web application security lab

Archive for May, 2008

Lifelock CEO Gets Identity Stolen

Friday, May 23rd, 2008

I got sent this link today and I actually laughed out loud when I saw it - Todd Davis (CEO of LifeLock) had his identity stolen. I completely understand and can feel for the poor CEO, who probably genuinely thought that his company could protect him from all forms of identity theft, but the harsh reality is it didn’t. My favorite quote from the article:

“There’s nothing to indicate my identity has been successfully compromised other than the one instance.”

Other than the one instance, that is, but it was just that once. Annnyway, the biggest problem I have is with the $1,000,000 protection they have, which, unfortunately, has absolutely nothing to do with the kind of thing that Davis faced. It has to do with technology breakdowns in the system - a far less likely occurrence.

Our service guarantee is simple, but it is limited. We will pay up to $1,000,000 to cure the failure or defect in our service…

Not only that but on their site it’s highly deceptive:

What LifeLock doesn’t stop, they fix at their expense up to $1,000,000.

Nooo… what Lifelock doesn’t stop you are on your own for. It’s too bad, because I really wish this company were squeaky clean. There are so many people who actually could benefit from it. Maybe if Davis just hadn’t plastered his information all over the place…

TJX Whistle Blower

Thursday, May 22nd, 2008

I had some very disturbing news today from one of the forum users - he had just been fired by TJX for whistle blowing on their security issues. CrYpTiC_MauleR, whose posts on TJX can be found here, was fired today by TJX for talking about the company’s security flaws. This is the same company who recently lost millions of credit card numbers, for those of you who don’t recall. They tracked him down by IP (we’re still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked him to write down his thoughts on how to fix the issues and then promptly fired him.

I completely understand why a company would want to reduce their risk, but this doesn’t bode well for future would-be whistle blowers, or for the future state of security for TJX. CrYpTiC_MauleR has been a long time poster on sla.ckers.org and has made a lot of contributions. I, for one, feel terrible about what happened, and I implore the community to reach out to him on sla.ckers.org, especially if you are looking for someone to help out in any open positions you might have. I think the best possible outcome of this would be that he gets a better job for caring about consumer security at large. Only time will tell.

But as a side note, I must caution everyone who prefers full disclosure as a rule, to be particularly cautious when posting that information, especially when it’s under your own name or a name you use elsewhere that may be tied back to you. Many of the largest companies on earth post to or read this site regularly, and no doubt someone will take personal offense at your actions, so I encourage everyone by way of example to please protect yourself - especially from those who would claim to care about security. Only actions matter in this world.

Google Health

Wednesday, May 21st, 2008

It must be a Wednesday because it’s feeling a lot like “pick on Google” day! Let’s see here, what’s in the news today? Oh! Google Health - from the same company that brought you countless vulnerabilities both fixed and unfixed, with a policy of not alerting people to security issues, comes a new service that asks you to input all your most sensitive personal health records! “But it’s medical records,” I can hear people saying, “surely they’ll be as secure as any HIPAA-compliant entity.” Except, legally, not so much… (from their terms of service):

Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does. At least Google gives you advice on how to protect your personal data. By uhm… protecting it!

You are responsible for the security of your passwords and for any use of your account. You must immediately notify Google of any unauthorized use of your password or account by following the instructions at this link: http://www.google.com/support/accounts/bin/answer.py?answer=48601

Incidentally my favorite line from their form is:

Google Accounts: I think someone else is using my Google Account. Tip: In most cases, this problem can be resolved by resetting your password. Please do so before completing our form.

Resetting your password will recover your stolen personal data and make you and your family whole again, I guess. As a side note, a year has come and gone and silently the Google security blog has had its first birthday. Has anyone noticed? I recall a year ago I said to a number of people I’d be surprised if anything interesting came out of it, and here we are a year later, with about 13 posts (one a month) and pretty much nothing of note about any actual issues/flaws has been discussed. There were two brief non-technical posts about “Lemon”, a year ago, to be fair. Maybe someone learned something from it, but it sure wasn’t me or any researchers I’ve talked to. Happy belated birthday, Google Security! Another year has come and gone, and the redirects still aren’t closed - how about a post about that?

As another noted security expert pointed out to me two days ago - Google represents the single greatest travesty of our generation. You gather the largest collection of the most brilliant minds you can possibly find, for the sole purpose of displaying ads next to search results. Remember, this is the same company who just a few short months ago was ranked the single worst in privacy of all the top Internet sites. Great - just who I want to be the keeper of my apparently non-HIPAA regulated medical data.

Okay, enough picking on poor Google for today.

HTTP Proxies Bypass Firewalls

Tuesday, May 20th, 2008

This may seem painfully obvious to some people, but I looked around and couldn’t find a reference to it, so I apologize ahead of time to anyone who already knew this. When we normally think of how attackers use proxies, they are almost always just trying to hide their IP addresses. id and I have written papers on bypassing content-restricting firewalls using proxies, etc… Those are all fine topics, but that’s not what this post is about. I was poring through my logs a few weeks ago and came across a number of people attempting to see if I was running an open proxy. Obviously I’m not, and the reason someone would likely check is that it is a robot looking at large swaths of the web for open proxies.

I ran into an open proxy after that and started poking around with it. The obvious way to look for it was to type in “GET http://www.yahoo.com/ HTTP/1.0” and see if it shows you Yahoo’s homepage. But then it occurred to me that this could be used for Intranet hacking as well. The open proxy doesn’t have to point out to the web. It can, in fact, be pointed inward, to internal addresses. Here’s a diagram of what I’m talking about:

[Diagram: the two proxy scenarios described below - outward to the Internet, and inward to internal addresses]

The first scenario is what most bad guys use proxies for. They connect back out to the Internet, to hide their real IP addresses. The second scenario, however, would allow them to use that same proxy server to hack other machines on the same network, including the firewall itself. The funny part is that there are tons of machines out on the Internet that have already been compromised, and the bad guys have intentionally placed proxies on these machines for other nefarious purposes. But it can also be used for internal reconnaissance, or worse. And yes, I have found this in the wild. By quickly enumerating the most likely places within RFC1918, it’s fairly easy to spot where the majority of devices are in most networks (note that this kind of internal scanning will become more difficult with IPv6).

If there are internal machines with critical vulnerabilities on them, the proxy can be used to connect back into that network, to exploit those vulnerabilities which may give a bigger foothold or uncover other sensitive information. If you haven’t scanned your own network for open proxies, you probably should. This is yet another reason to limit what your web servers have access to within your own networks.
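One practical way to act on the advice above is to look at your own web server logs for proxy-style requests: an absolute URI in the request line (“GET http://host/ …”) or a CONNECT method is a client treating your server as a forward proxy, and a destination inside RFC1918 is the inward scenario from the diagram. The script below is an added example, not code from the original post; the log lines are constructed samples in Apache combined format and the internal-range list is my assumption (RFC1918 plus loopback and link-local).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache combined format), not real log data.
# Proxy-style requests carry an absolute URI or use CONNECT; an origin server should only see paths.
SAMPLE_LOG = """\
203.0.113.9 - - [20/May/2008:10:01:02 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [20/May/2008:10:01:05 -0500] "GET http://www.yahoo.com/ HTTP/1.0" 403 210 "-" "-"
198.51.100.7 - - [20/May/2008:10:02:17 -0500] "GET http://192.168.1.1/ HTTP/1.0" 403 210 "-" "-"
198.51.100.7 - - [20/May/2008:10:02:19 -0500] "GET http://10.0.0.5:8080/admin HTTP/1.0" 200 3000 "-" "-"
198.51.100.7 - - [20/May/2008:10:02:21 -0500] "CONNECT 10.0.0.5:22 HTTP/1.0" 200 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})')

# Assumed "internal" ranges: RFC1918 plus loopback and link-local (v4 and v6).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def classify_target(method, target):
    """Return (kind, host): 'origin' for a plain path, else 'internal' or 'external'."""
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0].strip("[]")   # CONNECT host:port
    elif "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        return "origin", ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "external", host   # a hostname; no DNS lookup, so the check stays offline
    if any(addr in net for net in INTERNAL_NETS):
        return "internal", host
    return "external", host

def find_proxy_requests(log_text):
    """Every proxy-style request, with whether the server actually served it (2xx)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, host = classify_target(m["method"], m["target"])
        if kind == "origin":
            continue
        findings.append({"src": m["src"], "method": m["method"], "host": host,
                         "kind": kind, "forwarded": 200 <= int(m["status"]) < 300})
    return findings

def sources_reaching_internal(log_text):
    """Client IPs that had an internal target served through this host: the inward scenario."""
    return {f["src"] for f in find_proxy_requests(log_text)
            if f["kind"] == "internal" and f["forwarded"]}
```

A 403 on a proxy-style request means the server refused to forward it; a 2xx to an internal host is the case to chase down.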

State of Affairs

Monday, May 19th, 2008

This post is a few months overdue but here it is. I’ve been heavily involved in the security industry in one respect or another for well over a decade, and until recently, I had the luxury of being able to talk about whatever I pleased, especially when I got myself out of a few handcuffs that I was bound by a few years ago (around the time I started this blog). I had a lot to say and henceforth you had this website in all its glory. However, since I started my own company, I’ve had the fortune or misfortune, however you want to look at it, of being exposed to a lot of things I wouldn’t have been able to see otherwise.

That means I am now under contract with lots of the same companies I have talked about in the past, companies I have talked about in both positive and negative ways. Clearly I’m not out to screw anyone; the negative stuff was mostly about my feelings regarding certain technologies. If you have seen me suspiciously not talking about things, it’s probably because I’m either too busy to talk about it or I have a reason I’m not talking about it. Long ago I used to say that I talk about one third of what I know. Another third was stuff that could only hurt people with no positive gain, and the last third was stuff that was just too theoretical or too out there for people to understand since it wasn’t yet provable. Unfortunately, the first third (the stuff I can talk about) has been shrinking rapidly and being replaced by a fairly large percentage of things I cannot discuss. That means I’m less fun to read in blog posts, in interviews and at parties.

Rest assured, my knowledge has increased a lot since starting this website due in large part to how much more I have had the privilege of being exposed to. So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings. Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time and I know how poorly writers get paid. ;)

That’s the downside. The upside is that I am not going to stop blogging, but it might not look like it has in the past, if you read my earlier posts. I thought this was an important distinction to make public, just as I did when I told everyone that I was starting my own company so I could no longer be considered an unbiased source of information.

I started this site because of my family. I wanted a chance to make the Internet a safe place for them to interact with. What better way than to scream from the mountain top that is ha.ckers.org about the issues I see on a daily basis? I can, with lots of quantifiable evidence, say that things are worse now than they were when I started this site. But at least now people are finally aware of the problems, enough to carry that torch without my direct input. The topic of Webappsec was esoteric and lame to most people even two years ago, but now it’s finally come into its own, and not just because I decry it, but because there are dozens of websites and many companies devoted to the topic now. My hope is that maybe one of the readers of this site will pick up where I left off and do what I have, as of this moment, been incapable of doing - make the Internet a safe place for all our families. I will continue to do the same, with a slightly diminished vocal profile compared to before.

I apologize if this post seems like any sort of betrayal, as that’s sincerely the last thing I would want. But in the spirit of full disclosure, I wanted to at least let you know why things may seem a lot slower now than they did even a year ago. Although I can’t tell you what I know, I will tell you this - things are far worse than they appear, and there are no shortages of extremely vulnerable applications out there as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are.

Lastly, I will talk about this more in the coming months, but I am writing a book that will probably be one of the few highly technical documents I put out to the public for a while. Even though it might appear that I’m writing less than ever, in actuality, I’m writing more. O’Reilly has tentatively agreed to publish it (contracts are not yet signed so no promises yet) and I’m really looking forward to getting it out into the hands of the people who do want to make a positive change towards the security of the Internet. If you’re one of those people I invite you to read the book when it’s finished. I’ll give more details at a later date.

I looked at my Google feedfetcher stat today in my logs - over 3,800 subscribers on Google news alone with over 7,000 total subscribers through various feed readers alone! For those of you who have followed this blog for the two years or so since I started it or for any substantial time, I really appreciate your readership. Thank you, everyone. I mean it! You’re like family to me - you know, like that close-talking crazy aunt that no one likes, who has all those cats. ;)

Phishing Site in Email

Thursday, May 15th, 2008

I was looking at a phishing email last night for OANDA FXTrade. At first glance I could see something a little different about it. Instead of linking directly to the phishing site in the email, it contained an attachment (an html file) that you are supposed to double click on. The page is a flat HTML page, with nothing of substance on it, other than a form that tries to get you to submit your data to http://0x47f865c1/webview/images/fxtrade.php (which automatically redirects you to the correct website, if you go there directly).

That’s a fairly clever implementation of a phishing email, because the phishing page is actually on your local computer, not on the web. So it’s harder for anti-phishing researchers to find anything of interest on the remote computer, or even verify that it is a phishing site. But I think I must be getting a little jaded because as soon as I saw the html file I was actually disappointed. While it’s clever that the HTML file contains the phishing site, why on earth wouldn’t they put malicious code in it? Think about it, if someone is dumb enough to open an HTML file on their local computer, why wouldn’t you use it to install malware or something equally bad? To me it just seemed like a no-brainer. I suspect these malicious techniques will eventually converge, but for now, I don’t think the phishers understood exactly what power they had.
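Since the phishing page sits in the attachment rather than on a server, the analyst’s job is to pull the form target out of that HTML and work out where the credentials would go; the host in the URL above is written as a dotless hex number, which browsers happily accept. The script below is an added example, not code from the original post; the attachment is a constructed stand-in that only reuses the form action URL quoted above, and the hex/octal/decimal host handling is my assumption about the notations worth normalizing.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the attached HTML file (not the real attachment).
SAMPLE_ATTACHMENT = """<html><body>
<form method="post" action="http://0x47f865c1/webview/images/fxtrade.php">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>"""

class FormActionExtractor(HTMLParser):
    """Collect the action attribute of every <form> in the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)

def extract_form_actions(html_text):
    parser = FormActionExtractor()
    parser.feed(html_text)
    return parser.actions

def decode_numeric_host(host):
    """Rewrite a dotless numeric host (hex 0x..., leading-zero octal, or a plain
    decimal 32-bit number) as a dotted quad; anything else is returned unchanged."""
    if re.fullmatch(r"0x[0-9a-f]+", host, re.IGNORECASE):
        n = int(host, 16)
    elif re.fullmatch(r"0[0-7]+", host):
        n = int(host, 8)
    elif re.fullmatch(r"[1-9][0-9]*", host):
        n = int(host, 10)
    else:
        return host
    if n > 0xFFFFFFFF:
        return host            # too large to be an IPv4 address
    return str(ipaddress.IPv4Address(n))

def analyze_attachment(html_text):
    """For each form in the attachment: where the submitted credentials would go."""
    results = []
    for action in extract_form_actions(html_text):
        parts = urlsplit(action)
        host = parts.hostname or ""
        results.append({"action": action, "raw_host": host,
                        "ip": decode_numeric_host(host), "path": parts.path})
    return results
```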

Spammers Hurt The Blind

Sunday, May 4th, 2008

There’s an interesting link talking about the lawsuit that Rite Aid just settled regarding their accessibility issues. In part it was in regards to their in-store issues, but it was also about their online accessibility, specifically around CAPTCHAs. So I spent a little time doing some more research into other issues around CAPTCHAs and the blind and in fact there are even concerns around the audio CAPTCHAs for the deaf-blind users.

One thing that was interesting is that many of the sites that have been targeted for lawsuits and angst have been either online retailers or heavily text-based websites (Typepad, Livejournal, etc…). I guess that makes perfect sense, I just hadn’t thought about it before. I would expect there to be a lot more of this in the future, so if you use CAPTCHAs I’d consider at least getting an audio version, as I’ve discussed countless times. An interesting thought though: spammers have made it harder on the blind. Yet another reason to hate spammers, I guess.

Older Browsers Blocked By PayPal

Thursday, May 1st, 2008

This news is coming in a little late but I thought it was worth talking about. PayPal apparently is going to start blocking older browsers that it deems a security risk to its own users. Pretty funny in a way - consumers can’t protect themselves so PayPal is having to tell them to upgrade to something that doesn’t come from the Paleozoic era.

There’s an upside to doing this and a few downsides. The obvious upside is that people will be using more current and theoretically more secure browsers that support EV certs and anti-phishing technology. The downsides are that some people seriously cannot afford to buy new equipment, or have chosen older browsers that are less likely to be exploited because no one is writing exploits for them any more. And the worst downside to the browser eco-sphere is an even more homogeneous browser base. I’m not sure if I’m completely in the “this is a good thing for security” camp, but it’ll be interesting to see how it plays out over time.

eFashion Security Overview

Thursday, May 1st, 2008

I was pointed to an interview with Ed Foy of eFashion. It’s a pretty interesting interview about how companies are reeling in a post-TJX world. The good news is obviously people like Mr. Foy are paying attention to the problem and trying to do their best to fix it. The issue is that everything mentioned in the article has nothing to do with the problems TJX faced. He mentions network access control and Hacker Safe. Hrmm… my personal feelings about the validity of Hacker Safe being anything other than a marketing gimmick aside, security this does not make.

TJX was compromised through WEP, poor network access controls and poor infrastructure, not web compromises. Not that you should ignore the web, definitely not, but throwing a Hacker Safe logo on your site doesn’t do anything for your security other than make you a bit of a joke. Sure, explaining to your customers that you care is important, network security is important, and sure, even a logo on your site explaining that is okay. But it’s no substitute for real security, as TJX found out. I have absolutely nothing against eFashion, but just as TJX themselves found out, just because you embrace security doesn’t mean you’re good at it.