Jul 26, 2009
Both Black Hat and Defcon are incredibly hectic and for the most part unplanned. I have a few interviews that I’ve arranged and a lot of parties, but most of my time is unstructured specifically so I can catch whichever talk is sounding hot this year or catch an interview with someone I happen to run into in the press room or hallways. There’s also Security Bsides, which I have to attend (because I want to, not because someone’s forcing me). There’s only one event I’m attending that I know I’ll be at from beginning to end: The Second Annual Podcasters Meetup @Defcon. I’ll be showing up there for the entire show. I’m sort of essential, or at least some of my technology is; we’ll be using my camera again for the streaming video.
If you listen to security podcasts, or even if you don’t, you’re invited to come to the event. I have it on good authority that there are some cool prizes that are being given out at the event, though I’ve unluckily been told I’m not eligible to win anything. Which is especially annoying, since they’re giving away a USB Monitor among other things, something I really need in order to meet with my goal of becoming a digital nomad.
I’ll be roaming around Black Hat starting Wednesday around 11am, Rich will be working, and our special guest host, Zach Lanier, will be working with us to get even more interviews than ever before. We’ll be doing our best to record and post our interviews as close to real time as we can, so if you can’t be there, at least listen to the podcast. If there’s someone you really want Rich, Zach or me to interview, leave a comment, drop me an email or give me a call. If you can’t find my cell phone number, it’s probably better you didn’t go to Black Hat and Defcon anyway.
PS. Don’t forget to use the #BlackHat and #Defcon hash tags in Twitter!
Jul 25, 2009
I’m sitting down to nurse a cup of coffee this morning. Had friends over last night, a fair amount of drinking ensued, lots of male bonding through bad jokes and some rousing games of Alhambra and Saint Petersburg. This is my idea of a good Friday night with friends, which worries me a little, since it makes me sound and feel like a middle-aged geek. Which I have to say is a pretty good description. I guess I’ll have to overcompensate at Black Hat and Defcon next week. In the meantime, here are some of the stories from this week that are clogging up my Firefox tabs.
- Adobe issues security advisory for Flash zero-day flaw – Rumor has it that Adobe has known about this flaw for over seven months.
- Help for internal auditors on PCI Compliance – Some of these points are going to help me as the assessor as well. But more of them should be part of your security processes whether you’re trying to be PCI compliant or simply secure.
- Extending the concept: A security API for Cloud Stacks – Chris Hoff posted this concept last night and caused quite a brouhaha. The basic idea is that the commonality of the various compliance structures should be built into a security control model that’s used to build Cloud infrastructure in a testable, open architecture. Very interesting concept, I want to see how Chris develops it going forward.
- Vulnerability scanning and Clouds: an attempt to move the dialog on – This is the post that kickstarted Hoff’s thinking for the previous article. Lack of vulnerability scanning is just one of the reasons that cloud computing gives compliance officers fits.
- The growing threat to business banking online – Somewhere in the last couple of years the Internet has gone from being the Wild West to the streets of Chicago in the 1920s. The bad guys have become incredibly well organized and you’re taking your digital health in your own hands every time you go online. Businesses and local governments are increasingly becoming targets. After all, “That’s where the money is.”
- Mind games: How social engineers win your confidence – Scams and grifting are as old as humanity, probably older if you want to consider some of the examples you can find in the animal kingdom. And they stick around because once you’ve mastered the basic principles, it’s relatively easy to get what you want out of the majority of people and situations. The best defense is to be educated and be able to recognize some of the clues that you’re being socially engineered without having to consciously think about it.
- Network Solutions hack compromises 573,000 credit, debit accounts – Good job NS, you allowed code to be installed on a compromised system and gave up over half a million records, mainly of mom and pop stores. I hope you do a better job protecting our domain names.
Just added – Matasano site compromised. I couldn’t fault them too much for falling to a zero day, except for the fact that they’re a research firm that should be finding these things on other people’s sites, not their own.
Jul 23, 2009
It’s coming up all too quickly! Black Hat, Defcon and Security BSides! Okay, if you’ve been in security for any length of time, you know what BH & DC are, but you may not have heard of Security BSides before. Basically it’s an ‘unconference’, a user-organized conference that will be providing an alternative for some of the talks that either weren’t accepted by Black Hat or were never submitted in the first place. It’ll be a small conference running side by side with Black Hat, but it’s not meant to compete, it’s meant to supplement BH. The crowd will be relatively small and you have to sign up on the wiki beforehand if you’re going to show up, but it’s going to be a heck of a fun event.
If you’ve never been to an unconference before, they’re a little different from your usual conference going experience. The biggest thing is that audience participation in the talks is not only encouraged, it’s necessary to make the conference successful. The people speaking will all be experts in our field, but they have as much to learn from the experience of presenting here as the audience does. One person’s experience is great, but the ideas that are pulled from the crowd are often just as valuable as the ideas the presenters are offering.
Last, but certainly not least, think about attending the Feathers Will Fly Panel and the Secxy Pillow Fight to benefit the EFF if you can’t make it to any other part of BSides. Erin Jacobs, Stacy Thayer, Jennifer Jabbusch and a number of other female security professionals are going to talk about the image of female security professionals and probably embarrass themselves along the way. This will be a fun panel and a fun event, aimed at lampooning some of the images we have of female security professionals.
Jul 21, 2009
Did we mention Black Hat? That’s right, this is our last episode before Rich and I are on site in Vegas for the big event. We cover a few of this week’s news items before moving to Martin’s interview with Jibran Ilyas of the Trustwave SpiderLabs team, who will be presenting the Malware Freakshow at Defcon on Saturday.

Network Security Podcast, Episode 159
Time: 39:22
Show Notes:
Jul 20, 2009
Life has been crazy busy lately, between recovering from the FIRST conference, preparing for Black Hat and Defcon, camping with the Cub Scouts and this little thing called work. For most of the last two weeks I’ve been running from task to task with barely a few minutes between and my blogging has suffered greatly as a result. I wish I could say it was all going to slow down, but the reality of it is, I don’t see any end to my hectic schedule for at least a month. The good thing is that there will be more FIRST podcasts coming out, a slew of Black Hat and Defcon interviews and then maybe a little bit of a rest from the podcast point of view at least. Speaking of which, I have to find the time for another pre-Black Hat interview tonight.
First off this morning, three stories about PCI:
If you own a pair of budding geek kids like I do, you’ll want to check out the following pair of high-level programming languages your kids can use to create their own games:
- Scratch – From MIT, my son was referred to this site by one of his teachers. He and his brother have spent countless hours animating stick figures and making them say things that weren’t always appropriate. Scratch is free and has an active community.
- Kodu – Another security professional with a geek kid suggested this one to me last week. One of the things I like about it is that it’s playable on the Xbox 360. There is a trial version and a full version, but the full version is only $4 through Xbox Marketplace. We haven’t tried this one yet.
- Hello World – A Slashdot review of a book on computer programming for kids (and other beginners). The book uses Python and I’m tempted to get them a copy just to see what they’d do with it. Would they take it and become budding hackers or would the book become shelfware?
Finally, some miscellaneous stories about vulnerabilities, the Twitter compromise and something to feed my own paranoia:
Jul 15, 2009
The bulk of this episode is an interview I did with Steve Ocepek, one of my Trustwave coworkers who is presenting at Black Hat this year. But before we get to the interview, we do spend a little time talking about some of this week’s security headlines. And if you are attending Black Hat, don’t forget to look us up.

Network Security Podcast, Episode 158
Time: 45:35
Show Notes:
Jul 11, 2009
Some encounters are almost too strange to believe. That doesn’t make them any less real.
I was walking down the street in San Francisco at lunchtime Friday afternoon. As I came up to a busy street corner I saw a paper grocery bag sitting on a bench with no one around it. I walked up to the bag and peeked in to find three external hard drives, one Maxtor and two brands I didn’t recognize. The drives looked like they were either well used or the product of a dumpster dive. I knocked on the door of the one business nearby, but no one answered. After a few minutes someone came out who worked in the building; he said there’d been a break-in recently but that he didn’t know anything about the drives. I tried to call Rich for advice, but he was busy, so I decided I’d finish my walk to lunch and think on the situation for a little while.
One burrito later, I walked up on the scene again. This time a homeless man in dirty, ripped slacks was surveying the bag of hard drives. He looked around much like I had done thirty minutes earlier, then scuttled up to the bag and pulled out one of the external hard drives. After sniffing it for a second, he licked one side of the drive and put it back in the bag. He then ran over to a parking meter and licked it, licked the taillights on both sides of an SUV and vanished from my sight behind the car.
I lost any interest in the hard drives at that point. That takes mom’s caution of “you don’t know where that’s been” to a whole new level.
Saliva incident aside, what would you do if you found a bag of hard drives in a park or public place? Calling 911 didn’t seem appropriate, though there is a slim possibility of explosives. Taking the drives home and performing some forensics research on them crossed my mind; I have the technology if not much skill in the area. I tried to turn them in to the business, but there was no one there. I guess the gentleman with the inquisitive taste buds saved me from a moral dilemma.
What would you have done?