lying to your policy servers to promote usability?

Is there anyone yet who doesn’t understand that Apple is a consumerland company and still fails as an enterprise-friendly company? Oh well, from InfoWorld are details on recent iPhone updates silently fixing problems (again), only this time they were problems Apple was masking in order for users to circumvent policies.

As usual, security can be measured in “WTF’s” per arbitrary unit. This one gets several.

a consumer review of the cowon iaudio 7 mp3 player

A year ago I picked up a Cowon A3 portable media player (music and movies). My goal has been simplicity in my electronics; something the iPod/iTunes empire cannot give me. I’ve been exceedingly satisfied with the A3 in my year of use.

I have stuck with the Cowon brand and just yesterday received my Cowon iAudio 7 ($139). This little guy is basically the equivalent to an iPod Nano; meant to be stuffed in a pocket or worn on the arm. At 16GB, it fits the bill nicely for an on-the-go sort of device. It won’t hold all my music, by far, but it will hold most of the music I use for such purposes (hard rock, techno, breaks).

Using it the first time cannot be easier. Unpackage. Plug the USB cable into a computer. Drag-n-drop files into the Music folder just like any USB flash stick. Unplug, hit play. Done! I copied 13GB of music (3GB were large files) from a networked system to the iAudio in less than 3 hours, so that’s not terrible at all.

The playback is simple as before. Browse to a song to play, and hit play. You can then have the iAudio play back all the songs in that folder, or play all the songs in that folder and subfolders, or all songs on the device. All three of those options can be sequential or shuffled playback. You can loop through your chosen song or loop through the random/sequential setting. My use is to just browse to the folder of music I want (I only have 3 on this), hit play, and hit forward to get the first shuffled song. After that, I just let it go for days without needing to adjust anything other than a pause here and there.

There is rudimentary support for an on-the-fly playlist that you can build, but that’s not something I really use.

The controls take about 15 minutes of use to get used to, but after that are amazingly friendly. If you think they’re a bit sensitive, you can not only turn that down a bit, but also just set the Hold and all buttons will lock.

A few caveats. The device does not have a built-in loop for an armband (though it does have a small loop for a carrying strap). Armband use will require a special case (cheap). There is no AC power cable (it gets power off USB), but this can be bought cheap as well. The earphones are also normal fare (but decent sounding). If you plan on running or being active with them, you’ll probably want something that won’t fall out of your ear.

There are additional features on this than I expected. It has surprising sound recording quality with the built-in mic (not that I’ll use it). It has FM radio support. It does some bookmarking on music files (basically set a bookmark and you can always start the track on that spot; might be useful for full album rips or break sets). Supposedly it can also do some movie playback, but you’ll need to use the Cowon media software to encode the video in a format the iAudio can read. Nice to include, but shouldn’t be the point of this device.

taking control of your flash cookies

Care about your privacy and take diligent action to clean out your browser cookies? Don’t overlook Flash cookies.

The SANS Forensics blog goes into a quick primer on what Flash cookies are and how to find them. This is all in response to research that Wired posted about in August that is pulling the wool back a bit from these little-known buggers. Comments in the SANS article can lead to more research sources.
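If you want to see for yourself what sites have left Local Shared Objects behind, the following script inventories the .sol files on a machine. This is an added example and not code from the SANS post or the Wired research; the two storage locations it checks are the default #SharedObjects directories Flash Player used on Windows and Linux, and should be treated as an assumption for any other setup. The `build_sample_store` function writes a constructed fake store purely so the script demonstrates itself offline.

```python
"""Inventory Flash Player Local Shared Objects (the .sol "Flash cookies").

Added example, not code from the SANS post or from Wired. The two storage
locations below are the default #SharedObjects directories Flash Player used on
Windows and on Linux; treat them as an assumption for any other setup.
"""
import os
import tempfile
from pathlib import Path

# Default #SharedObjects locations (assumed; adjust for your platform/profile).
CANDIDATE_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player" / "#SharedObjects",
    Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects",
]


def find_sol_files(root):
    """Return every .sol file under root as (domain, relative path, size in bytes)."""
    root = Path(root)
    if not root.is_dir():
        return []
    results = []
    for sol in root.rglob("*.sol"):
        rel = sol.relative_to(root)
        # Layout is <random id>/<domain>/<optional path>/<name>.sol, so the
        # site that wrote the object is the second path component.
        domain = rel.parts[1] if len(rel.parts) > 1 else "(unknown)"
        results.append((domain, rel.as_posix(), sol.stat().st_size))
    return sorted(results)


def summarize_by_domain(entries):
    """Collapse the inventory to {domain: (file count, total bytes)}."""
    summary = {}
    for domain, _rel, size in entries:
        count, total = summary.get(domain, (0, 0))
        summary[domain] = (count + 1, total + size)
    return summary


def build_sample_store(dest):
    """Write a constructed #SharedObjects tree (fake data) for demonstration."""
    samples = {
        "ABC123XY/example.com/tracker.sol": b"\x00\xbf" + b"x" * 10,
        "ABC123XY/example.com/player/settings.sol": b"\x00\xbf" + b"y" * 10,
        "ABC123XY/ads.example.net/uid.sol": b"\x00\xbf" + b"z" * 30,
    }
    for rel, data in samples.items():
        path = Path(dest) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(dest)


def demo():
    """Run the inventory over a throwaway constructed store and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize_by_domain(find_sol_files(build_sample_store(tmp)))


if __name__ == "__main__":
    for store in CANDIDATE_DIRS:
        for domain, (count, total) in sorted(summarize_by_domain(find_sol_files(store)).items()):
            print(f"{store}: {domain}: {count} file(s), {total} bytes")
    print("constructed demo:", demo())
```

Run it as-is and it lists whatever the real directories contain, grouped by the domain that wrote each object, which is usually enough to spot the trackers you never cleared because the browser's cookie tools never touched them.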

steps for first responder evidence collection

Quite often someone’s first experience with evidence handling/collection and first-responder forensics is, well, during a live incident. It really helps to read (and later role-play either on your own or just pretend small-time incidents are major ones and go through the motions!) what someone *should* do in a real evidence collection situation.

Personally, I probably know enough to first evaluate whether the incident at hand will ever see the inside of a courtroom or will end in my HR or manager’s office. If a courtroom is possible, I’ll likely try to defer to an experienced professional, if possible. If not, document everything and get uncontaminated copies of everything before diving into the guts of your *copies.* Better yet, it might not hurt to video record the damned thing. It might be the most boring thing in the world, but someone may love you for it a year later.
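The "get uncontaminated copies before diving into the guts of your copies" step is easy to say and easy to botch under pressure, so here is a small routine that does the mechanical part: hash the original, take a working copy, confirm the copy matches, and append a custody record. This is an added example rather than the procedure from any specific forensics guide; the JSON-lines record layout in custody.jsonl is an assumption, and the `demo` function uses a constructed fake log file.

```python
"""Acquire a file as evidence: hash the original, take a working copy, verify the
copy, and append a custody record, so analysis happens on the copy and any
drift is detectable. Added example, not the procedure of any particular
forensics guide; the custody.jsonl record layout is an assumption."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(original, evidence_dir, collector, note=""):
    """Copy `original` into evidence_dir, hash both sides and log a custody record."""
    original, evidence_dir = Path(original), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    source_hash = sha256_file(original)
    working_copy = evidence_dir / original.name
    shutil.copy2(original, working_copy)     # copy2 preserves timestamps
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source": str(original),
        "working_copy": str(working_copy),
        "sha256_source": source_hash,
        "sha256_copy": sha256_file(working_copy),
        "note": note,
    }
    record["match"] = record["sha256_source"] == record["sha256_copy"]
    with open(evidence_dir / "custody.jsonl", "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_copy(record):
    """Re-hash the working copy; False means it no longer matches what was acquired."""
    return sha256_file(record["working_copy"]) == record["sha256_source"]


def demo():
    """Constructed run: acquire a fake log, verify, then simulate contaminating the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "auth.log"
        source.write_text("Sep 10 12:00:01 host sshd[1234]: Accepted password for bob\n")
        record = acquire(source, Path(tmp) / "evidence", collector="analyst1", note="constructed sample")
        before_edit = verify_copy(record)
        Path(record["working_copy"]).write_text("edited during analysis\n")
        return record["match"], before_edit, verify_copy(record)


if __name__ == "__main__":
    print("copy matched, verified before edit, verified after edit:", demo())
```

The point of logging both hashes at acquisition time is that a year later you can show the copy you worked on was identical to the source when you took it, and `verify_copy` tells you the moment someone (including you) has touched the working copy.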

you gave me the keys, and when I used them…

This article on Wired (via LiquidMatrix) discusses how an intelligence analyst is being charged with unauthorized access even though he was given valid credentials, had access to use those credentials, but was simply told not to. Someone fucked up, but it’s not necessarily this guy.

This could be fun. I mean, remind me to put up some signs advertising a garage sale at my place. Allow me to prop open a door and put out a table with cookies and lemonade on it. Oh, don’t worry about that sign in the corner that says if you get within 5 feet of my cookies I get to whack you mercilessly with a whiffle bat until you leave. You should have read the sign, silly fool. Oh, and I get to cackle with glee during the flogging.

Or the EULA. Or the TOS.

Or remind me to give you my gmail account and password with a note saying not to use them if you’re not me. Yeah, that sounds like a great idea!

daniel suarez (daemon) on pauldotcom 165

Daemon is an excellent book (despite a couple minor annoyances on my part, which are very minor!). So I wanted a quick pointer over to Daniel Suarez interviewed on PaulDotCom episode 165. An excellent listen for anyone who enjoyed the book.

I’ve heard talk about movie rights, and it’d be interesting to see what comes of that. I’ll skirt around one issue I have since it is a bit of a spoiler, but I would most hope that this doesn’t fall into the PG-13 range and keeps the hard edge to it. There should be a certain adult gravity to this that just is not possible while maintaining that teen-friendly color (besides, who over the age of 13 doesn’t eventually see the good R movies anyway?).

illustrating a compromise of rbs worldpay

Via LiquidMatrix, a demonstration of some vulnerabilities disclosed against RBS WorldPay over on the rather sobering unu1234567 blog. This brings up a couple comments:

1. If a breach occurs and no one notices it, is it a real breach? (I mean this sarcastically and rhetorically; of course it is a real breach, but it illustrates something that blows my mind: vulns that linger for weeks, months, *years!* and then get discovered. And how long have we had this hole in the ass of our pants and not known it?)

2. I hope RBS WorldPay is going over their logs to make sure their databases haven’t been siphoned off already. And good luck trying to find all the permutations…it would be fun to take such logs and start carving them up, kicking out obviously valid calls, and collating items of interest for manual review. And if they don’t have reasonable logs saved, fail.

3. I don’t care if RBS WorldPay will say this is a development box. It’s externally accessible. It contains valid logins. As Heartland will attest, even satellite, non-critical apps/servers can act as a launching pad for deeper attacks. Unless you purposely hang a box (honeypot) out there to be attacked, there is no such thing as a valueless target for an attacker.

4. Clearly, this system either has never had any security review of the app, or their external assessments are failing to detect that this was externally accessible, or their change control sucks to let this system get configured to be external in the first place. Lots of fail here, really. Lots of head in the sand issues no matter what the story.

5. Congrats on the free security lesson, RBS WorldPay.
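Point 2 above describes the log carving that ought to be happening: kick out the obviously valid calls, collate the rest for a human, and watch the error rates per client. The script below does exactly that over a constructed Common Log Format access log. It is an added example, not anything from the unu1234567 write-up or RBS WorldPay; the KNOWN_GOOD paths and the suspicious-input patterns are assumptions for a hypothetical application and would be tuned to the real one.

```python
"""Triage a web access log the way point 2 above suggests: drop obviously
legitimate calls, flag what deserves a human's eyes, and tally error rates per
client. Added example with a constructed log; the KNOWN_GOOD paths and the
suspicious patterns are assumptions for a hypothetical application."""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the (hypothetical) application legitimately serves; assumption.
KNOWN_GOOD = re.compile(r"^/(index\.html|checkout/pay)$|^/(css|js|images)/")

# Patterns worth a manual look; checked against the decoded URL including query.
SUSPICIOUS = [
    ("sql-ish input", re.compile(r"'|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+", re.I)),
    ("path traversal", re.compile(r"\.\./")),
    ("admin/dev surface", re.compile(r"^/(admin|phpmyadmin|dev|test|backup)\b", re.I)),
]

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2009:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2009:08:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Sep/2009:08:01:10 +0000] "GET /checkout/pay?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Sep/2009:08:01:11 +0000] "GET /admin/login.jsp HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Sep/2009:08:01:12 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Sep/2009:08:02:00 +0000] "GET /reports/export.cgi HTTP/1.1" 200 2048',
    'this line is not in the expected format',
]


def parse(line):
    """Return the log fields as a dict, or None if the line does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (flagged entries, Counter of 4xx/5xx responses per client IP)."""
    flagged, errors = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            flagged.append({"line": line, "reason": "unparseable"})
            continue
        if rec["status"][0] in "45":
            errors[rec["ip"]] += 1
        url = unquote(rec["url"])          # decode %27 etc. before matching
        path = url.partition("?")[0]
        reasons = [name for name, rx in SUSPICIOUS if rx.search(url)]
        if not reasons and KNOWN_GOOD.match(path):
            continue                       # obviously valid call: kick it out
        flagged.append({"ip": rec["ip"], "ts": rec["ts"], "url": url, "status": rec["status"],
                        "reason": ", ".join(reasons) or "unlisted path"})
    return flagged, errors


def triage_sample():
    """Run triage over the constructed SAMPLE_LOG (convenience for demo/tests)."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    flagged, errors = triage_sample()
    for entry in flagged:
        print(entry)
    print("error responses per client:", dict(errors))
```

Two design choices matter here: the URL is percent-decoded before any pattern is applied, since the interesting characters almost always arrive encoded, and a request only gets kicked out as "obviously valid" when its path is on the allowlist and nothing in the full URL tripped a pattern. Unparseable lines are flagged rather than dropped; on a box whose logging you do not trust, a line that does not fit the format is itself a finding.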

so you want to be a security rock star?

This is still begging to be produced. Christopher Hoff recently posted lyrics for Security Rockstar (to the tune of Nickelback’s Rock Star). And a portion of it bookended the Network Security Podcast episode 161 (the version at the end does the first verse and chorus).

Strangely, the music is far more painful than Hoff’s singing. 🙂 And does contain some nice lines. I especially dig the rhyme of “…ubuntu” and “…can hack into.” It really should include something about being the target of kiddie hacks, once you get to be a security rock star (maybe kiddies want to be the rock star but then rage against them in the next breath).

informationweek lessons learned from breaches

InformationWeek’s August 31, 2009 issue included a nice article from the folks at Neohapsis (Greg Shipley, Tyler Allison, Tom Wabiszczewicz) titled Breach Diaries: 5 lessons learned from the front lines of today’s major data thefts. I’d link to the article, but InformationWeek wants you to register first. Lame, because the article hits key points very well which I’ll very briefly list. Some of the thoughts are my own below, but many are yoinked from the article. I share this because, as the article states in the beginning, the business tendency to shut up about breaches is making it harder for security to improve.

1. Get serious about web security. Web apps are being widely used as attack vectors. WAFs buy time, but the root issue is code. Review apps and incorporate security into dev cycles.

2. Add secondary controls. This includes internal firewalls, network segmentation, encryption, database monitoring. Implementing them is not enough. Implement them with a purpose, audit the settings/policies/configs, and watch the logs. Arguably weighted in the reverse order!

3. Know your limits. Most (hell, all!) security technology has limitations. Know them and lean on those techs only as much as they should be leaned on. Fill in the gaps with other solutions (usually watching events, traffic, anomalies, etc) and diligence. I really think this is where staff will make or break you, not the technology.

4. Trust but verify. Wake up every morning and say this until you live this.

5. Plan for incidents. This is another “duh” item, but a tougher one when you get down to it. For instance, how often does a security breach happen compared to a simple system outage/issue/mistake? A vast majority of the time an admin attends to an issue, the response is to rebuild or do things that destroy data. I’d argue that once an incident is truly suspected, then IR policies come into play, but for day-to-day work, I would usually suspect that systems or evidence may get destroyed or at least tainted. Really, this might come down to being careful to keep logs and audit trails and events separate from day-to-day ops.

more news on xp and ms09-048

Bejtlich has been far more active on this than I, so I’ll defer to his updates here and here.

I’ve heard from a couple places now that reference a report last year in regards to the TCP/IP dos vuln CVE-2008-4609 that Microsoft, Cisco, and others coordinated patch releases for this week (one of the dos parts to MS09-048). This is probably accurate since Outpost24 (Jack C. Louis who passed away earlier this year) is credited in the Microsoft bulletin.

Here are the key points:

1. Windows XP is vulnerable to the two dos issues in MS09-048 when it has a listening service open.

2. Windows 2000 is vulnerable to the two dos issues in MS09-048, and will not be patched.

3. Windows XP currently has no MS09-048 patch, and may not get one for the same reason Windows 2000 is not getting one: the change is too big/hard/impacting to the underlying TCP/IP (NDIS) implementation.

4. So far this just deals with a vulnerability that leads to a low-cost DOS attack (i.e. you don’t need 10,000 distributed systems). There may still be a potential for r00t code to be developed, or malware payload that may be used to storm through a network and just repeatedly down every XP/2000 box. Better yet, if you need a box rebooted as part of your attack, this could be a sure way to do it, or to get an admin’s attention to then log into the box and snag some credentials while he investigates.
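Since point 1 makes "has a listening service open" the condition that matters for XP, the practical question for each box is simply which TCP sockets are listening on something other than loopback. The script below answers it from `netstat -an` output. It is an added example, not from the bulletin or from Bejtlich's posts; the sample listing is a constructed Windows XP layout, and the parser also accepts the Linux net-tools layout (state `LISTEN`, local address in the fourth column) so it can be run on either kind of host.

```python
"""Report listening TCP sockets reachable from the network, i.e. the condition
under which the bulletin says the DoS issues apply to XP. Added example; the
sample below is a constructed Windows XP `netstat -an` listing, and the parser
also accepts the Linux net-tools layout."""
import subprocess

LOOPBACK = ("127.", "[::1]", "::1")

# Constructed `netstat -an` output in the Windows XP layout (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def listening_sockets(netstat_text):
    """Return [(address, port)] for TCP sockets listening on non-loopback addresses."""
    exposed = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].lower().startswith("tcp"):
            continue
        if tokens[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        # The first token containing a colon is the local address in both layouts.
        local = next((t for t in tokens[1:] if ":" in t), None)
        if local is None:
            continue
        addr, _, port = local.rpartition(":")   # rpartition copes with IPv6 forms
        if addr.startswith(LOOPBACK):
            continue
        exposed.append((addr, int(port)))
    return exposed


def exposure_report(netstat_text):
    """Summarize: whether anything is exposed, how many listeners, and which ports."""
    sockets = listening_sockets(netstat_text)
    return {"exposed": bool(sockets), "count": len(sockets),
            "ports": sorted({port for _, port in sockets})}


def current_host_report():
    """Run netstat on this machine (Windows or Linux net-tools) and report on it."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False).stdout
    return exposure_report(out)


if __name__ == "__main__":
    print("constructed sample:", exposure_report(SAMPLE_NETSTAT))
    try:
        print("this host:", current_host_report())
    except FileNotFoundError:
        print("netstat not available on this host")
```

On the constructed sample the report comes back with three exposed listeners (135, 139, 445), which is what a plain XP box joined to a network usually looks like regardless of what the "default configuration" in the bulletin assumes. What the script cannot tell you is whether the Windows Firewall is actually filtering those ports; that has to be checked separately on each box.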

rich mogull and bob russo back-n-forth on pci

Quick pointer over to some nice postings. Rich Mogull pointed to and responded to an article by Bob Russo from the PCI Council. Bob also responded back in the comments. My feelings are also in comment form, there.

Bottom line: PCI is a great value, an excellent value, as long as you don’t think it is the only thing you need to do, or lash back at it in some odd hatred of “best practices” because, god forbid, they’re not perfect. It is the kind of guideline that so many companies need, and so many of us experts can use to make our cases. It doesn’t end with PCI, but for many it does start with PCI.

ms09-048 affects windows xp, but how deeply?

Thank you Bejtlich for posting about this and making me revisit this for what is probably the fifth time in 2 days. I fully blame Microsoft’s poor wording for the confusion.

Yesterday, my first reaction (heck I even Tweeted it) to MS09-048 was to call it a Big Deal. Truly, it should be: On affected systems, any listening service exposes the system to at least one of the vulnerabilities.

Microsoft played dumb with Windows XP, however, stating the default configuration for XP SP2 and SP3 has the Windows Firewall turned on and not allowing any listening services.

But I think anyone who has even a smidgen of tech-sense in them knows that once you network the box (or basically even just use it, it seems), listening services are started and maintained or the Windows Firewall is flatly turned off.

So, the question remains: Let’s stop playing dumb and just say XP SP2 and SP3 at least potentially should be considered vulnerable. Does that mean XP is vulnerable to just the DOS/reboot vulnerabilities or also the part that allows remote code execution?

A big fail on Microsoft’s part for basically omitting this information.

Update 1:00pm: I can also confirm that there are no patches at all for XP systems relating to ms09-048 in WSUS or Windows Update. This could mean a few things. Maybe XP is not affected at all (but why the asterisk?). Maybe no patch was ready (of course, this could mean Microsoft just indirectly released their own 0day once what was released is reversed). Or maybe something screwed up. But the bulletin certainly reads like XP is potentially vulnerable if you, god forbid, expose listening services.

Update 1:37pm: Fabs has released details on one of the dos vulns, CVE-2009-1926

seamonkey alternative web browser and “internet suite”

Since Firefox has gone down the same path as IE (bloated, trying to do everything, untrusted, slow-loading, and being so big that it just can’t, alone, be the “more secure” option anymore which, along with speed and trust, catapulted it up into contention with IE in the first place!), my loyalty to Firefox is entirely hinged on add-ons like NoScript.* This means I’m open to new tools that may be simple and get back to what I really want: speed, trust, simple, and reasonably secure largely through that simplicity.

I just read about SeaMonkey’s new release. While it’s a new option, I don’t like the idea that it is trying to be an “Internet suite” of tools (really, HTML editor?) with a browser, email client, news client, IRC client, etc. In that regard, I’m not tripping over myself to try it, but thought I’d share the link in case it does become a legit contender as the new upstart (just like Firefox and Google once were…oh how the popular forget what made them popular). Besides, in trying to do all that stuff, can it ever possibly satisfy my security desires enough in any one part to best dedicated individual clients? Yeah, if I get around to trying it out, I’ll try it out. If not, I’m probably not missing much.

* Strangely, IE7 loads faster, at least in perception, than any instance of Firefox that I run anymore, Windows or Linux. But, I like that I can really reduce the toolbar footprint of Firefox down to like one bar, and it sucks that IE’s bar has gone the way of being a pain in the ass to customize in the same way. Still… really it’s NoScript that keeps me locked to Firefox.

firemaster brutes firefox password manager password

I’m not a fan of password managers in browsers; it makes me feel even worse about how OS-like the browsers are getting (and how far from Firefox’s “we’re secure because we’re simple” roots they’ve strayed), but I’ll have to remember this Firemaster tool (article by Lifehacker) if I ever find a need to break into a Firefox password manager store. (via h-i-r.net)

In-browser password management is something people looking for efficiency and shortcuts want to use. In my opinion, most of those people are probably the same people who re-use passwords and use simple passwords. I would suspect most people choose simpler passwords for their in-browser management tool, making Firemaster a risk. (Of course, you’ll never learn what your passwords are if something always puts them in for you!)

Then again, one should always expect some method of cracking or brute-forcing passwords, and thus always choose reasonably complex ones.