Mudge Cover’s Mass High Tech

So I get into work this morning and grab my snail-mail and throw it on my desk and go grab my morning oatmeal and glass of water. I get back to my desk and start eating my oatmeal as I go through my mail. Things like fake domain name renewal bills, pleas from wireless phone companies to switch services, a copy of Information Week, the normal crap that finds it way into the IT Managers inbox. Then I get to this weeks (August 22-28) copy of Mass High Tech and oatmeal spews out of my nose! Why? Freaking a big ass above the fold picture of Mudge’s fat smiling face staring back at me. Seriously his face takes up like half the damn page.

The online version is much smaller. Here is a scan of the front cover [PDF]. Just make sure you have finished your oatmeal before you open it.

Oh, the story? It is about finding security holes in heart defibrillators. Which is important I guess, and I suppose I would find it more interesting if I or someone I know actually had one of these implanted. Personally I can’t wait until someone starts looking at wireless utility meters.

More USB idiocy

I have written about really stupid USB security more than once but this has got to be the absolutely stupidest thing ever. (or if your the guy selling it I guess it is pure brilliance.) The previous USB security measures I wrote about claimed to be one thing and turned out to be another like using XOR when you claim to be using AES or just not using anything at all. In this case however there are no extravagant claims just a simple combination lock to physically lock your USB drive. A combination lock with only three digits, a combination lock that a three year old could probably open inside of five minutes. Granted this things only costs $7 but just how rock hard hard stupid do you have to be to use something like this even if it was free?

The Information Security Infantry

As a low-level, gravel crunching, grunt there are a few things that get drilled into your head through constant repetition, things like the only defense in an ambush is offense. If you’re caught in the middle of a well planned and executed ambush your pretty much dead so you might as well turn and run towards the hail of bullets coming at you and hopefully either run through them or scream loud enough to scare the guys shooting at you to stop shooting. Yeah, like I said, in an ambush your pretty much dead.

One of the other things that get drilled into your head is that obstacles must be kept under observation or they will be circumvented. You cannot spend all day in the hot sun setting up triple strand concertina wire and then walk away, the enemy will just cut through it. Sure it might slow them down for a while but it won’t stop them. However, if you’re standing there on the other side of the wire and the tanks come rolling along you will have more than enough time to call in the Warthogs before they can cut through the wire.

It is sometimes amazing to me how this simple principal of observation of obstacles is lost out here in the real world. Things like people installing a firewall and then never checking the logs. An attacker will bang on that firewall all day long until he finds a hole if he knows no one is watching. If you don’t observe your obstacles they will be compromised.

The folks over at Country Wide Home Loans evidently did not know of or understand his simple fundamental (to me anyway. Thanks Drill Sergeant!) security protocol. As a method to prevent dataloss by physical means they glued closed all the USB ports on their computers. Except evidently they forgot one machine. Of course the bad guy found this one machine and managed to siphon off personal information for 20,000 customers every week for two years!.

So an obstacle was put in place, the gluing closed of the USB ports, but there was no observation. No one checked the machines on a routine basis to see if rogue USB cards had been added to the system, no auditing of data transfer logs (assuming there were logs) for suspicious activity. No, just blind faith in super glue and the $14.00 an hour employee tasked with using the glue to get every single machine and not slack off early on a Friday afternoon.

Remember most security measures are just obstacles, all obstacles can be overcome given enough time and resources. Obstacles are nothing more than a deterrence, some obstacles are a bigger deterrence than others. So you can either run like a madman into the hail of bullets or keep your obstacles under observation. 10 Years Old Today

The registration info for says the domain was first registered on July 29, 1998. Ten years ago, today. wow. You know, long strange trip and all that. News wasn’t actually posted to the site until a month or so later but July 29th is as good day as any to celebrate. (or should that be commiserate?) HNN was only around for a little under two years but I like to think the site had a pretty big impact, not just on the hacker underground it reported on, but the security industry as a whole. Hell, at one point MSNBC claimed that HNN was “the voice of reason” amongst all the hype. When HNN started search engines were just starting to aggregate news, hell even Slashdot was new, by the end the ‘security portal’ was all the rage. The site existed during that formative stage of the security industry before which security was something seldom thought of and after which Venture Capitalist where throwing money at it.

For a walk down memory lane take a look at the first news day September 10, 1998 (Spelling mistakes and all, ahhh Spaceronics!) and the last day I posted the news June 16, 2000 (What is really amazing is that the links to CNN on the 1998 page STILL WORK! ten years later. Kudos to whoever built that site.)

The next Last HOPE in 2010

So The Last HOPE is over and while I am still here in New York (the reason why I’ll save for another day) I have been contemplating the events of the weekend. All in all I thought the con ran extremely well which is a bit unusual in my experience for HOPE. While there were a few excellent talks that I mentioned in my previous post I found many of the talks to be… elementary. But hacker cons are sooo much more than just the talks and presentations, they are time to reconnect with old friends, friends you only see at cons and online. Time to drink bears and retel old war^h^h^h hacking stories. The fact that this is the “Last” HOPE and that 2600 the book has just been released I have been reflecting on my own travels through this underground maze. From my first real introduction to hacker culture at HoHo Con ‘92 held in Houston Texas to the ‘last’ Pump con in Philadelphia just a few years ago. In ‘92 the internet did exist but getting access to it was a bit more difficult. I remember making a modem call from my HP95LX from my hotel room to post news from HoHo con back on the hometown BBS. By the time of the first HOPE in 1995 the Internet was much more prolific but still new and shiny. The First HOPE captured that excitment of newness and the possibilities that it presented. Here at The Last HOPE people are live twittering (tweeting?), disecting talks and heckling in real time from behind keyboards. Change is of course inevitable but I think what I am seing here is a change in the culture itself. Sure parents are now bringing their kids to the same cons they snuck out of the house to go to, but I think it is more than just the core population growing older. There is a definite shift in how people interact and react to each other and technology. I haven’t quite been able to put my finger on it but I have been feeling it all weekend. Much like the first HOPE opened a new chapter I got the feeling that this last HOPE is closing a chapter in hacker history and culture. It makes me wonder what comes next?

P.S. Rumour has it that the Hotel Pennsylvania will not be torn down due to the poor economy. In which case, if it is still standing, the next HOPE will be in 2010. (Eternal HOPE?, HOPE Pheonix?). Personally I think if this con continues they should come up with a new name. The era of HOPE is over.


Talks at the Last Hope

After you attend more than a half dozen or so hacker cons you start to realize several recurring themes amoung presentation topics. Topics such as Freedom of Information Act requests, hacker spaces, or hacker history have been done several times at various cons. The Last Hope is no different as these topics have recurred here as well. The difference here is that the presentors of these topics have each taken a different more interesting slant and have actually presented new and useful information. The FOIA talk has actually motivated me to file a few requests myself. The Hacker Spaces presenation actually broke down many of the problems that we ran into at the L0pht and even some we didn’t have and actually codified them all with solutions creating almost a blueprint for anyone wanting to create thier own hacker space. And Sketch Cow’s talk on hacker history makes you stop and think when you realize that future historians may only have major media sources such as hollywood movies and copies of Newsweek to try to understand what all hacker culture was all about.

Looking forward today to talks on Phone Phreaking History, Copying High Security Keys, Honeypots for the Home User, and the premier of Hackateer.

Can’t be here and are missing all the action? Check out the Live twitter feed and the Flickr stream.


The Last Hope in NYC Today!

I’m sitting on the floor of the eighteenth level of the Hotel Pennsylvania at The Last HOPElistening to Karsten Nohl talk about the (Im)possibility of Hardware Obfuscation as he discuss tracing connections in integrated chip design. Heady stuff. Already ran into Lady Ada from AdaFruit Industries and Road Dancer from the old (defunct?) HDF.

So far it is a very interesting crowd mix, there are your standard hacker types but here also seem to be a lot of ‘normal’ people as well. The crowd seems sedate but there is a certain electric charge in the air present at all hacker cons. The real fun will come later tonight as people absorb all the new information presented at the talks and start to mix it up amongst themselves. Good stuff.

Check my flickr stream for pictures.


OSF to take over DLDOS from

You may have noticed over there on the right hand side of this website a link to’s DLDOS or Data Loss database. The DLDOS (despite the poor choice of acronyms, or was that on purpose?), like Attrition’s Defacement Archive before it, is an extremely useful tool that has become the authoritative archive of privacy and data security breaches and is used extensively by researchers in the field. Even to just casually browse through the over 1000 listings of data breeches is an eye opening experience. Most of these breeches never make the news or if they do are seldom on the front page. With more and more companies attempting to keep such security lapses secret such a resource becomes more and more valuable. As the database’s usefulness has grown so has the resources needed to keep it online. Resources that just does not have. Thankfully Attrition has been able to find someone else to maintain and support this valuable resource.
As of July 15th the Open Security Foundation (OSF) will take over maintenance and expansion of the database. The new system will have much more data and many more feature and be available as a free download for non-profit use. Bravo to both Attrition and the OSF not only for creating and maintaining this resource but also for making sure it does not disappear.

Check oput the new DataLoss DB here.

P.S. See you all at The Last Hope. I’ll hopefully have several blog posts from the show floor.

CitiBank Card Numbers and PINS Stolen in Server Breach

Many years ago, (like ten or more) there was a major US bank (BoA, CitiBank I don’t remember) that had a major security breach. I don’t remember all the details, and Google has been less than helpful, but the bank in question was very forth coming, they announced the incident, released a press release, and detailed what happened. They then spent millions to revamp their entire security posture to prevent it from happening again. That bank lost millions of dollars of business afterwards despite the fact that after the breach it was probably the most secure bank in the country at that time.

Looks like banks have learned their lesson and now are keeping as quiet as possible about any and all compromises in their security.

Kevin Poulsen has written an excellent article over at Wired detailing the recent breach of ATM card numbers and their PINS. Seems that someone broke into a server that controlled CitiBank branded ATMs in various 7-11s across the country and then used the card numbers and PINs to create fake cards and drain bank accounts. There are a lot of unanswered questions about this case such as who was actually responsible for this server. Citibank is pointing the finger at a third party transaction processing company and that company seems to be denying any involvement. No one is being very forthcoming with the details, probably afraid of bad publicity and the loss of business that may result from it.

Consumers of course are protected by law from actual monetary losses but the hassle of having to get a new card number can’t be fun. Unfortunately there isn’t much the consumer can do to protect themselves against this sort of attack. You can try to avoid those stand alone ATM kiosks like those found in convenience stores and rely solely on ATMS at actual banks but in many cases that is just not practical. So keep a close eye on those statements, verify every line item and call your bank at the first sign of anything weird.

UPDATE: Thanks to NR for sending me a link to the CitiBank breach from 1995 that I referenced above.

Only You Can Prevent ID Theft

I was at Autozone yesterday getting a set of Upper Strut Mounts for my 167K mile old Saturn when the sales guy asked me for my phone number. I didn’t hesitate a bit and just rattled off ten digits. The same ten digits I always give out. Ten digits which in fact are not my phone number.
While I waited for the cashier to finish ringing up the pair of $42.99 parts I overheard the guy next to me arguing with the cashier about having to give up his phone number in order to complete his purchase. (Didn’t Radio Shack try this years ago?) The cashier assured him that the number would go nowhere other than Autozone and was only used to identify his purchase for warranty purposes. However, I didn’t see any privacy policy posted or offered for the customer to read, not that privacy policies are legally binding or anything. Once Autozone (or anyone else) has your info they can do whatever they please with it including selling it to someone else.
So what does this have to do with anything? Hopefully it serves as a reminder that the only one who is going to protect your identity is you. Some people obviously think they can hire some other company to protect their identity for them. A company like LifeLock which promises to “guarantee your good name.” Since the company’s founder publishes his own social security number on its web site and in print advertisements they must be able to protect people from identity theft, right? Why worry? Just pay Lifelock and your good name is guaranteed!
Well come to find out the company is currently being sued by customers in at least three states who say that LifeLock did anything but protect their identities. In the course of gathering information for the trial the lawyer for the case found 87 instances where people have tried to steal the identity of the CEO of the company, 20 of which were attempts at obtaining fake drivers licenses. And one instance of fraud being perpetrated in the name of the CEO! (I wonder if the CEO can get a refund?)
So what is the lesson to be learned? You can either pay your $10 a month and live in blissful ignorance until you get burned or you can expend a little effort and protect yourself. Don’t give out personal information to people who don’t need it (which is just about everyone), don’t use your PIN in point-of-sale machines, check your credit reports once a year, and don’t do what the CEO of Lifelock did and publish your social security number on your website.