What is it about the Internet that has most changed our lives and society? Well, I would surmise that it is our ability to self-serve information-finding. In 1990, what did we depend upon for information? Today, I can self-serve by looking it up.
drunken weekend musings #1
What is the next “Web?” Well, probably immersive virtual environments, even though it seems a bit counter-intuitive on some levels. For instance, Sony’s Home will be interesting to watch develop. On some levels virtual environments work, like online training experiences or meetings. On some levels I imagine it doesn’t work: going to an arcade in Home just to play a game… why the extra lobby/step?
scan a host from multiple source ports
For future reference, SourceMap: “SourceMap is designed to scan to a port from multiple different source ports, to aid in finding weaknesses in firewall rule sets. It is possible to scan ports on a host from all 65535 source ports, something that nmap could not do. SourceMap is a multithreaded perl wrapper around nmap.”
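The weakness SourceMap is hunting for is a filter rule that decides on the client’s source port alone (the classic “let DNS replies back in” rule). The following is an added example, not SourceMap’s or nmap’s code: a tiny first-match rule evaluator that shows which destination ports become reachable from a given source port, plus an audit function that lists the rules an administrator should rewrite. The rule set, ports and first-match/default-deny semantics are all constructed for the demo.

```python
"""Audit a packet-filter rule set for source-port-keyed allow rules.

Added example (not part of SourceMap or the post). Rules are evaluated
first-match with default deny, the way most simple filters behave.
Everything below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src_port: Optional[int]   # None = any source port
    dst_port: Optional[int]   # None = any destination port


def matches(rule: Rule, proto: str, sport: int, dport: int) -> bool:
    """True when the rule applies to this (proto, source port, dest port)."""
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.src_port is None or rule.src_port == sport)
            and (rule.dst_port is None or rule.dst_port == dport))


def decide(rules: List[Rule], proto: str, sport: int, dport: int) -> str:
    """First matching rule wins; nothing matching means deny."""
    for rule in rules:
        if matches(rule, proto, sport, dport):
            return rule.action
    return "deny"


def reachable_ports(rules: List[Rule], proto: str, sport: int,
                    dports: List[int]) -> List[int]:
    """Destination ports the filter lets through from one source port."""
    return [d for d in dports if decide(rules, proto, sport, d) == "allow"]


def source_port_only_allows(rules: List[Rule]) -> List[Rule]:
    """Allow rules keyed on source port with no destination-port constraint:
    these are the rules a scan from many source ports will expose."""
    return [r for r in rules
            if r.action == "allow" and r.src_port is not None
            and r.dst_port is None]


# Constructed rule set: the third rule was meant to admit DNS replies but
# admits any connection whose client chose source port 53.
RULES = [
    Rule("allow", "tcp", None, 80),
    Rule("allow", "tcp", None, 443),
    Rule("allow", "any", 53, None),
    Rule("deny", "any", None, None),
]

TARGET_PORTS = [22, 80, 443, 3306]

if __name__ == "__main__":
    for sport in (40000, 53):
        print(f"from source port {sport}:",
              reachable_ports(RULES, "tcp", sport, TARGET_PORTS))
    for bad in source_port_only_allows(RULES):
        print("rewrite this rule:", bad)
```

From an ephemeral source port only 80 and 443 are reachable; from source port 53 every port on the list is, which is exactly the difference a multi-source-port scan would reveal. The fix is to key the reply rule on connection state or at least on both ports, never on the source port alone.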
covert channel over smtp
Blog post from Abe Getchell on creating a covert channel over SMTP by using the X-Spam-Report (and related) email headers to embed a message in what otherwise looks like a spam message. Adding value beyond just the issue itself, Abe drops a Snort rule to detect his example at the end of the post.
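A network signature is one way to catch this; the mail gateway can also sanity-check the headers it sees. The following is an added example, not Abe Getchell’s code or his Snort rule. It assumes the report layout SpamAssassin writes into X-Spam-Report (lines beginning with “*”, a score and an upper-case rule name, plus “[score: …]” continuation lines) and flags any report line that does not fit that shape, as well as any long high-entropy base64-looking token in an X-Spam-* header. Both messages are constructed.

```python
"""Flag mail whose X-Spam-* headers carry something other than a spam report.

Added example, not code from the post. The SpamAssassin report format
assumed here: lines starting with "*", a score and a rule name, or a
"[score: ...]" continuation line. Both sample messages are constructed.
"""
import math
import re
from email import message_from_string
from typing import List, Tuple

# One SpamAssassin report line, or its "[score: ...]" continuation line.
REPORT_LINE = re.compile(r"^\*\s+(?:-?\d+(?:\.\d+)?\s+[A-Z0-9_]+\b|\[.*\])")
# A run of base64 alphabet long enough to carry a short hidden message.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores higher than English words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def header_findings(raw_message: str) -> List[Tuple[str, str]]:
    """Return (header name, description) pairs for suspicious X-Spam-* headers."""
    msg = message_from_string(raw_message)  # compat32 keeps folded lines
    findings = []
    for name, value in msg.items():
        if not name.lower().startswith("x-spam-"):
            continue
        if name.lower() == "x-spam-report":
            lines = [ln.strip() for ln in value.splitlines() if ln.strip()]
            bad = [ln for ln in lines if not REPORT_LINE.match(ln)]
            if bad:
                findings.append((name, "non-report line: " + bad[0][:40]))
        for tok in B64_TOKEN.findall(value):
            if shannon_entropy(tok) > 4.0:
                findings.append((name, "high-entropy token: " + tok[:24]))
    return findings


# Constructed: what a scanner normally leaves behind.
NORMAL = """From: alice@example.test
To: bob@example.test
Subject: weekly report
X-Spam-Status: No, score=2.0 required=5.0
X-Spam-Report:
    * 2.0 BAYES_50 BODY: Bayes spam probability is 40 to 60%
    *      [score: 0.5000]
    * 0.0 HTML_MESSAGE BODY: HTML included in message

Report attached.
"""

# Constructed: a report line that is really a base64 blob.
COVERT = """From: mallory@example.test
To: bob@example.test
Subject: cheap watches
X-Spam-Status: Yes, score=7.1 required=5.0
X-Spam-Report:
    * 3.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * 0.0 dGhlIHBhY2thZ2UgaXMgYXQgdGhlIGRyb3AgcG9pbnQ=

Buy now!!!
"""

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("covert", COVERT)):
        print(label, header_findings(raw))
```

The normal message yields no findings; the covert one yields two for the same header, one for the malformed report line and one for the high-entropy token. Either check alone is enough to route the message for review, and the entropy check also catches payloads hidden in other X-Spam-* headers.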
packet capture contest – find the ios version
PacketLife.net has a January contest posted. From the packet capture given, determine the IOS version of one of the systems.
well played rogue ca md5 hackers
Well played indeed. In my posts discussing the recent MD5 hack that led to a rogue CA, I neglected to give the utmost credit to the researchers involved. These guys did an amazing job to not only recognize and develop the attack, but to actually execute it, dodge the legal questions, and present their findings at CCC.
And you gotta wonder what it would feel like to have in your hands a rogue CA that can break the trust people have in the web. That definitely has to be an awesome feeling, and I think we all owe the guys a weekend a beer!
christmas hacking challenge at ethicalhacker.net
I invariably seem to hear about the hacker challenge stories on the EthicalHacker site only after the deadlines have passed. I’m not sure if I’m the one who is behind or if it has anything to do with the headache-inducing site they have which looks like a freakish juxtaposition of a forum with news script software from 1998 (yet powered by Joomla!). Great books! Messy site!
At any rate, their latest challenge is up, and hopefully the chosen answer will be posted sometime soon!
de-googling ideas
Lee Hinman has a post on writequit.org about “De-googling” himself, i.e. using tools other than those provided by Google. I commend this effort! Ever since Google went public I’ve trusted them far less (much like Yahoo) but have to grudgingly admit their tools are speedy and good for what I need. Unlike Lee, I’m not so open to accepting that Google has stuck to their “Do no evil” mission, but what can you expect when you suddenly have so many stakeholders holding your feet to the fire of profit? I completely share Lee’s concerns over privacy with the Google-machine.
I’ve never heard of Scroogle as a search tool. I’m sold!
Note to self: Open a new account someday just as an RSS feed reader. Bonus points if I find a way to permanently proxy to it.
Read the rest of Lee’s article for more ideas on replacing some Google tools.
wi-spy for the 5ghz band
I’ve long enjoyed my 2 year-old Wi-Spy. I see they will be coming out with a Wi-Spy DBx “soon” for $799. If you sign up, I guess you get a coupon for $200 off when it is released.
Sadly, the price point moves this out of the “geek gadgets” realm and into an area meant for people who professionally test, monitor, or manage wireless networks. I actually do not manage a wireless network at my current job, so this gadget would really just be a for-fun deal. Even with the coupon, $500 is too high for a toy for me. But I wanted to mention it to remind me it is there, and give someone else the idea if they could use it and afford it.
the same old lesson from vuln disclosures
Another lesson from the MD5 / SSL CA hack: We’re now stronger for the issue being exposed.
Someone could have exploited this weakness already, or someone could have exposed it a year or five from now. But because this has been exposed to the public, we’re now collectively stronger and more informed for it.
This is an agnostic approach where I don’t have to say we should be throwing exploits out full disclosure-style without giving anyone a chance to fix or mitigate the issue. But rather, simply exposing the issue to the public with enough detail to be actionable is what I want. If that involves partial disclosure or even full disclosure with POCs, I’m fine with that.
Would I sing the same tune if the researchers had released their rogue CA? Yes, although it might be tainted with a, “That’s pretty short-sighted of you to do that.” But being able to react to what is disclosed is part of the lifestyle, even if we don’t agree with the actions. (Gosh, if only attackers would disclose to us their tools first before they go on the offensive! That would be the professional thing to do, right?)
add value beyond the security report
I’ve seen plenty of talk these days about audits, compliance, pen-testing, and security reviewers, and how they are canned or unskilled or unknowledgeable. (Auditors who understand they lack understanding are exempted, as there is a place for checklist checkers.)
To me, it is pretty simple to tell when someone or some group knows what they’re talking about and are qualified to help with security. There are two traits:
1) Ability to discuss (accurately!) a scan or pen-test report. Don’t just hand the report back and/or quote it verbatim in a meeting. Be able to casually talk about the issues, and if necessary, be able to reword them for understanding by managers and techies alike. Being a fellow geek, I can usually quickly figure out when someone’s knowledge is limited or outright bullshit.
2) Ability to discuss the pros and cons of security measures. This takes practical knowledge on how business and IT works, including practical knowledge in implementing protections or workarounds. Is it responsible to demand an entire web application be wrapped in SSL? In a way, empathize with the IT manager, the techs, and the business as a whole.
The bottom line: Be able to add something beyond just the deliverable report! The unfortunate reality of this is the need for security persons to have some practical implementation experience in business. The more you can basically make decisions for a manager, the more she will like you!
In the long term, there are two more traits one can evaluate sec geeks/groups by.
3) Ability to learn new techniques and tools. This ability still leaves open the option to use automated tools, but forces testers to be open and able to learn new things, including code, other automated tools, or manual options. I’m not one to rag on people who run automated scanners,* but I would rag on someone whose entire repertoire is an automated scanner.
4) The depth and breadth of their knowledge. It is hard to be both deep and broad in security, but the more you can be both, the more value you have. Practice, practice, practice! (And for god’s sake, manage expectations properly and admit when you are in over your head rather than flounder and deliver less value.) As an alternative, be extremely deep in your chosen area.
* It is my observation that there are three main phases to automated tools use. First phase is developmental where automated tools are fun and awe-inspiring. Then there’s the in-between phase which is where people start crying and yelling at “script kiddies” because they use automated tools. Then there is the third phase where realization sinks in that automated tools, even skiddie tools, can have value. Strive for phase 3!
a complex problem: md5-signed certs from a rogue trusted ca
More information about the recent MD5/CA root attacks (links from SANS):
– in the authors’ words
– PowerPoint slide deck
– Microsoft advisory (…ok)
Very few entities can actually do anything about this, and it takes quite the effort and knowledge on behalf of an attacker (not surprising for a weakness pointed out in part by academics). But the impact seems pretty big, if I’m reading the details correctly (I’ll be the first to admit PKI and cert signing and trusting makes my head spin). All an attacker needs to do is collide and forge one rogue CA, and everything crumbles after that.
From my brief look there is one objective from this attack: Be able to MITM SSL connections using a rogue CA cert that the browser will trust because it matches what comes with the browsers (this assumes you can MITM the traffic in the first place).
From my brief look, this is the impact: You can potentially not trust every SSL cert out there. The holy grail, if I may call it that, of browser SSL/cert security lies in the strength of the root CAs that are shipped with the browser. Even a single weak one means any SSL can be forged and then implicitly trusted by that browser. Combine that fake trust with the ability to redirect and MITM traffic and you break down SSL trust.
Biggest issues for consumers #1: Phishing sites would probably love to get their hands on a rogue but trusted CA because that would mean they could forge their own certs and avoid that annoying popup about a cert being untrusted. Governments might want to pocket this information for cyberwarfare purposes. If you can redirect all traffic from a hostile entity to your servers, you can then MITM SSL quietly. I bet China would pay dearly for a trusted rogue CA…
Biggest issues for consumers #2: In limited situations like a small network or wireless hotspot, an attacker can redirect all traffic to his server. If he has a trusted CA with which to sign his own certs, he can actually MITM the banking domain you know, and host a cert that your browser will trust. The old habits still hold true: do not do sensitive things on a wireless network or a network you do not trust.
Lesson: MD5 collisions were demonstrated years ago, and while they were considered theoretical, producing reliable collisions only required massive amounts of time and computational power. While MD5 was and still is useful, you can’t pile trust on top of a broken process and still trust it.
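The structural point of the two posts above (one weak signature anywhere below a shipped root lets a forged intermediate sign anything) can be shown without any cryptography at all. The following is an added example, not code from the post or from the researchers: certificates are modelled as small records, a signature is represented only by the algorithm the issuer used, and nothing is cryptographically verified. It shows a chain walker accepting a leaf issued by a rogue intermediate when it tolerates md5WithRSAEncryption, and refusing it when it does not. All names are constructed.

```python
"""Model of why one MD5-signed link breaks an entire chain of trust.

Added example; not code from the post or the researchers' work. Certs are
plain records, not X.509, and "signature" means only the algorithm name the
issuer used, so no cryptographic check happens here. All names constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool     # basicConstraints CA flag
    sig_alg: str    # algorithm the issuer used to sign this certificate


# Signature algorithms a validator should refuse to rely on (assumed policy).
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "md2WithRSAEncryption"}


def validate_chain(leaf: Cert, intermediates: List[Cert], roots: List[Cert],
                   reject_weak: bool = True) -> Tuple[bool, str]:
    """Walk from the leaf up to a trusted root. Returns (accepted, reason).

    Roots are trusted by inclusion, so their own self-signature algorithm is
    never consulted; every certificate below a root is checked.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in intermediates}
    root_names = {r.subject for r in roots}
    cur = leaf
    seen = set()
    while True:
        if reject_weak and cur.sig_alg in WEAK_SIG_ALGS:
            return False, f"{cur.subject}: signed with {cur.sig_alg}"
        if cur.issuer in root_names:
            return True, f"{leaf.subject}: anchored at {cur.issuer}"
        issuer = by_subject.get(cur.issuer)
        if issuer is None:
            return False, f"{cur.subject}: issuer {cur.issuer} not supplied"
        if not issuer.is_ca:
            return False, f"{issuer.subject}: not a CA"
        if issuer.subject in seen:
            return False, f"{issuer.subject}: chain loops"
        seen.add(issuer.subject)
        cur = issuer


# Constructed scenario modelled on the post: a shipped root that signed
# with MD5, a rogue intermediate carrying one of those MD5 signatures, and
# a leaf for a bank-like name issued by that rogue intermediate.
ROOT = Cert("Real Root CA", "Real Root CA", True, "sha1WithRSAEncryption")
ROGUE_CA = Cert("Rogue Intermediate CA", "Real Root CA", True,
                "md5WithRSAEncryption")
ROGUE_LEAF = Cert("www.bank.example", "Rogue Intermediate CA", False,
                  "sha1WithRSAEncryption")
LEGIT_CA = Cert("Legit Intermediate CA", "Real Root CA", True,
                "sha1WithRSAEncryption")
LEGIT_LEAF = Cert("www.bank.example", "Legit Intermediate CA", False,
                  "sha1WithRSAEncryption")

if __name__ == "__main__":
    print(validate_chain(ROGUE_LEAF, [ROGUE_CA], [ROOT], reject_weak=False))
    print(validate_chain(ROGUE_LEAF, [ROGUE_CA], [ROOT]))
    print(validate_chain(LEGIT_LEAF, [LEGIT_CA], [ROOT]))
```

Note that the rogue leaf itself carries a perfectly modern signature; the weak link is one level up, which is why a validator has to apply the algorithm policy to every certificate in the path and not just the one presented by the server.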
weakness disclosure in critical net architecture tomorrow
There is a bit of chatter today about an undisclosed weakness in something that potentially affects all netizens. Yeah, I can only guess as well right now, but I expect it to be a routing or network infrastructure issue. I guess we’ll find out tomorrow from the CCC. Read HD Moore’s related post about it, including the very bottom with the presentation schedule and links to video streams.
Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users.
the value of interaction and information-sharing
This post from Scott at SecurityViews got me thinking. Here is a snippet:
People desperately need help in sorting out what security information is relevant to them. Which vendors and technologies to trust, which browsers to use, which updates are important, which sites to give personal information to… it’s not getting any easier.
Weighty, but true. How do you get and/or give the best information out there when you have some knowledge to give?
As Scott points out without quite saying as much, it is about interaction.
It is not about blogs, wikis, written policies, Google searching on a topic, papers, research, etc. It is about grabbing an expert, asking the question, and getting a response back. And in a broader community, getting 5 answers back which can be of differing degrees of correctness which collectively improves everyone.
And that expert needs to be willing to answer the same question 20 times (which web browser should I choose) along with the whole argument to explain the decision. Ask the question, get an answer.
I wonder how many individuals or businesses are out there that would readily ask questions to an expert if they had a few moments to do so? And I’m not talking about, “What would you ask Schneier at dinner,” but common questions that nag like, “Should I worry about IE in my enterprise?” “How bad is vulnerability X?” “Is cloud computing a big deal to me right now?”
What sorts of interaction are there?
– In person; i.e. allow people to ask you questions, even stupid ones.
– forums
– mailing lists
– IRC
– social community sites (ExpertsExchange, ITToolbox types of places)
Blogs are a one-shot deal and then they move on. Wikis are only as good as they are kept updated, kept in scope, searchable, and chunkable…
google hacking database
Via Dan Morrill I learned that the Google Hacking Database on johnny.ihackstuff.com is possibly no more, replaced instead by a video? Undeterred, I threw my own Google search at the topic and came up with this page that takes you back into the Google Hacking Database. If it really is going away, might want to copy stuff now?