Hackers Need Not Apply

Back in the nineties, the glory days of Hacking, just after the golden age of the late eighties, many companies were starting to get into the whole Internet Security thing. Everyone and their brother had an Internet Security company and VC were just crawling over each other to give them money. One thing most of the early companies had in common was a staunch refusal to hire ‘hackers’. They would give speeches at conferences and say ‘We hire only the best security experts, but no hackers’ They would issue press releases that said the same thing. I remember reading these and laughing because all the hackers I knew worked at these very same companies. (The ISS XForce said this all the time, and everyone who worked there was a hacker.)

At the time this was a brand new industry that basically took shape over night. There were so many security startups you literally couldn’t through a rock without hitting one. Foundstone, Guardent, @Stake, and those are just the big names that I remember off the top of my head, there were dozens of other smaller firms all vying for a piece of the pie and for the ever decreasing pool of talent. Basically if you knew what a war dialer was, could run a file of hashes through L0phtCrack and knew how to clear your browser cache you were hired as a Security expert at a 100K a year. It was that easy.

So what did all us hackers do? Well, we got jobs naturally. We got jobs at the very same companies who said “We don’t hire hackers”. Very very few of us actually had criminal records and those who did usually had them sealed due to a juvenile status at the time. So when it came time to fill out the employment history on the job application you filled it out truthfully, Landscaper, Burger King, Tech Support, and now Security Expert. Nowhere did you write down ‘Hacker’. When we went into the job interview we did not wear a big sign around our necks that said ‘Hacker’.

At some point after @Stake acquired the hacker think tank L0pht Heavy Industries this whole ‘we don’t hire hackers’ thing started to change. A lot of companies saw that it added to their credibility to say that they had a hacker or two on staff or if they didn’t actually publicize it they definately didn’t make assinine statements like “We don’t hire Hackers”.

Well, I guess things have come around full circle. Because Enrique Salem over at Symantec has stated that “You always worry about [grey hats]. Symantec has a standing policy that we don’t hire anyone to be a part of our company who has done any kind of known hacking,” he said. “We will not employ hackers.”

Enrique has been at Symantec for 16 years now but maybe he was to busy doing whatever is was he was doing before he got the CEO job in April to realize that his company does hire hackers. Or at least they did ten years ago when they bought @Stake and its old L0pht (and CDC) members. (OK, so I guess technically they bought them and didn’t actually hire them but semantics.)(Hey, always wanted to make that pun, hehe) At least one of the old L0pht folks was still working there up until a few years ago.

But even now there are more people than I can count on one hand who I know personally that work at Symantec who are publicly well known hackers. They speak at Hacker cons, are known by their handles and call themselves hackers. They don’t go around advertising where they work but its not a big secret to those of us in the community. I don’t think they have criminal records and I doubt they go around breaking into other peoples computers but then hacker does not equal criminal.

If you want to go around and say “We don’t hire hackers” that’s fine, just realize that there aren’t going to be very many people left to hire and you sound like an idiot when you say it. (Hey, DHS, are you listening?)

PC Protect

Internet scams are a dime a dozen from pop ups for fake anti-virus software packages to cleverly designed phishing websites that look exactly like your banks login page. Internet criminals will try just about anything if they think they can get away with it. Today I think I ran into what I think is a totally new scam that definitely involves your land line telephone, and I am pretty sure it involves the Internet, but I’m not sure.

The telltale sign that you have been had is a monthly charge on your telephone bill for $19.99 for something called “PC Protect”. Now a business of any measurable size is going to a have a phone bill such that an additional charge of $19.99 is going to be barely noticeable and I suspect that this is exactly what whoever is doing this scam is counting on. Thankfully the company I work for has an eagle eyed accountant and when she spotted the extra charge she quickly brought it to my attention and asked what it was. I had no idea, but with a name like “PC Protect” my spidey sense started tingling immediately.

A quick google search turned up a snazzy one page website (which I can no longer seem to find) full of web 2.0 goodness that looked like it was just there to sign people up to some sort of anti-something service. At the bottom of the page in the tiny tiny fine print there was a statement about how people could dispute charges by calling a number. Well, obviously we called. The first time they claimed to be from quizrocket DOT com (no, I won’t actually link to the site) the second time they claimed to be usprizedraw DOT com. We complained about the charges and they basically said tough, that our employee John Smith authorized the charges. So we called Verizon who easily agreed to remove the charges.

All well and good but the question remains how did these people get the company phone number and an employee name to ping it to? Obviously I had a talk with John. John is one of those rare people who ‘gets it’ mostly from an IT perspective. He told me that he never visited either of those sites or any other site even remotely close to it, doesn’t use facebook, doesn’t fill out online quizzes and when he buys stuff online for the company he uses a fake phone number (Like I said, he ‘gets it’).

If it was anyone else I would probably just say he filled out a form somewhere and got phished, which is still possible. Or there may be undetected malware deep inside his machine that I haven’t found yet. (I will take a closer look soon). Looking closer at the company info I quickly started going nowhere, fake company names, with fake addresses etc…

I will be looking closer at this stuff over the next few days. If you have heard of PC Protect or if anything else in this sounds familiar let me know. In the meantime keep a close eye on your phone bills.

Financial Company Still Recommending Insecure Software

There are few things in this world that really piss me off and blatant ignorance is one of them. On January 31st 2006 Microsoft did the right thing and removed Internet Explorer for Mac from their available IT downloads. Considering that IE5 for Mac had ceased further development in 2003 it had become riddle with unpatched security holes by the time MS removed it from the its website. Despite Microsoft’s positive action people are still recommending the software three and half years later, and not just regular Joe Schmoe idiots but major financial corporations.

Such recommendations place these corporations, not to mention their customers, at major risk for online fraud, phishing attacks, identity theft, etc… If a company does not wish to support a specific platform that is their prerogative but if they go out of their way to recommend not only an unsupported solution but also an extremely dangerous one shouldn’t they be held liable for their negligence?

I am pasting below a recent email exchange between a local IT Manager and the technical support for paychex.com. (If anyone knows anyone in security at Paychex you might want to point this out to them.) I sincerely hope that the flunky in IT who wrote this has just been misinformed and that this is not Paychex official policy, but hey, there are a lot of stupid idiots out there.

—–Original Message—–
From: Joe Smith (j_smith@smallco.com)
Date: Monday, May 11, 2009 05:19 PM
To: section125@paychex.com (section125@paychex.com)
Subject: Online FSA – Contact Us

What are the minimum requirements to use your website?

Several of our employees are having problems accessing their accounts. Do you support Firefox? Safari? Chrome? Do users need Java or Flash installed? Which versions? Thank you.

Kind Regards,

– J. Smith
IT Manager

From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are certain access issues that may occur with firefox and safari and it is not recommended to use these for this website. Internet Explorer should have no issues with access or transmitting information. No additional programs are required for access how ever to request certain documents and view them adobe acrobat reader is required.

Thank you,

Paychex Section 125

From: Joe Smith (j_smith@smallco.com)
Date: Tuesday, May 12, 2009 04:48 PM
To: ‘Paychex Section 125’ (section125@paychex.com)
Subject: RE: RE:Online FSA – Contact Us

Internet Explorer is not available for Macintosh users. How do you recommend that those users with Macintosh computers access your website?

Kind Regards,

– J. Smith
IT Manager

From: Paychex Section 125 [mailto:section125@paychex.com]
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are mac versions of internet explorer available online free of charge.

Thank you,

Paychex Section 125


Oh, and they had this stupid disclaimer on the bottom of their emails

The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Paychex, Inc.

All I can say is that idiocy must be brought out into the light so that it can wither and die. Become enlightened. Oh, and don’t use IE for Mac.

L0phtCrack 6 to Be Released at Source Boston

L0phtCrack, the original and still the best password auditing tool for MS windows based systems, will be re-released at Source Boston by the original authors! That’s right Mudge, Dildog and Weld Pond have required the rights to the original L0phtCrack and plan to release a new version at the upcoming conference. The new L0phtCrack will have support for 64-bit windows and upgraded rainbow tables. Woohoo! Details on potential additional new features, and pricing have not yet been released but you can bet that it will be better than Symantec’s.

Source Boston 2009

HNN Archive Posted

I don’t really know who actually owns the Hacker News Network anymore. I own the domain now but the original content was part of the sale of L0pht to @Stake which was then sold to Symantec. At this point though I don’t really care anymore. If they want it they can come and get it and suffer the negative publicity as a consequence.

Therefore I am putting all of the old HNN files back online. I figure the files don’t do anyone any good wasting away on my hard drive. So if you want to check out the news from any day between September 10, 1998 and March 30, 2000 just click on one of those links and then change the date in the URL to the day you are looking for.

A couple of notes, these are just the raw news files, no pretty pictures or other chrome. If you find duplicate files, those were the weekends. I think I have all the days but some of them may be missing, I know the last few months are not there. These were all originally written in in raw html with no spell check, and my grammar ain’t no good neither. Almost all of the links will be broken (hey, its been ten years) but a few like CNN’s might still work.

On an unrelated note, WordPress is now at 2.6.3 (yeah, I know big deal) and you can now leave comments with your OpenID!

Standing on the Shoulders of Giants

In February of 1676 Sir Issac Newton wrote in a letter to Robert Hooke “If I have seen a little further it is by standing on the shoulders of Giants.” implying that while he may have come up with the final idea he was only able to do so because of the work of those that had gone before him.

Weld Pond (Chris Wysopal) accurately points out that this also applies to security researchers. Seldom is a major security flaw discovered that isn’t related to the previous work of an older technology. His case in point is the recent flaw patched by Microsoft of a almost decade old vulnerability. The original vulnerability has been widely credited to Sir Dystic (Josh Buchbinder) but Dystic’s research was based in part on work by DilDog (Christien Rioux). Dildog wasn’t the first to find the flaw either as it was mentioned in a earlier paper by Dominique Brezinski. Weld argues that this is why credit for security research is so important.

On a completely unrelated note Mudge (Peiter Zatko) was recently quoted by Mass High Tech (again) on the subject of voting machine security.

Prototype This! premiers Wednesday Night

Former L0pht member, Defcon Badge Designer, Triathelete, new father, and urban clothing designer Kingpin (aka, Joe Grand) can now add yet another title to his resume, TV Star! The premier of the Discovery Channel’s new show Prototype This! debut’s Wednesday October 15 at 8PM. Sort of a cross between Junkyard Wars and Myth Busters Kingpin acts the groups electronics wizard. For the first episode the team builds a mind controlled car. Be sure to check your local listings!

Hope someone throws this up on the Bay ’cause I don’t get cable.

Fake Story Still Fake, Media Still Clueless

About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command and Control systems for satellites knew this would be almost impossible especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network.. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place and the Sunday Business never revealed where the story came from.
So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently Corinne Iozzio over at PC Magazine, nor her (his?) editors can be bothered to do basic journalism, simple research or check facts. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’ that as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof”
Geek.com – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via Shmoo.com “British Defense Ministry Dismisses Hacker Report”

Honey Dipped Patch Tuesday

I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month that can be rather comforting. Download, Test, Apply, eat your donut, repeat next month. From a security perspective though it makes absolutely no freaking sense.
So what happens when a hole is discovered on the Wednesday after Patch Tuesday? Thats right, nothing happens until the next patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found and are actively exploiting the hole.
Some companies like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule, instead they patch when needed. From a security point of view this is preferred as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad, it means your fighting fires, it means you can’t plan, or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!
The reporters over at ComputerWorld evidently felt like it was a good time bring up this ancient argument again and found a couple of clueless Windows Admins who claim to be “Security Researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the Enterprise. Since Apple is the one making them do work and apply patches on a Thursday it must be Apple who is wrong. Sun, and HP and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.
Most people in the security industry understand the double edge sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer, it depends on which side of the fence you stand and what is more important, being secure or having time on Wednesday to eat your honey dipped donut.