Criss-cross Client Gaps

What would a consultant do if they had two clients, each other’s business partners, who both had the same gap in safe practices?  As consultants, we’re typically bound by confidentiality agreements.  If one client is doing something that puts the other at risk, it is difficult to advise the one and still maintain confidentiality with the other.  Even if the consultant refrains from indicating the source of the problem, the act of remediating is likely to reveal the partner’s gap to the other client, and it may become an issue, one where they will bring up the consultant’s role in the change.  This may mean losing one or both clients, depending on their inclination.  Yet directly informing either or both has even larger risks.

On the other side of the coin, the consultant, if they have professional morals or some perceived real duty to the clients, cannot let the issue go.  They must somehow prepare both clients.  A subtle hand can press the issue on both sides without letting either party know that there was a conflict.

“The difference between stupid and intelligent people – and this is true whether or not they are well-educated – is that intelligent people can handle subtlety.” – Neal Stephenson


Big Brother Will Help You Mail That Package

While trying to find out how much a medium flat rate box would cost to ship earlier today, we spotted a strange item that roused our privacy hackles, one that other users wouldn’t see unless they happened on this site with their flash settings locked down.  It seems the government, in the form of the USPS, in the form of somebody called, wants to TAKE YOUR PICTURE just to tell you what a flat rate shipment might cost.  Isn’t that interesting?

can i takez u picchur?

Hey, “might” doesn’t mean they actually *want* to take my picture, just some sloppy flash coding, right?


While we don’t have time to ferret out if it’s a goof or who’s responsible, we do find it interesting that in this day and age, anything like this can see the light of day.

The price of freedom may be eternal vigilance, but this impingement on it is free.


B-Sides & Business

[updated/edited] As a B-Sides sponsor, we’re rather concerned about the post from attrition regarding B-Sides, but we’re certainly glad it came out. We are pulling our, admittedly limited, sponsorship of local B-Sides events until such time as the matter is resolved to public satisfaction, or the entity known as B-Sides is provided with adequate management. We will continue to support local events with time and money, even ones with a B-Sides logo, but will do so only through direct funding.  To that end, and to ensure B-Sides DE carries on, we’re committing $500 to the next B-Sides DE event.

Here’s hoping for speedy resolution to this situation.


Adding centralized controls for corporate browser settings and locking down security settings to increase security is a great idea, as opposed to letting users do whatever they please. It shows attention and diligence.

However, doing so while still permitting lax passwords and not alerting on security failures demonstrates a distinct lack of focus. Fine detail settings in the browser won’t help your organization if a bad guy can roll up on your Internet presence and run THCHydra with impunity.

Your internal controls don’t amount to much protection if your external controls are stuck in the 1980s. Failure to fix the obvious is an invitation to being hacked.

Don’t forget about the simple stuff, and have your systems tested by people that will do more than just point a vulnerability scanner at the address space. Use some sense and focus on what’s going to be most effective, not what was in the news last week.
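The post faults organizations for not alerting on security failures. As an added example (not code from the original post), here is the kind of minimal alerting that catches a password-guessing run: parse failed-login lines from an sshd-style auth log, count failures per source address in a sliding window, and raise an alert when the count crosses a threshold. The log lines are constructed for the example, the addresses are from documentation ranges, and the threshold and window are assumed values a site would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Jan 12 10:01:02 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 12 10:01:03 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Jan 12 10:01:04 gw sshd[4011]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jan 12 10:01:05 gw sshd[4011]: Failed password for root from 203.0.113.5 port 40125 ssh2
Jan 12 10:01:06 gw sshd[4011]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jan 12 10:04:30 gw sshd[4020]: Failed password for jdoe from 198.51.100.7 port 51000 ssh2
Jan 12 10:09:00 gw sshd[4025]: Accepted password for jdoe from 198.51.100.7 port 51001 ssh2
Jan 12 10:15:00 gw sshd[4030]: Failed password for jdoe from 198.51.100.7 port 51002 ssh2
"""

# Matches the syslog timestamp, the (possibly "invalid user") account name and
# the source address of a failed password attempt.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(text, year=2011):
    """Return (timestamp, source_ip, username) for every failed attempt.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Per source address, slide a time window over its failures and report
    the first point at which `threshold` failures fall inside `window`.
    Returns {source_ip: {"count", "users", "first", "last"}}."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))

    alerts = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold and src not in alerts:
                alerts[src] = {
                    "count": end - start + 1,
                    "users": sorted({u for _, u in hits[start:end + 1]}),
                    "first": hits[start][0],
                    "last": hits[end][0],
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['count']} failures against {info['users']} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

Run against the sample, the single address that fails five times in four seconds is reported, while the legitimate user who mistypes twice eleven minutes apart is not. The same structure works on any log format once the regular expression is swapped; the point is that the check is a few dozen lines, so its absence is a choice, not a cost.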

Check Fraud

One of our clients received a check from a financial institution in the mail last week, a check they weren’t expecting. Given that they don’t even do business with the company whose check it was, they were quite aware that some mistake had been made. They contacted the company and found out that they weren’t the only stranger getting a hefty check in the mail. At least a dozen checks had been received, and several cashed. The company had suffered some sort of breach and lost banking information, checks, and their FedEx account codes. Not only were they dealing with the fraudulent checks, they had to pick up the bill for the overnight shipping.

Ironically, my client had, just one week prior, received an email regarding an item they had posted on Craigslist. The “buyer” stated he would send a check to cover the item and the shipping, plus a little extra just in case, and my client was to send whatever was left after all the shipping and packaging back to the buyer.

Luckily, our customer was educated (we offer seminars) about various fraudulent schemes and called us after the first incident. We had them send a stock response to the mystery buyer that discourages further contact.

Then this check showed up at their office. It could be coincidence.

What’s not coincidence is the use of a fraudulent Craigslist transaction to locate targets for fraudulent schemes. It’s not Craigslist’s fault; this happens with every public forum, like eBay, Gunbroker, chat channels, bulletin boards, and mailing lists. Before the Internet and computing, it was classified ads in newspapers.

It’s been said often enough: the Internet makes everything faster and more efficient, especially crime.

Should you receive an unexpected check, contact the company in question. Even if they sound convincing on the phone, there’s no guarantee that whoever you’re talking to is actually attached to the bank account. It’s just a string of numbers; there could be anyone’s name printed at the top of the check. Contact your local FBI office and report the situation.

Here’s one that may be a first: calling cell-phone users about their overdue bills and extracting credit card info, bank account info, personal information, or some combination of these.  You get a call about your overdue bill.  If you blindly proceed to pay, the scam is simple enough, but what if you know it’s been paid?  Then they drag you through a series of question-and-answer checks that will (they hope) get you to confirm (reveal) credit card or bank account information.  Both options also allow for obtaining other information, such as passwords, through verbal manipulation.

So be careful and spread the word.

Identification Identity Crisis

Should organizations require and validate a government issued form of identification before granting network access? It’s easy enough to do. Costs a bit for the comparison books and an hour of training, but it will catch the majority of bad identification.  Of course, what to do with it after you’ve caught it…

But how much bad identification, as opposed to high quality forgeries, is seen in any business? No data.

More importantly, as has been pointed out by some bright people in the industry, the secretary is not a security guard, and the security guard is not a security professional.  Some small percentage of false identification is going to result in violence.  Better the guard than the HR representative.

Regardless of whom, outside of the government, nobody without a Treasury department background is going to catch the good forgeries.  So we can at best reduce a risk, but not eliminate it.

Given the possibility of violent confrontations, would a business be better served by a validation after the fact? It depends on the business, but in general, giving network access to the bad guys for any amount of time is a bad idea.

How do you test effectiveness when the mere act of copying a form of identification can be a Federal crime?

It makes perfect sense, wanting to identify persons with access to the network, but the process does not make perfect sense.  In the meantime, businesses will go on accepting fake identification and getting taken by fake ID holders.

All The News That’s Pfffffft To Print

Are you tired of news outlets, official, mainstream, counterculture, blogosphere, or militant (did I miss any?) spouting nonsense about hackers and security in general?  While they’ll likely never get the moniker “hacker” used precisely right, we can at least hold them accountable for the crap they peddle as “news” about “hackers”.

Let’s start with foreign government “hackers”.  If a government sponsored agent is attempting to break into a foreign government computer system, they are “hacking”, but they are not “hackers”.  They are espionage agents.  Criminals in one country, patriots in another.  Some portion of foreign activity is state sponsored, and hence, is not hackers.  Could we argue that these official or unofficial subcontractors in hostile security are in fact “hackers”?  Sure, but then how do we differentiate the regular hackers, the non-government sponsored bunch?  We’d need to start classifying them all as State Sponsored Hackers or Non-State Sponsored Hackers, with further breakdowns for official and unofficial.  It’s easier just to call them agents, criminals, or spies who are using hacking techniques.  But don’t call them hackers, because they’re not.  While hackers have a variety of reasons for hacking, state activity is not one of them.  It crosses a line.  It’s like saying a police agent using Metasploit is a hacker.  They’re not.  They’re cops.  Or police.  The FBI does not employ “hackers”, it employs agents and uses subcontractors who use hacking techniques, but who are not hackers.  Except maybe on the weekends, but that’s like having a secret identity, and if they get caught, they lose their official jobs.

Now let’s look at the idiocy that is numerical misuse.  To state that Company X is attacked 600,000 times a day is like saying that my internal combustion driven automobile explodes 20,000 times on my way to work.  You reporters and bloggers peddling this plotz are IDIOTS.  We mostly knew that already, but this is low hanging evidence that you’ll spew just about anything to fill space or drive revenue, regardless of sensibility.  You’re terrible at the job of reporting and wouldn’t know a fact check if it ran up and bit you on the nose.  Using the logic that produced “600,000 times a day” we can look at almost ANY WEBSITE ON THE ‘NET and find similar figures.  So why didn’t you report that?  Because Company X will drive more traffic, or is more impressive, or is what one person was truly interested in, and the rest of the blogosphere just gobbled it up and reprinted it to fill their pockets.

And by the way, 600,000 times a day for illicit access attempts is lightweight given the size of that particular company and its profile.  A better story would have started with “Why does Company X only get 600,000 attempts at password breaking each day” when comparable sites can be hit millions of times in one day.  That’s news, them not getting attacked more often.  Finding out they get attacked is not news.  Thinking that it is a high amount is not news, it’s just an indicator of the condition (IDIOCY in case you forgot).  Checking on norms and numbers and arriving at a startling realization that is backed up with facts, now that is news worth printing.  And plagiarizing.

So instead of just spewing drivel, make a decision.  Either get out of the IDIOCY business you’re in or start doing some meaningful reporting.  And this is copyrighted 2011 Digital Trust, LLC, in case you forgot.


Personal Phones Subject to Unconstitutional Search

As with all new technologies, cell phones continue to create ripples in the legal landscape.  Here’s a smattering of information on the subject:

  • A California law is in force by default.  More on the spineless veto by Governor Jerry Brown, with more here.
  • One in Michigan, completely in the realm of Big Brother.
  • And one in Oregon, of all places, usually a bastion of civil liberties.

It is this company’s patriotic opinion (not legal opinion, we are not lawyers) that searching a cell phone without a warrant, probable cause, or imminent threat is decidedly unconstitutional.  What next, invasion of our computers via police-state root kits?  Cell phone content is clearly not “in plain sight” given the need for special equipment to turn it into evidence.  Write your legislators and fight for your right to privacy.

Thanks to JohnC for tracking this down.

Layered Stupidity

We talk a lot about layered security, but what about its nemesis, layered stupidity? That’s when you see badness at so many levels in a business structure that there really is no point in testing or evaluating security, because until change happens, they’re like a bank with no locks, guards, or cameras.

So there’s this company, who shall remain nameless…

First layer, basic security. People have got to do the simple stuff, and at least make an attempt at the SANS Top 20.  If your security neglects even the simplest checks, you well deserve your fate.  Why was nobody in the company howling about this when hacking is in the news every single day?

The second layer in the cake is outsourced infrastructure and security.  The hosting / security provider responsible somehow managed to run a regulated security business with no log file retention.  How can a security company not keep log files?  It’s so fundamental that the absence is absurd.

Layer three is the auditors.  Both of these companies, the provider and the client, are subject to regulatory security requirements.  Both of these companies are required to utilize outside security auditing, so what went wrong?  Did they hire incompetent auditors creating the perfect hat-trick of stupidity?  Perhaps the auditors noted the deficiencies, and thanks to lax governmental oversight, nobody bothered to fix anything because they knew unless something went wrong, nothing would be done.

Four goes to the board members of both companies, at least one of which reads a newspaper or watches the news.  Did they really think hacking is a golf affliction?  Board members are supposed to be wise advisors providing oversight and advice about things like security and regulatory compliance; otherwise, why are they paid to be the board?  If you’re a board member anyplace, ask about security and know enough to be able to spot fruit-loopery when you see it.

Lastly, the customers of both companies should have noticed something was amiss.  Both have been in business for a fair amount of time and have large client lists, most of whom are also regulated, yet none of them noticed the glaring lack of security at either company.

This, then, is a perfect storm of stupidity.  Every single link in the chain of responsibility is weak or broken.  Every layer of the cake is rotten.

Solutions are so easy.  Hire good people.  Ask questions.  Put some effort into it.  Demand your vendors adhere to security standards at least as rigorously as you do.  Make sure it’s right.  Security isn’t difficult if it’s done right.  It’s a money saver.

Pentester Reporting on Cracked Passwords

Anytime in a security review that a password is obtained, whether it is simply a default setting or cracked after 8 days of crunching (or anything in between), there are some important things that need to happen on the tester’s side.

First, notify the client and recommend they force-change the password.  Don’t just have them set it to force a change at next login; specify that they change it and then, if necessary, notify the user.  This is because the account may already be compromised, and merely forcing a change at next login may permit a bad guy to continue to access the account.

Second, if you must disclose the passwords to anyone, do so using partial masks.  Show only the first two characters or something similar, to disclose as little as possible but still prove you have the password.  This is because the password in question might be used for other things, like personal banking, and disclosing the full password could permit third parties to obtain access to accounts other than the one being examined.  Judgment is important, since even two characters can be enough to identify a full password.

Above all, never release the passwords and accounts in any transferable format, such as a PDF or as part of the report.  Make sure your contracts indicate the client must change the passwords within a time frame, and be able to show that your practices do not put the account credentials at risk, such as by sharing them with co-workers on a file sharing site.  Should anything go wrong, you want to be able to demonstrate that your people are not at fault.

Never retain credentials, and don’t add any of them to your dictionary unless you’ve filtered them closely for any which might indicate origin.  Something like “ih8COMPANYX” can indicate origin and may be used by another user at some future date, and if your dictionary ever gets questioned, you might be liable.  As always, check with a lawyer for real legal advice on the contracts and other legal subjects; Digital Trust is not a legal authority.
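Two of the points above, partial masking for the report and filtering origin-indicating entries before anything reaches a dictionary, are mechanical enough to script. The following is an added example, not Digital Trust’s own tooling: the credentials, the client name “CompanyX” and the origin indicators are all constructed for illustration. It goes slightly beyond the post by applying the “judgment” point automatically, showing no characters at all when a two-character prefix would leave too little of a short password hidden.

```python
# Constructed sample of cracked credentials for a hypothetical engagement;
# none of these are real accounts.
SAMPLE_CREDS = [
    ("jdoe", "Summer2011!"),
    ("asmith", "ih8COMPANYX"),
    ("svc_backup", "backup"),
    ("root", "Pass"),
]

# Constructed origin indicators for the hypothetical client "CompanyX":
# company name, domain, internal site names, anything that ties a password
# back to where it was found.
ORIGIN_INDICATORS = ["companyx", "companyx.example", "cxintranet"]


def mask_password(password, visible=2, min_hidden=4):
    """Partial mask for a report: keep the first `visible` characters and
    replace the rest with '*'.  If fewer than `min_hidden` characters would
    stay hidden, show none of them, because two visible characters of a
    four-character password amount to disclosing it."""
    if len(password) - visible < min_hidden:
        visible = 0
    return password[:visible] + "*" * (len(password) - visible)


def report_rows(creds):
    """Rows for the written report: account name, masked password, length.
    Nothing in the output can be pasted into a login prompt."""
    return [(user, mask_password(pw), len(pw)) for user, pw in creds]


def indicates_origin(user, password, indicators):
    """True when the password carries something that points back at the
    client: an indicator string, or the account name itself."""
    p = password.lower()
    u = user.lower()
    if any(ind.lower() in p for ind in indicators):
        return True
    # The account name in either direction ("svc_backup" / "backup") also
    # ties the entry to a specific system.
    return u in p or p in u


def filter_for_dictionary(creds, indicators):
    """Return only the passwords that carry no sign of where they were found
    and so can go into a generic wordlist without identifying the client."""
    return [pw for user, pw in creds if not indicates_origin(user, pw, indicators)]


if __name__ == "__main__":
    for user, masked, length in report_rows(SAMPLE_CREDS):
        print(f"{user:12} {masked:16} ({length} chars)")
    print("dictionary additions:", filter_for_dictionary(SAMPLE_CREDS, ORIGIN_INDICATORS))
```

The `min_hidden` floor is the automated version of the post’s judgment call; raise it if the client population uses short passwords. The filter is deliberately conservative: anything containing the company name or the account name is dropped outright rather than scrubbed, since a scrubbed entry is still evidence of where the list came from.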

This post was largely inspired by a conversation from the SANS pentesting forum.