Who Do You Trust?

Over and over people tell me that a product, service or other item is secure because someone else important uses it, and they are sooo important that they would never ever use or do anything insecure. So basically what they are saying is, “I trust them, so I will do what they do.” The problem with this is that they don’t really know how that other person uses a particular product. Perhaps they made a change to make it more secure, or made a change and unknowingly made it even worse, or made no changes and it is just a crappy product to begin with!

Let’s take for example the millions of people that run their credit cards through POS systems all over the country. Those systems must all be secure, right? Banks wouldn’t let those swipe machines be easily hackable, would they? Well, they would if they were the brand used by Stop & Shop Supermarkets. The POS systems you normally use were secretly replaced by (Folgers Crystals!) hacked POS systems that still validated your purchase but recorded the card information for later retrieval. (Pretty cool hack if you ask me.)

But, but, but that’s a small company. I only trust big companies, since they would never leave their data unsecured! They would if they were TJX, who had people rummaging through their network for over 17 months before the breach was discovered.

But those are brick and mortar shops; they always have problems. Reputable online companies don’t have those sorts of problems. Maybe not, unless you use products from Intuit, whose online TurboTax filing system temporarily exposed tax returns, including social security numbers and bank account numbers, to anyone who asked. While the time between discovery of the hole and its closure was pretty short, it is unknown whether the hole was discovered and abused, but not reported, even earlier.

Hardware, I trust hardware. All that software stuff is easy to break, but give me some good strong hardware any day. You mean hardware like the Secustick, a USB flash drive that automatically encrypts its contents and supposedly self destructs if tampered with? So secure that even the French government trusts it? That’s the kind of hardware you trust? Not so fast, it’s pretty trivial to break that as well.

So be careful who you trust, and don’t depend on others to make the decision for you. Treat your data and personal information as sacred. Trust no one.

Stupid Surveys

Ok, this is just too funny not to write about. As a previous Blackhat attendee (and speaker) my name is on the mailing list of whoever owns the conference these days. Anyway, I get an email that was appropriately routed to my spam folder, asking me to complete a survey for some magazine called ‘Dark Reading’ which looks like a TechWeb property that deals with security. Now normally I don’t waste time with such surveys, but I was bored at the time so I figured what the hell. Talk about entertainment! Check out this sample question….

11. What’s the first thing you typically do when you discover a vulnerability in an off-the-shelf hardware or software product?
– Report it to the vendor
– Post it/share it with other crackers/researchers
– Begin developing ways to exploit it for financial gain
– Begin developing proof-of-concept code to expose the vulnerability to a broad audience
– Find out who would be willing to pay the most for it
– Contact law enforcement

I cannot wait until the FUD filled article they write based on this survey comes out. Of course I checked off “Find out who would be willing to pay the most for it.” Bwahahaha. Yes, I somehow get a weird sort of personal satisfaction from becoming an outlying value in a statistical survey. hehehe…. I especially like the questions with an ‘other’ option that allow me to enter in my own answer. Like…

13. Many law enforcement agencies have developed computer crime units to investigate computer break-ins. Of these, which do you think has the best chance to catch you?

My answer? “None. I cannot be caught!” Hahahaha

If anyone notices the article they write from this survey, let me know. It oughta be good for a few laughs.