Posted on September 9th, 2009 by Ronaldo
Filed under: Commentary, malware, Web | No Comments »
Popular Brazilian websites under attack. Again.
This time the target was Vivo (http://www.vivo.com.br) and the attack was reported by Miguel Di Ciurcio Filho, a security researcher from the Institute of Computing, Campinas State University – Unicamp.
Simple but effective attack. According to a script in another vulnerable website used in this attack, thousands of users were infected.
Posted on January 15th, 2008 by Ronaldo
Filed under: Commentary | 9 Comments »
The first days of a new year are “resolutions” days for some, defining goals for others. Time to realize how hardcore a procrastinator you are, time to plan too.
I have kept up a Google Calendar security events calendar (XML ICS) since early 2007 with major hacker / security conferences I stumble upon. Last update in UTC, change history so you can see what was added, pretty simple. Some people are especially interested in CFP (Call For Papers) deadlines, so the next step is a new calendar just for CFPs.
This is not a comprehensive list of events but a list of relevant events – great speakers, great papers, events with some reputation in short. Want to see your country in the calendar? Tell me what’s important in your area: securitycalendar at gmail.com. BTW, please let me know if you find any worthless conference in the calendar.
I’ve been to 2 DEFCONs. Today my goals are ShmooCon, LayerOne, Toorcon, CanSecWest and CCC. What are your favorite conferences? What would be your picks if someone asked you to choose only, say, 3 conferences a year?
Posted on January 4th, 2008 by Ronaldo
Filed under: Commentary | 2 Comments »
Sometimes I dislike how the media deals with security news, always looking for the next scoop. Take the buzz around the “WiFi Epidemiology: Can Your Neighbors’ Router Make Yours Sick?” paper, by Indiana University researchers. Excerpt from the Network World article:
Although the researchers did not develop any attack code that would be used to carry out this infection, they believe it would be possible to write code that guessed default passwords by first entering the default administrative passwords that shipped with the router, and then by trying a list of one million commonly used passwords, one after the other. They believe that 36% of passwords can be guessed using this technique.
I think this is déjà vu. I remember Renderman (Church of Wifi) suggested a similar scenario in his talk “New Wireless Fun From the Church Of WiFi” at DEFCON 14 (2006), including the use of third-party firmware.
The guys over at Indiana University didn’t develop any exploit for that, so I think I can develop all this theory a little bit. For good.
What about a Wi-Fi healer instead of an attack, a World Wide WEP Wipe (WWWW) or something like that? A wardriving device which breaks into WEP WAPs and “heals” them with WPA-PSK / WPA2-PSK using a database of known administration interface URLs (for popular models, for most firmware versions). Maybe it would not even be necessary to change the WEP key, since breaking WEP is a matter of resources and time and breaking WPA-PSK is a matter of luck (bad, easily guessable keys + cowpatty “classic”, cowpatty with lookup tables, aircrack-ng). Some users wouldn’t even notice the new security scheme, since you keep the same key.
Posted on January 3rd, 2008 by Ronaldo
Filed under: Commentary, Culture, Encryption, Gadgets, Physical Security | 2 Comments »
2007 was the Brazilian Christmas for laptops, definitely. Finally the prices are reasonable in retail stores, now one can buy a basic laptop for about R$1.600,00 (about US$950). That’s expensive for a 256MB / 512MB Celeron PC, but hey, that’s much better than feeding the parallel market of “contrabando”.
As a side effect, more Muni Wi-Fi and similar initiatives have been emerging in the last few months. The latest one came to my attention yesterday: Wi-Fi in Copacabana beach.
Sounds cool, huh? Caipirinhas, lots of hot girls in fio dental, and Wi-Fi (you geek!). Don’t do it, man.
Burglars in Brazil are smart, so be a ninja with your laptop in Brazil. Leave your Targus bag at home, it looks like “hey I have a laptop, please steal it from me Mr. Bag Guy”. Be a ninja with other gadgets like iPods, digital cameras and cell phones too. Nothing in your belt too, Mr. Batman.
Wi-Fi in malls is relatively safe, just take care when you’re leaving the place, looking back is always good. Airports are safer, but take care on your way to the hotel, when you’re waiting for a taxi. Recently a gang was arrested, they were specialized in laptops. You know, it’s easy to know you have a laptop because people help burglars a lot: suits and backpacks (especially Targus and other mainstream brands) don’t mix.
Another tip: the vast majority of hotspots in Brazil are associated with Vex, so purchasing some credits on a safe network before you leave your country would be a good idea. Another tip, actually homework before you leave your country: back up your data, protect your HD with a password if available, encrypt the file system, have your VPN set.
Via: Praia de Copacabana deve ter rede Wi-Fi até junho (FolhaOnline 01/02/2007)
Posted on December 28th, 2007 by Ronaldo
Filed under: Commentary, Google, Web | 2 Comments »
Howdy ho from Brazil, folks.
Remember that vulnerability in the Gmail filter feature reported by Petko D. Petkov in September? Google fixed this vulnerability a few days after it was disclosed, but something was missing: end users should be notified about that.
Early this week I was made aware of someone who was hit hard by this vuln months after it was fixed. David Airey’s domain was hijacked and this vulnerability helped with that.
But Google fixed that, what’s the problem? They should have notified all users about that. New filters could not be injected anymore after the fix, but filters injected before the fix were still there. A simple “please check your filters” Web two-dot-oh notice would be enough, only if new filters were added in the days between the disclosure of the vuln and the fix. End users don’t read the same blogs, lists and security resources that we read. Users are not supposed to know the nuts and bolts of the vulnerability, but they should know what manual actions should be taken.
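The “please check your filters” step can be done mechanically. The script below is an added example, not part of the original post: it assumes a filter export in the Atom XML layout Gmail uses for exported filters (apps:property elements such as forwardTo and shouldTrash), and the sample export and all addresses in it are constructed.

```python
import xml.etree.ElementTree as ET

# XML namespaces of the assumed Gmail filter export (an Atom feed).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

# Constructed sample export; every address is a placeholder.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='password OR transfer'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='boss@example.com'/>
    <apps:property name='forwardTo' value='me.backup@example.com'/>
  </entry>
</feed>"""


def audit_filters(xml_text, trusted=()):
    """List filters that forward mail to an address the owner does not trust."""
    trusted = {addr.lower() for addr in trusted}
    findings = []
    root = ET.fromstring(xml_text)
    for number, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        target = props.get("forwardTo", "").strip().lower()
        if not target or target in trusted:
            continue
        findings.append({
            "filter": number,
            "forward_to": target,
            "criteria": {k: props[k] for k in CRITERIA if k in props},
            # Forwarding plus trash/archive keeps the copy out of the inbox.
            "hides_copy": "true" in (props.get("shouldTrash"),
                                     props.get("shouldArchive")),
        })
    return findings
```

Any finding whose forward_to address the account owner does not recognise is a filter to delete, and one with hides_copy set deserves attention first.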
I don’t know about you, but I thought about some solutions for that:
- Anything under settings should require password, in every change. I guess Yahoo! Mail works like that;
- Filters that forward messages should be handled in a different way, maybe under “Forwarding and POP/IMAP” tab.
Another simple mitigation action that people should use for any online service is something like a privilege separation (I don’t have a better name for that). Use different accounts for different purposes, have a master account and child accounts that forward every message to the master account.
If you are a moderator in a Yahoo! Group, don’t use your main personal profile for group management, for example. Reducing the lifetime of the session to 15 minutes and logging in only on trustworthy networks are other paranoid measures that could be considered. If there’s a targeted attack against your account, probably your less critical account will be affected.
Do you have any insight about this Gmail vuln? Comment.