Want vulnerability information? Pony up the cash

The startup VoIPShield is changing its disclosure policy to stop giving out VoIP bugs for free and start charging vendors for them. CEO Rick Dalmazzi writes:

Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.

I can totally see his point. While we would like to see all vulnerabilities out in the open, for free, companies and researchers that have worked hard to find security vulnerabilities should be compensated.

But I do think Rick is taking the long and hard path by asking the vendors directly - there’s still a long way to go there. We’ve been helping researchers sell their research to organizations who wanted to pay for 0-day vulnerability information through our SSD (SecuriTeam Secure Disclosure) program and the main conclusions so far are that there are organizations willing to pay for this information to protect themselves, but those are not the vendors (yet).

What we see is that organizations use this information as leverage on the vendors. Since they have information about undisclosed vulnerabilities, they can easily exercise this (better than we can, as researchers) to force the vendors to plug those holes. After a while, maybe vendors will choose to drink upstream and subscribe for this information. But that may take a while (a friend of mine that is responsible for product security for a very large vendor says that will be a cold day in hell).

In any case, good luck to VoIPShield and their new paid-disclosure program. If they are successful I think security researchers will benefit, and in the long run customers will be more protected as vendors get direct access to zero-day vulnerabilities.


Phrack #66 is out!

0x01 Introduction
0x02 Phrack Prophile on The PaX Team
0x03 Phrack World News
0x04 Abusing the Objective C runtime
0x05 Backdooring Juniper Firewalls
0x06 Exploiting DLmalloc frees in 2009
0x07 Persistent BIOS infection
0x08 Exploiting UMA : FreeBSD kernel heap exploits
0x09 Exploiting TCP Persist Timer Infiniteness
0x0A Malloc Des-Maleficarum
0x0B A Real SMM Rootkit
0x0C Alphanumeric RISC ARM Shellcode
0x0D Power cell buffer overflow
0x0E Binary Mangling with Radare
0x0F Linux Kernel Heap Tampering Detection
0x10 Developing MacOSX Rootkits
0x11 How close are they of hacking your brain ?

You can check it out here.

Now we have something to keep us busy while the net neutrality debates are going on…


T-Mobile, Past, Present & Future

Following on from the previous two posts, put up here and here: seeing the post about the T-Mobile hack on Full-Disclosure, and then T-Mobile admitting that it had happened, really got me thinking.

To the best of my knowledge this will be the third high profile security breach at T-Mobile in the last 4 years, the first one being Paris Hilton’s SideKick getting hacked. Now the SideKick episode was more down to user error than T-Mobile’s fault, but this one could have been prevented by using strong password complexity rules, which I thought was something that most major organizations would have already picked up on by now, especially the big corporates. Password complexity is not complicated to implement, and it does tend to prevent these little things like brand damage from occurring.

Speaking of brand damage, now that T-Mobile have been hit a second time, where does this leave them with companies such as Google and Apple?

T-Mobile is currently doing really well with the addition of the Google Android and Apple iPhone handsets to its portfolio, but do Google and Apple really need this sort of publicity? These are the types of incidents that make companies think twice about their partnerships.

I’m completely aware that these types of incidents happen all the time, but most people expect that mobile operators would have stronger security measures in place.

Couple this with the fact that at present T-Mobile is gearing up for a class action lawsuit due to charging customers termination costs, and this is another company that has me wondering how long….


T-Mobile confirms breach

The T-Mobile data breach that jbrown wrote about has been confirmed by T-Mobile.
I guess not everything you read on Full Disclosure is fake after all…


Severe T-Mobile Data Breach

From the looks of it, T-Mobile has been hacked and the goods stolen.

They also seem to love running HP-UX.


And the winners of the oldest incident contest are…

Open Security Foundation’s DataLossDB has announced the winners of the oldest incident contest.

One of the oldest documented incidents is the TRW incident from 1984, when a database holding the credit histories of 90 million American citizens was breached.
Link here.

Update: The winner is an incident from August 1953, when SSNs were lost.


Liability for “cavalier disregard”

OK, this has got nothing to do with computers (except that the SkyTrain is completely automated).

For the past three years, Cambie Street, a major thoroughfare with at least four different shopping and business areas on it, has been almost completely shut down for the construction of the RAV (Richmond-Airport-Vancouver) SkyTrain line (aka Canada Line).  (Since it is located almost dead centre in Vancouver, the city has been pretty much bisected for that time, and the traffic hassles have been enormous.)  Originally the line was supposed to be a tunnel, but that was going to take too long and cost too much, so they dug up the entire street.  For three years.

Most of the businesses along Cambie have gone bankrupt in that time: others have moved.

Now a lawsuit for damages has been won by a business owner.

This will, of course, be a precedent, and will undoubtedly lead to more judgements (I think other cases are already before the courts) and more lawsuits.

I’ve got to admit to an uncharitable glee over this turn of events.  The RAV line was not prompted, but the decision to actually build it was undoubtedly influenced, by the 2010 Olympics.  The provincial government has been absolutely gaga over having the games here, and has launched a number of “vanity” projects and other measures.  (Latest on the list: for the games, security personnel won’t have to undergo the minimal training and licencing that already exists.  They can get a special certificate which seems to merely verify that they are breathing.)


C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.


The oldest vulnerability is known - let’s find the oldest data loss incident

The oldest documented vulnerability in the computer security world is a password file disclosure vulnerability from 1965, found by Mr. Ryan Russell.

Open Security Foundation, the organization behind OSVDB and DataLossDB, has launched a competition to find the oldest documented data loss incident.

The last day to make a submission is next Friday - 15th May.
The link is easy to remember - datalossdb.org/oldest_incidents_contest.


Linux SCTP All Shook Up

An exploit for the remote SCTP vulnerability in the Linux kernel, which had been considered a denial-of-service issue only, has been released.

http://sgrakkyu.antifork.org/sctp_houdini.c

The exploit contains multiple targets and covers 32/64 bits architectures… play time started this morning =X


Hiring Hackers - as speakers (part 2)

Continuing from Hiring Hackers - as speakers (part 1):

Are those who conduct breaches and intrusions of computer systems important sources of information?

I suppose it seems intuitively obvious that the answer is “yes.”  After all, these are the people who are breaking into the things we want to protect: surely they know how.  However, with a little consideration, the “obvious” answer evaporates.

First of all, in purely logical terms, it is not necessary that those who break into systems know all possible ways to do so.  In practice, it is true that many attacks these days involve multiple vulnerabilities, but logically it is only required that the attacker knows one.  This truism is well known, in slightly different form, in relation to testing and systems development: testing can be used to prove the presence of bugs, but never their absence.  Or, as I frequently point out in relation to system security, the attacker has a much easier job than the defender.  The defender must be correct in every single instance and activity.  The intruder only has to be right once.

Therefore, the interloper has the easier job, and can afford to be lazy.  If they can be lazy, they probably will be lazy: that is human nature.  (After all, a number of people would argue that blackhats have already shown themselves to be morally lazy.)  As the proverb has it, everything is always in the last place you look.  Once you’ve found it, why keep on looking?

(Oh, curiosity, you say?  Well, curiosity is great: it keeps us learning.  But it is hardly the exclusive preserve of those on the wrong side of the law.  In addition, properly identifying, researching, and documenting what you find, in such a way that it will be useful to others, tends to require a lot of boring work, and discipline.)

So, at the very least, we can say that attackers have no advantage in terms of scope and a comprehensive view of vulnerabilities, and may be at a disadvantage.

Do intruders have any advantage in depth of knowledge?  This is almost impossible to answer in any meaningful way, of course.  Individuals vary in knowledge, comprehension, analytic ability, and creative or imaginative thought.  Despite years of attempts to create testing instruments and metrics for cognitive processes, we have only the most general ability to predict a specific person’s accomplishments in the real world.  We do know that ability varies widely, and it would be foolish in the extreme to contend that all whitehats would be as able as any given blackhat.

However, that said, I would suggest that it should be possible to assert that, collectively, security professionals are more knowledgeable than intruders.  This is due to my earlier argument: those people who have had more demands (even sometimes arbitrary demands) placed upon them will have more discipline (and more background) to address the problem.

The argument is sometimes made that we should study “successful” exploits.  The hypothesis here is a bit harder to dissect: after all, a “successful” exploit is simply one that works.  It is true that certain attacks are more effective in a given environment, and that intrusions or infections which work over very large numbers of systems tend to involve a number of factors, not all of them technical.  Historically, though, it seems to be that the most astounding and newsworthy of attacks are as much a surprise to their authors as they are to the rest of us.  It is unlikely, in the extreme, that our adversaries have these events fully planned, or understand all the determinants of an overpowering offensive.

It is a truism that two heads are better than one: this is recognized by fields as diverse as auditing and extreme programming.  This statement is formalized, in the open source community, by Linus’ Law: with sufficiently many eyeballs, all bugs are shallow.  Most systems professionals would recognize that the more people examine a system, the better (in terms of identification of vulnerabilities).  The “Hire a hacker” crowd tends to jump on this in advancing their cause: why not listen to the attackers when they come up with a new exploit?

This, however, is a spurious argument.  There is no choice between listening to an intruder or not knowing about the vulnerability at all.  Once a vulnerability is known, it can be explained by anyone who understands it, and can present it accurately and clearly.

Which brings up a final point.  As I said in the earlier piece, blackhats tend to have more-than-healthy egos.  Yet their opinion of their own prowess is seldom supported by the materials they produce in evidence.  I’ve read a great many “zines” produced by those in that community (and even the occasional book ostensibly written by a reformed or active hacker) and almost never have I found anything worth reading, either for the technical content or in regard to readability.  (Yes, those who have read my book reviews will know that I don’t think highly of all technical books, but sometimes I do find one worth reading.)  And, in fact, reading the books by professional authors who base their text on “as told to” information from those on the dark side gets to be very boring and repetitive as well.

Writing is a skill, and not everyone can do it well.  Teaching is a skill, and not everyone can do it well.  (Presenting at conferences is a slightly different skill and, as anyone who has ever attended a conference can tell you, not everyone can do it well.)  Both writing and teaching require, as well as certain technical competencies, a feeling and empathy for a large and often ill-defined audience.  Since criminal hackers have clearly demonstrated, by their actions (and continue to demonstrate, in subsequent interviews long after their intrusions, conviction, and even release), a lack of consideration for their victims, it is unlikely that they would make good teachers.

Or conference speakers.


Hiring Hackers - as speakers (part 1)

By the time you read this, CIO magazine will probably have already done its “In Cloud We Trust” Webcast.

The ISSA, ready to provide links to any security related activities, inadvisedly advertised the Webcast.  I say inadvisedly, because the Webcast, or at least the promotional material, features Kevin Mitnick.  This juxtaposition created a bit of a furor over the fact that a prestigious security institution was promoting a former computer criminal.  (It is entirely possible that Kevin Mitnick rather enjoyed the discomfiture of ISSA, since ISSA had the effrontery, in 2003, to turn down Kevin Mitnick’s application for membership.)

All of which sparked yet another debate, in at least one venue, over the advisability of hiring or attending to (for the purposes of security), those formerly convicted of computer crimes.

Feelings are strong, and tempers rather short, when this topic comes up for discussion.  Passions are surprisingly high on both sides of the debate.  However, I would like to attempt to present some opinions on the matter.

(I’m not going to speak about the Webcast itself.  As chance would have it, I’ll have to be getting on a bus at about that time in order to go downtown.  To speak to an ISSA meeting.)

Those who feel that hackers can and should be hired suggest that those best qualified to protect systems are those who have broken into them.  We, in defence of our systems, should not let foolish moral quibbles stand in the way of gaining the best information and advantage that we can.

I am on the side that opposes the use of former criminals.  I do not disagree with the risk management analysis of those on the pro side, but I feel that it is based on faulty assumptions.  My objections to the hiring of hackers are practical as well as moral, and, in terms of ethical analysis, lie in the area of practical morality.

In order to address the practical issues, I have to clarify, and separate, the different types of help we think we are going to get from cybercriminals.  Do we employ them for security management and administration?  Do we hire them for penetration testing?  Do we use them as security consultants?  Or do we just listen to them in seminars, webcasts, and conferences?

This last is the most difficult to oppose.  What is the harm in listening?  Should we not take every opportunity to learn all that we can about security?  Why block ourselves off from an important source of information?

So, I’ll address this first.

What is the harm in listening?  Well, we aren’t just listening, are we?  First off, most “reformed hackers” aren’t exactly doing this out of the goodness of their hearts.  Those who are on the lecture circuit generally make pretty good money out of it.  A lot of them make more than most legitimate security researchers, analysts, and consultants.  Then there are the spin-off benefits in books, workshops, and just plain advertising for John Q. Hacker’s Security Consulting.

Money isn’t the only benefit, though.  I’ve always been interested in the social side of technology, and for more than twenty years I’ve been studying those on the dark side.  Most of these people are charter members of Egos-backwardsR-Us.  Not all of them, but certainly enough to make it pretty much a defining characteristic.  Given a choice between money and a chance to grab the limelight, they might have to stop and think about it.

Regardless of whether we are paying cash or just stroking egos, one thing we are definitely doing is tacitly promoting the importance of what they have done.  We are saying that it is better, in the sense of obtaining security information, to break into systems than to study in other ways.

And I’ll address that later.


US Congress PCI hearings

What could be worse: a vague and hastily thrown together mashup of security protections masquerading as a security framework or standard, or having the government get into the act?  Now you don’t have to choose: you can have the worst of both worlds!  Follow the US Congress hearings on PCI!  Or, follow the commentary into the hearings on Twitter (which is fairly random and noisy, but probably makes just as much sense).


If Cane Toads, why not computer viruses?

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)


Major Browsers Pwnd

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest at CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.

Credit www.dailygalaxy.com for the fierce FF/IE photo :)


The R(evolution) of Bug Hunters

Getting real money for computer security research is making its way from early development and ideas to mainstream, and bug hunters probably have mixed feelings, like teenagers. It’s an interesting concept that might actually work. What will become of the vulnerability market when something like this becomes popular?

Either way, these guys are basically saying no more freeloading, Mr. Vendor.
