[updated/edited] As a B-Sides sponsor, we’re rather concerned about the post from attrition regarding B-Sides, but we’re certainly glad it came out. We are pulling our, admittedly limited, sponsorship of local B-Sides events until such time as the matter is resolved to public satisfaction, or the entity known as B-Sides is provided with adequate management. We will continue to support local events with time and money, even ones with a B-Sides logo, but will do so only through direct funding. To that end, and to ensure B-Sides DE carries on, we’re committing $500 to the next B-Sides DE event.

Here’s hoping for speedy resolution to this situation.

Adding centralized controls for corporate browser settings and locking down security settings to increase security is a great idea, as opposed to letting users do whatever they please. It shows attention and diligence.

However, doing so while still permitting lax passwords and not alerting on security failures demonstrates a distinct lack of focus. Fine-detail settings in the browser won’t help your organization if a bad guy can roll up on your Internet presences and run THC-Hydra with impunity.

Your internal controls don’t amount to much protection if your external controls are stuck in the 1980s. Failure to fix the obvious is an invitation to being hacked.

Don’t forget about the simple stuff, and have your systems tested by people that will do more than just point a vulnerability scanner at the address space. Use some sense and focus on what’s going to be most effective, not what was in the news last week.

One of our clients received a check from a financial institution in the mail last week, a check they weren’t expecting. Given that they don’t even do business with the company whose check it was, they were quite aware that some mistake had been made. They contacted the company and found out that they weren’t the only stranger getting a hefty check in the mail. At least a dozen checks had been received, and several cashed. The company had suffered some sort of breach and lost banking information, checks, and their FedEx account codes. Not only were they dealing with the fraudulent checks, they had to pick up the bill for the overnight shipping.

Ironically, my client had, just one week prior, received an email regarding an item they posted on Craigslist. The “buyer” stated he would send a check to cover the item and the shipping plus a little extra just in case, and my client was to send whatever was left after all the shipping and packaging back to the buyer.

Luckily, our customer was educated (we offer seminars) about various fraudulent schemes and called us after the first incident. We had them send a stock response to the mystery buyer that discourages further contact.

Then this check showed up at their office. It could be coincidence.

What’s not coincidence is the use of a fraudulent Craigslist transaction to locate targets for fraudulent schemes. It’s not Craigslist’s fault; this happens with every public forum, like eBay, Gunbroker, chat channels, bulletin boards, and mailing lists. Before the Internet and computing, it was classified ads in newspapers.

It’s been said often enough: the Internet makes everything faster and more efficient, especially crime.

Should you receive an unexpected check, contact the company in question. Even if they sound convincing on the phone, there’s no guarantee that the person you’re talking to is actually attached to the bank account. It’s just a string of numbers; there could be anyone’s name printed at the top of the check. Contact your local FBI office and report the situation.

Here’s one that may be a first: calling cell-phone users about their overdue bills and extracting credit card info, bank account info, personal information, or some combination of these. You get a call about your overdue bill. If you blindly proceed to pay, the scam is simple enough, but what if you know it’s been paid? Then they drag you through a series of question-and-answer checks that will (they hope) get you to confirm (reveal) credit card or bank account information. Both options also allow for obtaining other information, such as passwords, through verbal manipulation.

So be careful and spread the word.

Should organizations require and validate a government-issued form of identification before granting network access? It’s easy enough to do. It costs a bit for the comparison books and an hour of training, but it will catch the majority of bad identification. Of course, what to do with it after you’ve caught it…

But how much bad identification, as opposed to high quality forgeries, is seen in any business? No data.

More importantly, as has been pointed out by some bright people in the industry, the secretary is not a security guard, and the security guard is not a security professional. Some small percentage of false identification is going to result in violence. Better the guard than the HR representative.

Regardless of who does the checking, nobody outside the government without a Treasury Department background is going to catch the good forgeries. So we can at best reduce the risk, but not eliminate it.

Given the possibility of violent confrontations, would a business be better served by a validation after the fact? It depends on the business, but in general, giving network access to the bad guys for any amount of time is a bad idea.

How do you test effectiveness when the mere act of copying a form of identification can be a Federal crime?

It makes perfect sense, wanting to identify persons with access to the network, but the process does not make perfect sense. In the meantime, businesses will go on accepting fake identification and getting taken by fake ID holders.

Are you tired of news outlets, official, mainstream, counterculture, blogosphere, or militant (did I miss any?) spouting nonsense about hackers and security in general?  While they’ll likely never get the moniker “hacker” used precisely right, we can at least hold them accountable for the crap they peddle as “news” about “hackers”.

Let’s start with foreign government “hackers”. If a government-sponsored agent is attempting to break into a foreign government computer system, they are “hacking”, but they are not “hackers”. They are espionage agents. Criminals in one country, patriots in another. Some portion of foreign activity is state sponsored, and hence is not hackers. Could we argue that these official or unofficial subcontractors in hostile security are in fact “hackers”? Sure, but then how do we differentiate the regular hackers, the non-government-sponsored bunch? We’d need to start classifying them all as State Sponsored Hackers or Non-State Sponsored Hackers, with further breakdowns for official and unofficial. It’s easier just to call them agents, criminals, or spies who are using hacking techniques. But don’t call them hackers, because they’re not. While hackers have a variety of reasons for hacking, state activity is not one of them. It crosses a line. It’s like saying a police agent using Metasploit is a hacker. They’re not. They’re cops. Or police. The FBI does not employ “hackers”; it employs agents and uses subcontractors who use hacking techniques, but who are not hackers. Except maybe on the weekends, but that’s like having a secret identity, and if they get caught, they lose their official jobs.

Now let’s look at the idiocy that is numerical misuse. To state that Company X is attacked 600,000 times a day is like saying that my internal-combustion-driven automobile explodes 20,000 times on my way to work. You reporters and bloggers peddling this plotz are IDIOTS. We mostly knew that already, but this is low-hanging evidence that you’ll spew just about anything to fill space or drive revenue, regardless of sensibility. You’re terrible at the job of reporting and wouldn’t know a fact check if it ran up and bit you on the nose. Using the logic that produced “600,000 times a day”, we can look at almost ANY WEBSITE ON THE ‘NET and find similar figures. So why didn’t you report that? Because Company X will drive more traffic, or is more impressive, or is what one person was truly interested in, and the rest of the blogosphere just gobbled it up and reprinted it to fill their pockets.

And by the way, 600,000 illicit access attempts a day is lightweight given the size of that particular company and its profile. A better story would have started with “Why does Company X only get 600,000 attempts at password breaking each day?” when comparable sites can be hit millions of times in one day. That’s news: them not getting attacked more often. Finding out they get attacked is not news. Thinking that it is a high amount is not news; it’s just an indicator of the condition (IDIOCY, in case you forgot). Checking on norms and numbers and arriving at a startling realization that is backed up with facts, now that is news worth printing. And plagiarizing.

So instead of just spewing drivel, make a decision. Either get out of the IDIOCY business you’re in or start doing some meaningful reporting. And this is copyrighted 2011 Digital Trust, LLC, in case you forgot.


As with all new technologies, cell phones continue to create ripples in the legal landscape.  Here’s a smattering of information on the subject:

  • A California law is in force by default.  More on the spineless veto by Governor Jerry Brown, with more here.
  • One in Michigan, completely in the realm of Big Brother.
  • And one in Oregon, of all places, usually a bastion of civil liberties.

It is this company’s patriotic opinion (not legal opinion; we are not lawyers) that searching a cell phone without a warrant, probable cause, or imminent threat is decidedly unconstitutional. What next, invasion of our computers via police-state rootkits? Cell phone content is clearly not “in plain sight” given the need for special equipment to turn it into evidence. Write your legislators and fight for your right to privacy.

Thanks to JohnC for tracking this down.

We talk a lot about layered security, but what about its nemesis, layered stupidity? That’s when you see badness at so many levels in a business structure that there really is no point in testing or evaluating security, because until change happens, they’re like a bank with no locks, guards, or cameras.

So there’s this company, who shall remain nameless…

First layer, basic security. People have got to do the simple stuff, and at least make an attempt at the SANS Top 20. If your security neglects even the simplest checks, you well deserve your fate. Why was nobody in the company howling about this when hacking is in the news every single day?

The second layer in the cake is outsourced infrastructure and security. The hosting / security provider responsible somehow managed to run a regulated security business with no log file retention. How can a security company not keep log files? It’s so fundamental that the absence is absurd.

Layer three is the auditors.  Both of these companies, the provider and the client, are subject to regulatory security requirements.  Both of these companies are required to utilize outside security auditing, so what went wrong?  Did they hire incompetent auditors creating the perfect hat-trick of stupidity?  Perhaps the auditors noted the deficiencies, and thanks to lax governmental oversight, nobody bothered to fix anything because they knew unless something went wrong, nothing would be done.

Four goes to the board members of both companies, at least one of whom reads a newspaper or watches the news. Did they really think hacking is a golf affliction? Board members are supposed to be wise advisors providing oversight and advice about things like security and regulatory compliance; otherwise, why are they paid to be the board? If you’re a board member anyplace, ask about security and know enough to be able to spot fruit-loopery when you see it.

Lastly, the customers of both companies should have noticed something was amiss. Both have been in business for a fair amount of time and have large client lists, most of whom are also regulated, yet none of them noticed the glaring lack of security at either company.

This, then, is a perfect storm of stupidity.  Every single link in the chain of responsibility is weak or broken.  Every layer of the cake is rotten.

Solutions are so easy.  Hire good people.  Ask questions.  Put some effort into it.  Demand your vendors adhere to security standards at least as rigorously as you do.  Make sure it’s right.  Security isn’t difficult if it’s done right.  It’s a money saver.

Any time a password is obtained during a security review, whether it is simply a default setting or cracked after 8 days of crunching (or anything in between), there are some important things the tester needs to do.

First, notify the client and recommend they force a change of the password. Don’t just have them set it to force a change at next login; specify that they change it and then, if necessary, notify the user. This is because the account may already be compromised, and merely forcing a change at next login may permit a bad guy to continue to access the account.

Second, if you must disclose the passwords to anyone, do so using partial masks. Show only the first two characters or something similar, to disclose as little as possible while still proving you have the password. This is because the password in question might be used for other things, like personal banking, and disclosing the full password could permit third parties to obtain access to accounts other than the one being examined. Judgement is important, since even two characters can be enough to identify a full password.

Above all, never release the passwords and accounts in any transferable format, such as a PDF or as part of the report. Make sure your contracts indicate that the client must change the passwords within a time frame, and be able to show that your practices do not put the account credentials at risk, such as by sharing them with co-workers on a file sharing site. Should anything go wrong, you want to be able to demonstrate that your people are not at fault.

Never retain credentials, and don’t add any of them to your dictionary unless you’ve filtered them closely for any which might indicate origin. Something like “ih8COMPANYX” can indicate origin and may be used by another user at some future date, and if your dictionary ever gets questioned, you might be liable.

As always, check with a lawyer for real legal advice on the contracts and other legal subjects; Digital Trust is not a legal authority.
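The two mechanical parts of that advice, partial masking for the report and filtering client-identifying entries out of the team wordlist, as an added example in Python (not code from the original post or from Digital Trust). The thresholds, the leet-normalization table, the fictional client “Company X” and the recovered sample passwords are all assumptions constructed for the example.

```python
"""Handling recovered credentials: mask before disclosure, and keep anything
that points back at the client out of the shared wordlist. Added example;
VISIBLE_CHARS, MIN_LEN_FOR_PARTIAL and the leet table are assumptions."""
import re

VISIBLE_CHARS = 2          # leading characters a report may show
MIN_LEN_FOR_PARTIAL = 8    # shorter than this, two characters give away too much
FIXED_MASK = "*" * 8       # used when neither characters nor length should leak

# Minimal leet/case normalization so "c0mp4nyx" is caught alongside "companyx".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text):
    return text.lower().translate(_LEET)


def mask_for_report(password):
    """Prove possession without disclosing the secret: 'ih*********' for
    'ih8COMPANYX'; short passwords get a fixed-width mask instead."""
    if len(password) < MIN_LEN_FOR_PARTIAL:
        return FIXED_MASK
    return password[:VISIBLE_CHARS] + "*" * (len(password) - VISIBLE_CHARS)


def _expand_terms(client_terms):
    """Turn client identifiers (company name, domain, product) into normalized
    match strings: the identifier with separators stripped, plus every token
    of four or more characters (short tokens like 'x' or 'inc' over-match)."""
    expanded = set()
    for term in client_terms:
        tokens = [t for t in re.split(r"[^a-z0-9]+", _normalize(term)) if t]
        expanded.add("".join(tokens))
        expanded.update(t for t in tokens if len(t) >= 4)
    expanded.discard("")
    return expanded


def filter_wordlist(candidates, client_terms):
    """Split recovered passwords into (safe_to_keep, dropped_as_origin_revealing)."""
    terms = _expand_terms(client_terms)
    keep, dropped = [], []
    for cand in candidates:
        norm = _normalize(cand)
        (dropped if any(t in norm for t in terms) else keep).append(cand)
    return keep, dropped


# Constructed sample: an engagement for the fictional client "Company X".
SAMPLE_CLIENT_TERMS = ["Company X", "companyx.example", "WidgetCo"]
SAMPLE_RECOVERED = ["ih8COMPANYX", "Summer2011!", "c0mp4nyx!",
                    "widgetco123", "P@ssw0rd", "abc"]

if __name__ == "__main__":
    keep, dropped = filter_wordlist(SAMPLE_RECOVERED, SAMPLE_CLIENT_TERMS)
    print("keep:", keep, "dropped:", dropped)
    print([mask_for_report(p) for p in SAMPLE_RECOVERED])
```

Treat the dropped list as something to destroy, not to review by hand in a shared location; the filter is the last step before the wordlist leaves the engagement, not a substitute for judgement.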

This post was largely inspired by a conversation from the SANS pentesting forum.

Recently we received a notice from our ISP that one of our machines might be infected, and please clean it up or we’d be shut down. Well, we explained the situation to them, and it’s good to know someone’s watching our traffic (is it 1984?), but we’ve been doing this for nearly six years from this location. And they only just now noticed? We’ve run huge attacks against large customers, it’s our business after all, for six years, and they only just now noticed we “might” have an infected computer? Sort of makes you wonder.

What about all the other domains we traverse, like Sprint and AT&T? Are they going to start sending us hate mail? What happens if they start dumping the packets? We’ll have to find another ISP, I suppose, but eventually, if things went that way, the core would be filtering as well, and nothing would work. We’d practically be out of business. Ironically, the bad guys wouldn’t, because the bad guys would just invent new ways to circumvent the security. Which would let us stay in business as well; we’d just need a new toolset.

So if nothing’s really going to change, can we establish right now that filtering anything is a really bad idea, except during attacks? Because all it’s going to do is raise the price tags on security: you have to pay for the filters, and you have to pay for the new security to counter the new threats. While standing still doesn’t prevent new threats from becoming a reality, it does allow us lots of ways of tracking people. They may have a new attack, but they probed on high ports first, which might let us locate them, or at least shut them off from here. But don’t restrict traffic in the middle. It’s like putting a stop sign in the middle of the Atlantic: all you do is make shipping more expensive and annoy some little fish. So keep it open. Please.

Or would they? Here’s a fantastic example of the lengths one can go to in order to obtain system access. Many clients don’t believe things like this happen, or that their competitors would ever attempt such a thing. It really depends on how much value is in it. If the payoff for a data thief is greater than the cost plus risk, your data is greatly at risk. If a group of security specialists (no affiliation) can do this for a set fee (in all likelihood low five figures), then criminals will jump at the chance. Sure, they have to find someone to program and do technical stuff, and those are rare and expensive commodities. Wait, no they aren’t. Since the US exported a bunch of technical work overseas, you can obtain high quality technical assistance for a song, from people who have zero reluctance to engage in activities that might be illegal someplace else on the globe.

You think your company isn’t at risk? Are you sure? What’s in your corporate bank account? Your password-protected file servers? Your laptops? If you aren’t 100% positive of any outcome from a computer compromise, you need to get professional help to evaluate your situation and put a focus on what’s really at risk.

If security folks will do this stuff for normal working wages, criminals will jump at the chance for a big payday.  So, yes, somebody will go to that much trouble.

PS: kudos to Netragard for an awesome job.