[SecurityRatty] tag: promote

Follow Windows 7 Engineering

Thu, 14 Aug 2008 16:54:49 +0000

Seeking to promote "an open and honest, and two-way, discussion about how we balance all of these interests and deliver software on the scale of Windows," Microsoft has launched the Engineering Windows 7 blog, hosted by two senior Microsoft stars, Jon DeVaan and Steven Sinofsky. A two-way discussion probably doesn't mean they are taking orders for features, but they will listen to concerns of the technical community and respond to them publicly. They specifically ask for topic suggestions (I've already sent one in). Not too many years ago this sort of thing was unthinkable at Microsoft, but it's been moving steadily in this direction.

From one geek to another, back up your data!

Sat, 09 Aug 2008 12:02:32 +0000

Hello all, hope all is well.

Last week my wifes puter went BSOD. I ended up doing the Ghost restore back to day one. As I began to put her puter back together with her favorite programs, I hoped she had a current backup of her emails and Firefox favs put away somewhere.

She did! I was a happy toad! But for some reason, the backups were not compatible with the restore options with Firefox and Thunderbird.

So she lost all her emails for the last 2 months. The Firefox favs and settings are not a worry so much, but those emails she lost, sad.

So I come to you today thru the zeros and ones of the Internet to tell you,,,,,

Back up you data and make sure the restore options will work. Now I use Mozy and Ive had to do a restore with it in the past and it works great. So dont just be satisfied that you have backups, make sure the restore will work! Try it out. Do a backup and then right away, restore the data and check it.

Heres the Mozy link I promote on SpywareBiz.com, give it a try.

Black Hat wrap up - secure@microsoft, booth babes and bloggers

Fri, 08 Aug 2008 10:46:21 +0000

You can read plenty of other blogs about some of the great presentations at Black Hat. So I thought I would take another angle and talk about some of the other stuff that may be important to you.

1. secure@microsoft.com – This years hottest party was again the Microsoft party. This year it was at the LAX club in the Luxor. As usual there were quite a number of people at the door who thought they could talk their way in or worse yet were told they “were one the list”. I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red eye flight home, so went right to the airport from the party. As I wrote earlier, Microsoft is trying really hard on security. But I couldn’t help but notice the irony of this grainy, lousy picture of the DJ booth at the party. If you can, notice the computers that the secure@microsoft.com DJs are using. That’s right they are Macs!

2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant. Hey I recognize it is Vegas and all, but EdgeOS went way over the line this year. A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement. I personally don’t like exploiting woman to make that statement, but I understand. However, these guys had woman who were dressed so raunchy and classless, that I could not bring myself to post a picture of them. Come on guys! You want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class. These girls looked like street walkers and do you and your company no favors. Is that really the image you want to promote? Grow up!

3. The Security Bloggers Network – We are back! With the end of the Black Hat show, the SBN is going back to being the SBN. The old logo is back and our promotion with Black Hat is at an end. However, I want to personally thank so many of you SBN members who blogged about Black Hat. The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community. Our network delivered big time with them and they are already thinking about ways we can work together next year. I will keep you all posted on that.

We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons. Next time we will work with the network members more closely in doing these affiliations. Also, for any show like this we need to have an official bloggers get together. Not because we don’t want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us. Security bloggers are big time. We have a great community of people who get together. Lets make it better.

I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.

Anyway, another year of Black Hat is in the books. It was a good one and I can’t wait until next year!

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

Network Neutrality versus Internet Trustworthiness?

Thu, 31 Jul 2008 09:30:20 +0000

Network Neutrality requirements are being proposed to promote investment and innovation for the Internet. However, these requirements will likely affect the Internet's trustworthiness too, and there is little discussion about this. Trustworthiness experts must start contributing to the debate their expertise about how to build systems that resist attack and failure.

On Government Employees, Culture, and Survivability

Mon, 21 Jul 2008 09:46:05 +0000

A couple of months before I was activated and went to Afghanistan, I got a briefing from a Special Forces NCO who had done multiple tours in the desert. One thing he said still sticks in my mind (obviously paraphrased):

“The Afghanis, they live in mud huts, they don’t have electricity, they are stick-people weighing 85 lbs, and to say that we could bomb them into the stone age would be an advancement in their technology level. But never underestimate these people, they’re survivors. They’ve survived 35 years of warfare, starting with the Soviets, then they fought a civil war before we arrived on the scene. Never underestimate their ability to survive, and have respect for them because of who they are.”

Today, I feel the same way about government employees, even more so because it’s an election year: they’re survivors.

Now time for what I see is the “real” reason why the government is doing badly (if that’s what you believe–opinions differ) at security: it’s all an issue of culture. I have a friend who converted a year ago to a GS-scale employee and took a class on what motivates government employees. Some of these are obvious:

Pride at making a difference
Helping people
Supporting a cause
Gaining unique experience on a global-class scope
Job stability
Retirement benefits

And one thing is noticeably absent: better pay and personal recognition. Hey, sounds like me in the army.

The Companion Family Plan for Survival at Home photo by Uh … Bob.

Now I’m not trying to stereotype, but you need to know the organizational behavior pieces to understand how government security works. And in this case, the typical government employee is about as survival-aware as their Afghani counterpart.

Best advice I ever heard from a public policy wonk: the key to survival in this town is to influence everything you can get your hands on and never have your name actually written on anything.

In other words, don’t criticize, be nice to everybody even though you think they are a jerk, and avoid saying anything at all because you never know when it will be contrary to the political scene. The Government culture is a silent culture. That’s why every day amazing things happen to promote security in the Government and you’ll never hear about it on the outside.

One of the reasons that I started blogging was to counter the naysayers who say that FISMA is failing and that the Government would succeed if they would just buy their product for technical policy compliance or end-to-end encryption. Sadly, the true heroes in Government, the people who just do their job every day and try to survive a hostile political environment, are giving credit to the critics because of their silence.

Which brings me to my point:

Yes, my name is Rybolov and I’m a heretic, but this is the secret to security in the Government: it’s cultural at all layers of the personnel stack. Security (and innovation, now that I think about it) needs a culture of openness where it’s allowable to make mistakes and/or criticize. Doesn’t sound like any government–local, state, or federal–that I’ve ever seen. However, if you fix the culture, you fix the security.

Bookmark to:

Personal Internet Security: follow-up report

Tue, 08 Jul 2008 09:05:04 +0000

The House of Lords Science and Technology Committee have just completed a follow-up inquiry into “Personal Internet Security”, and their report is published here. Once again I have acted as their specialist adviser, and once again I’m under no obligation to endorse the Committee’s conclusions — but they have once again produced a useful report with sound conclusions, so I’m very happy to promote it!

Their initial report last summer, which I blogged about at the time, was — almost entirely — rejected by the Government last autumn (blog article here).

The Committee decided that in the light of the Government’s antipathy they would hold a rapid follow-up inquiry to establish whether their conclusions were sound or whether the Government was right to turn them down, and indeed, given the speed of change on the Internet, whether their recommendations were still timely.

The written responses broadly endorsed the Committee’s recommendations, with the main areas of controversy being liability for software vendors, making the banks statutorily responsible for phishing/skimming fraud, and how such fraud should be reported.

There was one oral session where, to everyone’s surprise, two Government ministers turned up and were extremely conciliatory. Baroness Vadera (BERR) said that the report “was somewhat more interesting than our response” and Vernon Coaker (Home Office) apologised to the Committee “if they felt that our response was overdefensive” adding “the report that was produced by this Committee a few months ago now has actually helped drive the agenda forward and certainly the resubmission of evidence and the re-thinking that that has caused has also helped with respect to that. So may I apologise to all of you; it is no disrespect to the Committee or to any of the members.”

I got the impression that the ministers were more impressed with the Committee’s report than were the civil servants who had drafted the Government’s previous formal response. Just maybe, some of my comments made a difference?

Given this volte face, the Committee’s follow-up report is also conciliatory, whilst recognising that the new approach is very much in the “jam tomorrow” category — we will all have to wait to see if they deliver.

The report is still in favour of software vendor liability as a long term strategy to improving software security, and on a security breach notification law the report says “we hold to our view that data security breach notification legislation would have the twin impacts of increasing incentives on businesses to avoid data loss, and should a breach occur, giving individuals timely information so that they can reduce the risk to themselves“. The headlines have been about the data lost by the Government, but recent figures from the ICO show that private industry is doing pretty badly as well.

The report also revisits the recommendations relating to banking, reiterating the committee’s view that “the liability of banks for losses incurred by electronic fraud should be underpinned by legislation rather than by the Banking Code“. The reasoning is simple, the banks choose the security mechanisms and how much effort they put into detecting patterns of fraud, so they should stand the losses if these systems fail. Holding individuals liable for succumbing to ever more sophisticated attacks is neither fair, nor economically efficient. The Committee also remained concerned that where fraud does take place, reports are made to the banks, who then choose whether or not to forward them to the police. They describe this approach as “wholly unsatisfactory and that it risks undermining public trust in the police and the Internet“.

This is quite a short report, a mere 36 paragraphs, but comes bundled with the responses received, all of which from Ross Anderson and Nicholas Bohm, through to the Metropolitan Police and Symantec are well worth reading to understand more about a complex problem, yet one where we’re beginning to see the first glimmers of consensus as to how best to move forward.

Open redirect vulnerabilities article - (IN)SECURE Issue 17

Thu, 26 Jun 2008 06:18:00 +0000

I've written a comprehensive piece on the dangers of open redirects that's been published in Issue 17 of (IN)SECURE Magazine. Page 43 for your reading pleasure.
"An open redirect is a vulnerability that exists when a script allows redirection
to an external site by directly calling a specific URL in an unfiltered,
unmanaged fashion, which could be used to redirect victims to unintended,
malicious web sites."
This issue is a giant pet peeve of mine; the article is intended to increase awareness of the dangers of this vulnerability and promote mitigation.

del.icio.us | digg

Danger in Dubai?

Tue, 17 Jun 2008 13:57:00 +0000

Those who come to Dubai could be forgiven for thinking that this is an Oasis in a peaceful desert. In reality though, they would do well to remember that this Oasis is located in the middle of a volatile region.

I came to Dubai and the United Arab Emirates a week ago to promote an International Executive Protection course that we are holding here later in the summer. While it is true that most citizens in the U.A.E. are law abiding, there is potential here for opportunists to turn that around. Anyone who spends anytime here, especially in the vicinity of Dubai, will see that it is an extremely wealthy area.

I was talking to an ex-pat business man last night at dinner and he made the comment that a friend of his could not get the attention of the Valets at a local club recently because he was "only driving a Porsche 911". The valets were too busy finding premium parking spots for the Bentleys, Aston Martins and Ferraris. This is why Sexton Executive Security is opening an office in the U.A.E. We believe it is only a matter of time before cunning criminals realize how much money they could make from kidnappings, stealing luxury cars/chop shops and a host of other crimes.

Then yesterday morning something else happened. One of the Embassies released a terrorist alert warning for the U.A.E. Despite the fact that this is the Middle East, alerts like this are not common. Afteralll, this is a shopper's paradise where vistors can spend thousands of dollars on a hotel suite for the night. Now we have begun to compile a list of Executive Protection Specialists with current passports who are available for International assignments.

Don't let the bright lights fool you. This is not Kansas Dorothy. Keep your eyes open and like they used to say on Hill Street Blues; "let's be careful out there."

Links for 2008-06-06 [del.icio.us]

Fri, 06 Jun 2008 20:00:00 +0000

Business Creativity & Innovation - How Promote an Innovative Culture
Content Discovery vs. E-Discovery vs. Content Classification | securosis.com
Enroll For: The Art of Evangelism
Event Logging (Windows)
IFTF's Future Now: Post-scientific society
So I was especially struck by Gregg Zachary's latest column in the New York Times, which asks, "might cheap science from low-wage countries help keep American innovators humming?" At least a few policy analysts and scholars studying global trends in scien
Inside Innovation with Colin Stewart » Blog Archive » 11 innovation lessons from creators of World of Warcraft - OCRegister.com
Intel Open Port: IT@Intel Blog: How do you measure something that doesn't happen?
Marissa Mayer's 9 Principles of Innovation | Fast Company