Full paper here .  iSecPartner’s recommendations are good.  However, while comprehensive and technically accurate, I think it would be beneficial to have an accompanying set of “triage” recommendations (Use GPOs to disable LANMAN hashes; perform egress filtering and alerting; never EVER EVER login with admin credentials – use sudo or runas; migrate to token based authentication).

1. Theft (not accidental loss) is the biggest vector both in terms of # of incidents and total records compromised
2. The endpoint, NOT the datacenter, is your weak link

The picture is a bit different with respect to financial information and PII (application and endpoint security), but time after time we’ve shown that if I can pop your desktops, I can use them to pop your datacenter.

Screencap of the phish email

If you view the mail headers, you’ll see that the email was bounced off (yet another) open .edu relay, copeland.udel.edu.  Update your blacklists – in this case, MXLogic didn’t catch it.

eMail headers

• built a USB MultiPass (I call it my U3-SwissBlade) with gParted, CloneZilla and several other nifty tools
• broke the RAID on my Maxtors
• Resized my partitions to fit on the 128G SSDNow using gParted
• Installed my SSDNow as my primary SATA drive
• used CloneZilla to do a disk-to-disk partition copy from the Maxtor to the SSDNow (this took a few tries since I had failed to move all partitions to the right after resizing and free up slack space — you really CAN’T get 160G onto a 128G drive!)
• Went through a few boot sequences until I discovered that my fstab was referencing root by UUID and thus GRUBbooting from the SSDNow and immediately mounting the old Maxtor for the rest of the OS Load.  Grrrrrgggggggggggh.  (Note, get confortable with the vol_id utility so you can find the unique UUIDs for all your drives and update your fstab to use UUIDs instead of device sequence numbers like sda, sdb, etc).
• uuidgen
  tune2fs /dev/sdb1 -U <numbergeneratedbyuuidgen>
  verify with vol_id /dev/sdb1
  vol_id /dev/hdaX

Performance is excellent.  My VMs load near instantly and no more disk thrashing.

I put one of the SSDNows in my old Dell D630 and it has made significant improvements in performance as well.  I may get another year or two out of this laptop after all.  Well worth the $230 I spent.

I’m interested in getting a SSDNow V+ to see if the write performance justifies the increased cost, but not until I do some benchmarking of my system to see if I am write-bound or not.

SYSLINUX 3.72 2008-09-25 EBIOS copyright (cc) 1994-2008 H. Peter Anvin
Unknown keyword in configuration file: UI
Could not find kernel image:  linux
boot:

FIX:   Use a current syslinux or syslinux.exe (version 3.82 at the time of this writing, download here) to re-prep the USB stick:

Where z: is the drive letter of the USB drive.  This will install the newer version of syslinux on the USB drive and resolve those keyword issues.

syslinux z:

Ingredients:

• 12″ thin crust
• 6 oz finely shredded mozarella
• 5 oz pizza sauce (or tomato sauce)
• 1 roma tomato, halved and sliced into 1/8″ slices
• 1/4  red onion, sliced in 1/4″ rings and quartered
• 1/4 cup pepper rings
• 1/3 green pepper, diced
• 2 TBsp Feta cheese
• Sliced Pepperoni
• 8 oz Chorizo, cooked, crumbled
• 8 oz spicy Jimmy Dean sausage, cooked, crumbled
• 1/2 cup mushrooms, sliced
• 3 cloves garlic, minced
• 3 pieces thick cut bacon, crumbled
• 2 Tbsp  capers
• 1 jalapeno, seeded, halved and sliced

1. Preheat oven to 450
2. Spread sauce on crust to within 1/2″ of outer edge
3. Evenly distribute mozarella
4. Evenly spread all other ingredients (meat first, then veggies, then feta cheese)
5. Cook in 450 degree oven for 9 minutes

Remove pizza.  Let cool for 7 minutes.  Slice.  Serve.  Enjoy.

1. Go into the application’s Options (i.e. click the Office Button  and select “Options”)
2. Select “Advanced” from the navigation pane on the left.
3. Find the “Show add-in user interface errors” checkbox and unselect it.
   
4. Click the OK button.

Outlook operates a little differently:

1. Start Microsoft Office Outlook.
2. On the Tools menu, click Options.
3. In the Options dialog box, click the Other tab, and then click Advanced Options.
4. In the Advanced Options dialog box, select Show add-in user interface errors, and then click OK.
5. Click OK to close the Options dialog box.

Welcome!
Note: During your chat session, Delta agents may be able to view your delta.com transactions. Additionally, chat conversations are recorded and monitored by Delta Air Lines.
Please wait while we contact the next available agent…
You are now speaking with Morris!
Morris: Hi! My name is Morris. How may I help you?
Morris: Hi! How may I assist you today?
Steve Goldsby : I just checked in online, and tried to print my boarding pass . When I do, I get a “page not found” error from the website. If I go back to my itinerary and try to “reprint” boarding pass, I get the same “page not found” error. Can you fix this or email me my boarding pass in PDF format so I can print it and avoid the lines at the airport? SkyMiles #: <xxxxxxxxxxxxxx>
Morris: Steve, I apologize for the inconvenience you faced on Delta.com; please give me a moment while I look into the matter for you!
Steve Goldsby : thanks.
Steve Goldsby : i also notice the flight is oversold. if you have seats on an ealrier flight, I would be happy to consider an earlier flight.
Morris: Let me check that for you. Just one moment.
Morris: I see on your reservation that you have already checked in, be rest assured you will get a print of the boarding pass at the airport.
Steve Goldsby : right. i don’t want to wait in line.
Morris: I will not be able to send a print of the pass via chat.
Morris: Did you receive my last response?
Steve Goldsby : i did.
Steve Goldsby : since the flight is oversold, is there an option to move to an earlier flight?
Morris: On the seat map I see that two seats are available 33 B and 36 F.
Steve Goldsby : okay. when i checked in the website said:
Steve Goldsby : Your flight is oversold. Delta is seeking volunteers with flexible travel plans to exchange their seats for compensation. Go ahead and check in below. If interested in volunteering see your gate agent at the airport.
Morris: To check in, print your boarding card and check your bags online, please go to our home page, click on the Itineraries and Check In under the tab Traveling and Check In, retrieve your reservation with your name and the confirmation number or ticket number, on the trip details page you will see the area at the top that says Check In, please click on that link and follow the instructions. You will also be able check in your bags online.
Steve Goldsby : I did that. website returns this error page at the “print boarding pass” page
Steve Goldsby : Requested Page Not Found The requested page could not be found on delta.com: * We may have removed the page or changed its web address. * Bookmark or link you clicked on might be incorrect. * Web address may have been mistyped. Recheck it to make sure it’s correct. How to Find Your Page: Use our Search tool to help you find what you’re looking for, or start again from our home page. If you still need assistance, try our Live Chat option with a customer service representative, or contact us for help.
Steve Goldsby : so I contacted you  for help.
Morris: please call our Online Customer Support Desk at 1-888-750-3284 and our Representatives will be glad to help.
Steve Goldsby : What’s the vector victor? Roger roger.
Steve Goldsby : i’ll call customer support.
Morris: Is there anything else I may help you with?
Morris: Thanks for choosing Delta have a nice day.
Morris left the chat.
Your chat has ended.  Thank you for speaking with us.
Please help us improve our service by clicking on the following link to take a short survey: CLICK HERE

emailaddress@<br>icsinc.com  to   emailaddress@<em>icsinc.com

Easy fix is to change the following line in goorecon.rb

response.scan(/[\w.-]+@<b>#{target}/o) { |t|

to

response.scan(/[\w.-]+@<[^>]+>#{target}/o) { |t|

This will keep the code flexible enough so that if google ever changes the highlighting tag (formerly <b> but now <em>) to some other html tag, goorecon will still correctly draw out emaill addresses.

Sometimes when you’re right, you’re wrong.

Why am I posting this? I can’t explain why, but I haven’t seen anything this bizarre in a long time, and I see some bizarre stuff. Apparently he lives on Long Island and has proclaimed himself the head of that nation. He also has these “micronations,” which consist of a rock in the ocean with a pelican sitting on it. This guy is comprehensive in his delusion – his Amazon Store has books on how to start your own nation, pirates (“arrggh matey” not “ihackstuff”), and a field guide to mushrooms.

If nothing else, I entertained myself for 30 minutes

Check out a snippet of the audio version of the book at: http://www.securitycatalyst.com/innovation/security-catalyst-podcast/

Checkmarx Research Labs present a novel way to protect .NET assemblies against reverse-engineering and recompilation. By injecting them with commands that are activated only at the recompilation stage, the application retroactively detects the reverse-engineering process and acts upon it.

http://checkmarx.com/NewsDetails.aspx?id=18&cat=3

The scam works like this: The criminal calls a target, claiming to be the fraud department of the target’s bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim’s bank, and bridges the call, while placing his portion of the call on mute.

When the bank’s fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer’s answers. Depending on the institution, the answers may include the victim’s Social Security number or national ID number, a PIN or password, and/or the amount of last deposit or location of the last transaction.

The criminal then calls the bank back (ostensibly reaching a different customer service representative), supplies the personal information needed to access the victim’s account, and begins to initiate a series of wire transfers out of that account into another that he controls.
http://voices.washingtonpost.com/securityfix/2009/07/high_crimes_using_low-tech_att.html

H4×0r humor

• First, read the research summary: http://www.cmu.edu/news/archive/2009/July/july6_ssnprediction.shtml
• Then, discover that the “death master file” is $14k plus update costs: http://www.ntis.gov/products/ssa-quarterly.aspx

Likely copies of this running around the “blackhat” underground, and it would only take a few identity thefts to cover the cost of the database, but the script kiddie populace should effectively be excluded.

Great article on one of the outcomes of a good logging and compliance program. Moral of the story? Blowfish, UUencode then tunnel everything through SSL! $400k a year wasn’t enough? #fail

Nobody Is That Dumb … Oh, Wait XII

Many, many moons ago I had this brilliant series “Nobody Is That Dumb … Oh, Wait“ (the last one was back in March) where I made fun of people making dumb security claims with apparent – and often scary! – seriousness. Somehow I neglected this series, but a few days ago I was shown a super-shining example of sheer stupidity of immense proportions.

It all started in a remote country of Norway where one particular journalist discovered a horrible evil (mmm… Evil!) that threatens all life in the Universe (mmmm… Multiverse!): honeypots. Specifically, the English translation of the printed original from their “Aftenposten” newspaper starts like this:

“Unethical and unacceptable, says computer experts.”

Reeeeally? OMFG, thanks for enlightening me that an idiot in Norwegian is spelled “c-o-m-p-u-t-e-r e-x-p-e-r-t”

Looks like Twitter has been mass suspending accounts today. From what I can piece together, it’s holiday-related spam barrage, probably nimrods out there tinkering with their new knowledge from Month of Twitter Bugs.

The article references a measure sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) that would direct the Commerce Department to “develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.” Notable quote: “It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure” (emphasis mine).

I think we all see the problems with this.

Problem 0: “Unlawful” is a land-mine. My COO has a catch-phrase that I like: Don’t run FROM something, run TO something. His point is that fear-based decisions are nearly always bad decisions. By introducing terminology in a requirement such as “unlawful” you are creating a big red flag for anyone that might even be remotely interested in your problem.
Problem 1: Certification doesn’t necessarily imply capability. Certifications only prove that at a particular point in time you had the knowledge required to pass a test. It is not an indicator that you retained the knowledge, that you understood the material you tested on, or that you are able to do the job currently on the table. We all know “paper tigers”, those consultants that have multiple certifications but lack the applied and practical skills to return significant value. I have personally been involved in follow-on engagements to clean up after a highly-credentialed vendor whose deliverables lacked actionable recommendations, parity with budget constraints, or a realistic implementation timeline. It is important to be able to properly qualify vendors and team members before engaging them.

Problem 2: Certifications provide a false sense of security if considered out of context. I have seen cases where HR was screening candidates based solely on a laundry list of Security and IT certifications. The business unit couldn’t understand why they couldn’t get qualified candidates until we discovered that HR was filtering out highly qualified consultants who simply lacked the ‘appropriate’ number of certifications. Too many organizations rely on certifications as exclusive evaluation criteria but provide little weighting to other items such as past performance, experience in their vertical, background checks, or depth of technical ability.

Problem 3: Certification requirements may introduce barriers that exclude highly qualified talent. I agree that certifications are a good differentiator when selecting a vendor or a solution. That is, when all other factors are equal, certifications make good “tie breakers”. However, they are poor discriminators – they are not unique to any vendor or solution. We all know highly qualified consultants that cannot or will not spend money on a certification costing thousands of dollars when they know it provides on value to their clients. For instance, the PCI Qualified Security Assessor certification costs over $25,000 to achieve and $10,000 per year to maintain. My firm chose not to pursue this certification and focuses instead on pre-audit services such as control selection and risk mitigation to help our clients pass the audit.

Problem 4: Certification Lifecycle is Short. I may be a little over-dramatic here, but the point is valid. The pace and velocity of change in IT is dramatic. Very few certifications provide foundational knowledge that survive over time. The CISSP is one exception as it does a deep dive into many axiomatic areas (think role-based access controls, risk models, etc).

Problem 5: Vendor Certifications are Problematic in Information Security. Many certifications are vendor centric. While this is a good thing for network- and systems-administrators (i.e. the ‘wrench turners’), its value erodes in the information security disciplines. Vendor-centric certifications often skew security theory to their product lines, and there is no independent oversight body. You are better served by balancing a combination of a technical degree, certifications and real-world experience rather than having a checklist of certifications. Consider that University degrees communicate that the candidate has a broad range of exposure to the discipline, has the ability to self-teach new material, and buckle down to achieve goals they really don’t want to (anyone remember Music Appreciation class?).

Problem 6: These requirements will trickle down to and strangle industry. The federal government has the ability to get their fingers into just about everything. In this case, the Commerce Department can pull levers like interstate trade to impose their will on business. Also, as the largest single customer in the nation, the Federal government can, has, and will continue to impose these requirements on a large percentage of commercial enterprises through contract flow-down provisions Having served the federal government for over 12 years, I continue to see such onerous requirements creep into solicitations and contract vehicles, making the cost of serving our customers untenable. We are so handcuffed by ‘checklist’ requirements that there is little funding left over to return real value to our customer, squeezing our margins, and degrading our service delivery.

Every day I see clients make these kinds of mistakes and pay the consequences. Clients who don’t understand their own needs and copy-and-paste someone else’s requirements into their solicitation. Clients who think compliance equals security. Clients who release requests-for-proposal (RFPs) where the “successful bidder must assign a to this project”.

I’d be interested in other’s thoughts on this one.

There’s also a nice Google API interface. If you have a little spare time and want to see the size, scope and intensity of malware infected sites, you can use the SafeBrowsing site and search for patterns like

“Malicious software is hosted on”
or
“Yes, this site has hosted malicious software”

Because it’s all built on the google search engine, you can do nifty search modifiers too, like this query:

“Yes, this site has hosted malicious software” inurl:site=*.com

Of course, I find it suspicious that

“Yes, this site has hosted malicious software” inurl:site=*.gov

doesn’t return any .gov sites in the USA, especially considering that I know there are dozens of them. Maybe this is a safety filter that google built in to protect our national critical infrastructure?

McAfee says it’s not evil but I’m not convinced. I’ll continue to check this out this week.

Warning sign #1 – unsolicited call
I was driving to an appointment and the OnStar line in my Tahoe rang. This is is unusual because I only use that line for the occasional outbound call when I’m stuck in traffic, and only a couple of people have it, none of whom bother to call it. I answered the call, and after a couple of seconds…

Warning Sign #2 – AVR
I got an automated voice response system (AVR), one that appeared to be very very old. It sounded, in fact, like the old Software Automatic Mouth. I didn’t have a recorder going, but the general message that came out of this was “Your credit card shows suspicious activity. Press one to verify this activity or two to leave”. Intrigued, I pressed one.

Warning Sign #3 –
After pressing 1, the AVR moved on. The AVR never told me anything to help me identify which account it might be talking about (e.g. by giving me the last 4 of an account number). What the AVR *did* do, however, was ask me to enter my credit card number. Since I was in the Tahoe, I didn’t have a keypad. Trying to use the OnStart AVR to enter a (bogus) credit card number was less than successful, so the call ultimately dropped.

I suspect that the system is driven by some public record data sources, or partially complete transaction data pilfered from a commercial database, and that the AVR is simply robo-dialing for the missing pieces. For instance, if the AVR had my name and address, it would need to acquire the CC#, expiration date and verification number. You can imagine other scenarios based on various data sources (an e-tailer transaction log with everything except the credit card number which was encrypted?)

This is an interesting attack model. Mildly more expensive than e-mail, less obvious as an attack as it used AVR (albeit a crappy one), and the ability to automate.

If anyone out there has experienced this ‘retro-phishing’, I’d sure like to know.

phone