L0phtCrack 6 to Be Released at Source Boston

L0phtCrack, the original and still the best password auditing tool for MS windows based systems, will be re-released at Source Boston by the original authors! That’s right Mudge, Dildog and Weld Pond have required the rights to the original L0phtCrack and plan to release a new version at the upcoming conference. The new L0phtCrack will have support for 64-bit windows and upgraded rainbow tables. Woohoo! Details on potential additional new features, and pricing have not yet been released but you can bet that it will be better than Symantec’s.

Source Boston 2009
L0phtCrack.com

HNN Archive Posted

I don’t really know who actually owns the Hacker News Network anymore. I own the domain now but the original content was part of the sale of L0pht to @Stake which was then sold to Symantec. At this point though I don’t really care anymore. If they want it they can come and get it and suffer the negative publicity as a consequence.

Therefore I am putting all of the old HNN files back online. I figure the files don’t do anyone any good wasting away on my hard drive. So if you want to check out the news from any day between September 10, 1998 and March 30, 2000 just click on one of those links and then change the date in the URL to the day you are looking for.

A couple of notes, these are just the raw news files, no pretty pictures or other chrome. If you find duplicate files, those were the weekends. I think I have all the days but some of them may be missing, I know the last few months are not there. These were all originally written in in raw html with no spell check, and my grammar ain’t no good neither. Almost all of the links will be broken (hey, its been ten years) but a few like CNN’s might still work.

On an unrelated note, WordPress is now at 2.6.3 (yeah, I know big deal) and you can now leave comments with your OpenID!

Standing on the Shoulders of Giants

In February of 1676 Sir Issac Newton wrote in a letter to Robert Hooke “If I have seen a little further it is by standing on the shoulders of Giants.” implying that while he may have come up with the final idea he was only able to do so because of the work of those that had gone before him.

Weld Pond (Chris Wysopal) accurately points out that this also applies to security researchers. Seldom is a major security flaw discovered that isn’t related to the previous work of an older technology. His case in point is the recent flaw patched by Microsoft of a almost decade old vulnerability. The original vulnerability has been widely credited to Sir Dystic (Josh Buchbinder) but Dystic’s research was based in part on work by DilDog (Christien Rioux). Dildog wasn’t the first to find the flaw either as it was mentioned in a earlier paper by Dominique Brezinski. Weld argues that this is why credit for security research is so important.


On a completely unrelated note Mudge (Peiter Zatko) was recently quoted by Mass High Tech (again) on the subject of voting machine security.

Prototype This! premiers Wednesday Night

Former L0pht member, Defcon Badge Designer, Triathelete, new father, and urban clothing designer Kingpin (aka, Joe Grand) can now add yet another title to his resume, TV Star! The premier of the Discovery Channel’s new show Prototype This! debut’s Wednesday October 15 at 8PM. Sort of a cross between Junkyard Wars and Myth Busters Kingpin acts the groups electronics wizard. For the first episode the team builds a mind controlled car. Be sure to check your local listings!

Hope someone throws this up on the Bay ’cause I don’t get cable.

Fake Story Still Fake, Media Still Clueless

About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command and Control systems for satellites knew this would be almost impossible especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network.. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place and the Sunday Business never revealed where the story came from.
So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently Corinne Iozzio over at PC Magazine, nor her (his?) editors can be bothered to do basic journalism, simple research or check facts. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’ that as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof”
Geek.com – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via Shmoo.com “British Defense Ministry Dismisses Hacker Report”

Honey Dipped Patch Tuesday

I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month that can be rather comforting. Download, Test, Apply, eat your donut, repeat next month. From a security perspective though it makes absolutely no freaking sense.
So what happens when a hole is discovered on the Wednesday after Patch Tuesday? Thats right, nothing happens until the next patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found and are actively exploiting the hole.
Some companies like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule, instead they patch when needed. From a security point of view this is preferred as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad, it means your fighting fires, it means you can’t plan, or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!
The reporters over at ComputerWorld evidently felt like it was a good time bring up this ancient argument again and found a couple of clueless Windows Admins who claim to be “Security Researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the Enterprise. Since Apple is the one making them do work and apply patches on a Thursday it must be Apple who is wrong. Sun, and HP and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.
Most people in the security industry understand the double edge sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer, it depends on which side of the fence you stand and what is more important, being secure or having time on Wednesday to eat your honey dipped donut.

Mudge Cover’s Mass High Tech

So I get into work this morning and grab my snail-mail and throw it on my desk and go grab my morning oatmeal and glass of water. I get back to my desk and start eating my oatmeal as I go through my mail. Things like fake domain name renewal bills, pleas from wireless phone companies to switch services, a copy of Information Week, the normal crap that finds it way into the IT Managers inbox. Then I get to this weeks (August 22-28) copy of Mass High Tech and oatmeal spews out of my nose! Why? Freaking a big ass above the fold picture of Mudge’s fat smiling face staring back at me. Seriously his face takes up like half the damn page.

The online version is much smaller. Here is a scan of the front cover [PDF]. Just make sure you have finished your oatmeal before you open it.

Oh, the story? It is about finding security holes in heart defibrillators. Which is important I guess, and I suppose I would find it more interesting if I or someone I know actually had one of these implanted. Personally I can’t wait until someone starts looking at wireless utility meters.

More USB idiocy

I have written about really stupid USB security more than once but this has got to be the absolutely stupidest thing ever. (or if your the guy selling it I guess it is pure brilliance.) The previous USB security measures I wrote about claimed to be one thing and turned out to be another like using XOR when you claim to be using AES or just not using anything at all. In this case however there are no extravagant claims just a simple combination lock to physically lock your USB drive. A combination lock with only three digits, a combination lock that a three year old could probably open inside of five minutes. Granted this things only costs $7 but just how rock hard hard stupid do you have to be to use something like this even if it was free?

The Information Security Infantry

As a low-level, gravel crunching, grunt there are a few things that get drilled into your head through constant repetition, things like the only defense in an ambush is offense. If you’re caught in the middle of a well planned and executed ambush your pretty much dead so you might as well turn and run towards the hail of bullets coming at you and hopefully either run through them or scream loud enough to scare the guys shooting at you to stop shooting. Yeah, like I said, in an ambush your pretty much dead.

One of the other things that get drilled into your head is that obstacles must be kept under observation or they will be circumvented. You cannot spend all day in the hot sun setting up triple strand concertina wire and then walk away, the enemy will just cut through it. Sure it might slow them down for a while but it won’t stop them. However, if you’re standing there on the other side of the wire and the tanks come rolling along you will have more than enough time to call in the Warthogs before they can cut through the wire.

It is sometimes amazing to me how this simple principal of observation of obstacles is lost out here in the real world. Things like people installing a firewall and then never checking the logs. An attacker will bang on that firewall all day long until he finds a hole if he knows no one is watching. If you don’t observe your obstacles they will be compromised.

The folks over at Country Wide Home Loans evidently did not know of or understand his simple fundamental (to me anyway. Thanks Drill Sergeant!) security protocol. As a method to prevent dataloss by physical means they glued closed all the USB ports on their computers. Except evidently they forgot one machine. Of course the bad guy found this one machine and managed to siphon off personal information for 20,000 customers every week for two years!.

So an obstacle was put in place, the gluing closed of the USB ports, but there was no observation. No one checked the machines on a routine basis to see if rogue USB cards had been added to the system, no auditing of data transfer logs (assuming there were logs) for suspicious activity. No, just blind faith in super glue and the $14.00 an hour employee tasked with using the glue to get every single machine and not slack off early on a Friday afternoon.

Remember most security measures are just obstacles, all obstacles can be overcome given enough time and resources. Obstacles are nothing more than a deterrence, some obstacles are a bigger deterrence than others. So you can either run like a madman into the hail of bullets or keep your obstacles under observation.

Hackernews.com 10 Years Old Today

The registration info for hackernews.com says the domain was first registered on July 29, 1998. Ten years ago, today. wow. You know, long strange trip and all that. News wasn’t actually posted to the site until a month or so later but July 29th is as good day as any to celebrate. (or should that be commiserate?) HNN was only around for a little under two years but I like to think the site had a pretty big impact, not just on the hacker underground it reported on, but the security industry as a whole. Hell, at one point MSNBC claimed that HNN was “the voice of reason” amongst all the hype. When HNN started search engines were just starting to aggregate news, hell even Slashdot was new, by the end the ‘security portal’ was all the rage. The site existed during that formative stage of the security industry before which security was something seldom thought of and after which Venture Capitalist where throwing money at it.

For a walk down memory lane take a look at the first news day September 10, 1998 (Spelling mistakes and all, ahhh Spaceronics!) and the last day I posted the news June 16, 2000 (What is really amazing is that the links to CNN on the 1998 page STILL WORK! ten years later. Kudos to whoever built that site.)