About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles as well as appeared on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or refered to by other major media outlets. He has spoken before numerous audiances including the Digital Messageing Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network which quickly became a major resource on the Internet for daily information security news. Before HNN he ran the The Whacked Mac Archives, which at the time, was the largest and the most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.

PC Protect

Internet scams are a dime a dozen from pop ups for fake anti-virus software packages to cleverly designed phishing websites that look exactly like your banks login page. Internet criminals will try just about anything if they think they can get away with it. Today I think I ran into what I think is a totally new scam that definitely involves your land line telephone, and I am pretty sure it involves the Internet, but I’m not sure.

The telltale sign that you have been had is a monthly charge on your telephone bill for $19.99 for something called “PC Protect”. Now a business of any measurable size is going to a have a phone bill such that an additional charge of $19.99 is going to be barely noticeable and I suspect that this is exactly what whoever is doing this scam is counting on. Thankfully the company I work for has an eagle eyed accountant and when she spotted the extra charge she quickly brought it to my attention and asked what it was. I had no idea, but with a name like “PC Protect” my spidey sense started tingling immediately.

A quick google search turned up a snazzy one page website (which I can no longer seem to find) full of web 2.0 goodness that looked like it was just there to sign people up to some sort of anti-something service. At the bottom of the page in the tiny tiny fine print there was a statement about how people could dispute charges by calling a number. Well, obviously we called. The first time they claimed to be from quizrocket DOT com (no, I won’t actually link to the site) the second time they claimed to be usprizedraw DOT com. We complained about the charges and they basically said tough, that our employee John Smith authorized the charges. So we called Verizon who easily agreed to remove the charges.

All well and good but the question remains how did these people get the company phone number and an employee name to ping it to? Obviously I had a talk with John. John is one of those rare people who ‘gets it’ mostly from an IT perspective. He told me that he never visited either of those sites or any other site even remotely close to it, doesn’t use facebook, doesn’t fill out online quizzes and when he buys stuff online for the company he uses a fake phone number (Like I said, he ‘gets it’).

If it was anyone else I would probably just say he filled out a form somewhere and got phished, which is still possible. Or there may be undetected malware deep inside his machine that I haven’t found yet. (I will take a closer look soon). Looking closer at the company info I quickly started going nowhere, fake company names, with fake addresses etc…

I will be looking closer at this stuff over the next few days. If you have heard of PC Protect or if anything else in this sounds familiar let me know. In the meantime keep a close eye on your phone bills.

Financial Company Still Recommending Insecure Software

There are few things in this world that really piss me off and blatant ignorance is one of them. On January 31st 2006 Microsoft did the right thing and removed Internet Explorer for Mac from their available IT downloads. Considering that IE5 for Mac had ceased further development in 2003 it had become riddle with unpatched security holes by the time MS removed it from the its website. Despite Microsoft’s positive action people are still recommending the software three and half years later, and not just regular Joe Schmoe idiots but major financial corporations.

Such recommendations place these corporations, not to mention their customers, at major risk for online fraud, phishing attacks, identity theft, etc… If a company does not wish to support a specific platform that is their prerogative but if they go out of their way to recommend not only an unsupported solution but also an extremely dangerous one shouldn’t they be held liable for their negligence?

I am pasting below a recent email exchange between a local IT Manager and the technical support for paychex.com. (If anyone knows anyone in security at Paychex you might want to point this out to them.) I sincerely hope that the flunky in IT who wrote this has just been misinformed and that this is not Paychex official policy, but hey, there are a lot of stupid idiots out there.

—–Original Message—–
From: Joe Smith (j_smith@smallco.com)
Date: Monday, May 11, 2009 05:19 PM
To: section125@paychex.com (section125@paychex.com)
Subject: Online FSA – Contact Us

What are the minimum requirements to use your website?

Several of our employees are having problems accessing their accounts. Do you support Firefox? Safari? Chrome? Do users need Java or Flash installed? Which versions? Thank you.

Kind Regards,

– J. Smith
IT Manager

————————————-
From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are certain access issues that may occur with firefox and safari and it is not recommended to use these for this website. Internet Explorer should have no issues with access or transmitting information. No additional programs are required for access how ever to request certain documents and view them adobe acrobat reader is required.

Thank you,

Paychex Section 125
————————————-

From: Joe Smith (j_smith@smallco.com)
Date: Tuesday, May 12, 2009 04:48 PM
To: ‘Paychex Section 125′ (section125@paychex.com)
Subject: RE: RE:Online FSA – Contact Us

Internet Explorer is not available for Macintosh users. How do you recommend that those users with Macintosh computers access your website?

Kind Regards,

– J. Smith
IT Manager

—————————————
From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are mac versions of internet explorer available online free of charge.

Thank you,

Paychex Section 125

———————————————-

Oh, and they had this stupid disclaimer on the bottom of their emails

The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Paychex, Inc.

All I can say is that idiocy must be brought out into the light so that it can wither and die. Become enlightened. Oh, and don’t use IE for Mac.

L0phtCrack 6 to Be Released at Source Boston

L0phtCrack, the original and still the best password auditing tool for MS windows based systems, will be re-released at Source Boston by the original authors! That’s right Mudge, Dildog and Weld Pond have required the rights to the original L0phtCrack and plan to release a new version at the upcoming conference. The new L0phtCrack will have support for 64-bit windows and upgraded rainbow tables. Woohoo! Details on potential additional new features, and pricing have not yet been released but you can bet that it will be better than Symantec’s.

Source Boston 2009
L0phtCrack.com

HNN Archive Posted

I don’t really know who actually owns the Hacker News Network anymore. I own the domain now but the original content was part of the sale of L0pht to @Stake which was then sold to Symantec. At this point though I don’t really care anymore. If they want it they can come and get it and suffer the negative publicity as a consequence.

Therefore I am putting all of the old HNN files back online. I figure the files don’t do anyone any good wasting away on my hard drive. So if you want to check out the news from any day between September 10, 1998 and March 30, 2000 just click on one of those links and then change the date in the URL to the day you are looking for.

A couple of notes, these are just the raw news files, no pretty pictures or other chrome. If you find duplicate files, those were the weekends. I think I have all the days but some of them may be missing, I know the last few months are not there. These were all originally written in in raw html with no spell check, and my grammar ain’t no good neither. Almost all of the links will be broken (hey, its been ten years) but a few like CNN’s might still work.

On an unrelated note, WordPress is now at 2.6.3 (yeah, I know big deal) and you can now leave comments with your OpenID!

Standing on the Shoulders of Giants

In February of 1676 Sir Issac Newton wrote in a letter to Robert Hooke “If I have seen a little further it is by standing on the shoulders of Giants.” implying that while he may have come up with the final idea he was only able to do so because of the work of those that had gone before him.

Weld Pond (Chris Wysopal) accurately points out that this also applies to security researchers. Seldom is a major security flaw discovered that isn’t related to the previous work of an older technology. His case in point is the recent flaw patched by Microsoft of a almost decade old vulnerability. The original vulnerability has been widely credited to Sir Dystic (Josh Buchbinder) but Dystic’s research was based in part on work by DilDog (Christien Rioux). Dildog wasn’t the first to find the flaw either as it was mentioned in a earlier paper by Dominique Brezinski. Weld argues that this is why credit for security research is so important.


On a completely unrelated note Mudge (Peiter Zatko) was recently quoted by Mass High Tech (again) on the subject of voting machine security.

Prototype This! premiers Wednesday Night

Former L0pht member, Defcon Badge Designer, Triathelete, new father, and urban clothing designer Kingpin (aka, Joe Grand) can now add yet another title to his resume, TV Star! The premier of the Discovery Channel’s new show Prototype This! debut’s Wednesday October 15 at 8PM. Sort of a cross between Junkyard Wars and Myth Busters Kingpin acts the groups electronics wizard. For the first episode the team builds a mind controlled car. Be sure to check your local listings!

Hope someone throws this up on the Bay ’cause I don’t get cable.

Fake Story Still Fake, Media Still Clueless

About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command and Control systems for satellites knew this would be almost impossible especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network.. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place and the Sunday Business never revealed where the story came from.
So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently Corinne Iozzio over at PC Magazine, nor her (his?) editors can be bothered to do basic journalism, simple research or check facts. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’ that as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof”
Geek.com – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via Shmoo.com “British Defense Ministry Dismisses Hacker Report”

Honey Dipped Patch Tuesday

I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month that can be rather comforting. Download, Test, Apply, eat your donut, repeat next month. From a security perspective though it makes absolutely no freaking sense.
So what happens when a hole is discovered on the Wednesday after Patch Tuesday? Thats right, nothing happens until the next patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found and are actively exploiting the hole.
Some companies like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule, instead they patch when needed. From a security point of view this is preferred as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad, it means your fighting fires, it means you can’t plan, or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!
The reporters over at ComputerWorld evidently felt like it was a good time bring up this ancient argument again and found a couple of clueless Windows Admins who claim to be “Security Researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the Enterprise. Since Apple is the one making them do work and apply patches on a Thursday it must be Apple who is wrong. Sun, and HP and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.
Most people in the security industry understand the double edge sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer, it depends on which side of the fence you stand and what is more important, being secure or having time on Wednesday to eat your honey dipped donut.

Mudge Cover’s Mass High Tech

So I get into work this morning and grab my snail-mail and throw it on my desk and go grab my morning oatmeal and glass of water. I get back to my desk and start eating my oatmeal as I go through my mail. Things like fake domain name renewal bills, pleas from wireless phone companies to switch services, a copy of Information Week, the normal crap that finds it way into the IT Managers inbox. Then I get to this weeks (August 22-28) copy of Mass High Tech and oatmeal spews out of my nose! Why? Freaking a big ass above the fold picture of Mudge’s fat smiling face staring back at me. Seriously his face takes up like half the damn page.

The online version is much smaller. Here is a scan of the front cover [PDF]. Just make sure you have finished your oatmeal before you open it.

Oh, the story? It is about finding security holes in heart defibrillators. Which is important I guess, and I suppose I would find it more interesting if I or someone I know actually had one of these implanted. Personally I can’t wait until someone starts looking at wireless utility meters.