Archive for March, 2008

Mar 31 2008

Safari Update in the bar

Published by under Apple/Mac

I was sitting in a bar in Chicago near Wrigley Field here in Chicago. I looked over my shoulder and saw a video screen with the iTunes Update screen telling the user that they needed to update iTunes and Safari. The bartenders hadn’t even noticed the screen was there. Oh, and there’s a Windows Update icon sitting in the corner waiting to be clicked on too.
Installing Safari using the iTunes update functionality is dishonest of Apple. And all the people who think that users should know enough to unclick the Safari installation are unrealistic. The average user is just going to click on ‘install’ and trust that Apple is updating properly. Expecting the average user to understand that Safari is a separate application that has nothing to do with iTunes is dishonest and disingenuous. And by including Safari in an iTunes update Apple is proving that they’re no better than Microsoft.

4 responses so far

Mar 28 2008

The Real secret origins of the RSA Security Bloggers Meetup

Published by under Blogging

Earlier this week Stephen Toulouse reminded me via twitter of an event that was precursor to what is now the RSA Security Bloggers Meetup, a lunch for bloggers put on by Microsoft and Sunbelt Software. It wasn’t a real meetup, but it was one of the first times a company like Microsoft recognized bloggers at a major event such as RSA. Given the growth we’ve had in blogging by security professionals since then, I can only wonder what next year’s event will be like! Just make sure to RSVP early next year; we had to close the doors because we’re already full and then some for this year’s event.

Security Bloggers Meetup in 2008: The Seed was Sown in 2006

No responses yet

Mar 25 2008

Network Security Podcast, Episode 99

Published by under Podcast

Wow, episode 99. It really didn’t sound like all that much until Rich said it while we were recording. But it’s really been over two years since I started talking into a mic in the vague hope someone would listen to what I say on a weekly basis. And now there are approximately 2000 people who listen on a regular basis. Thank you very much for coming back week after week.

There won’t be a podcast next week since I’ll be on the road in Chicago. The week of RSA Rich and I will be doing some micropodcasting, but the real episode 100 will be the live video feed from RSA. I’m nervous, because I know that if anything can go wrong, this is the place it’ll happen. So wish us luck.

[display_podcast]

Show Notes

2 responses so far

Mar 23 2008

Blogito, ergo sum

Published by under Blogging

Hope everyone’s having a good Easter. Time to take the family out to the coast and fly a kite. Or at least have a picnic.

No responses yet

Mar 22 2008

Someone call MCWResearch, their site’s been compromised

Published by under Blogging,Hacking

Update: The issue’s been fixed over at MCWResearch. Someone got in touch with the author and he fixed the problem before going to get belay certified. That’s rock climbing terminology if you don’t know, and I’m jealous. I haven’t been in any shape to go climbing in a few years. And I’ve been told I need to update some of my own code too, which may be what I spend this afternoon doing.

Update 2: Why didn’t I update sooner? It took me all of 30 seconds after I logged in to find the link for an update, click on it and be done. Thanks BlueHost!

Update 3: Thanks to Garrett Gee for walking me through some minor code changes to fix the search.php function in the blog’s template.[end updates, no, really this time]

I like MCWResearch; I’ve been following the site for quite a while. But the truth is, I really don’t know for certain who’s behind the curtain and the site’s pretty obviously been compromised. I’m barely willing to open the page, let alone use the contact page that requires me to trust a script, so I don’t know how to get in contact with them. If anyone knows the guys behind the site, give them a call and let them know someone’s taken over their site and is using it for spam postings. And don’t click on any of their links in the mean time.

4 responses so far

Mar 21 2008

Apple upgrading Safari, even where it’s not installed

Published by under Apple/Mac

Yesterday a friend of mine posted in a chat room “Hey, why’s Safari upgrading? I don’t even have Safari installed.” Most of us figured it had been installed alongside Quicktime or iTunes and let it go. But it turns out that wasn’t the case; in a bid to increase Safari’s marketshare, Apple is pushing out Safari to anyone and everyone who’s got Apple Software Update on their computer. And that means all Mac’s (obviously) and anyone who’s ever installed Quicktime or iTunes. If you’ve got an iPod, you’ve probably installed iTunes, despite your better judgment.

I wouldn’t go as far as to call this evil, but it’s definitely a questionable tactic on Apple’s part. Most users aren’t going to know Safari from the Sound Recorder in Windows, and they’ll just download it because it’s from Apple. They’ll probably never fire it up, but Apple will be able claim a big increase in the number of Safari installations. I’d say this ranks pretty high on the list of questionable business practices.

I have iTunes installed on my PC, but the Apple Software Update service is set to manual, since I want to be in control of my upgrades, not Apple. Most people should have it running, since patching is not something the average user ever willingly thinks about, let alone does. But the way Apple is abusing this service is reminds me of the tactics malware writers use to get their software on your computer; promise one thing and then load a number of other programs onto your computer when you’re not looking. Is this really the type of reputation Apple wants to garner?

Update:  Here’s Andy’s own take on the Apple Safari “upgrade”.

6 responses so far

Mar 20 2008

The Good, the bad and the ugly: WordPress, Scribefire and Wireshark

As a security professional, I have a number of things I consider bad habits. One of these is that I let Firefox remember many of my passwords for me, at least when it comes to my low security sites. And for better or for worse I consider the blog one of the low risk sites, therefore I let Firefox keep the password for me and just know that I can log in with a click of the button. Until tonight that is; I upgraded to Firefox 3 beta 4 and for whatever reason, it lost the password to the blog.

At first, I didn’t think this was a big deal; after all I was pretty sure I remembered the password. But after trying the password I thought it was and half a dozen of my other passwords I use on low risk sites, none of them worked. I figured that was not a big deal either, since I could just use the reset password function to … well, reset my password. But that module told me I had a valid account name but an invalid e-mail address. This made me panic a little because I know that I sometimes get a little tricky with my email addresses and add a few descriptive characters then redirect to my active email address once the email hits my mail server. None of the standard email addresses worked, neither did some of the non-standards, and eventually I exceeded the allowed attempts.

That’s when I remembered the one other place I knew I had the password stored, Scribefire. I have been using Scribefire in one form or another for several years now, and in fact I’m writing this posting in it. It’s a great tool for WYSIWIG editing and life would be harder without it. One of the things they’ve done right is to make sure that you can’t recover the user name or password from inside Scribefire, a security measure I appreciate. Or usually appreciate, that is.

That’s when I remembered that for all the things WordPress does right, the login is done over plain vanilla http. There’s no encryption, no use of SSL, nothing. And since Scribefire has to log into WordPress to do some of the magic it does, that means the user name and password would be flowing across the ethernet cable in plain text. I had an older version of Ethereal, now Wireshark, on my system, fired that up, played with Scribefire for a couple of moments and examined the capture. Sure as snot, there was my user name and password, plain as day. Turns out I’d had the proper password, but I’d forgotten a character that’s supposed to capitalized in the user name. D’ooh.

The real lesson here is not that you shouldn’t rely on your browser to remember your password. Okay, that is a lesson, but it’s not the real lesson. The real lesson is that all too often, our passwords, user names and other sensitive information is flowing across the network unencrypted. It’s open for anyone with a little bit of curiosity. They just need one of the first tools any aspiring security pro or hacker learns to use, a sniffer. In properly switched and segmented networks, this may not be a problem, but there are probably more poorly setup networks than properly configured ones. And I don’t want to rely on the work of a network administrator I don’t know to keep me safe, I want my programs to do it themselves. I’m currently looking at Login Encrypt as a WordPress plugin to solve the problem, but I’m going to keep looking before I bite on this one. But this only solves the problem in WordPress; what about all of the other sites I use that allow unencrypted login?

3 responses so far

Mar 19 2008

Sequoia voting machines can’t do simple addition

Published by under Government

It’s no secret that I’ve never been a big fan of electronic voting machines. The fact that none of the manufacturers have been anything approaching transparent in how these machines can be audited and verified is just one of the many issues with them. Now it appears that the Sequaia machines that were used in the New Jersey primary elections can’t even do simple addition. 1+13+40+3+4=61 as Ed Felten points out. This isn’t higher math, it’s simple addition my six-year-old can do.

And to add insult to injury, Sequoia’s legal council is threatening to sue Professor Felten if he releases any information he gains by looking at Sequoia’s machines. Citing things like trade secrets and licensing agreements, the hope is that the Prof will buckle under rather than show how poorly designed Sequoia’s e-voting machines are. This guy must not have done much research, otherwise he’d know that this tact would never work and will in fact evoke the Streisand Effect as bloggers around the country get the story into their hot little hands.

We can’t let something as important as our voting infrastructure be a ‘trade secret’. It’s not just Sequoia, Diebold and other e-voting machine manufacturers have all had their fair share of mistakes over the years. The whole process these companies go through to create the voting machines is deeply flawed and the security and integrity of the process is an afterthought, if it’s even being thought of at all. No number of lawsuits is going to fix that.

Here’s a humorous little video concerning how insecure these machines really are.


Diebold Accidentally Leaks Results Of 2008 Election Early

4 responses so far

Mar 18 2008

Network Security Podcast, Episode 98

Published by under Podcast

The countdown to episode 100 continues! Tonight Rich and I were joined by one of the main organizers of this years RSA Security Bloggers Meetup, none other than the Mediaphyter herself, Jennifer Leggio. She and Rich were at SOURCE Boston last week and I was able to follow at least some of their exploits via twitter. This whole social media thing is starting to take on a life of it’s own and it seems that security professionals are a disproportionately large part of it. I’m looking forward to seeing both Jennifer and Rich again at RSA and you’ll be able to see it yourself, seeing as we plan on having a live video stream from the Meetup.

Show Notes

[display_podcast]

Network Security Podcast, Episode 98, March 18, 2008

No responses yet

Mar 18 2008

Hannaford Brothers hacked, but there’s a silver lining

Published by under Hacking,PCI

A grocery store chain of about 1500 stores, Hannaford Brothers and Sweetbay, reported on February 27th that they’d been compromised and 4.2 million credit card and debit card numbers had been stolen. While the details in the InfoWorld article are scarce, one interesting factor of this compromise is that the card data was stolen in the authorization phase of the process. This means the attackers either compromised a border system responsible for the authorization or they compromised the network itself and were able to capture authorization traffic directly. These are the only two places credit card data should be appearing unencrypted.

There has been some identity theft associated with this compromise, but here’s the silver lining: Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses. This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name your teacher in first grade. Well, maybe not the last one, but they would have a record of every embarrassing purchase you’ve ever made. The downside to this lack of association between card numbers and cardholder names is that they have no way of knowing who should be contacted in the breach. I’m not sure if that will absolve them of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either.

I’m glad to hear that at least one company has disassociated the data in this way, making it harder on the attackers. I can only assume that this is because the chain is owned by a Belgium company; the European laws concerning privacy and the data collected on customers is much stricter than anything we have in the US. What I’ve chosen to view as a bit of forward thinking by an American grocery chain may be nothing more than an attempt meet with European Union laws. In either case, it’s to the benefit of Hannaford Brothers’ and Sweetbay’s customers.

6 responses so far

Next »