Archive for the 'Humor' Category
RSA Conference: Circus of Vendors
In past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. There must have been 300 booths and a gazillion sales people swarming them with those annoying mics, trying to outspeak each other like barkers outside a souvenir store at a tourist destination. Companies doing raffles at their booths - I’ve seen that, but arcade car racing games like those at Dave & Busters, security “Jeopardy” shows every hour hosted by “slick” sales people, cheesy whack-a-fraudster, wannabe Houdinis showing off card tricks and free beer made the cut too. I wondered, do clients actually walk the floor to learn about new products? I think not. They do so for the free entertainment, adulation, and giveaways. Makes one wonder, are the RSA booths worth their price tag? The smallest, and furthest ones, which you would only see if you were really looking for them, are worth an arm and a leg. VC money well spent? Oh what a circus it was!
- Rohyt
pwn3d by the TS@!

On Friday afternoon, I headed off to the airport for a trip to Chicago to visit a friend. I should have checked the flight status, because it turns out my flight was canceled. All other flights to Chicago were on time, and full. The über-helpful lady at Continental advised me to wait on stand-by. The end result was that I had to wait until 6AM Saturday for a flight to Detroit and a connection to Chicago. Damn. <sarcasm>On the bright side, my bag made it to Chicago by 11PM that night.</sarcasm>
I went home to sleep, and set my alarms for a 4AM wake up to make it back to the airport for my 6AM flight. I assumed I would get there in reasonable time, since I didn’t have to check in or check any bags. Unfortunately, I also didn’t pay any attention to the four S’s on my new boarding pass. At 5:50AM I was being molested by Boris, one of the TSA’s human pen-testers at Newark Liberty. Lucky me, I was selected for additional screening because I had made changes to my itinerary. Lady luck continued to shine on me since Boris, at 250+LB’s, is a gentle giant.
I don’t think my writing thus far has conveyed the anger and frustration I felt during this whole ordeal. And when I realized I had to endure additional security screening, my blood had begun to boil. However, at some point during my personal security assessment, my mind drifted into my happy place, and I had a moment of clarity.
Who else is more deserving of a more in-depth security review than someone who is already pissed off at your airline, and could possibly snap with the next minor inconvenience or crying baby?
Any passenger traveling on an airplane is considered a threat. As individual passenger scenarios fluctuate, so does the individual passenger’s threat potential. In my particular situation, it was up to the airline to indicate to the TSA that I required additional screening, and they did this via the “SSSS” on my boarding pass.
Inside me there is a glimmer of hope that TSA folks have some ability to identify behavior patterns in people that could indicate an elevated threat potential in real time (like when I’m waiting in line to get screened). However, they most likely rely heavily on their technology/tools (metal detectors, x-ray machines, that crazy air blast thing, etc.) for such dynamic analysis.
It’s really no different than a highly-skilled pen-tester being given a large number of applications to test in a very short period of time. In this case, the pen-tester would rely heavily on tools. There is no shortage of content on the Internet discussing the quality of such tools, so I’m not gonna go there in this post. However, I must ask the question: how good of an assessment can you perform on a web app using only the tools available on the market today?
What all this reminds me is that security in I.T. is no different than security in every other aspect of life. Threats are dynamic, and constantly in flux. Countermeasures deployed to protect us from threats must also be dynamic, and able to keep up with an ever-changing threat landscape. If our tactics are static, threats will eventually go unnoticed, and we will get pwned.
At least, that’s what Boris softly whispered in my ear…
-Schmoilito
Asus EEE PC Samba security updates
I’ve been mouthing off about the much anticipated arrival of my new EEE PC, and when it arrived at work for its glorious unboxing, my wonderful co-workers were ready to own me with a samba exploit - locked and loaded. Reference: ASUS Eee PC rooted out of the box
That’s what you get when you work in this industry. I had it coming I suppose. The EEE PC is just too damn cute. How could anybody forcibly overflow its cute tiny little heap! That’s just cold hearted pwnage.
A series of updates were released for the Asus EEE PC today, pdf reader, messenger, firefox, openoffice, the samba daemon of course, and some other tweaks.
Recognize! My EEE PC is patched like a mug now! Leave my lil’ EEE PC alone!
-higB
If I was a hacker…err cracker…
- I would be very busy the week of Christmas, while IT security staff is probably operating at 20% of normal strength. Not only is it the weakness in numbers, but also the holiday mood. How many of you are actually working full days? IDS logs - that’s probably the last thing on your mind now that you have Guitar Hero III in the breakroom.
- I would get busy if I heard that a company was being acquired. From my experience, most companies put a freeze on all discretionary spending from the time a deal is announced until it closes. Unfortunately, security is often thrown into that discretionary spending budget, making it easy on the bad guys for several months!
- If I really wanted to spend Christmas with my family, I would just come back another time and phish employees…that works irrespective of season.
Wishing you all a very Happy New Year! Stay safe.
-Rohyt
Oldschool Radioshack Redbox 1990’s Phreaking
I have a few big boxes of computer crap that I haven’t been able to part with (because you never know when a ZIP drive will come in handy). The other night I was rummaging through one of these boxes and stumbled upon my Radioshack pocket tone dialer modified with a 6.5536MHz crystal. The memory floodgates opened and I reminisced about the days of BBSes, Tradewars 2002, ANSI art packs, The Jolly Roger’s cookbook (remember thermite? good times), and countless phreaking texts. I got my initial fix via 1200 baud. After mowing lawns for a summer I was able to hook up the leet 2400 US Robotics.
Back in high school I was quite the ladies man. I had an 85meg hard drive and leech status on all the local bulletin boards. After girls found out I had an SVGA monitor, Sound Blaster 16, and a 1x CD-ROM, they all wanted me. I used to think it was because I could draw boobs on my TI-85 graphing calculator, but the real reason for the XX chromosome attention was my crazy mad-ill tight soldering skillz.
Just like all teenage boys growing up I had an unhealthy infatuation with the phone company (that’s normal, right?). I read in a BBS text about making free phone calls from pay phones by simulating the sounds that are transmitted when coins are dropped in (more about redboxes and phreaking here). So with a soldering iron, a 6.5336mhz crystal, and a Radio Shack 43-141 pocket tone dialer I went to work and built a working redbox.
After spending 30 dollars in parts I couldn’t wait to defraud PacBell of 25 cents. I remember the nervous feeling I had riding my bike over to a local church to try out my new babe-magnet redbox.
There was one small problem with my plan, for some reason, I didn’t have any friends outside of my area code to call.
Enjoy the video I posted on youtube: http://www.youtube.com/watch?v=AXZMgHKhefk
–higB
Spoof: Google.com vulnerable to CSRF
I was doing some security research this morning and was quite alarmed to find out that SECURITY VENDORS are vulnerable to CSRF. DarkReading has the story here: CSRF Bug Runs Rampant
Being a curious person I thought I’d try to find some CSRF vulnerabilities of my own. I was shocked to find out that the most used search engine is vulnerable to CSRF! Using this vulnerability a malicious attacker can force people to search for the word “balls” without explicit permission.
Normally blog.phishme.com believes in responsible disclosure and would never release a 0-day. Due to the urgency of this threat and details that must be disclosed to communicate about it we thought it best to forgo waiting 30 days for a vendor response. Due to the widespread use of google.com this information should be communicated immediately. Blog.phishme.com will be releasing 0-day proof-of-concept code in the advisory below:
———————————
Date: 6/28/2007
Advisory #: PHME-2007-01-BALLS
CVE #: CVE-NO-MATCH
06/28/2007 Vulnerability discovered on google.com
06/26/2007 blog.phishme.com releases advisory and POC 0-day code.
{ Introduction }
The popular internet search engine, “Google”, is vulnerable to a cross site request forgery (CSRF) attack. This vulnerability would allow an attacker to force victims to search for the term ‘balls’.
Due to this class of exploits being relatively new, we suspect that there are other strings an attacker could force a search on, but we only tested the first thing that came to mind. Other search engines may be vulnerable but were not tested.
{ Risk }
blog.phishme.com used STRIDE and DREAD to classify this vulnerability as Medium Rare Risk.
This attack requires the attacker to know how to send URLs via instant messaging, email, or online forms.
- Alternate attack method #1: An attacker could call the victim and ask them to type the URL into their browser.
- Alternate attack method #2: An attacker could get a bumper sticker printed and affix it to their car. A curious victim would see this URL on the bumper sticker and type it in a browser when they get home.
{ Fix / POC code }
There is no fix or workaround at this time. A fully patched system running anti-virus and a firewall can still fall victim. Until this vulnerability is closed, internet users all over the world may be forced to search for ‘balls’.
In the meantime, blog.phishme.com offers up steps users can take to safeguard themselves against forceful balls searching. Please be aware that attackers are crafty, so we might not be able to cover every potential vector.
- Users of google should be skeptical of email subjects that read: “Dude, you really have to check out this link, after that deep conversation we had last week I think this would really interest you: http://www.google.com/search?hl=xx-hacker&q=balls
- Internet users of google should be skeptical of instant messages or internet forums that read: “I was thinking about your problem and I think I found you the answer on this website: http://www.google.com/search?hl=xx-hacker&q=balls
- myspace.com users should be skeptical when their friends post a message that reads: “I’m glad you had a good time at my barbeque, here is that chocolate dessert recipe you wanted: http://www.google.com/search?hl=xx-hacker&q=balls
{ Advanced Exploitation }
Savvy internet users may not fall for the forceful ball search CSRF attack. Members of the security community would be even harder to trick. Crafty attackers may obfuscate this attack to evade IDS.
Demonstration POC Code:
Normal CSRF method: http://www.google.com/search?hl=xx-hacker&q=balls
Advanced IDS evasion Obfuscation method: http://www.google.com/search?hl=xx-hacker&q=%42%41%4C%4C%53
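The percent-encoded variant above only "evades" a detector that compares the raw URL string; a detector that canonicalizes the query before matching sees both forms as the same request. The following is an added example (not code from the original post, and no real product's logic) that decodes the query parameters, including double-encoded values, and compares them case-insensitively against a constructed signature list.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample URLs: the two forms quoted in the spoof advisory above.
PLAIN_URL = "http://www.google.com/search?hl=xx-hacker&q=balls"
ENCODED_URL = "http://www.google.com/search?hl=xx-hacker&q=%42%41%4C%4C%53"

# Hypothetical signature list: the literal strings a naive detector looks for.
SIGNATURES = ["balls"]


def naive_match(url: str) -> bool:
    """Raw substring match on the undecoded URL (what a naive IDS does)."""
    return any(sig in url for sig in SIGNATURES)


def normalize_query(url: str, max_rounds: int = 3) -> dict:
    """Return the query parameters of `url` fully percent-decoded.

    parse_qsl decodes one layer; the loop keeps decoding until the value
    stops changing (bounded by max_rounds) so a double-encoded value such
    as %2542 is unwrapped as well.
    """
    params = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(max_rounds):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        params[key] = value
    return params


def canonical_match(url: str) -> bool:
    """Case-insensitive signature match over the decoded parameter values."""
    values = normalize_query(url).values()
    return any(sig.lower() in v.lower() for v in values for sig in SIGNATURES)


if __name__ == "__main__":
    for u in (PLAIN_URL, ENCODED_URL):
        print(f"{u}\n  naive={naive_match(u)} canonical={canonical_match(u)}")
```

Decoding before matching is the usual fix for this whole class of evasion; matching on the raw wire bytes only ever catches the exact spelling the signature author thought of.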
I will now demonstrate this attack in a skype chat room full of security experts in the fields of penetration testing, secure coding, and incident response:

{ Conclusion }
This is a damaging attack that may take some time to fix. Internet users should proceed with caution.
———————————
End Advisory.
* Google lawyers, this is a joke, don’t get excited.