Defacement Archive May Close

One of the more popular features of HNN (The Hacker News Network) was the daily list of web page defacements that was maintained at the time by Maintaining such an archive soon overwhelmed Attrition and the task was taken over by Alldas. After the demise of Alldas, a small (at the time) upstart security site in Austria, Zone-H took over. They have been maintaining the defacement archive for years and years slowly adding to it over time as new websites get compromised. Their archive now encompasses over 2.6 million web page defacements. The amount of data they have collected is invaluable and is an amazing resource for security researchers to gain a historical perspective on the frequency and methods of attacks used over the years.
Lately Zone-H has had some rough times, their founder has been arrested in relation to an Italian spying scandal and they have been coming under increasing criticism from people who think their archive is actually promoting web page defacements. As a result they are actually thinking about discontinuing the defacement archive.
This would be an unfortunate occurrence if it was to happen. They are currently running a poll on their front page, (in the left column) as to whether they should continue hosting and updating the archive or not. I urge you to cast your vote and help save a valuable security research tool.

More USB Snake Oil

I’m still busy recovering from the excellent Source Boston conference and I will post a recap soon but I wanted to get this out there.

Last week I wrote about RFID enabled external hard drives that supposedly offered secure encryption of your data that turned out to be simple XOR. Well now USB thumb drives with integrated fingerprint readers have been found to be just as much Snake Oil. Hiese Security has reviewed several of the devices and have found it very easy to bypass the security of all of them. Companies that make crap like this should be found criminally responsible for fruad.

People see biometrics and automatically think they are secure, same thing when they see the word ‘encryption’. Your fingerprint is not a secret, you leave thousands of copies lying around everyday. In addition once the attacker has physical access to the device then your security will be compromised, fingerprint or not.

Oh, and I hope everyone had fun on Pi Day yesterday.

More secure products that aren’t

Think that cool USB thumb drive you just bought with the word of ‘encryption’ written in big letters all over the package is really secure? Think again. ComputerWorld recently reviewed seven ‘secure’ USB drives and basically found that they are all crap. Either they have no security or all or they use AES in ECB mode (which is worthless) or they claim their security is ‘proprietary’ (i.e. snake oil).

Once again I have to ask how is the end user consumer supposed to know this? Why do we (consumers) have to wait for some third party to review a product before we know that the product will not do as it claims? When I go to the hardware store and buy a lamp I know it has been tested and meets certain requirements. I know that it won’t catch fire and burn down my house. Why can’t I have those same assurances when I buy a security product? I should be able to look at the product packaging and see that the product meets some sort of security standard or has been tested by some agency and meets certain criteria. If it can be done for electric pencil sharpeners it can be done for ‘secure’ USB thumb drives.

Tamper Resistant Point of Sale Machine Isn’t

When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their pin numbers. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.

Here is some advice which you can use, at least here in the US, don’t trust those card swipe and pin entry machines at the checkout counter. Most Debit cards from US banks will also work as a VISA or MasterCard. If your at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.

Less Than Two Weeks to Source2008

So I was having lunch with one of the organizers of the Source Boston 2008 conference yesterday (Spicy Beef Bowl, mmmmm) and realized that this is going to be one really great conference. Not only are there big name speakers like Richard Clarke, Steven Levy and Dan Geer there are some well respected security industry luminaries as well like Carole Fennelly, Frank Rieger, James Atkinson and a host of others. But I think the big thing that will set this conference apart from the big ones like BlackHat or RSA, (besides that the fact that it is within driving distance for me) is the size. There won’t be tens of thousands of people in attendance meaning you will probably be able to get a lot of one on one time with some of the smartest security minds in the country. If your in the Boston area at all you should probably stop by for a day or two or even all three.

Oh, and the L0pht renion panel is scheduled for Friday, the day after the Pub Crawl, which ought to be interesting.


AES = XOR = Secure? WTF!?!

I don’t have time for all of the stupidity out there but this is just to stupid to let pass by. Easy Nova a German company that makes a variety of computer storage accessories, recently released a hard drive case with hardware data encryption with 128-bit AES and access control via an RFID chip. Which on the surface sounds really really cool. Portable secure data, what more could you ask for? As it turns out you still need to ask for it to be secure because according to Heise Online and c’t Magazine that despite the claims of AES hardware encryption the product actually uses XOR encryption to write your data! Evidently the AES is only used to encrypt the RFID signal between the drive and the key fob. AES for the RFID chip but XOR for the data? I mean WTF! How about some truth in labeling. I suppose we should be happy they didn’t use double XOR.

This is yet another example of a security product that isn’t secure. How is the consumer supposed to know? Not everyone has diagnostic labs and forensic tools at the their disposal to test each and every product they buy for security. I’ve mentioned the formation of a Cyber UL before and clearly it is sorely needed.


Responsible disclosure for vendors?

If a vendor finds a vulnerability in a competitors code are they obligated to tell them? What exactly is ethical and or responsible disclosure when it comes to competing vendors? Among security researchers the general consensus these days is to notify the vendor and then wait a reasonable amount time for a patch to be developed before going public. While this scenario is for the most part agreed upon and followed it is by no means a perfect solution. Now through in competing vendors and it gets even stickier.
Recently the Mozilla group was notified of an exploit in their code which they dutifully fixed. In the process they evidently realized that the same hole effected the Opera browser. Like good net citizens they notified Opera of the hole but did not wait around for Opera to fix it.
So is Opera justified in being a little miffed at Mozilla for not waiting for a fix or should they be happy that they got notified at all? Should vendors be held to the same ethical standards as researchers when it comes to vulnerability disclosure even if it is with a competitors product? Why have we had this same problem for decades without some sort of solution?

Most Security is Useless

Looks like I missed this the first time around but there is an article about a speech recently given by Peter Tippet, a VP at Verizon and a scientist at ICSA labs, who talks about how useless most security actually is. Most of his points are ones that I have been making for years like the uselessness of long complex passwords, all your doing is inconveniencing the user. Or how ineffective the continuous search for, reacting to, and patching of new software holes really is when you consider that only a small percentage of those holes are ever exploited. Do you want the highest rate of return on your security dollar? Spend it on the weakest link, the people. Security awareness training, while hard to quantify, will provide the biggest return in terms of security. If you can train your users to think about security as part of their everyday work lives your overall level of security will increase dramatically.


Feds Use Spyware

Ever hear of CIPAV? It is some pretty bad-ass spyware that tracks every website, every chat, every email that you send from your computer. Maybe you know it by its more common name Computer and Internet Protocol Address Verifier. Sounds pretty official for a piece of nefarious software. Guess what, it is the software used by the FBI. Which is Ok I guess, I mean the FBI needs investigative and forensic tools don’t they? But what do they do with all this data they collect? Who are they collecting it from? Do they need or even attempt to get a warrant when they use it? Why is it such a big secret? These are just a few questions about this secret program that have come up since its existence was first discovered. Now it looks like the FBI actually asked the FISC court (Thats the secret court that rubber stamps eavesdropping warrants for the FBI) if they could use the software. Looks like they have been using this stuff since 2005! No idea of how it gets installed or if AV software will catch it. I’m all for the FBI and other agencies having the tools they need to do their jobs but there is no reason why it needs to be all secret and cloak and dagger, how about a little oversight?

PWN to Own Take 2

The folks over at CanSecWest will once again be hosting their popular PWN to OWN contest at this years con. I wrote about last year’s contest that was won after a spl0it was found in Quicktime that allowed the attacker to PWN the Mac laptop. This year they are also putting up an Ubuntu and Vista box. They haven’t mentioned what the configuration will be, what aps will be installed etc… but it doesn’t really matter. This exercise will prove nothing other than that the CanSecWest organizers know how to be media whores (hey, even I’m writing about it). Even if one or two of the boxes get owned it will not prove that one OS is more secure than the other. OS Security is proven (or disproved) over the types and severity (not number or frequency) of vulnerabilities found over the long term. So while this contest will likely get a lot of press, especially if someone is successful and owns one of the boxes, in the long run it really doesn’t mean anything.