Category Archives: General Security

The Story of a Security Guy at the Marketing Conference

Filed under General Security, Social Networks

Last week I was asked by some of my social media acquaintances to be a panelist on an end-of-day keynote at the Online Marketing Summit (OMS) held in Cleveland, OH.  The first thing you are probably wondering is “What the hell is a security guy doing at a marketing conference?”  Let me explain.  This isn’t the first time I have done something like this and it probably won’t be the last.  Read on.

In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security.  It’s true.  We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy.  Go away now.”  Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again.  I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.

It’s because of this bull-headed attitude that these departments start finding ways around your policies, procedures, website blocking and more.  Why? Because security people are increasingly impossible to deal with.  Too much red tape, policies, rules and most of all…lack of communication.  That’s right, I said it.  Lack of good communication.  When was the last time you talked to these people in your company?  When was the last time you offered to help them with a compromise or solution rather than saying no?  This might be a shock to some of you but these are the people helping make the business money.  All of us in security are just an extra expense to the business.  Don’t make our jobs harder!  Here are three steps to help communicate with these people better:

1. Get out of your shell
We love to hang out and network at security conferences and user groups.  It makes sense because we are comfortable around our own people.  However, take a step back and think about what the “business needs” for a minute.  You are there to help the business succeed.  So go out and help them!  One way to do this is to attend a marketing conference.  Seriously.  You get to meet and talk to people that want to help the business make money and know how to do it.  You also get to learn what the business wants.  This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.

2. Learn something new
What does marketing have to do with security?  All kinds of things!  SEO, blogging, social networking, social media, brand reputation, monitoring and more.  These are hot topics right now and there are serious security and privacy issues to be considered.  You need to be involved!  The best way to do this is to attend their conferences, read their blogs and communicate.  One good way to get involved is to look for a local social media club in your area.  We have a great one in Cleveland and there are others in cities all over the US and probably the world.  Attend, learn and network.  It can only benefit you and your company.  Same goes if you are a consultant.  Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company.  They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you. 🙂

3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness.  Many in security say it doesn’t work and is a hopeless battle.  While there is no patch for human stupidity, you still need to make an effort.  If anything, by you as the “security person” showing up at the marketing department’s monthly meeting, it shows that security wants to be involved with what they are doing.  This alone says volumes!  Especially to management of those groups.  Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.

Social Zombies: Your Friends Want To Eat Your Brains Video from DEFCON Posted

Filed under General Security

The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo.  If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.

The Security Bloggers Network has Moved!

Filed under General Security

You may have noticed that I removed the SBN (Security Bloggers Network) badge from my blog and that the SBN Feedburner site has not been updated in several weeks. Well, Alan Shimel has officially moved SBN over to Lijit. Lijit is kind of like FriendFeed but is really more about searching, linking searches, and putting your socnets together. It should be interesting to see how Lijit will improve distribution of the SBN site content. You can check out the new SBN here. If you haven’t checked out the large list of blogs that belong to the SBN…you really should! Lots of great security bloggers are on the list.

Subscribe to the SBN from here via RSS or OPML.

MI6 camera sold on eBay? 007 is pissed!

Filed under General Security

This article was just too good and worthy of a blog post…apparently an MI6 digital camera went missing and went up for sale on eBay…for only $30. The kicker is that the camera’s memory card contained the following information:

Via Reuters:

“Its memory had names of al Qaeda members, fingerprints and suspects’ academic records as well as pictures of rocket launchers and missiles, the Sun newspaper reported.”

Oops… So did the camera have an “If lost, please call the following MI6 number” sticker on it? 🙂 That is one big mistake for the British intel boys…

Black Hat/Defcon 16 Recap from Vegas

Filed under General Security

I am on my way back from Black Hat and Defcon 16 in Las Vegas with a three-hour flight delay, so this is probably a good time to talk about Black Hat and Defcon 16.

To start off…this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowed with business cards! I got lots of opportunities to not only meet some of the people that I admire in the security industry but also had a chance to network with a great many others that I just met. There were some really good parties (umm..networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person which was really cool. Thanks to @quine for organizing this event!

I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to “live tweet” the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0). Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest…(first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon just enjoying the contests and meeting new friends. I absolutely love Defcon. It’s the greatest meetup of the good, bad, and everyone in between. One talk that was a highlight for me was Jay Beale’s talk on “Owning the users with the Middler”. I interviewed Jay on the Security Justice podcast about a week ago where he talked about the tool. Jay’s talk was packed! Standing room only (goons were sent in to crowd control). He did a good job even though he couldn’t finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it! Speaking of goons…I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a “f***ton” of people! Oh, and the badges were pretty cool as well…once I waited in a long line for mine on day 2. The badge is actually a “tv-b-gone”…I could turn the TV on and off in my hotel room with the badge. Neat!

Speaking of podcasts…I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I’ll post a link if it is.

Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.

It looks like my plane just arrived…I hope to post more stuff on Black Hat/Defcon in the coming days.

Talks to attend at Black Hat USA ’08

Filed under General Security

I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG’s over at Carnal0wnage). Here is my tentative list of talks I plan on attending:

August 6th
10:00 to 11:00

Nmap: Scanning the Internet – Fyodor Vaskovich

If you’re a penetration tester, don’t miss this one…Fyodor is a legend (heck, even some girl at (NSFW!) thinks so…the man has stalkers! 😉 ) and I’m looking forward to hearing about new and unique ways to use Nmap.

11:15 to 12:30
Black Ops 2008: Its The End Of The Cache As We Know It – Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan’s talks) but well worth attending.

13:45 to 15:00
Client-side Security – Petko D. Petkov

Another not-to-miss talk in my book. Petko, better known as pdp, heads up GNUCITIZEN, which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and is always on the cutting edge. As a bonus it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 – a New Security Infrastructure and New Vulnerabilities – Andrew Lindell

This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will “show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long”. Sounds interesting.

16:45 to 18:00
MetaPost Exploitation – Val Smith

This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on “Tactical Exploitation” and it was outstanding.

After hours…
The Pwnie Awards 2008

If I’m not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks – Shawn Moyer and Nathan Hamiel

I was tossed between this one and “Encoded, Layered and Transcoded Syntax Attacks”. However, I am really on a social network security kick as of late so I think I will attend this one. If it is lame, I’ll jump in the other talk.

11:15 to 12:30
Threats to the 2008 Presidential Election (and more) – Oliver Friedrichs

While not pentest specific…this one looks pretty interesting. The synopsis notes the following: “…we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election.” Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans – Lukas Grunwald

The “infection proxy” demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker…with the amount of technical detail she usually covers…it’s tough to keep up.

15:15 to 16:30
…Continuing “Hacking and Injecting Federal Trojans”. If it seems to suck, I’ll be at the following:

The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation – Nathan McFeters, John Heasman, Rob Carter


Get Rich or Die Trying – Making Money on the Web, the Black Hat Way – Jeremiah Grossman, Arian Evans

I can’t decide between these two, perhaps I will attempt to see a little of both! 🙂

16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents – Bruce Dang

We all have seen a rise in this type of attack over the last year. It’s true…there isn’t a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what’s behind them and helps introduce some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even…it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I’ll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter…or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I’ll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 “talks to attend” post in the next few days.

McCain is a technology n00b

Filed under General Security

McCain can't use a computer

Yes, it’s true. Presidential candidate John McCain is just now learning to use a computer. He also has said that he doesn’t use email (he has staff and consultants to do that for him). So what does this say about him and how he would handle technology issues? In particular, security issues related to technology and national security. As someone who has embraced technology and social media I have some mixed feelings about this.

I guess in a way it’s good to be a bit “old fashioned” but if he were to become the president don’t you think that he should at least be competent with basic computer technology (like reading and responding to at least some of his email)? Perhaps we should send him a copy of this book to help him along?

What’s behind online banking guarantees?

Filed under General Security

100% Guarantee!

Wow…I’m really on this banking kick as of late…

So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their “Online Banking Guarantee“. What I found interesting was the whole scenario that played out in the commercial…

Woman: “Hey, I’m using WaMu Online Banking…”
Man: “Online Banking?? That’s not safe!!”
Woman: “It’s safe…I have WaMu’s Online Banking Guarantee!”
Man: “Oh…cool.”

(Note: this wasn’t word for word but pretty close…you get the idea.)

As a security professional I find it disturbing that you would “guarantee” something (like online banking) is safe and secure without a ton of terms and conditions (I’ll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use…we all know banks are regulated to provide customer safeguards…etc…So how does WaMu pull this off? Here’s the deal:

“For any fraudulent or unauthorized transaction that has been initiated during an online banking session at, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction.”

Sounds good right? Here is the kicker…you as the customer have responsibilities which if you don’t live up to, you get no guarantee…check these out:

“You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone.”

Customer: Hard to guess password? So my dog’s name isn’t hard to guess?

“If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days…”

Customer: I’m on it…I never, ever procrastinate about anything!

“If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction.”

Customer: My wife knows my username/password, does that count? Damn…I’m getting a ton of these pop-ups on my PC…weird.

and…buried deep in the Online Services Agreement & Disclosure:

“You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software.”

Thus…no guarantee. Enjoy!

Blizzard offers two-factor authentication, why doesn’t your bank?

Filed under General Security

World of Warcraft

Lots of buzz on the net about Blizzard (creators of World of Warcraft) offering a $6.50 two-factor authentication token for customers that want an extra layer of protection for their account. Yes, if you didn’t know account theft in WoW is on the rise! I commend Blizzard for taking this extra step to help protect their customers…sure two-factor authentication isn’t perfect, but regardless it’s a step in the right direction.

So why don’t more banks and financial institutions set this up for their customers? PayPal was able to do it right (not perfectly, but close). It comes down to customer support and cost. One of the many ways a bank or financial institution makes money is by offering products that are user friendly and can be used by just about anyone. For someone with some technical skill, using a two-factor authentication token is a cake walk…unfortunately, the average bank user (think about your mom or the person in your family with the least amount of technical skill…yes, the one that calls you to fix their computer…) will most likely be confused as to how to use the device and that will be a call to the bank’s customer support center (calls cost $$), and let’s not forget about the back end infrastructure (servers and IT staff cost $$) and all the additional red tape the institution has in regards to advertising and putting a friendly spin on it to customers.

Martin McKeay and Michael Santarcangelo on the Network Security Podcast (Episode 110) had some good discussion about this. In a nutshell the conversation was about how banks offer many different easy-to-use services and tying a two-factor solution to all of these products is just not worth the cost, time and effort (except for high wealth customers). Also, what happens when you have multiple accounts at multiple banks? Do you carry around multiple tokens? My opinion? Until there is something easier to use and more secure, I don’t see most banks or financial institutions going two-factor anytime soon.

Blogsecurify: New WordPress Security Scanner

Filed under General Security

Looks like GNUCITIZEN and have joined forces to create an online WordPress security scanner. From GNUCITIZEN:

“Blogsecurify was created to help individuals and organizations to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time comes.”

I tested it out and it works as advertised. Just make sure you enable/disable the template plugin that is required. I used the old security scanner that was on and didn’t get a ton of value out of it in the past so this is great news! Actually, the old scanner told me that the WordPress installation that I was scanning was out of date and vulnerable even though I had the latest version installed! has some really good resources for hardening your WordPress installation by the way. I recommend that if you have a WordPress blog you download the paper they have on hardening your WordPress installation. While some of these tips are easy (change the admin account name and use role based access) others are a bit complex and may break most of your plugins (.htaccess modifications) without significant testing. Either way, it’s worth checking out to make your WordPress installation more secure.