Archive for the 'Uncategorized' Category

Mar 25 2007

Shmoocon 2007 is over


I’m more than a little sad Shmoocon ’07 is over.  I haven’t had this much fun at an event in quite a while, excluding the Security Blogger Meetup at RSA.  Then again, the meetup was one night of fun, while this was 2.5 very full days of learning, meeting people and just hanging out.  There was a little partying too, but the fact that I’m from California helped a lot, since my body is still on Pacific time.  The fact I’m also old enough to know how to drink in moderation also placed me in a far better position than many of my fellow attendees both Saturday and Sunday mornings.  The fact that I was there representing Cobia and StillSecure also helped keep me out of trouble.

I have a lot to learn about traveling.  I hadn’t realized that Shmoocon started at 15:30 Friday afternoon and I traveled on Friday rather than Thursday night.  I missed most of Friday’s events, and almost missed Avi Rubin’s keynote address.  I have a lot of respect for Avi and the work he’s done, so I made up for arriving late by getting to meet him in person.  I’m not at all shy about just walking up to someone and introducing myself, which is exactly what I did.  With just a little luck, I’ll get a chance to get him on the podcast some day in the near future.

After the talk, I happened to run into Simple Nomad and tagged along to the hotel bar to meet a large contingent of attendees.  It’s a darn good thing I did, because after we’d been there for about 30 minutes, he asked me when we were going to the bloggers meetup.  I’d missed the timing on that and thought it was Saturday night.  I would have been in deep trouble if I hadn’t shown up, since as StillSecure’s representative I was picking up part of the bill for the event.  With a little help from Simple Nomad, I found the place it was being held in time and was able to uphold my part of the bargain.  I don’t know the exact number of bloggers, podcasters and readers/listeners, but I’d say a conservative estimate was 30-40 people.  Mubix did an excellent job of organizing the meetup, though once the majority of the folks left to go to a not-so-nearby bar, things got a lot more chaotic.  I finally got to meet Paul and Larry from PaulDotCom, the entire crew from Hak.5, Gene from SecThis, Obie and Brent from Cyberspeak as well as a whole host of readers/listeners.  Thanks again, Mubix.

Saturday morning I went to see Simple Nomad speak.  He’d apparently got a few hours of sleep after the night’s festivities and looked a lot more alert than most of his audience.  His talk was on a laundry list of topics, including some references to a talk he’d given last year on wireless cards in ad hoc mode at airports.  I think this was in the press again earlier this year, talking about how Windows systems will try to connect to an ad hoc network that has the same name as a legit network.  Let’s just say you’re probably better off connecting with EVDO or waiting until you get where you’re going rather than trusting any of the networks at the airport.

Next I went to G. Mark Hardy’s talk, A Hacker Looks at 50.  Mark talked about his long and exciting career, from high school in the early 70s through starting his own business.  The room was packed, and I think this was probably one of the talks most of the hackers at the event really needed to hear.  His point was that he’d never seen a group with such a disparity between IQ and income as he’d seen in hackers, and most of it was due to having vision and goals.  He encouraged everyone in the room to figure out what their own goals are, write them down and start working towards them.  I met Shava Narad from Tor (remember the interview?) face to face at Mark’s talk, but unluckily wasn’t able to catch up to her again during the show.

I felt a little guilty for following Simple Nomad again, but I ended up having lunch with him, G. Mark Hardy, Jason Scott, Mubix and, of all people, Kevin Mitnick, as well as a few others I don’t know.  I had meant to go to Richard Bejtlich’s talk after lunch, but when I weighed his presentation against talking with these folks, I have to say Richard unluckily came in second and I stuck around to talk.  I barely got to say more than “Hello” to Kevin, but the conversation between Mark, Jason, Mubix, Simple and me more than made up for it.  I wanted to ask Kevin for an interview for the podcast or for Podtech, but he was already being harassed at the event and I didn’t want to add to it.

The rest of Saturday is a little bit of a blur, since I spent it talking on Cyberspeak, doing a video interview with Brent and Obie, and then participating in the PaulDotCom podcast.  I had a blast, but I would highly suggest no one ever sit next to Nick (aka Twitchy) after he’s started sipping Mountain Dew.  There were also a few interesting games of dodge ball with Shmooballs on the showroom floor, but the bloodshed and property damage was kept to a minimum.  I didn’t do too badly for being at least 5 years older than anyone else playing, but I was hot and sweaty at the end.

This morning I went to a talk on home grown and badly implemented crypto, which was interesting, but not really my specialty.  Afterwards I stuck around for Major Malfunction’s talk on cloning RFID tags and ended up being part of the talk.  If you watch the video, when it comes out, you can see my back while I hold the wires on a 9 volt battery since the leads had broken.  I also helped by holding a webcam to an RFID reader so the audience could see the readout.  Oh yeah, I’m technical.

The last talk I went to was about the One Laptop Per Child project, with Ivan Krstic, Sean Coyne, Jason Scott and Scott Roberts.  Ivan talked about Bitfrost and the steps OLPC is taking to prevent the misuse of the laptops, while the other three talked about all of the possible disaster scenarios it could lead to.  I should have a short video interview with Jason and Sean up later this week.

The closing remarks were a lot of fun, with Shmooballs flying all over the place and a lot of giveaways.  I managed to pick up a couple more balls, a titanium fork and small tripod, though the tripod was the only thing I really ‘needed’.  My wife will probably make me throw everything but the tripod away fairly quickly after I get home.

Shmoocon is nowhere near as serious an event as things like RSA.  Everyone I met was happy to be there and really seemed to enjoy being with other people.  If I can make it next year, I will, and you can be sure I’ll do my best to make sure I can.  I met more fun, interesting, exciting people at Shmoocon than I thought possible.  Now I have to go sleep, in order to make my 6:30 flight for Boston.  I hope I’ll get a chance to catch up with a listener, Jack Daniels, while there.  And yes, that is his real name, not a nickname.


Mar 20 2007

Maynor and Ellch’s side of the story


Remember last year when David Maynor and Jon Ellch were accused of falsifying the discovery of a vulnerability in the Apple WiFi drivers?  It was a messy little affair that ended in a gag order leaving the two researchers unable to defend themselves for 6 months.  George Ou provides his own perspective, including an interesting email from the Apple PR torpedo herself, Lynn Fox.

This event was poorly handled and probably created more negative press for Apple than if they’d just ignored the entire issue.  But that’s not Apple’s way as far as I can see; attack and deny seems much more their style.  They should know by now that anything in electronic format is at risk of making it into the Blogosphere.  George also points out the vulnerabilities that don’t exist were recently patched, amongst a relative flurry of vulnerability fixes.

I think a lot of people in the industry and who went to Black Hat suspected Apple’s story from the beginning.  While I don’t know any of the players in the story by more than a vague reputation, several of the bloggers I trust and respect spoke in favor of Maynor and Ellch.  Between that and other kerfuffles at previous Black Hats, Apple’s story had serious weaknesses from the beginning.

I’m glad George could speak out on Maynor and Ellch’s behalf.  I hope this is remembered as another PR mistake by Apple rather than an attempt by two security researchers to fake a vulnerability.


Mar 19 2007

X-box Live servers pwned?


I read this on one of the more obscure mailing lists I’m on.  Did Microsoft’s X-box Live network get compromised?  I haven’t seen any details on the incident other than this posting, so I don’t know.  If they did compromise the Bungie servers, I wonder how.

I don’t have an X-box or an X-box Live account, so I don’t even have a valid reason to call into Microsoft to find out, but I do know someone occasionally tries to change my password on my City of Heroes account.  If it’s worth going after City of Heroes, it’s got to be worth going after Microsoft’s servers.  The X-box Live audience has to be at least ten times the size of CoH’s.

What can you do with an X-box account, other than deleting people’s characters?  What are the capabilities of these accounts?  Are people paying for the usage of their accounts, or is there another way to take some value from them?  I know nothing about it, so if someone wants to fill me in, I’d love to know more.

Edit:  I’m not hearing anything more about this, so it was probably a false alarm.


Jan 25 2007

GoDaddy takedown without notice


It takes a bit of balls, and absolutely no brains, to take down SecList.org with almost no warning to the owner, Fyodor.  But that’s apparently exactly what the folks at GoDaddy did earlier today.  I’ve been reading different lists on SecList since before I worked in security, and Fyodor’s was one of the very first names I ever heard associated with the term ‘security researcher’.  There’s this little program you might have used before, called Nmap, and he’s the one who wrote it.  Not exactly an unheard-of figure in the security sphere.

So why did GoDaddy do this?  Because MySpace asked them to.  There was a large list of MySpace user accounts and passwords that was posted to a list hosted on SecList, but taking down the entire domain to get one list is completely excessive.  Especially since the list had been out for 9 days and is easily found elsewhere with a couple of simple Google searches.  Of course, you can’t issue takedown orders against all those versions of the list on the Internet, so why don’t you take down the mailing list that’s guaranteed to get the list the greatest publicity possible.  Way to keep it quiet, MySpace.

I almost wish I had an account with GoDaddy so I could cancel it.  I’d never touch MySpace with a 10′ ethernet cable, so nothing to cancel there either.


Jan 22 2007

Maybe I should have shaved?


I got the award for the best t-shirt at photowalking yesterday for wearing my Zooomr shirt.  Now Alan Shimel and Michael Farnum have something to work with if they’re feeling creative. :-)

In case I didn’t mention it before, the train museum was a great place to go and the kids loved it.  I’ve been told several times we’re going back in the future.


Jan 22 2007

I can’t wait to listen to the latest Silver Bullet Podcast


If I didn’t have to go into a meeting in a few minutes, I’d sit down and listen to episode 10 of the Silver Bullet podcast.  I’ve interviewed Gary McGraw and Matt Bishop and would like to interview most of the other people on Fortify’s advisory board in the future.  I wonder how many of them will be at RSA?  I imagine Marcus Ranum will be there, but I don’t know about the rest.

That reminds me, now that the new year is here, I need to start organizing some new interviews.  Anyone you’d really like to hear from?


Jan 18 2007

Catalyst Community launched


Michael Santarcangelo has launched the Catalyst Community forums.  These forums are for security professionals to peruse and use, but there will be a number of members of the security blogging community hanging around in there from time to time.  I know Michael will be there, I’ll review the forums as time allows, and AndyITguy and Michael Farnum will be around, just to mention a few of the names.

I have no plans to host my own forum, so this is where I’ll be spending my forum time.  This forum is meant as a place to ask questions and get answers.  The community is off to a good start, but could use a few more security people to join the conversation.

Edit:  The standard naming convention is going to be firstname.lastname.  If you don’t want to disclose that information, you’ll probably still be given an account, as long as the information is in the application some place.  Anonymity is not an expectation for this forum.


Jan 08 2007

Why the GSNA?


Purpleslog asks:

May I ask why the GSNA as opposed to the GCIG or GCIA or something else?
I have been thinking about it too, and would appreciate any thoughts or observations you have.
Also, did you just take the exam, take an at-home version of the class,
or did you take an in-person version of the class? Thanks.

In case you’re not fluent in ‘acronym’, GSNA is GIAC Systems and Network Auditor, GCIA is GIAC Certified Intrusion Analyst, GCIH is GIAC Certified Incident Handler and GIAC is Global Information Assurance Certification.  At least I think Purpleslog meant GCIH :-)

I took the GSNA courses in Redondo Beach, CA at the end of September.  Our company knew we had to have penetration tests and auditing done, and at least some of the requirements could be met by audits from internal resources.  I have friends in the pen testing community, but even a low end pen test can cost many thousands of dollars.  I pitched it to my boss and hence upper management that it would be cheaper to send two people from the company to training for a week than it would to have two pen tests run against the company or a site we manage.

I had an ulterior motive though: I’d spent months trying to get my co-workers to understand why I thought so many of the ways the company was doing things were insecure, and they thought I was overreacting.  No matter what I said or did, they thought I was just the paranoid security guy, and my own IT department made it hard to do my job.  By taking one of my fellow managers with me on this training, not only did I help him by prying much needed training funds from management, I also opened his eyes to many of the things I’d been saying for months.  It’s one thing when a co-worker tells you you’re doing things insecurely; it’s another when your teacher explains some of the most insecure situations she’s run into and you realize you’re all of those rolled into one company.  After that week he became one of my strongest allies in the battle to secure the network.

We took the week long training course, and I’d do it again in a heartbeat.  This wasn’t about getting a certificate; that just happened to be a nice side benefit.  The training itself was the draw for me, and especially for my co-worker.  I wanted both of us to be able to sit down in a class and concentrate on learning from someone, rather than trying to read from a book between emergencies.  I love to have books available for reference material, but for real learning I prefer to have a person to talk to and ask questions.  I draw on their experience in real world situations.

So the short answer is that I took the GSNA because it met with the company’s business needs.  I took the in-person class because it gave me an opportunity to learn from someone who’d been there, multiple times. I’d love to take the GCIH or GCIA if I had the money and time to spare, but I don’t.  The one mistake I made as far as this cert goes was waiting so long to take the tests; I should have taken them within a month of taking the class, while the information was still fresh in my mind.  I will say the practice tests that you get as part of the package are probably what saved me; I was able to use those questions to re-familiarize myself with the subject matter.

When I passed my CISSP, it was after over six months of hard studying.  When I took the CCNA exam, it was after two semesters of official courses at the local junior college, which included a lot of hands on work.  Of the two, I’d prefer to do the instructor led courses again.  I like the combination of reading, discussion and hands on for real learning.  Anyone can pass a test after cramming in information.  The true value of earning a certificate is how much of that information you can retain once you’ve passed the test.


Oct 31 2006

Happy Halloween!


I don’t know about you, but I have two little superheroes that can’t wait for tonight!  And just in case you don’t recognize them, they’re Dash and Superman.  And me, I’m just an imp, minor creator of mischief.  Or someone who was too lazy to create a real costume.


Sep 16 2006

Cory Doctorow rips into Amazon Unbox


I’ve never been a fan of DRM and Amazon Unbox sounds like the worst aspects of all previous DRM schemes rolled into a single bundle.  Cory Doctorow, former EFF lawyer, takes the time to go through the Unbox EULA one paragraph at a time, and he’s pissed!  From what I’ve read, only install Unbox if you’re willing to give up your system, your privacy and your money.  And not get much in return.

My biggest fear is that this is a plan by the movie industry to desensitize the public.  If the next DRM scheme some company puts out is only half as restrictive as this one is, people might be willing to accept it.  My only comfort is that the movie industry is not well known for thinking that far ahead and that logically.
