Another hack-a-hack attack

So, I blogged about it here, initially. This week I’ve been playing with keyloggers. I had my keyloggers set up on win2k3 and winxp machines and I was accessing them via RDP. I made the mistake of keeping my RDP session nailed up. A few days later, I noticed tons of entries being displayed within the keylogger GUI. Of course, since the clipboard auto-syncs between the client machine and the RDP server, the keylogger on the virtual machine had been logging the clipboard contents from my home machine. I had been doing tons of code edits, so every cut-and-paste was captured and displayed by the keylogger software. Pretty embarrassing!

Now, what would I find if I set up a machine on a stub network, installed a keyboard logger, and let the hackers come on in? For everyone attaching to my machine, I would be snagging their clipboard. That might be interesting data.

!Dmitry


Got phished? We’ll take responsibility.

AmitimA referred me to an interesting fact. Bank Hapoalim, the largest bank in Israel, has a warranty notice (Hebrew only) on their web site regarding Internet transactions.

Contrary to my (cynical?) expectations the warranty says as follows (apologies for the rough translation):

“This is to certify,
that bank Hapoalim provides you a warranty on money transfers out of your account, that were done over the Internet, maliciously, by a 3rd party that was not authorized to operate your account and has done so without your knowledge and without your consent, your approval or with you.

The bank hereby declares that it will credit your account in the identical sum of the amounts that were taken out of your account, within 28 days from the day you sign the event form…”

The only obligation is that you notify them within 28 days of the event, and that you give them reasonable help to assist them in investigating. There is no fine print, no disclaimers and no hidden catches as far as I can tell.

I know this is already the informal policy in the Internet-based banking world. It makes sense: Banks want to encourage people to use their Internet banking that is cheap to maintain and support and to do that they swallow online fraud and phishing as the cost of doing business. But this is the first time I’ve seen a bank step forward and declare this unequivocally.

It seems new to me – when I signed up to online banking with Bank Hapoalim a few years ago I signed a waiver that placed all responsibility on me and practically none on the bank.

Are there any other banks out there that have a similar official policy on their web site? I’m not asking about the de-facto policy which is obviously the same as above for most banks. I’m talking about putting a clear and simple notice that they take full responsibility for losses caused by phishing.
Has the online-banking world changed while I wasn’t looking? Go check your bank’s official warranty and post the result in the comments below.


Cisco: We know IOS rootkits can be made - harden your system

Cisco has released an updated version of its Cisco Security Response: Rootkits on Cisco IOS Devices document after the EuSecWest presentation of Mr. Sebastian Muniz (Core Security).

Hardening, best practices, etc., it appears.

Thanks Gadi E. for pointing this out on mailing lists.


Overview: Hack in The Box Dubai and Troopers Munich

So, I’m back and now have some time to write about my travel in two amazing security conferences:
Hack in the Box in Dubai and Troopers in Munich

Both conferences were really well organized, with amazing content! (I’ll not give my opinion about each talk, mainly because I did not pay enough attention in some important talks).

At HITB the after-conference party was sponsored by Argeniss and was held on a boat - amazing drinks and views around Dubai Marina… At Troopers we went to a typical old-style German place to eat some amazing meat (pay attention, please… I’m Brazilian and I’m saying it’s AMAZING meat over there), sponsored by ERNW.

Back to conference content: at both conferences I had enough time to exchange ideas with attendees and speakers… Troopers received a lot of system administrators from companies around Germany, which was important for me to better understand the security ideas they have in Germany. There were also some legal discussions about the new laws in that country (I’m better informed now).

HITB Dubai this year was bigger than last year, but the CTF game was not so much fun (there is no money involved, hehehehe)… Our team at Scanit (Oger Systems R&D Lab) won (to be honest, Chaitanya Sharma from Scanit India passed the Zone-h web challenge steps and Julio Auto the reverse engineering steps - I just gave a lucky hint on the last one - an off-by-a-few overwrite).

Lots of well known names went to Dubai this year, to name a few: Skyper, Cesar Cerrudo, Alexander Kornbrust, Raoul Chiesa, pdp…

Troopers surprised me!! Really… It’s a new conference, but lots of important guys went there: Alexander Kornbrust, Andrew Cushman, Dan Bernstein, Raoul Chiesa, Ariel Waissbein…

Anyway, now I’m back in Brazil (yeah, I left Scanit) to work @Check Point… good luck to me, hope to see you guys at some conference (why not Hackers 2 Hackers Conference in Brazil? - http://www.h2hc.org.br).


Wikiscanner

OK, I’m sure that, as usual, I’m a day late to this party… but I’m having lots of fun with Wikiscanner. It’s pretty fun to browse around companies that you’ve worked for and see what edits they have been making on the Wiki. One of the cool things is to look at a company and see when and where they have been editing their own company’s wiki article (it’s also funny to see when and where they have been editing their competitors’ articles). Companies want to ensure that the Wiki article reflects well on their company. After all, a Google query for company X will almost always have the Wiki article as one of the top hits. I’m pretty sure that this can be used to an attacker’s advantage. For instance, if you know that the PR folks are monitoring and editing a certain page on the Internet at regular intervals, then you can inject malicious links, code (?), etc. and use it to target the internal user. What if the wiki page for a large software vendor contained a link to where they could download a demo of the software for free? Would the PR person know better than to download the software and see what it was?
!Dmitry


A case of mistaken identity

As far as facebook is concerned, your email is your identification. This is true for other social networks like linkedin, and is slowly catching on to many other Web 2.0 services. It actually makes a lot of sense that your unique identifier (your “ID”) would be your email - it’s unique by definition, it’s easy to remember and most services need the email information anyway (for example, to send you a password reset). So combining the ‘email’ and ‘username’ fields makes a lot of sense.

Unlike in the past, when users switched emails frequently, we now have hotmail and gmail and personalized accounts that we can take with us as we switch jobs or ISPs. Email is private (at least, as private as snail mail) and if my bank feels comfortable sending me alerts and other information over email, then it is definitely secure enough for the rest of us.
So if email is destined to become the equivalent of your social security number or identification number (depending on which country you live in), how do we check that the email address we typed does not contain any typos? Most identification numbers have a check digit that acts like a checksum to make sure the ID was typed correctly. With email, we don’t have that, and so you’re sending an email with the newest Vista joke to your coworker friend Bill Howards over at the Vista team, your finger slips, and the mail goes to billg@microsoft.com.

Or worse - with gmail I’ve been receiving emails that belonged to some other Aviram that was too slow to catch aviram@gmail before I did. Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

Sure, I would never do that to a fellow Aviram. But what happens when our possible-future-Internet ID, our email, is typed wrong into some government database and all our IRS information, special Internet-voting code and who-knows-what-else is sent to our alternate identity, the guy that lives right by us on the keyboard? Not good.

My receiving another person’s order information is an obvious lesson for web sites: make sure you verify the email address. Sending a test email and waiting for confirmation is good security practice, since you’re not only confirming the person typed his email address correctly but you’re also confirming he did not sign up his mother-in-law to your wonderful daily adult joke service as payback for last Thanksgiving.
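The confirm-before-trust flow the post recommends, as an added example (not code from the post or from any site it mentions): the site mails a signed, expiring token to the typed address, activates the account only when that exact token comes back, and refuses to send password resets to an address nobody has proven they own. The secret key and the addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Server-side signing key: constructed for this example. A real deployment
# loads it from configuration; it must never be embedded in a link or page.
SECRET_KEY = b"example-server-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 3600  # confirmation links stop working after a day


def _signature(email: str, issued_at: int, nonce: str) -> str:
    msg = f"{email.lower()}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, now: Optional[int] = None) -> str:
    """Build the token that goes into the confirmation mail for `email`."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)  # makes each issued token unique
    return f"{email.lower()}|{issued_at}|{nonce}|{_signature(email, issued_at, nonce)}"


def verify_confirmation_token(token: str, expected_email: str,
                              now: Optional[int] = None) -> Tuple[bool, str]:
    """Accept only an untampered, unexpired token bound to the registered address."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 4 or not parts[1].isdigit():
        return False, "malformed"
    email, issued_str, nonce, sig = parts
    issued_at = int(issued_str)
    # Constant-time compare: a forged or edited token fails here.
    if not hmac.compare_digest(sig, _signature(email, issued_at, nonce)):
        return False, "bad signature"
    # A valid token for some other address must not confirm this account.
    if email != expected_email.lower():
        return False, "email mismatch"
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False, "expired"
    return True, "ok"


def confirm_registration(account: dict, token: str, now: Optional[int] = None) -> bool:
    """Flip the account to verified only on a good token; returns the decision."""
    ok, _reason = verify_confirmation_token(token, account["email"], now)
    if ok:
        account["verified"] = True
    return ok


def can_send_password_reset(account: dict) -> bool:
    """Never mail a reset link to an address whose ownership was never confirmed."""
    return bool(account.get("verified", False))
```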


Bye bye CVE?

Some of the best security solutions come from people who have a passion for security and want to make the Internet a better/safer place. We started SecuriTeam as a place for people like us, who want to read security information that was collected, processed and edited. The OSVDB team wanted to answer the need for a standard, open catalog of information. Nmap, nessus, snort and many many other useful tools and projects were all passions that turned into something millions of security professionals use regularly.

And then there’s the money. Most of these projects need money to keep on going. The people behind them need to pay the bills. Sometimes just a little ad or sponsorship is enough, and other times the writers want to be compensated for their hard work and make a living (or get rich) from the project they gave so much time and energy to.
This is where the lines get blurry: Fyodor insists on keeping nmap open source and non-commercial. Tenable closed nessus in a very controversial move and SourceFire is able to carefully do the open-source/commercial tango with snort. In Beyond Security, we have a constant struggle on how to keep the commercial products and the community services separate, but in synergy. I don’t even know if we’re doing it right (but god knows we’re trying).

But other times the line isn’t blurry at all. Like watching a train wreck in slow motion, we regularly see how a good project morphs into a twisted corporate disaster. PCI-DSS is probably the best example.
PCI-DSS started with the good idea of forcing web sites to check themselves for security holes on a regular basis, a notion initiated by the credit card companies in an honest attempt to improve the security of web sites (since they had the most to lose; credit card fraud hurts the issuer no matter who ultimately pays for it). But this good idea went from bad to worse as PCI-DSS went completely commercial: on one hand the organization wanted as many vendors as possible to sign up for their PCI-DSS certification services so that they could make their money, and on the other hand the web site operators were paying money to get the PCI certification without really caring what that meant, as long as someone was willing to give it to them for some dough. Russ has a good writeup on where PCI-DSS is going. I agree with everything he’s saying.

And now there’s CVE - one of my favorite projects of all time. I know the project well, and we even got the “CVE Certification” a while back. True, not something that will help you get laid, but on the other hand getting the certification was one of the most pleasant experiences we had in that area. Nobody likes to be judged and thus nobody likes to be ‘certified’ by others - but the CVE certification process really wasn’t about ‘judging’ us. At least that’s not what it felt like.

This morning I asked the guys in Beyond Security who were involved in the certification process what made the good feeling that remained. Their answer was that people we talked to at Mitre weren’t sales people (CVE certification is free, they don’t even charge for the picture frames) but rather technical people from the CVE team that actually wanted CVE to be “good”. Talking to someone who both has a clue and cares enough to show it is the difference between Mastercard’s SDP and the new PCI-DSS.

So why am I worried about CVE which is still alive, kicking and putting some sanity in the dozens of weekly security hole announcements? Because just last week we got this:

Date: Wed, 7 May 2008 10:40:49
To: xxxxx@beyondsecurity.com
Cc: “Doe, Jane”
Subject: CVE

XXXXX,
SAIC received confirmation from NIST that SCAP CVE and OVAL testing will be operational by the end of May 2008. By the end of this week, NIST will issue the updated requirements document that will add more requirements for CVE testing.

When SCAP first went operational CVE and OVAL were deferred because the test requirements in those areas were not complete. Historically, MITRE conducted CVE testing. CVE testing has now transitioned over to SCAP laboratories.

If you desire further SCAP information or about CVE and OVAL testing, or a cost proposal, please contact me.

John Doe,
SAIC AT&E Laboratories Communications Director
410.XXX.XXXX

I’ve got to admit I had to read it a few times just to understand what they actually want (although I’m still not sure). Let me make a few wild speculations:

1. NIST will release updated requirements to make sure all existing CVE certified products are no longer certified. It will not be exactly clear from the new requirements, so they will change the name to MVP just to make sure.

2. The new CVE will be a set of incomprehensible requirements for anyone without a law degree and will make the PCI requirements document look like a children’s book.

3. SAIC will suddenly realize they are not a not-for-profit organization and charge $10,000 for a CVE certification and a $7,500 renewal fee to cover the cost of the “SCAP” lab.

4. CVE certification will be open to everybody: Consultants will hurry to get “CVE certified” and while nobody will really know what that means, as soon as the check clears the certification plaque will be FedEx’d to them. Linkedin recruitment messages will read “need CVE expert to help pass a CVE certification test”.

5. John Doe from the email will call, mail and snail-mail to sign us up at “special terms” and “before the cost goes up”.

6. Sponsorships to the annual CVE conference in San Francisco will sell like hotcakes. The MITRE team will not be invited, but the Director of Lab Services in SAIC will be the keynote speaker.

Of course, I’m probably wrong. Too much fiber for breakfast and not enough red meat for lunch makes me cranky and negative.
Here’s the more likely scenario: CVE certification will remain free and open and the SAIC guys doing the testing will be excellent security professionals who are regular bugtraq contributors. The PCI council will release the re-re-reclarification of section 6.6 of the PCI 1.1 and that re-re-reclarification will be a one-liner with no references to other requirements. The Ozone layer will heal and electric cars will roam the streets. Real soon now.


Random stuff

I’m hyped! The much-anticipated Maltego version 2.0 is out. I had previously alluded to maltego here. To the 1% of you who haven’t heard of Maltego, it’s a tool for determining relationships between domains, users, email addresses, etc. I can’t think of an Infosec or traditional corporate security group which wouldn’t benefit from this tool. Check out new features here and here.

OK, everyone is probably familiar with the riddle put forth by Samson, i.e. “From the eater came forth food; and from the strong came forth sweet.” The answer to that riddle was hidden. Who could have guessed the meaning? The strength of the riddle was in the fact that it was based on subjective knowledge that only Samson possessed. Of course, the story ends badly due to Philistine subterfuge… but, I digress. I know that the security industry puts forth much effort in solving the riddle of “spam”. Question one: would a person solving the spam riddle be best served by keeping the answer to himself? It would seem that any sort of public solution would give the spammer equal opportunity to adjust their attack vector.

I don’t know much about spam. Google (and their gmail app) seem to know a lot about spam :-) . Joe Stewart over at Secureworks knows a lot about spam. He claims that the top botnets can send over 100 billion spams per day. I have a few more ignorant questions:

2) Spam is a nuisance. Can the power of spam be harnessed and used against one’s enemies? If spam is the “eater”, how can it be used to one’s advantage?

3) The sending of spam seems highly automated. Can the power of spam be turned inward? Like a child scooping cupfuls of black ants onto a red ant mound, is there a way of causing a “war” between spambots? Would such a war benefit anyone?

!Dmitry


Plan B

The Daily WTF has a good story that may sound a little too familiar to some:

How the aptly-named Super Hacker had managed to shut down the system remotely and provide a fix so quickly intrigued Kiefer. After poking around the network, he finally found the Python file that contained the Super Hacker’s fix:
#!/usr/bin/python
# Paying someone $10 to pull a power cord for $3500
print "(C) [Name Removed] 2008."

The moral of the story: when all else fails, use social engineering.


Vulnerability Scanner