figure out what their own goals are, write them down and start working towards them.  I met Shava Narad from Tor (remember the interview?) face to face at Mark’s talk, but unluckily wasn’t able to catch up to her again during the show.

I felt a little guilty for following Simple Nomad again, but I ended up having lunch with him, G. Mark Hardy, Jason Scott, Mubix and, of all people, Kevin Mitnick, as well as a few others I don’t know.  I had meant to go to Richard Bejtlich’s talk after lunch, but when I weighed his presentation against talking with these folks, I have to say Richard unluckily came in second and I stuck around to talk.  I barely got to say more than “Hello” to Kevin, but the conversation between Mark, Jason, Mubix, Simple and me more than made up for it.  I wanted to ask Kevin for an interview for the podcast or for Podtech, but he was already being harassed at the event and I didn’t want to add to it.

The rest of Saturday is a little bit of a blur, since I spent it talking on Cyberspeak, doing a video interview with Brent and Obie, and then participating in the PaulDotCom podcast.  I had a blast, but I would highly suggest no one ever sit next to Nick (aka Twitchy) after he’s started sipping Mountain Dew.  There were also a few interesting games of dodge ball with Shmooballs on the showroom floor, but the bloodshed and property damage was kept to a minimum.  I didn’t do too badly for being at least 5 years older than anyone else playing, but I was hot and sweaty at the end.

This morning I went to a talk on home grown and badly implemented crypto, which was interesting, but not really my specialty.  Afterwards I stuck around for Major Malfunction’s talk on cloning RFID tags and ended up being part of the talk.  If you watch the video, when it comes out, you can see my back while I hold the wires on a 9 volt battery since the leads had broken.  I also helped by holding a webcam to an RFID reader so the audience could see the readout.  Oh yeah, I’m technical.

The last talk I went to was about the One Laptop Per Child project, with Ivan Krstic, Sean Coyne, Jason Scott and Scott Roberts.  Ivan talked about Bitfrost and the steps OLPC is taking to prevent the misuse of the laptops, while the other three talked about all of the possible disaster scenarios it could lead to.  I should have a short video interview with Jason and Sean up later this week.

The closing remarks were a lot of fun, with Shmooballs flying all over the place and a lot of giveaways.  I managed to pick up a couple more balls, a titanium fork and small tripod, though the tripod was the only thing I really ‘needed’.  My wife will probably make me throw everything but the tripod away fairly quickly after I get home.

Shmoocon is nowhere near as serious an event as things like RSA.  Everyone I met was happy to be there and really seemed to enjoy being with other people.  If I can make it next year, I will, and you can be sure I’ll do my best to make sure I can.  I met more fun, interesting, exciting people at Shmoocon than I thought possible.  Now I have to go sleep, in order to make my 6:30 flight for Boston.  I hope I’ll get a chance to catch up with a listener, Jack Daniels, while there.  And yes, that is his real name, not a nickname.


Mar 23 2007

On my way to Shmoocon

Published by under Hacking

I’m sitting in Chicago airport waiting to board a plane to DC and Shmoocon.  If I was a more experienced traveler, I would probably have flown last night and slept on the plane.  Oh well, you live and you learn.

This weekend should be a lot of fun, since this is my first convention as a vendor and a Product Evangelist.  You might ask, “What does a Product Evangelist do at an event like this?”, because I know I did.  Basically, my job is to meet people, mention Cobia when appropriate and generally just shmooze at Shmoocon.  Such a horrible job!  :-)

I’m looking forward to finally meeting a lot of people I’ve heard of and never had a chance to meet face to face.  If you’re trying to find me, I’ll probably be a big man in a black leather jacket and a Cobia t-shirt.   Look for me if you have a chance.

Time to sign off, they’ve started seating the plane.  By the way, plane food really sucks.


Mar 22 2007

Xbox Live wasn’t hacked, it was social engineered

Published by under Hacking,Microsoft

I mentioned some rumors going around on Monday that the Xbox Live servers had been hacked, but it now looks like it’s a case of social engineering instead of hacking.  Clans are calling into the Xbox Live support staff and even though they might not get everything they need on an account the first time, they just call back, get another tech support person and get a little more information.  After enough support calls they have enough information to completely steal the account and do whatever they want with it.

It doesn’t surprise me that this happened, what surprises me is that it’s taken this long for it to happen.  This sounds a lot like the MO that Kevin Mitnick used to get information from the telcos over a decade ago, so anyone who wants to read his book, or just do a little research into social engineering, could have done this long ago.  I’m also surprised that the folks in charge of the Xbox Live support don’t have something in place that allows them to detect this type of social engineering and raise flags to stop it.  I can think of a number of ways this might be stopped, but it all comes down to giving people the right tools and training to detect social engineering attempts.  I have to assume that they haven’t put such measures in place because it might interfere with too many legitimate users who are less tech savvy and confused.

Any community of a competitive nature is going to have people who bend the rules and cheat.  If you’ve ever been a member of any of the MMORPGs, you’ve probably experienced this first hand.  The same distance, both physical and logical, that leads a person to become a troll in forums or mailing lists creates ‘griefers’ in game.  So it’s no surprise to me that someone figured out how to take griefing beyond denying you fun in the game and start denying you access to the game at all.

Microsoft had better get on this, fast.  Griefing in-game can ruin it pretty quickly for the majority of players, but having your account stolen and your credit cards run up is guaranteed to drive users away even quicker.
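The post says support ought to have something that spots this pattern across calls; one way to do that, as an added example written for this page (not code from the post or from Xbox Live), is to look at each account's support history rather than at single tickets.  The ticket records, the agent names and the thresholds below are all constructed for the example.  An account is flagged when several requests that reveal or change account details land inside a short window and were handled by different agents, which is exactly the "call back, get someone else" pattern described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed support-ticket records for this example, not real Xbox Live data.
# One entry per call: the account discussed, the agent who took it, what the
# caller asked for, and whether the caller passed identity verification.
SAMPLE_CALLS = [
    {"account": "gamer42", "time": "2007-03-15 10:00", "agent": "agent_a",
     "action": "lookup_profile", "verified": False},
    {"account": "gamer42", "time": "2007-03-15 11:30", "agent": "agent_b",
     "action": "reveal_hint", "verified": False},
    {"account": "gamer42", "time": "2007-03-16 09:15", "agent": "agent_c",
     "action": "change_email", "verified": True},
    {"account": "gamer42", "time": "2007-03-17 14:00", "agent": "agent_d",
     "action": "reset_password", "verified": True},
    {"account": "legit99", "time": "2007-03-10 12:00", "agent": "agent_a",
     "action": "change_email", "verified": True},
    {"account": "legit99", "time": "2007-03-22 16:00", "agent": "agent_b",
     "action": "reset_password", "verified": True},
    {"account": "noisy7", "time": "2007-03-18 08:00", "agent": "agent_a",
     "action": "billing_question", "verified": True},
    {"account": "noisy7", "time": "2007-03-18 09:00", "agent": "agent_b",
     "action": "billing_question", "verified": True},
    {"account": "noisy7", "time": "2007-03-18 10:00", "agent": "agent_c",
     "action": "billing_question", "verified": True},
]

# Requests that hand out or change something an account thief needs.  Each one on
# its own looks routine; the signal is several of them in a short span.
SENSITIVE_ACTIONS = {"lookup_profile", "reveal_hint", "change_email", "reset_password"}


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def flag_piecemeal_accounts(calls, window=timedelta(days=7), min_calls=3, min_agents=2):
    """Flag accounts whose sensitive calls cluster inside `window` across several agents.

    Returns {account: summary}, where summary describes the densest cluster found.
    The window and thresholds are assumptions chosen for the example.
    """
    by_account = defaultdict(list)
    for call in calls:
        if call["action"] in SENSITIVE_ACTIONS:
            by_account[call["account"]].append(call)

    flagged = {}
    for account, acct_calls in by_account.items():
        acct_calls.sort(key=lambda c: parse_time(c["time"]))
        best = None
        # Slide a window starting at each call and keep the largest cluster.
        for i, first in enumerate(acct_calls):
            start = parse_time(first["time"])
            cluster = [c for c in acct_calls[i:]
                       if parse_time(c["time"]) - start <= window]
            agents = {c["agent"] for c in cluster}
            if len(cluster) < min_calls or len(agents) < min_agents:
                continue
            summary = {
                "calls": len(cluster),
                "agents": len(agents),
                "failed_verifications": sum(1 for c in cluster if not c["verified"]),
                "window_start": first["time"],
            }
            if best is None or summary["calls"] > best["calls"]:
                best = summary
        if best is not None:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    for account, summary in flag_piecemeal_accounts(SAMPLE_CALLS).items():
        print(account, summary)
```

The `failed_verifications` count is there because the cheap response to a flag is not to refuse service but to route the next call on that account to a supervisor or to a callback at a previously verified number, which costs a confused legitimate user a few minutes rather than locking them out; that trade-off is the one the post suspects kept such checks from being deployed.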


Mar 22 2007

Happy Blog Birthdays

Published by under Blogging

A number of my blogging buddies (that sounds wrong somehow) have just reached their first Blog Birthday.  Cutaway, Mike Rothman and Michael Farnum just hit their 1 year of blogging.  That doesn’t sound like a lot, but when the lifespan of the average blog can be measured in days or weeks at most, being able to say you’ve been writing for a year is a lot.

Each of these gentlemen blogs for different reasons, but each of them ends up doing the same thing, contributing to the collective wisdom of the security community.  Rothman has the years of experience as an analyst, as well as the biting, caustic sense of humor he’s well known for; Farnum has a much softer sense of humor, but is much closer to the real world of day to day security; Cutaway is as in the trenches as you can get, often reminding us of what it’s like to work in a large organization where security is often an afterthought.

Congratulations guys!  I’m looking forward to seeing a lot more from you guys in the future.


Mar 22 2007

RIAA between a rock and a hard place

Published by under General

The judge in Elektra v. Santangelo has told the RIAA that their motion to dismiss the case without prejudice is denied.  IANAL, but as I understand it, that means that the RIAA has to either proceed to a full jury trial, which they likely don’t have the evidence to win, or they can dismiss the case with prejudice, meaning the Santangelo family can recoup attorney’s fees from the RIAA.

I know it’s not really a security story, but I’m really tired of hearing how the RIAA has targeted people who were obviously not guilty of ‘piracy’, such as Patti Santangelo and her family.  Our legal system has allowed the RIAA to sue people who obviously don’t have the resources to put up a legitimate defense against a group of industry lawyers.  If they were sticking to college students with thousands of songs on their computers or the nodes of the P2P networks sharing out tens of thousands of songs, I could understand it.  But going after a family who’s guilty of downloading a few songs or, in the case of the Santangelo family, had a friend download the songs is despicable.

In the past, the RIAA has been allowed to cut their losses when a target fights back; they’ve been allowed to either drop the case entirely or get it dismissed with prejudice.  This case could entirely change the equation; more people could fight back against the RIAA if they know there’s a chance they could win the court case. 

I’m not for piracy, but I’m not for extortion either.  The RIAA is a symptom of a whole industry that can’t see the world changing around them, and rather than adapt, they’re trying to sue the world into submission.  They’ll never succeed at it, but in the meantime they’ll ruin more than a few people’s lives.  The funniest part of the whole situation is that the RIAA has done more to re-establish the image of the recording industry as a bunch of racketeers than anything they’ve done since the 60s.

