SPACE ROGUE

So about nine years ago Tan at the L0pht first wrote about the creation of a Cyber Underwriters Laboratory. Like the real UL the Cyber UL would be tasked with independently testing and evaluating software, specifically security related software without the influence of vendors. At the time no one paid much attention and the idea went pretty much nowhere. Since then, in the wake of broke non-secure USB drives and people still using XOR encryption, such luminaries such as Bruce Schneier and even myself have commented that such an organization is sorely needed.
Well Tan has now responded himself with a followup to his original paper. The new paper Cyber Underwriters Laboratories – Reloaded takes a look at the PCI compliance required by VISA as a possible starting ground or model for such an organization.
Lets hope that this time people realize that the importance of such software evaluations is critical not just to the future of online commerce but is critical to the future of simply being online.
 

I have a list of websites that I read as part of my morning ritual just like everybody else. It helps fritter away the first few minutes of the day as I wait for my tea to cool to a drinkable temperature. Like most of the people who visit my little blog here you probably also read Slashdot. The stories are usually interesting enough to hold my interest while waiting for the aforementioned tea. (Red if you must know.) Today however, was posted a very rare treat, (for /. anyway) an extremely interesting and informative comment thread regarding Security Ethics. An important topic that isn’t discussed very often outside of vulnerability disclosure. Considering just how valuable Security people and IT workers in general are to a company (despite what your boss might think) it is important to maintain a high level of ethical behavior while at the same time remaining gainfully employed. Especially when all to often those two tasks seem diametrically opposed. This balancing act has forced myself to change employment more than once. The discussion thread on Slashdot provides some interesting horror stories, sage advice, and ammusing ancedotes about what really goes on during those SOX, SAS-70, 404 etc.. audits that the big companies (and governments) are so fond of.
 

One of the more popular features of HNN (The Hacker News Network) was the daily list of web page defacements that was maintained at the time by Attrition.org. Maintaining such an archive soon overwhelmed Attrition and the task was taken over by Alldas. After the demise of Alldas, a small (at the time) upstart security site in Austria, Zone-H took over. They have been maintaining the defacement archive for years and years slowly adding to it over time as new websites get compromised. Their archive now encompasses over 2.6 million web page defacements. The amount of data they have collected is invaluable and is an amazing resource for security researchers to gain a historical perspective on the frequency and methods of attacks used over the years.
Lately Zone-H has had some rough times, their founder has been arrested in relation to an Italian spying scandal and they have been coming under increasing criticism from people who think their archive is actually promoting web page defacements. As a result they are actually thinking about discontinuing the defacement archive.
This would be an unfortunate occurrence if it was to happen. They are currently running a poll on their front page, (in the left column) as to whether they should continue hosting and updating the archive or not. I urge you to cast your vote and help save a valuable security research tool.
 

I had been waiting for the folks at Source Boston to update their website with relevant materials before I posted a recap but they are probably waiting until Monday and I know I won’t have time to post anything then. So be sure to check their site for presentation slides, videos, and whatnot, but in the meantime here is what I have.

First of all I don’t think I have been to a better con since HoHoCon ’92 or maybe SummerCon ’97? (Was there a SummerCon that year?). So what made it so great? The excellent talks for one thing. You had to make hard decisions for three days straight about where you wanted to spend your time. All of the talks I listened to were extremely high caliber, better than most talks at Blackhat, Defcon, RSA or elsewhere. Then throw in just enough socializing to make it interesting without going overboard (i.e. Defcon), not to many pushy vendors trying to sell stuff (i.e. RSA), and the small (by Blackhat standards) number of attendees and you had a really intimate setting of knowledge sharing for three days straight.

For a recap of the whole conference check out Jack Daniel’s blog post over at Uncommon Sense Security and check the individual talk write-ups at the Source Boston Blog. So far I have only found slides for Sinan Eren’s talk on Information Operations. Dan Geer’s keynote speach is posted here (If you read nothing else read that!). If you want to relive the con vicariously check out the tweme feed as several people (myself included) were microblogging the whole thing.) Other than that you can check out all the photos posted to Flickr so far.
Oh, and videos of all the talks should be available at Media Archives real soon now. I can personally recommend James Atkinson’s talk about telephone defenses, Andrew Jaquith’s talk about problems with AV software, Matt Moynahan’s talk about software inspections, Carole Fennelly’s talk about Incident response plans, and Frank Reiger’s talk on cell phone security. Oh, and there was a little thing near the end about the L0pht you might want to watch as well.

Anyone got more links? Post in the comments. Thanks.
 

I’m still busy recovering from the excellent Source Boston conference and I will post a recap soon but I wanted to get this out there.

Last week I wrote about RFID enabled external hard drives that supposedly offered secure encryption of your data that turned out to be simple XOR. Well now USB thumb drives with integrated fingerprint readers have been found to be just as much Snake Oil. Hiese Security has reviewed several of the devices and have found it very easy to bypass the security of all of them. Companies that make crap like this should be found criminally responsible for fruad.

People see biometrics and automatically think they are secure, same thing when they see the word ‘encryption’. Your fingerprint is not a secret, you leave thousands of copies lying around everyday. In addition once the attacker has physical access to the device then your security will be compromised, fingerprint or not.

Oh, and I hope everyone had fun on Pi Day yesterday.
 

Yesterday I unfortunately missed James Atkinson’s talk at Source Boston but evidently it scared a few people and pissed off a few others. I did manage to catch Carole Fennelly’s talk about Incident Response Plans which was very informative even for me. And of course people are still talking about Dan Geer’s keynote. Still great talks lined up for today, listening to Frank Reiger right now telling me how insecure all my cell phones are, scary. Oh, yeah, I have a little talk scheduled later as well, at least thats what their telling me, after last night’s pub crawl I’m not sure I remember right now.

Videos of the talks are said to be available at Media Archives at some point real soon now. If you missed the con be sure to pick up a couple of these.

P.S. If you ever get to sit down with James Atkinson ask him to empty his pockets onto the table. Trust me you won’t be at a loss for conversation.
 

Sometimes I wonder if people who are revered in their field are really all that smart. I am pretty sure that some people have achieved their positions not because they know their subject matter but because they are just charismatic people who are adept at politics and manipulation. However, as I sit here listening to Dan Geer at Source Boston talking about the dangers of a computing mono culture and the coming digital pearl harbor I realize that yes, some people really are that smart. Dan has said that his remarks will be available after his talk. I can’t wait to examine his words more closely.

This is one of the best cons I have been at in a long time. Just the right mix of serious technical talks, socialization and of course a little alcohol. Looking forward to talks today about the tug of war between business and security, Critical Infrastructure Protection, Study on Security Training Programs, and of course Developing an Incidence Response plan.

I’m pretty sure day passes are still available.
 

SourceBoston 2008 Going on now and for the next two days. If your anywhere near Cambridge MA you should head over. The shear number of smart security people in this hotel is mind boggeling. Seriously, you can’t turn around without seeing someone else who is a major industry luminary.
Already listened to talks by Tito Jackson (no, not that Tito), he’s the Director of IT from state of MA. He basically said that Mass is great and that jobs are growing and all hail Gov. Deval! Woohoo! I kid, but it was some interesting opening remarks and good to hear that things may not be all doom and gloom as the economy suggests.
The official keynote was given by Richard Clarke the former head anti-cyber terrorism dude at the White House he runs a consulting company now, oh, and he has a book or two out. He asked a very interesting question about wether the government should disclose software vulnerabilities that it discovers or should it keep them for use in the next ‘cyber war’? IMO my tax dollars paid for it so yeah, I should get a copy!
Then Matt Moynahan from from Veracode spoke about how hard it is to quantify the security in software. A subject I have wrote here many times. Lots of good points, companys don’t want to give up their IP, there are no uniform standards, etc… Of course his company (andcformer L0pht peeps company) Veracode has the answer but it seems like a pretty good answer to me.

Oh, and I set up a Twitter account. Not sure if I will use it after the con but there it is.
 

Think that cool USB thumb drive you just bought with the word of ‘encryption’ written in big letters all over the package is really secure? Think again. ComputerWorld recently reviewed seven ‘secure’ USB drives and basically found that they are all crap. Either they have no security or all or they use AES in ECB mode (which is worthless) or they claim their security is ‘proprietary’ (i.e. snake oil).

Once again I have to ask how is the end user consumer supposed to know this? Why do we (consumers) have to wait for some third party to review a product before we know that the product will not do as it claims? When I go to the hardware store and buy a lamp I know it has been tested and meets certain requirements. I know that it won’t catch fire and burn down my house. Why can’t I have those same assurances when I buy a security product? I should be able to look at the product packaging and see that the product meets some sort of security standard or has been tested by some agency and meets certain criteria. If it can be done for electric pencil sharpeners it can be done for ‘secure’ USB thumb drives.
 

When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their pin numbers. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.

Here is some advice which you can use, at least here in the US, don’t trust those card swipe and pin entry machines at the checkout counter. Most Debit cards from US banks will also work as a VISA or MasterCard. If your at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.