web application security lab

Archive for June, 2008

Blackhat Breach/OWASP/WASC Party

Thursday, June 26th, 2008

Notice how I’m always fashionably late to the party? Well anyway, this time is no different, but I highly recommend if you are heading out to Blackhat this year you try to hit up the Breach/OWASP/WASC party on Wednesday night. The details are on Jeremiah’s blog.

Think about it like this - Dinis Cruz is drinking and yelling at the top of his lungs something about creating a Warhol worm to “show them all”, Jeff Williams is yelling something about how whitebox scanning is the only answer, Ivan Ristić is talking so quietly I can hardly hear him, Jer’s wife does some MMA on the Whitehat Security newbies, Portswigger is yelling something in some crazy cockney accent that I can hardly understand - but I’m sure I’m agreeing with him on whatever it is. It’s just a great time. I hope to see you all there!

Yahoo SEM Logic Flaw

Monday, June 16th, 2008

In the wake of a few different speeches by Jeremiah Grossman and Billy Hoffman on logic flaws, I thought this was pretty appropriate. I got an anonymous message today explaining how an interesting logic flaw popped up in the search engine marketing portion of Yahoo’s website. According to them, the site lets you deposit $30 toward future spending with the advertising program, and in return you get $50 of free SEM advertising as a promotional offer. The problem lies in the logic.

When a user signs up, the logic should be something like “if the deposit succeeds then grant the credit, otherwise fail”. Unfortunately, according to them, it doesn’t work that way: regardless of whether the deposit succeeds or fails, the account is still credited $50. Whoops. I haven’t tested this or tried it, but according to them at least a few people have already been able to use this trick, and of course that then gets tied to spamming or traffic arbitrage.
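The flaw as described is a missing dependency between the deposit result and the credit grant. The following is an added illustration, not Yahoo’s code: a toy sign-up handler that credits unconditionally, beside one that only credits after the charge is confirmed and revokes the credit if the deposit is later reversed. The processor, the card rule and the amounts are assumptions made for the example.

```python
"""Added example, not Yahoo's code: the sign-up logic flaw described above.

A $30 deposit is supposed to earn a $50 promotional credit. The vulnerable
handler grants the credit before it looks at the deposit result; the fixed
handler grants it only after the charge is confirmed, and claws it back if the
deposit is later reversed. Processor, amounts and card rules are assumptions."""
from dataclasses import dataclass

DEPOSIT_REQUIRED = 30
PROMO_CREDIT = 50


@dataclass
class Account:
    user: str
    deposited: int = 0   # settled deposit balance
    credit: int = 0      # promotional advertising credit
    promo_granted: bool = False


class ToyProcessor:
    """Stand-in payment processor (assumption): cards starting with '4' are approved."""

    def charge(self, card: str, amount: int) -> bool:
        return card.startswith("4") and amount > 0


def signup_vulnerable(proc: ToyProcessor, user: str, card: str) -> Account:
    acct = Account(user)
    # Bug: the promo is granted unconditionally on sign-up ...
    acct.credit += PROMO_CREDIT
    acct.promo_granted = True
    # ... and a declined deposit is silently ignored.
    if proc.charge(card, DEPOSIT_REQUIRED):
        acct.deposited += DEPOSIT_REQUIRED
    return acct


def signup_fixed(proc: ToyProcessor, user: str, card: str) -> Account:
    acct = Account(user)
    if not proc.charge(card, DEPOSIT_REQUIRED):
        # Fail closed: no deposit, no credit, and tell the caller why.
        raise ValueError("deposit declined; promotional credit not granted")
    acct.deposited += DEPOSIT_REQUIRED
    acct.credit += PROMO_CREDIT
    acct.promo_granted = True
    return acct


def reverse_deposit(acct: Account) -> Account:
    """Handle a chargeback: the promo exists only because of the deposit,
    so revoke whatever unspent portion of it remains."""
    acct.deposited = max(0, acct.deposited - DEPOSIT_REQUIRED)
    if acct.promo_granted:
        acct.credit = max(0, acct.credit - PROMO_CREDIT)
        acct.promo_granted = False
    return acct


if __name__ == "__main__":
    p = ToyProcessor()
    bad = signup_vulnerable(p, "spammer", "5555000011112222")
    print("vulnerable: deposited", bad.deposited, "credit", bad.credit)
    good = signup_fixed(p, "advertiser", "4111111111111111")
    print("fixed:      deposited", good.deposited, "credit", good.credit)
```

The vulnerable path gives a declined card $50 of credit with $0 deposited, which is exactly the free-spend the anonymous tipster describes. Note that the fix needs both halves: granting only on a confirmed charge, and treating a later reversal as a reason to pull the credit, otherwise a valid card followed by a chargeback reopens the same hole.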

Allbots.info Imagetotext.com

Friday, June 13th, 2008

If the title of this post sounds awfully spammy, that’s because it is. Someone sent me a link to allbots.info and imagetotext.com today. The two are tied together into one system that lets someone purchase a robot, plus the human CAPTCHA breaking needed, to create accounts on some of the largest social networking sites out there.

These include MySpace, Hi5, Facebook, YouTube, Gmail, and on and on… This reminds me a lot of XRumer, which is designed for the same purpose but more for message boards and the like. Making hundreds of accounts for spamming is getting more commonplace and accessible. Just plunk down your stolen PayPal or Google Checkout IDs and you’re off to the races! CAPTCHAs aren’t working, folks - we’re just creating another micro-industry.

Flying Woes

Monday, June 2nd, 2008

I’m with Bruce Schneier. I never really spent enough time on airplanes to be particularly annoyed by the entire process until last year. I actually wrote the majority of this on a flight to Las Vegas for the SANS conference today, as a matter of fact. While cumbersome and obnoxious in many ways, I’ve managed to isolate myself from the majority of those annoyances with things like offline email (won’t offline-enabled JS apps rock your world - you’ll be able to hack as you fly!), mp3s and noise canceling headphones. Further, packing light (see onebag.com) makes my life a lot easier.

But, and here comes the big but, why in this day and age are we still turning off portable electronic devices as we take off and land? The stewardess was joking that that includes wristwatches, pacemakers and hearing aids. I inadvertently left my cell phone on during a flight last year; we must have narrowly escaped death on that one. Somehow the terrorists haven’t figured out this critical weakness in our security yet, thankfully. Anyway, sarcasm aside, I’m with Bruce.

Some of these rules and security precautions are just complete nonsense. A knife that’s 3 1/2 inches is fine, but four inches and you’re a terrorist! Thankfully, I don’t really look like a troublemaker, if you could even articulate what a troublemaker looks like. So on all but one occasion I have managed to escape the involuntary TSA rub-down. All they’re missing is the oil and the sleazy seventies music!

Anyway, I’m speaking at SANS in Vegas, then flying to Orlando for GFIRST/US-CERT and then to Denver for OWASP. I’ll get plenty of chances to be annoyed by the safety threat I present by using noise canceling headphones between now and then, I’m sure.

I’m not exactly sure why, but this reminds me of when I was doing a speech for the OWASP chapter in Minnesota. It was on a university campus. Being nice enough to host the event, they also gave us an AV person. The AV person decided I was an idiot just from looking at me and made it clear I shouldn’t touch her computers, yet she didn’t have anything installed despite saying she had MS Office, the projector was having problems, and it was clear she was pretty clueless. Yet she was still obviously annoyed at my gentle questioning. My friend was ready to rip her head off and was surprised I didn’t tell her who I was and where to shove her attitude. Sometimes it’s better to let people think they know what they are doing until they prove to themselves that they don’t. She eventually gave up and let me do it myself (my own laptop and a non-faulty cable later and we were up and running). I’m still waiting on the airline industry to come to the same conclusion as our beloved AV maiden.

Key Point SMiShing

Sunday, June 1st, 2008

Yesterday, my girlfriend got a SMiShing text on her phone targeting Key Point Credit Union. The obvious tip-off that this was an attack was that she doesn’t have an account with Key Point, not to mention the other clues. This is the first instance of it in the US I’ve heard of, although I’d be surprised if it were the first example. The number it came from was 905-392-8040. Unlike normal phishing, though, it’s much harder to report the issue. Most people wouldn’t have the first clue how to log, forward or respond to a SMiShing attack.

Dear Key Point Credit Union Customer, we regret to inform you that we had to lock your bank account access. Call 800-482-0452 to restore your bank account.

Just another thing to be worried about. I have no idea what the lift on SMiShing attacks is compared to their online variants, but it’s an interesting phenomenon. Since the email addresses that deliver to SMS numbers (the carriers’ email-to-SMS gateways) are fairly easy to predict, it’s fairly simple to re-purpose spam gateways that are designed for exactly this purpose. The only trick is gathering enough mobile phone numbers.
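The predictability cuts both ways: if the attacker’s mail relay is addressing &lt;10 digits&gt;@&lt;carrier gateway&gt; in bulk, that pattern is visible in relay logs. The following is an added example, not something from the original post, showing how an operator could flag a sender spraying email-to-SMS gateway addresses. The gateway domain list is illustrative (check your carriers’ currently published addresses), the log line format is invented for the example, and the log lines themselves are constructed.

```python
"""Added example, not from the original post: spotting a mail relay being
re-purposed for SMiShing.

US carriers expose email-to-SMS gateways of the form <10 digits>@<carrier
domain>, so a sender spraying predictable numbers at those domains stands out
in relay logs. The gateway domain list is illustrative (verify against your
carriers' current published addresses), the log format is an assumption and
the log lines are constructed."""
import re
from collections import defaultdict

# Illustrative carrier email-to-SMS gateway domains (assumption, not exhaustive).
SMS_GATEWAY_DOMAINS = {
    "vtext.com",                 # Verizon
    "txt.att.net",               # AT&T
    "tmomail.net",               # T-Mobile
    "messaging.sprintpcs.com",   # Sprint
}

GATEWAY_RCPT = re.compile(r"^(\d{10})@([a-z0-9.-]+)$")
# Constructed relay log format (assumption): "<ts> from=<sender> to=<recipient>"
LOG_LINE = re.compile(r"from=(\S+)\s+to=(\S+)")


def is_sms_gateway_rcpt(addr: str) -> bool:
    """True if the recipient is a 10-digit number at a known SMS gateway domain."""
    m = GATEWAY_RCPT.match(addr.strip().lower())
    return bool(m) and m.group(2) in SMS_GATEWAY_DOMAINS


def find_sms_sprayers(log_lines, threshold: int = 3):
    """Return {sender: distinct gateway numbers} for senders at or above threshold."""
    numbers = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        sender, rcpt = m.group(1).lower(), m.group(2).lower()
        if is_sms_gateway_rcpt(rcpt):
            numbers[sender].add(rcpt.split("@")[0])
    return {s: len(n) for s, n in numbers.items() if len(n) >= threshold}


# Constructed sample relay log; 555-01xx numbers are reserved fictional numbers.
SAMPLE_LOG = [
    "2008-05-31T09:12:01 from=alerts@example.net to=4085550100@vtext.com",
    "2008-05-31T09:12:01 from=alerts@example.net to=4085550101@vtext.com",
    "2008-05-31T09:12:02 from=alerts@example.net to=4085550102@txt.att.net",
    "2008-05-31T09:12:02 from=alerts@example.net to=4085550103@tmomail.net",
    "2008-05-31T09:13:40 from=bob@example.org to=4085550199@vtext.com",
    "2008-05-31T09:14:02 from=alerts@example.net to=ops@example.net",
    "2008-05-31T09:15:00 from=newsletter@example.com to=4085550100@gmail.com",
]

if __name__ == "__main__":
    for sender, n in find_sms_sprayers(SAMPLE_LOG).items():
        print(f"{sender}: {n} distinct gateway numbers")
```

Counting distinct numbers per sender rather than raw message volume is what separates a spray from a legitimate alerting system that texts the same on-call phone repeatedly; a sender walking through consecutive numbers in one exchange, as in the sample, is the signature the post describes.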