web application security lab

Archive for April, 2007

Market Investment Recon

Sunday, April 15th, 2007

I had a meeting last week with one of my former employees about the sheer exodus of people who were leaving the company. Without solid evidence that we could relay in a public scenario (without disclosing internal dirty laundry), we still had a few key indicators that anyone could see; namely, the social networking sites the company's employees belonged to were abuzz. It got me thinking about ways in which you could actually predict future market conditions based on key information derived from one of the most powerful and insecure corporate assets: the employees themselves.

So I threw up a short white paper discussing how to mine out certain elements that can help investors know what may or may not foreshadow future market fluctuations. This was not at all meant to be a thorough list of recon methods; rather, it was designed to get people thinking and talking about the vast amount of information that is leaked openly by the companies in question. Hopefully it makes everyone at least stop and think a little.

Visual Complexity

Saturday, April 14th, 2007

Yesterday was my very last day at my old day job, so I was swamped with goodbye meetings. It's good to be doing security full time. This isn't going to be a technical post as a result. Anyway, a few weekends ago, I thought through what it would take to graph out some of the thoughts I've had about some of the more bizarre stats I've got, both in my logs and in other sets of data that I could get a hold of. I spent at least 5-6 hours looking through various types of graphs as well as graphing programs to help visualize some known attributes. This is more eye candy than anything, but I thought I'd at least share some of the cool stuff I found, like Visual Complexity and the site on Data Mining, both of which I think are highly relevant to some of the stuff I'm working on.

Unfortunately I can't find any good free software to do this sort of work for me that doesn't require a full-fledged programming language, so I think I'll just have to stick to my mental theories, since I can't quickly draw it out by hand. Specifically, I have some thoughts on how robot activity can be demonstrated and proven using known patterns, and how certain signatures relate to other signatures, both for passive and active scanning. It's too complicated to go over in a single post, but anyway, just some cool graphs!

The Irony of Admin Passwords In Multi Admin Environments

Thursday, April 12th, 2007

I don't know what was wrong with my finger this morning, but I simply could not get my fingerprint scanner to work on my laptop. I probably tried at least 100 times. Yes, I was frustrated. My finger hurt, and I was yelling at my laptop. Finally magic happened and whatever random thing I was doing that was causing it to fail stopped happening and I got in. Time for the fingerprint scanner to go and switch back to passwords. Fingerprint scanning isn't super secure anyway. So there I was, trying to remember an admin password for my account that I set up the day I built my laptop but had not used once since then. Forget it, my passwords are simply too complex for me to remember if I don't use them regularly. So what to do? Sure, I could crack the password (the thought went through my head), but I really didn't want to go mess with Cain & Abel at 6 in the morning.

As an administrator on my Windows NT box I can make other administrator accounts and change anyone else's password, just not my own. So instead I created a new admin user, switched to that account, changed my original admin user's password, switched back to that account and then got rid of my second admin account. Herein lies some serious irony. Why can I create admin accounts that have the ability to modify my own admin password when I don't have the power to do that myself? I've seen a different philosophy on UNIX systems. As root I can create new users, chmod, chown, change other people's passwords, put them in administrator groups and give them sudo access. So it makes sense that when I type passwd I should be able to change my own administrator password without a password prompt.

While it may not make sense for root to have that much power without having to authenticate (to ensure they aren't being hijacked), at least it's consistent with the rest of the security model. (In fairness, Windows does draw the same line under the hood: changing a password requires the old one, while resetting it, which an administrator can do for any local account including their own via lusrmgr.msc or net user, does not. The change dialog is simply the only path the logon UI puts in front of you.) I think the same thing applies in lots of different types of web applications too. Administrators should have total access over their users and should be able to create other administrators, but ultimately they should be asked for their password before performing any function that could subvert their own account (or not at all). Either way, it should be consistent with the rest of the security model. Maybe this is all academia, but it sure was annoying this morning!
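To make the "consistent model" point concrete, here is an added example (my own toy code, not anything from the post or from Windows/UNIX) of an account store where one rule governs every password change: whoever performs it, on themselves or on someone else, must have proved knowledge of their own password within a short window, and the action is audited. The re-authentication window, the PBKDF2 iteration count and the toy protocol around them are all assumptions chosen for the demo.

```python
"""Toy account store with a single, consistent password-change policy.

Added example, not from the original post. Rule demonstrated: any action that
can lock a principal out, whether it targets the caller or another user,
requires the caller to have re-entered their own password recently, and
every such action is written to an audit log.
"""
import hashlib
import hmac
import os
import time


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for a demo (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class ReauthRequired(Exception):
    pass


class NotAuthorized(Exception):
    pass


class AccountStore:
    REAUTH_WINDOW = 300  # seconds a fresh password proof stays valid (assumed)

    def __init__(self):
        self._users = {}       # name -> (salt, hash, is_admin)
        self._reauth_at = {}   # name -> monotonic time of last password proof
        self.audit = []        # (actor, target, action)

    def add_user(self, name, password, is_admin=False):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt), is_admin)

    def verify(self, name, password) -> bool:
        """Check a password; on success record a fresh proof for `name`."""
        if name not in self._users:
            return False
        salt, stored, _ = self._users[name]
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self._reauth_at[name] = time.monotonic()
        return ok

    def _require_fresh_auth(self, actor):
        last = self._reauth_at.get(actor)
        if last is None or time.monotonic() - last > self.REAUTH_WINDOW:
            raise ReauthRequired(f"{actor} must re-enter their password")

    def set_password(self, actor, target, new_password):
        """Reset `target`'s password as `actor`. Same rule for self and others."""
        if actor not in self._users or target not in self._users:
            raise NotAuthorized("unknown principal")
        is_admin = self._users[actor][2]
        if actor != target and not is_admin:
            raise NotAuthorized(f"{actor} may not change {target}'s password")
        self._require_fresh_auth(actor)
        salt = os.urandom(16)
        self._users[target] = (salt, _hash(new_password, salt), self._users[target][2])
        self.audit.append((actor, target, "password_reset"))
        # A reset invalidates whatever proof the target had; they must prove
        # knowledge of the new password before doing anything sensitive.
        self._reauth_at.pop(target, None)
```

The point is not the crypto but the shape of the check: there is exactly one path for "change a password", it always asks the actor for their own credential, and the audit row records who did it to whom. The "create a second admin and use it to reset myself" workaround from the post still works here, but it shows up as two audited actions by the same actor instead of silently bypassing the rule.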

Inter Protocol Exploitation

Wednesday, April 11th, 2007

Wade sent me a link to a paper he'd written on Inter Protocol Exploitation. If that sounds vaguely familiar, it's because it is: we have been talking about it on and off for a while now, specifically around the JavaScript spam technique we've discussed and the IMAP3 XSS. This time he does a good job of explaining not just how to execute a function or how to get it to error out, but specifically how to run buffer overflows against servers using XSS. Yes, you heard me.

In the paper he talks about a theoretical buffer overflow against a tiny C program listening on an open socket. While interesting, it's also theoretical. Then he whips out a working buffer overflow for an Asterisk (VoIP) server. Wow! So add buffer overflows to the sum of things we can now do against servers with XSS and intranet hacking. It's the first time Metasploit and XSS have really met on the same proving grounds. This gives credence to something Jeremiah's been saying for a while: JavaScript is the new shellcode. Well, maybe not the new shellcode, but definitely the transmission mechanism for the shellcode! Very cool paper, and I highly recommend the read.
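The mechanism that makes this work is worth seeing in bytes. Below is an added example (mine, not code from Wade's paper or from this post) that simulates it offline: a browser will POST a form to any host:port a page names, and with enctype="text/plain" a textarea value is copied into the body verbatim, newlines included, so the attacker controls whole lines of what arrives at the socket. A line-oriented server that skips lines it doesn't recognise will ignore the HTTP request line and headers and act on the smuggled lines. The toy protocol (USER/LIST/QUIT), the target address and the exact header set the browser emits are assumptions for the demo; no overflow is attempted here.

```python
"""Inter-protocol request smuggling via an HTML form, simulated offline.

Added example, not from the original post or Wade Alcorn's paper. The
three-command protocol and the 10.0.0.5:4444 target are invented for the demo.
"""


def browser_form_post(host: str, port: int, field: str, textarea: str) -> bytes:
    """Approximate the bytes a browser sends for a text/plain form POST.

    text/plain encoding emits one 'name=value' line per field; a textarea
    value keeps its line breaks (normalised to CRLF), so everything after
    the first CRLF in `textarea` becomes its own line on the wire.
    """
    body = f"{field}={textarea}\r\n".encode()
    headers = (
        f"POST / HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
    ).encode()
    return headers + body


def tolerant_server(raw: bytes) -> list:
    """Toy line-oriented server that drops lines it does not understand.

    This forgiving parse is exactly what lets the HTTP envelope slide past:
    'POST / HTTP/1.1', the headers and the blank line are all skipped, and
    the attacker's lines are executed as if typed by a legitimate client.
    """
    executed = []
    for line in raw.split(b"\r\n"):
        cmd, _, arg = line.partition(b" ")
        if cmd in (b"USER", b"LIST", b"QUIT"):
            executed.append((cmd.decode(), arg.decode()))
            if cmd == b"QUIT":
                break
    return executed


def hardened_server(raw: bytes) -> list:
    """Same protocol, but refuse a session that opens like an HTTP request.

    The first line of a browser-originated connection always ends in an
    'HTTP/x.y' version token, which no client of this protocol would send.
    """
    first = raw.split(b"\r\n", 1)[0]
    if first.split(b" ")[-1].startswith(b"HTTP/"):
        return [("ERROR", "HTTP request on non-HTTP port, closing")]
    return tolerant_server(raw)


if __name__ == "__main__":
    smuggled = "\r\nUSER attacker\r\nLIST\r\nQUIT"
    req = browser_form_post("10.0.0.5", 4444, "x", smuggled)
    print(req.decode())
    print("tolerant:", tolerant_server(req))
    print("hardened:", hardened_server(req))
```

Two caveats a practitioner would add: browsers refuse to connect to a handful of well-known ports (the exact list is browser-specific), so not every service is reachable this way, and the server-side fix shown is the cheap one. The robust fix is for the service to reject or close on any malformed line, rather than skipping it, since a parser that tolerates garbage is the precondition for the whole attack.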

Can I hide.to?

Tuesday, April 10th, 2007

I ran across this domain name (Tonic.to) when I was looking through one of the forums. I’m sure some of you have heard of this, but it was news to me. Not only does it do a good job of hiding your information, but it basically makes whois useless for people attempting to locate and stop spammers:

$ whois tonic.to
Tonic whoisd V1.0
tonic
$ whois hack.to
Tonic whoisd V1.0
hack ns.freewebtown.com 198.78.81.43 ns2.freewebtown.com 198.78.81.44
$ whois blah.to
Tonic whoisd V1.0
No match for blah
$ whois test.to
Tonic whoisd V1.0
test ns.soontech.co.kr 61.100.1.232 ns2.soontech.co.kr 61.100.1.236
$ whois hide.to
$ whois asdfasdfasdfasdf.to
$ whois viagra.to
$ whois tonic.to
$ whois hack.to
$

As you can see, after just a few attempts it completely blocked my IP from doing more whois lookups. Spammers' delight! I'd expect this TLD to get on everyone's blacklist pretty quickly, if it isn't already. Thankfully you can do as many nslookups as you like, as well as traceroutes, to find the upstream and shut the whole thing down. Looks like another fun spammy TLD.
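The transcript above shows three distinct reply shapes plus the silent block, and a tool that scripts lookups has to tell "no such domain" apart from "you've been throttled" or it will happily record spammer domains as unregistered. This added example (my own code, not from the post) parses the Tonic whoisd format as it appears above and stops querying as soon as the server goes quiet. The record layout inferred from the transcript (label, then optional nameserver/IP pairs) and the budget of three queries are assumptions.

```python
"""Parse Tonic's terse whoisd output and detect the silent rate-limit.

Added example, not from the original post. Reply formats are taken from the
transcript above; the layout assumed is: a banner line, then either
'<label>' alone, '<label> ns ip ns ip ...', or 'No match for <label>'.
An empty reply is treated as the client IP having been throttled.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class TonicRecord:
    status: str  # "registered", "no_match", "blocked" or "unknown"
    label: str = ""
    nameservers: List[Tuple[str, str]] = field(default_factory=list)  # (host, ip)


def parse_tonic(reply: str) -> TonicRecord:
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines:
        # Server returned nothing at all: our source address is being throttled.
        return TonicRecord(status="blocked")
    if not lines[0].startswith("Tonic whoisd") or len(lines) < 2:
        return TonicRecord(status="unknown")
    body = lines[1]
    if body.startswith("No match for "):
        return TonicRecord(status="no_match", label=body[len("No match for "):])
    parts = body.split()
    label, rest = parts[0], parts[1:]
    if len(rest) % 2:  # nameservers should come as host/ip pairs
        return TonicRecord(status="unknown", label=label)
    return TonicRecord(
        status="registered",
        label=label,
        nameservers=list(zip(rest[0::2], rest[1::2])),
    )


def whois_with_budget(
    labels: Iterable[str], lookup: Callable[[str], str], max_queries: int = 3
) -> Dict[str, TonicRecord]:
    """Look up at most `max_queries` labels, stopping once the server goes silent.

    `lookup` is any callable returning raw reply text, so this runs offline
    against canned replies as well as against a socket-backed client.
    """
    results: Dict[str, TonicRecord] = {}
    for i, label in enumerate(labels):
        if i >= max_queries:
            break
        rec = parse_tonic(lookup(label))
        results[label] = rec
        if rec.status == "blocked":
            break
    return results
```

Once a record comes back "registered", the nameserver hosts and glue IPs are the only facts whois gives you, which is why the post falls back to nslookup and traceroute: the next hop of investigation is the network hosting those nameservers, not the registrant.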

Prosecute Victims - Worst Idea Ever?

Monday, April 9th, 2007

I ran across this article today discussing how people should be criminally prosecuted, or at least have their Internet privileges taken away, for propagating malware. I really have no idea if this guy is supposed to be an expert or really has no clue how malware works, but frankly this means almost every man, woman and child should be in jail or at least be unable to use the Internet. That means the 1MM users who got hit with Samy and another 1MM or so from the MyYearBook.com worm should be off the net forever (some might actually agree those users aren't doing much for the progress of the Internet, but I disagree).

While lots of the garbage on the Internet seems to stem from social networking sites and people who do nothing but visit pr0n and war3z sites all day, that isn't the whole story. There are lots of otherwise hard-working, smart and honest people who get hit by viruses all the time. They just know zero about security. And even if they did, in this day and age with JavaScript malware all you have to do is visit a site to get infected anyway, allowing the remote attacker to use your browser to hack into other machines, send spam or do any number of other bad things.

I'm not sure why people still think killing off the dumb will change security on the Internet. It's not the dumb people who are causing these issues; it's the security of the websites and the browsers that us smart people are in charge of! Granted, we are less likely to propagate those viruses, and we are quicker to shut them down, but we have to stop blaming our consumers for our own inability to solve complex computer security problems. I just really don't see putting victims behind bars or fining them solving the issue. That's like putting a burglar in jail but keeping your window open. How does that solve the problem that your house is still trivial to get into? Anyway, I'll get off my soapbox now.

Goatse Can Get Jailtime in the US

Sunday, April 8th, 2007

Awesome Andrew pointed us to the fact that posting images on other people's sites to deceive them, or otherwise putting pornography on their website, can get you jail time in the US. The law is pretty specific and includes up to 10 years in jail for deceit and up to 20 for pornography.

As Awesome Andrew suggested, this is pretty timely given the deep linking image theft conversation. This is the first law of its kind that I'm aware of, and it could have fairly wide-reaching ramifications. The interesting part is that it doesn't specifically prohibit linking to other people's websites. So while it protects the people who steal content from having bad things happen to them, it doesn't protect the people whose content/bandwidth is being stolen. Interesting anyway.

17 is the Most Random Number

Sunday, April 8th, 2007

I ran across this link on cognitive psychology regarding a study that finds that 17 is the most random number, or at least that it is what people most often choose when asked to pick a random number between 1 and 20. It's an interesting study (I've heard of this before, but never in quite this way).

The reason this is interesting is not just related to random numbers, but to picking passwords, secret questions or any other "what you know" security mechanism in applications. It's also true that people tend to pick prime numbers more often than computers do when asked to create a random number. Apparently people tend to associate randomness with not being divisible by 2.

In direct opposition, it appears that 20 is the least random number, in that the fewest people picked it (which sounds backwards because it is). It's an interesting study anyway.
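What a skewed choice costs in security terms can be put in numbers. This added example (mine, not part of the post or the study) takes a constructed frequency table, built only to have the features the post describes (17 the favourite, odd numbers popular, 20 the least chosen; it is not the study's data), and compares it with a uniform pick from 1 to 20: the Shannon entropy of the human choice against the ideal log2(20), and the expected number of guesses an attacker needs when guessing most-popular-first against the uniform baseline of (n+1)/2.

```python
"""How much a skewed 'random' choice helps a guessing attacker.

Added example, not from the original post. CONSTRUCTED_PICKS is an invented
distribution shaped like the post's description, not the study's data.
"""
import math
from typing import Dict, List, Tuple

# Constructed counts out of 1000 answers to "pick a random number from 1 to 20".
CONSTRUCTED_PICKS: Dict[int, int] = {
    1: 20, 2: 35, 3: 70, 4: 30, 5: 40, 6: 25, 7: 110, 8: 35, 9: 40, 10: 25,
    11: 55, 12: 30, 13: 75, 14: 35, 15: 35, 16: 35, 17: 160, 18: 40, 19: 90, 20: 15,
}


def probabilities(counts: Dict[int, int]) -> Dict[int, float]:
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def shannon_entropy_bits(counts: Dict[int, int]) -> float:
    """Entropy of the choice in bits; equals log2(n) only for a uniform pick."""
    return -sum(p * math.log2(p) for p in probabilities(counts).values() if p > 0)


def guess_order(counts: Dict[int, int]) -> List[int]:
    """Values in the order an attacker who knows the distribution should try them."""
    return [k for k, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def expected_guesses(counts: Dict[int, int]) -> float:
    """Expected number of tries when guessing in decreasing order of popularity."""
    ps = sorted(probabilities(counts).values(), reverse=True)
    return sum((i + 1) * p for i, p in enumerate(ps))


def uniform_baseline(n: int) -> Tuple[float, float]:
    """(entropy in bits, expected guesses) for a truly uniform pick from 1..n."""
    return math.log2(n), (n + 1) / 2


def compare(counts: Dict[int, int]) -> Dict[str, float]:
    n = len(counts)
    u_bits, u_guesses = uniform_baseline(n)
    return {
        "human_bits": shannon_entropy_bits(counts),
        "uniform_bits": u_bits,
        "human_expected_guesses": expected_guesses(counts),
        "uniform_expected_guesses": u_guesses,
    }


if __name__ == "__main__":
    for k, v in compare(CONSTRUCTED_PICKS).items():
        print(f"{k:>26}: {v:.2f}")
    print("attacker's guess order:", guess_order(CONSTRUCTED_PICKS))
```

The same arithmetic applies to PINs, secret-question answers and "pick a word" passwords: the attacker's cost is set by the expected guesses under the real distribution of human choices, not by the size of the space the UI offers.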

McGruff Identity Theft

Sunday, April 8th, 2007

I guess this has been around for a while, but I just recently started seeing it on TV: the McGruff the Crime Dog campaign is now targeting identity theft. This probably wouldn't be a big deal, except that the way the commercial is worded makes it sound like what they are showing is how identity theft works. What they show in the commercial is someone taking a camera phone picture of a credit card. Sure, that would disclose the credit card number, the name and the expiration date, but not a lot more.

Firstly, the amount of crime that camera phone skimming makes up has got to be a fraction of a percent compared with people swiping numbers out of trash cans at gas stations and restaurants, and with online identity theft. Secondly, the information you get by only looking at the front of the card is only enough to do certain types of credit card transactions, especially because it's missing the CVV2 number. Lastly, explaining identity theft in this way misses a rather huge issue, which is phishing and hacking databases.

While I think it's interesting to market to kids on ways to spot one form of identity theft that there is no chance of them being able to stop, it's unfortunate that there are no commercials targeting them on ways to protect their identity online. COPPA laws are interesting, but they only apply if you are a scrupulous company. Unfortunately phishers and hackers don't particularly care about people's age. I dunno, it seemed like it may be doing more harm than good, explaining identity theft in this way and misguiding people's understanding of the real issues.

Proving Innocence

Saturday, April 7th, 2007

I was perusing the forums and tr1pp33 asked an interesting question about ethics in testing. The ethics of testing remote sites is interesting in its own right, although we've been through that conversation before. The second half of his question, though, actually got me thinking: if testing is illegal, how do you prove intent? And from there, how do you prove that you're innocent if you actually didn't do it, but someone else forced you to hack on their behalf?

If I force someone else to hack on my behalf, how can I prove that I didn't intentionally do it? But then that brings up a second question: if I can prove it wasn't me by saying I've got spyware on my computer, perhaps it's worth installing spyware in the off chance I do get caught, so I can plead innocence. Okay, but back to the problem: how do you prove it in the case of CSRF or session riding?

The only obvious thing I could think of was logging. You could log everything you do, either on the local host with something like slogger (thank you to Jordan Wiens for the link) or at the proxy level (you may miss HTTPS traffic unless you use an SSL accelerator as a MITM to decrypt, log and process the results). Ultimately though, even that doesn't show intent, because I could have had every intention of clicking on links that would force my browser to do something. If I can coordinate to get others to infect me with a virus or XSS worm or something else, I can somehow absolve myself of the crime. It's a tricky subject, certainly.
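If you do keep a proxy log, the one thing it can show about a CSRF-forced request is where the browser was when it made it. This added example (my own code, not from the post or from slogger) runs that triage over a constructed log in a simple one-line-per-request format that I have assumed for the demo (timestamp, method, URL, Referer or "-"): a request to one site whose Referer is a page on a different site is the client-side signature of session riding. As the post says, that supports "some other page made my browser do this" and nothing more about intent; a missing Referer is inconclusive either way.

```python
"""Flag requests in a browsing log that a third-party page appears to have forced.

Added example, not from the original post. CONSTRUCTED_LOG and its format
(ts method url referer-or-dash) are invented for the demo; hostnames use
the reserved .example TLD.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

CONSTRUCTED_LOG = """\
2007-04-07T09:12:01Z GET http://bank.example/account -
2007-04-07T09:12:04Z GET http://bank.example/transfer?to=42&amt=500 http://bank.example/account
2007-04-07T09:13:10Z GET http://forum.example/thread/123 -
2007-04-07T09:13:11Z GET http://bank.example/transfer?to=1337&amt=9000 http://forum.example/thread/123
2007-04-07T09:13:12Z POST http://bank.example/transfer -
"""


def origin(url: str) -> Tuple[str, Optional[str], int]:
    """(scheme, host, port) with the default port filled in, for comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))


def parse_line(line: str) -> Dict[str, Optional[str]]:
    ts, method, url, referer = line.split(" ", 3)
    return {"ts": ts, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def classify(entry: Dict[str, Optional[str]]) -> str:
    """'same-origin', 'cross-origin' or 'no-referer'.

    Only cross-origin is evidence of anything: the request was issued while
    the browser was rendering someone else's page. no-referer proves nothing
    (typed URLs, bookmarks and HTTPS-to-HTTP navigations all omit it).
    """
    if entry["referer"] is None:
        return "no-referer"
    return "same-origin" if origin(entry["referer"]) == origin(entry["url"]) else "cross-origin"


def forced_requests(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Entries whose Referer origin differs from the target origin."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        entry["class"] = classify(entry)
        if entry["class"] == "cross-origin":
            out.append(entry)
    return out


if __name__ == "__main__":
    for e in forced_requests(CONSTRUCTED_LOG):
        print(e["ts"], e["method"], e["url"], "<-", e["referer"])
```

Two limits worth keeping in mind, both already implied by the post: the proxy only sees this for HTTPS if it terminates the TLS session itself, and a Referer can be stripped or faked by the attacking page, so absence of the flag does not clear a request any more than its presence proves the user didn't want to click.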