[SecurityRatty] tag: communication

Why Do I Attend BlackHat?

Thu, 26 Jun 2008 14:33:51 +0000

This post is a response to Alan Shimel’s Topic of Interest #2 for the Security Bloggers Network.

So what motivates me to attend BlackHat? The #1 reason for me is networking — meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends in the industry. Twitter and other forms of microblogging help you chip away at the communication gaps; you get a glimpse into peoples’ lives but it’s no replacement for a real conversation.

Obviously, the briefings themselves are a major draw. Even though it’s expanded to over 10 tracks now, the quality hasn’t really suffered. This year’s experiment with allowing paid delegates to vote on speakers seems to have produced a good lineup, though I’m sure there was still a selection committee that could and probably did overrule the votes in some cases. Either way, BlackHat presentations are a decent indicator of the overarching themes that will be prevalent in information security for the upcoming year or two.

When I first started attending BlackHat, I was drawn to the talks discussing 0-day vulnerabilities, tool releases, shellcode tricks, and the like. These days, anything relating to static analysis, automation, and of course web security are most interesting to me. I also consider who’s speaking, regardless of the topic (e.g. one of these guys presents, I’m there). In general, I’ll try to gauge how much value the speaker will add to the presentation — in other words, what do I gain by attending the talk vs. flipping through the slides later? I never attend every time slot; sometimes the hallway conversation is just more interesting.

Some of my other reasons for attending, in no particular order, most of which fall under the “networking” umbrella:

The parties (duh)
The Pwnie Awards
Meeting fellow security bloggers
Recruiting speakers for SOURCE
Finding future Veracode employees
Trading war stories
Picking up vendor schwag for my kids (RSA is much better for this one)
Meeting current and former customers — and future ones, hopefully

Things I could do without:

The cigarette smoke
The heat
Quark’s

I’ve stuck around for DEFCON a couple times in the past, but I don’t anymore. I fly out Friday morning or early afternoon so I get home in time to spend the weekend with the family. Personally, three days in Vegas is plenty for me.

When it gets closer to BlackHat time, I’ll post my picks from the briefings schedule.

Management's right to employee communication: There are limits

Thu, 26 Jun 2008 04:32:30 +0000

The courts have consistently upheld business rights to information stored on company-owned information assets, including email and other messaging media. There were limits, like restricting data retrieval to items actually related to business transactions or relavant to an ongoing investigation. Now, however, a U.S. Federal court has placed messages sent via contracted services within the scope of employee expectation of privacy.

Marshall Islands Email Service Paralysed By Spam Attack

Tue, 24 Jun 2008 19:55:36 +0000

Email communication in the Marshall Islands was paralysed Tuesday after hackers launched a “zombie” computer attack on the western Pacific nation’s only Internet service provider. The Marshall Islands is a Micronesian island nation in the western Pacific Ocean, located east of the Federated States of Micronesia and south of the U.S. territory of Wake Island. The [...]

Googles Culture of Yes

Mon, 23 Jun 2008 11:21:46 +0000

Recently, Eric Schmidt gave quite an inspirational speech at the Economic Club of Washington. It was so interesting; I wanted to share this with you in case you missed it. The entire speech is rather long but here’s the section on Google’s Culture of Yes.

After hearing his speech, I thought about how Eric and Google are impacting the digital revolution after so many others have tried unsuccessfully over the last 25 years. He has led the company through a period of explosive growth from $1 Billion to over $16 Billion in the past year, while keeping the young, fun, irreverent culture intact. Considering the meteoric rise of Google’s popularity in a reasonably short period of time, to the point that the company name is now actually a verb!

The point that I found enlightening was his summary, which you can scroll to at the 26 - 30 minutes timeframe in the presentation, where he shared an interesting glimpse into the culture of Google. “Creating more luck, giving yourself more at bats, being out there… to think big and inspire a culture of YES.” The culture of Yes inspires people to aim higher and be ambitious in their reach and goals.

That is a very interesting point in which I really believe. If there is one thing that all companies and especially small companies struggle with because of natural resource constraints, it is building a strong culture of Yes. We have tried to do this from the very inception of ScienceLogic, but it continues to get harder and harder the larger the business grows. To consistently inspire a principle of Yes, without agreeing to every idea that flows across my desk is amongst the most challenging parts of our daily jobs. However if I could create the perfect scenario, we would intuitively strive for a principle of Yes and inspire our associates and our ecosystem of partners and customers to use this simple concept to confidently go forward.

Eric says, “It is possible to build a culture around innovation. It is possible to build a culture around leadership, and it is possible to build a culture around optimism.” Google is a great example, but by no means the only example. I agree with Eric’s summary and hope to lead ScienceLogic according to these very basic but essential principles. “Let’s be revolutionaries. Let’s take this opportunity, this huge change that is before us with technology and let’s change our businesses, our communication and the way we interact on some new principles that reflect the very best in America.”

ShareThis

Great article about keeping your kids safe online

Sat, 14 Jun 2008 12:02:24 +0000

Part 1 of 2 nicely written articles written by someone at Trend Micro. The article is not driven at selling you a product, just real good advice. Take the time to read em.

clipped from newsletters.trendmicro.com

Threat Landscape (Part I)

Keeping Your Kids Safe from Unwanted Content and Contact

The Internet is now an integral part of everyday life for most people. And within a short period of time, it has evolved from simply a tool for accessing information and conducting communication and commerce to becoming a significant venue for social activity and interaction. For many young people who have never known a world without the Internet, it is also a vehicle for self-expression, a source of entertainment, and a creativity and distribution tool unimaginable by previous generations. As most schools approach the summer break, young people will have more time on their hands – time to further experiment online.

The power of communication.

Fri, 13 Jun 2008 13:24:00 +0000

I think many of us fail to realize the extreme importance of communicating in a way that ensures we are understood.When I was working for the United Nations in different countries around the world, I would often be told by other UN staff that they were surprised that they could actually understand what I was saying. Apparently, they had met other Irish and could only understand a few words here and there. That was easy for me to understand. As the Deputy and later Chief of the United Nation's Special Investigation Unit, it was of the utmost importance that people could understand me. Imagine questioning a person who was facing deportation back to their country for an alleged crime. It would be unfair to them if I didn't make my self understood, even if it meant that I had to slow down my fast Irish speech and leave out the Irish slang words (that very few people around the world can ever understand).

I was in Dublin last weekend, passing through on my way to the Middle East. The big topic was the Irish referendum on the Lisbon treaty. It seems that the country was fairly evenly divided by those who were; voting yes, voting no, did not know. I wasn't that terribly sure what it was all about so I asked my sister and her husband. They had to admit that the whole thing was rather unclear and that the Politicians didn't do a great job of explaining. Then I met up with my brother. He too was not 100% about the importance of a "yes" or "no" vote. I got the impression that Ireland might lose their National identity if they voted "yes", so I left thinking that "no" was the way to go.

Apparently the rest of Ireland thought so too, as I am sitting in my hotel room in Dubai listening to the BBC and Sky news talking about the after effects of Ireland's rejection of the Lisbon treaty. That got me thinking. The only time we really ever had any problems with a client involved communicating, or a lapse on somebody's part. It is amazing how large the repercussions can be when you are talking about a whole country. Next time you are involved in a negotiation, remember the Lisbon treaty and make sure you know what is at stake. You could be avoiding a costly mistake.

Maltego Community Edition Released

Fri, 13 Jun 2008 11:05:27 +0000

From Paterva dot com:

The Community Edition is limited in the following ways:

* A 15second nag screen
* Save and Export has been disabled
* Limited zoom levels
* Can only run transforms on a single entity at a time
* Cannot copy and paste text from detailed view
* Transforms limited to 75 per day
* Throttled client to TAS communication

http://www.paterva.com/maltego/community-edition/

European Backup Services Vulnerable to Attack

Wed, 11 Jun 2008 07:49:32 +0000

Online backup is seen as a good strategy for preventing data loss, in case of a disaster at a local datacenter or on a local machine. But apparently the software used by over 100 services is vulnerable to a man in the middle attack, even though it uses SSL to secure the connection:

Tests by heise Security show that four of the six services tested were vulnerable to attack.

While all of the tested systems encrypt communication with the backup server using SSL, external attackers can sniff the access code as plain text by acting as a man-in-the-middle (MITM) if the locally installed backup software does not perform sufficiently rigorous checks on the authenticity of the server’s certificates. In the vulnerable systems, we were able to hijack the connection from the client software to the backup servers.

Four of six may not be a large test sample, but it does raise concerns about trust between customers and their service providers. If you’re providing or purchasing this kind of service, you might want to look into it closely to make sure your data is secure.

Cotton Traders confirms that their website was compromised

Wed, 11 Jun 2008 06:45:54 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
Cotton Traders Ltd.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"thought to be up to 38,000"*

*Cotton Traders claims this figure is "widely inaccurate" but isn't supplying the correct figure

Types of Data:
"addresses and credit card details"

Breach Description:
"Clothing firm Cotton Traders has confirmed that customers’ addresses and credit card details were stolen during a hack on its website in January."

Reference URL:
BBC News
Information Age
CNET Networks (Silicon.com)
The Register

Report Credit:
BBC News and an informed reader of The Breach Blog

Response:
From the online sources cited above:

The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website

It was initially reported that 38,000 card details were stolen. Cotton Traders claim the number is "substantially less" but refuse to confirm the actual number.
[Evan] Why is Cotton Traders not disclosing the number of persons affected by the breach? I think they do more damage to their reputation by not appearing open and honest about the breach. I can't think of any significant risk in sharing this information.

The firm has not confirmed the size of the breach but it has acknowledged the site was attacked early this year.

Barclaycard was contacted as soon as it learned of the attack, and most cards were stopped in January

"Those involved were notified at the time and card replaced,"
[Evan] Really? In what manner were the people involved notified? Typically, when people are notified, they talk and/or share their experiences. BBC News reports about this breach ~5 months after the incident, so I wonder if people really were notified "at the time".

The payment industry's trade body said it was serious because hackers accessed details for "card not present" fraud

customer addresses were also stolen in the hack

a specialist police force was investigating the case

In a statement, Cotton Traders said all of its customers' credit card data was encrypted on the website
[Evan] Hmmm. How and where was the data encrypted? Due to the lack of disclosed details, we are left to speculate. I can tell you from my past experiences that encryption is typically used for data in transit (from the front-end web server to the client) and sometimes where data is at rest (stored in the database). It is not uncommon for data to flow unencrypted between the back-end (database) and front-end (web server). Let's assume that this was a well architected ecommerce platform (from an information security standpoint), and that data is encrypted between the front and back end components. The information still exists for a some amount of time on the front-end server in a non-encrypted state. If the front-end web server were compromised, it is completely conceivable that the information confidentiality was compromised. I am not even going to speculate where and how encryption keys could be managed, but obviously this is another critical component of the architecture.

Cotton Traders, a specialist clothing outfit founded by ex-England rugby stars Fran Cotton and Steve Smith, said the potential to misuse the data is low because the credit card information was encrypted.
[Evan] See my comments above. More information is required before a claim like the "potential to misuse the data is low" can be verified.

Earlier this year we identified a security issue. We immediately brought in industry security experts to resolve the problem.
[Evan] Who are the "industry security experts"?

"Cotton Traders have recently upgraded all security on their website which has been validated by leading Industry experts."

"We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards."

The exact method used to hack the Cotton Traders website is not known.

Cotton Traders warned that other major retailers would be vulnerable to the same attack saying its website has always met "leading security standards".
[Evan] How do you make a claim like this and not share?! If other major retailers "would be vulnerable to the same attack", then shouldn't they and the information security industry be notified ASAP? Maybe they/we have, but I don't think so. The fact that the bad guys share information so much better than us good guys has been an "industry vulnerability" that has existed for many years. This seems like another example of the communication barrier that still exists between "industry experts".

The firm has said customers worried about their cards should contact their card provider.

Security groups say the attack highlights the need for laws governing companies' response to breaches, as called for by silicon.com's Full Disclosure campaign.
[Evan] Unfortunately, we need laws to force organizations to do the right things that they should have been doing all along. If organizations were managed well globally, would we need laws like breach notification statutes, SOX, HIPAA. etc.? The chances of organizations being well managed globally is a pipe dream.

Commentary:
I don't know what irks me more about breaches like this, the breach itself or the poor response.

Past Breaches:
Unknown

Who's Behind the GPcode Ransomware?

Tue, 10 Jun 2008 05:44:53 +0000

So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well their most recent IPs used in the communication :

Emails used by the GPcode authors where the infected victims are supposed to contact them :
content715@yahoo.com
saveinfo89@yahoo.com
cipher4000@yahoo.com
decrypt482@yahoo.com

Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838

Sample response email :
"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

Second sample response email this time requesting $200 :
"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

So, you've got two people responding back with copy and paste emails, each of them seeking a different amount of money? Weird. The John Dow-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227(Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite that these campaigners are Russians.

Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11; and page 21), worth going through.