Defacement Archive May Close

One of the more popular features of HNN (The Hacker News Network) was the daily list of web page defacements that was maintained at the time by Attrition.org. Maintaining such an archive soon overwhelmed Attrition and the task was taken over by Alldas. After the demise of Alldas, a small (at the time) upstart security site in Austria, Zone-H took over. They have been maintaining the defacement archive for years and years slowly adding to it over time as new websites get compromised. Their archive now encompasses over 2.6 million web page defacements. The amount of data they have collected is invaluable and is an amazing resource for security researchers to gain a historical perspective on the frequency and methods of attacks used over the years.
Lately Zone-H has had some rough times, their founder has been arrested in relation to an Italian spying scandal and they have been coming under increasing criticism from people who think their archive is actually promoting web page defacements. As a result they are actually thinking about discontinuing the defacement archive.
This would be an unfortunate occurrence if it was to happen. They are currently running a poll on their front page, (in the left column) as to whether they should continue hosting and updating the archive or not. I urge you to cast your vote and help save a valuable security research tool.
 



SourceBoston WrapUp

I had been waiting for the folks at Source Boston to update their website with relevant materials before I posted a recap but they are probably waiting until Monday and I know I won’t have time to post anything then. So be sure to check their site for presentation slides, videos, and whatnot, but in the meantime here is what I have.

First of all I don’t think I have been to a better con since HoHoCon ’92 or maybe SummerCon ’97? (Was there a SummerCon that year?). So what made it so great? The excellent talks for one thing. You had to make hard decisions for three days straight about where you wanted to spend your time. All of the talks I listened to were extremely high caliber, better than most talks at Blackhat, Defcon, RSA or elsewhere. Then throw in just enough socializing to make it interesting without going overboard (i.e. Defcon), not to many pushy vendors trying to sell stuff (i.e. RSA), and the small (by Blackhat standards) number of attendees and you had a really intimate setting of knowledge sharing for three days straight.

For a recap of the whole conference check out Jack Daniel’s blog post over at Uncommon Sense Security and check the individual talk write-ups at the Source Boston Blog. So far I have only found slides for Sinan Eren’s talk on Information Operations. Dan Geer’s keynote speach is posted here (If you read nothing else read that!). If you want to relive the con vicariously check out the tweme feed as several people (myself included) were microblogging the whole thing.) Other than that you can check out all the photos posted to Flickr so far.
Oh, and videos of all the talks should be available at Media Archives real soon now. I can personally recommend James Atkinson’s talk about telephone defenses, Andrew Jaquith’s talk about problems with AV software, Matt Moynahan’s talk about software inspections, Carole Fennelly’s talk about Incident response plans, and Frank Reiger’s talk on cell phone security. Oh, and there was a little thing near the end about the L0pht you might want to watch as well.


Anyone got more links? Post in the comments. Thanks.
 



More USB Snake Oil

I’m still busy recovering from the excellent Source Boston conference and I will post a recap soon but I wanted to get this out there.


Last week I wrote about RFID enabled external hard drives that supposedly offered secure encryption of your data that turned out to be simple XOR. Well now USB thumb drives with integrated fingerprint readers have been found to be just as much Snake Oil. Hiese Security has reviewed several of the devices and have found it very easy to bypass the security of all of them. Companies that make crap like this should be found criminally responsible for fruad.

People see biometrics and automatically think they are secure, same thing when they see the word ‘encryption’. Your fingerprint is not a secret, you leave thousands of copies lying around everyday. In addition once the attacker has physical access to the device then your security will be compromised, fingerprint or not.

Oh, and I hope everyone had fun on Pi Day yesterday.
 



Last Day for Source2008

Yesterday I unfortunately missed James Atkinson’s talk at Source Boston but evidently it scared a few people and pissed off a few others. I did manage to catch Carole Fennelly’s talk about Incident Response Plans which was very informative even for me. And of course people are still talking about Dan Geer’s keynote. Still great talks lined up for today, listening to Frank Reiger right now telling me how insecure all my cell phones are, scary. Oh, yeah, I have a little talk scheduled later as well, at least thats what their telling me, after last night’s pub crawl I’m not sure I remember right now.

Videos of the talks are said to be available at Media Archives at some point real soon now. If you missed the con be sure to pick up a couple of these.

P.S. If you ever get to sit down with James Atkinson ask him to empty his pockets onto the table. Trust me you won’t be at a loss for conversation.
 



Smart People

Sometimes I wonder if people who are revered in their field are really all that smart. I am pretty sure that some people have achieved their positions not because they know their subject matter but because they are just charismatic people who are adept at politics and manipulation. However, as I sit here listening to Dan Geer at Source Boston talking about the dangers of a computing mono culture and the coming digital pearl harbor I realize that yes, some people really are that smart. Dan has said that his remarks will be available after his talk. I can’t wait to examine his words more closely.


This is one of the best cons I have been at in a long time. Just the right mix of serious technical talks, socialization and of course a little alcohol. Looking forward to talks today about the tug of war between business and security, Critical Infrastructure Protection, Study on Security Training Programs, and of course Developing an Incidence Response plan.


I’m pretty sure day passes are still available.
 



Source Boston 2008 Going on NOW!


SourceBoston 2008 Going on now and for the next two days. If your anywhere near Cambridge MA you should head over. The shear number of smart security people in this hotel is mind boggeling. Seriously, you can’t turn around without seeing someone else who is a major industry luminary.
Already listened to talks by Tito Jackson (no, not that Tito), he’s the Director of IT from state of MA. He basically said that Mass is great and that jobs are growing and all hail Gov. Deval! Woohoo! I kid, but it was some interesting opening remarks and good to hear that things may not be all doom and gloom as the economy suggests.
The official keynote was given by Richard Clarke the former head anti-cyber terrorism dude at the White House he runs a consulting company now, oh, and he has a book or two out. He asked a very interesting question about wether the government should disclose software vulnerabilities that it discovers or should it keep them for use in the next ‘cyber war’? IMO my tax dollars paid for it so yeah, I should get a copy!
Then Matt Moynahan from from Veracode spoke about how hard it is to quantify the security in software. A subject I have wrote here many times. Lots of good points, companys don’t want to give up their IP, there are no uniform standards, etc… Of course his company (andcformer L0pht peeps company) Veracode has the answer but it seems like a pretty good answer to me.

Oh, and I set up a Twitter account. Not sure if I will use it after the con but there it is.
 



More secure products that aren’t

Think that cool USB thumb drive you just bought with the word of ‘encryption’ written in big letters all over the package is really secure? Think again. ComputerWorld recently reviewed seven ‘secure’ USB drives and basically found that they are all crap. Either they have no security or all or they use AES in ECB mode (which is worthless) or they claim their security is ‘proprietary’ (i.e. snake oil).

Once again I have to ask how is the end user consumer supposed to know this? Why do we (consumers) have to wait for some third party to review a product before we know that the product will not do as it claims? When I go to the hardware store and buy a lamp I know it has been tested and meets certain requirements. I know that it won’t catch fire and burn down my house. Why can’t I have those same assurances when I buy a security product? I should be able to look at the product packaging and see that the product meets some sort of security standard or has been tested by some agency and meets certain criteria. If it can be done for electric pencil sharpeners it can be done for ‘secure’ USB thumb drives.
 



Tamper Resistant Point of Sale Machine Isn’t

When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their pin numbers. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.

Here is some advice which you can use, at least here in the US, don’t trust those card swipe and pin entry machines at the checkout counter. Most Debit cards from US banks will also work as a VISA or MasterCard. If your at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.
 



Less Than Two Weeks to Source2008

So I was having lunch with one of the organizers of the Source Boston 2008 conference yesterday (Spicy Beef Bowl, mmmmm) and realized that this is going to be one really great conference. Not only are there big name speakers like Richard Clarke, Steven Levy and Dan Geer there are some well respected security industry luminaries as well like Carole Fennelly, Frank Rieger, James Atkinson and a host of others. But I think the big thing that will set this conference apart from the big ones like BlackHat or RSA, (besides that the fact that it is within driving distance for me) is the size. There won’t be tens of thousands of people in attendance meaning you will probably be able to get a lot of one on one time with some of the smartest security minds in the country. If your in the Boston area at all you should probably stop by for a day or two or even all three.

Oh, and the L0pht renion panel is scheduled for Friday, the day after the Pub Crawl, which ought to be interesting.

 



AES = XOR = Secure? WTF!?!

I don’t have time for all of the stupidity out there but this is just to stupid to let pass by. Easy Nova a German company that makes a variety of computer storage accessories, recently released a hard drive case with hardware data encryption with 128-bit AES and access control via an RFID chip. Which on the surface sounds really really cool. Portable secure data, what more could you ask for? As it turns out you still need to ask for it to be secure because according to Heise Online and c’t Magazine that despite the claims of AES hardware encryption the product actually uses XOR encryption to write your data! Evidently the AES is only used to encrypt the RFID signal between the drive and the key fob. AES for the RFID chip but XOR for the data? I mean WTF! How about some truth in labeling. I suppose we should be happy they didn’t use double XOR.

This is yet another example of a security product that isn’t secure. How is the consumer supposed to know? Not everyone has diagnostic labs and forensic tools at the their disposal to test each and every product they buy for security. I’ve mentioned the formation of a Cyber UL before and clearly it is sorely needed.