Trust me, I didn’t look right as I typed this …

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are
likely to be telling a lie.  Glancing up to the left, on the other hand, is said to
indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large
percentage of the public believes that certain eye movements are a sign of lying,
and this idea is even taught in organisational training courses. … The claimed link
between lying and eye movements is a key element of neuro-linguistic

“According to the theory, when right-handed people look up to their right they
are likely to be visualising a ‘constructed’ or imagined event.  In contrast when
they look to their left they are likely to be visualising a ‘remembered’ memory.
For this reason, when liars are constructing their own version of the truth, they
tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The
results of the first study revealed no relationship between lying and eye
movements, and the second showed that telling people about the claims made by
NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)

LinkedIn as a recruitment resource

I’m working on an article about the risks in social networking right now, and I’ve come across yet another blog posting about how to use LinkedIn (and Facebook, and Twitter, etc.) to look for job candidates.

I’ve never quite been able to figure out the attraction of using LinkeDin as a source of employment candidates.  The one thing you know about active socnet users is that they are active socnet users.  If you are at all concerned about your employees wasting time at work, you know right off the top that this is a person who will do that.

Of course, if your company is trying to “get into” the socnet world, you might think this is a good thing.  But it’s quite a leap of faith to think they would do it for you, rather than themselves.

(For us in infosec, there would be the added concern that this person is either telling way too much about themselves, or “tailoring” the facts.  So you either have a failure of confidentiality, or integrity.)

Interview with Charlie Miller

For those of you who don’t know who Charlie Miller is (really, you don’t? Maybe it’s time to get out from under the pile of paperwork for a change then.) He’s the guy who’s managed to pwn 3 Apple products at Pwn2Pwn over the last three consecutive years. I got to thinking recently, and the last person that I interviewed for the SecuriTeam Blogs was Fyodor, and that feels like a lifetime ago! So I dropped Charlie a line to see if he’d be up for it, and thankfully he was.

xyberpix: How and what got you get started in vulnerability discovery?

0xcharlie: It was back at the NSA so I can’t really talk about it.  But I really like the concept of vulnerability analysis.  Its slightly adversarial in nature.  Smart people write software and I have to try to find mistakes that they’ve made.

Also,it appeals to me in the same way that collecting baseball cards does to people.  I like having a bunch of bugs that only I know about.  There is something intellectually satisfying about that.

xyberpix: What made you pick OS X as what seems to be your primary target?

0xcharlie: I had never owned, or really even used, a Mac until I started at ISE 4 years ago. ISE got me a Mac as my primary computer since that is the standard company issue. We also had some clients that were interested in Macs and OS X so I was forced to learn a bit about how they worked.  So I was in a position to play with a Mac, which I actually learned to like once I got used to it.  I quickly found it was rather easy to find bugs in it and I like to go after the easy targets.  Another thing is I take joy in ruining the day of the fanboys.  One interesting point is that exploitation is very OS (and even application) dependent, but vulnerability analysis is basically OS independent.

xyberpix: What tools do you typically use to find bugs on OS X?

0xcharlie: Mostly home brewed fuzzers.  But I also do source code analysis when available and occasionally reverse engineering.

xyberpix: What does your testing setup consist of for vulnerability research?

0xcharlie: I have a Win XP box with IDA Pro on it.  I also use this box for Windows bug hunting, so it has a bunch of debuggers (Olly, WinDbg, ImmDbg), hex editors and stuff on it.  I have an old Linux box that I mostly use for Source Navigator.  I also have a bunch of Macs, obviously.  My main computer is a 4 year old MacBook. Its got everything I need on it as well as every bug or exploit I’ve written at ISE. It also has various fuzzers I’ve written (Python), bunches of fuzzed test cases, PyDbg, PaiMei, etc.

xyberpix: You’ve mentioned on Twitter recently that you have quite a few exploits for OS X, have you considered selling these, and if not, why not?

0xcharlie: No.  My employment contract forbids it.

xyberpix: As you have a stockpile of exploits for OS X, what made you choose to use the one that you did for Pwn2Pwn over the others?

0xcharlie: It was the easiest one to exploit.  As you’ve probably noticed, I’m basically lazy which is why I like fuzzing.

xyberpix: Will you be bringing out any more books in the near future?

0xcharlie: No plans at the moment.  Its a huge endeavor to take on.  At one point Dino Dai Zovi, Ralf-Phillip Weinmann (one of the iPhone Pwn2Own guys) and I were signed on to write an iPhone security book, which would have been pretty awesome, but it never materialized.

xyberpix: How’s it feel to have won Pwn2Pwn 3 years in a row now, and will you be going for 4?

0xcharlie: It felt a little anti-climatic actually.  It was way more fun the first year when it was a bit more of a surprise.  For the last month or two I’ve been saying I’m retiring after this Pwn2Own.  Its a lot of stress and the rules are always changing so its tough.  Also, Snow Leopard exploits are much harder to write than Leopard exploits, to the point it isn’t much fun.  But maybe I’ll reconsider next year. Call me the Brett Favre of hacking.

xyberpix: Have you thought of offering a training course to developers to teach them how to find bugs, if so would this be internationally available?

0xcharlie: Yes, I’ve thought about it.  Again, this would be a big time investment to develop the course which I’m too busy to undertake at the moment.  Of course, I work for a consulting company so if enough people throw money at them, they’ll make me do it!

xyberpix: How would you advise someone starting from scratch on how to identify vulnerabilities and write exploits for them?

0xcharlie: I get this question a lot and I don’t have a great answer for it.  I went to the NSA for 5 years but not many people have that option.  Make sure you understand C/C++, then assembly, then reverse engineering for starters.  For bug finding, find out about all the bugs that are being discussed and what they look like so you know what to look for.  Then start fuzzing and trying to triage all the crashes.  For writing exploits, find some good exploits and see how they work.  Then start trying to write some for known vulnerabilities or ones you’ve found.  If you’ve got the cash, take
Dino and Alex’s training course.  My main advice is to get your hands dirty and just jump in and do it.

xyberpix: On a scale of 1-10 how would you compare the skill level required to identify and exploit security vulnerabilities in the following Operating Systems Windows, OS X, Linux?

0xcharlie: This is one of the reasons its hard to get into this field these days.  10 years ago it took a skill level of 2, 5 years ago a skill level of 6 and now a skill level of 8 or 9.  As for the various OS’s I’d say something like a 9 for windows and an 8 for the others.

xyberpix: You started the No More Free Bugs Movement, what was/is your reasoning behind this, and have you had much success with selling vulnerabilities/exploits to the vendors? Would you say that the vendors are reacting positively or negatively to this?

0xcharlie: The idea was that finding bugs is hard work.  Big vendors have teams of researchers and QA people who are paid lots of money to find bugs.  So, on the rare event one slips by and puts their users at risk, vendors should be falling all over themselves to get this information and get fixes available for their customers.  Instead, they expect researchers to give them the bugs, deal with them, convince them the bugs are real, provide POC’s, take legal liability, etc and all for charity.  Well, as a professional consultant, I get paid to find bugs by our customers, so I started to wonder why my customers paid me and for the same work, vendors don’t.

As for what’s come out of it, hopefully researchers have begun to ask this question too.  I’d like to think I’ve helped ZDI to get more researchers participating, although I don’t know for sure.  Vendors pretty much ignore the whole NMFB’s
movement.  They only care about their bottom line and NMFB doesn’t affect it.  The only positive thing I’ve seen is someone from Mozilla recently said they were thinking of raising their bug bounty from $500 and wanted to know what I thought was a fair amount.  That made me happy.  Besides Mozilla, I’ve never heard of anyone who sold a bug to a vendor, although Chrome offers a program.

xyberpix: What do you feel the greatest risk to Web Browsers is at the moment, and why?

0xcharlie: Probably the biggest weakness is that web browsers are a big attack surface and the attacker has a lot of control.  The attack surface includes html, JavaScript, images, plugins (Java, Flash, Silverlight, etc).  Attackers can manipulate the heap using the languages at their disposal.  These make for a powerful combination for attackers.

xyberpix: What do you feel the greatest risk on the Internet is at this point in time, and why?

0xcharlie: The biggest risk is how companies store your personal information and then lose it. I can manage my own computer (most of the time) but when sites lose my info, I’m powerless to do anything about it (or prevent it).

xyberpix: If you were to give one bit of advice to developers that they’d all listen to, what would that be?

0xcharlie: Just to think defensively.  Every time you write a line of code or a function, think about ways bad guys might try to present data to it to cause an error.  Think about all the things that could go wrong and then you can think of ways to try to prevent them from happening.

xyberpix: You and Steve Jobs are sitting have a cup of coffee, tell me how how that conversation would go?

0xcharlie: Great question!  First I’d have to tell him who I was because he’d have no idea. I’d try to tell him that eventually this security thing is going to bite him in the ass when the malware authors notice enough Macs.  I’d then patiently listen to his explanation of why I’m wrong and how its going to all play out.  He’d probably convince me.  Finally, I’d bitch that iPad doesn’t have Flash.  Lame.

Thanks again to Charlie for taking the time out to answer these questions, it really is appreciated.

Insecure Managazine – December Edition

It’s good to see that my challenge from yesterday to write a blog post a day for the next week seems to have got some people blogging on here again, so c’mon, let’s try and keep this up for the week.

If no-one’s ever read the INSECURE magazine before, then now is a great time to start reading them, and go through the back issues as well, as the information held within this magazine is usually really worthwhile.

To give you an overview of what’s contained within this months issue, here’s the index.

  • The future of AV: looking for the good while stopping the bad
  • Eight holes in Windows login controls
  • Extended validation and online security: EV SSL gets the green light
  • Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA
  • Web filtering in a Web 2.0 world
  • RSA Conference Europe 2008
  • The role of password management in compliance with the data protection act
  • Securing data beyond PCI in a SOA environment: best practices for advanced data protection
  • Three undocumented layers of the OSI model and their impact on security
  • Interview with Rich Mogull, founder of Securosis

You can download the magazine from here:
Hats off to the guys and girls at Net-Security for working so hard on a top quality magazine.

Update: Corrected link