the lasting headlines from defcon 16 (and black hat)

Every year the Blackhat/Defcon one-two punch of hacker info-sharing makes some headlines. Three years ago was Ciscogate, two years ago Spot the Reporter, and last year Maynor/Ellch and Apple got busy. Here are some stories that made the rounds this year.

Presenters banned from discussing how to beat the Boston subway system. While they were banned, the materials were still available to every attendee and even mirrored online. The presentation looks fun, by the way. Nonetheless, we are hopefully slowly learning that suppressing information/truth does not improve security. Fix the shit rather than cover it up.

French reporters booted from Blackhat for sniffing passwords of other reporters. I think I agree with how this was handled, based on what I’ve read. The reporters are not new to the cons, know what the Wall of Sheep is supposed to be, and knew the rules of the press area. That press area does need to remain a safe place in what is otherwise the most hostile network any of us will ever likely be on. Of course, on the other hand…the victims at least got a first-hand lesson in how to fail at protecting your logins… I somewhat disagree that the sniffing of those passwords should be illegal…again, while that network does need to have some semblance of security, in the end it is still an open and hostile network with hosts you cannot fully trust. It should have been ethically respected, if not legally bound.

I haven’t even read the full-disclosure threads yet, but it looks like several people had accounts hijacked over the past week (pdp from gnucitizen and Alan Shimel). I wonder if this is related to possibly using the network at Black Hat and either having your system pwned or a gmail session hijacked. This is easy to do if you stay logged into gmail and open a browser to it by accident while on a hostile network. There have been at least two recent presentations on the topic, one involving sidejacking with Hamster from Erratasec and another from Jay Beale this year at Defcon. More reason to respect the hostility of the networks at these two events.
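The session-hijacking risk described above comes down to session cookies that a browser will happily send over plain HTTP. The following is an added example, not code from the original post; every hostname and cookie value in it is constructed. It audits Set-Cookie headers and reports which cookies would travel in the clear to the site, which is the precondition sidejacking tools rely on.

```python
from urllib.parse import urlparse
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    domain: str = ""      # empty means a host-only cookie
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (simplified RFC 6265 attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie.path = val.strip() or "/"
    return cookie


def would_be_sent(cookie: Cookie, url: str, set_from_host: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    # Secure cookies only travel over https; all others also go in the
    # clear, which is exactly what a sniffer on a hostile network waits for.
    if cookie.secure and u.scheme != "https":
        return False
    scope = cookie.domain or set_from_host.lower()
    if host != scope and not host.endswith("." + scope):
        return False
    return (u.path or "/").startswith(cookie.path)


def exposed_session_cookies(headers, set_from_host):
    """Names of cookies that would be sent in cleartext on http:// to the host."""
    exposed = []
    for h in headers:
        c = parse_set_cookie(h)
        if would_be_sent(c, f"http://{set_from_host}/", set_from_host):
            exposed.append(c.name)
    return exposed


# Constructed sample headers (not from any real service): one cookie is
# scoped to https only, the other would leak on any plain-HTTP request.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.mail.example.test; Path=/; HttpOnly",
    "LSID=def456; Domain=.mail.example.test; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print(exposed_session_cookies(SAMPLE_HEADERS, "mail.example.test"))  # ['SID']
```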

Security Monkey beat me to the punch on a post like this, and he has more info on his post.

you know you wanted to be a firefighter as a kid

Is your IT/security team largely firefighting? If not, I’d love to know!

This rumination was prompted by a blog comment I read, and I was kinda dumbfounded. Are there IT shops that are *not* firefighting? Pray tell, where are they?

I conjecture that top-down, and outside-in we have this tendency to think IT/security is better than it really is.

I also conjecture that the only shops that are not firefighting are the ones so large that all those things that would be “firefighted” in small shops end up falling into the black holes of processes and separated teams. “Oh, I know that’s a problem, but that’s for the virtualization team,” or “That’s not something my manager wants me to touch, that’s a code issue for dev team 83,” or “I’m just the consultant/security advisor, it’s up to the desktop team to figure out how to properly implement that DLP.” It’s not that they’re getting done, as much as being buried in a field full of freshly dug holes.

heading to defcon 16

I will be at Defcon this year! I will be hanging around like a normal creepy hax0r starting Wednesday morning. I’m still attempting to figure out what laptop to bring, but I think I am settled on my primary one. I’ll just swap out my hard drive for an older one and put a patched Win XP and Ubuntu install on it. Win XP because ease of use on the road is paramount. Ubuntu just to keep the g33k cred rolling. This way the system is expendable on the cyber side.

The biggest annoyance on the trip? Trying to figure out what I can and cannot bring on the damn plane. My cell and laptop and pmp charger cables can be used as a garrote! And I’ve removed the batteries on my vibrators so they don’t turn on and get flagged by the baggage handlers.

are there trolls down in that dark rift? …rift…rift…rif…

Two years ago (estimated), the security industry started making ground on the rift between management/business and the geeks in the security operations center. This rift is being reduced much to everyone’s relief.

But I wonder if this is at the expense of a rift growing between the security experts involved with the business side and the geeks in the security operations center…

This whole business about the DNS exploit smacks of a fundamental breakdown or change in priorities, or a very distinct rift between two groups who used to be very much in agreement.

Profitability of crime is a result of the maturation of the malicious attacker. Is this rift a result of the maturation of the security industry?

It could be the result of a stronger focus on risk, which itself appears to be a juxtaposition of a business sense and technical background.

It could be the result of an aging (but not old) set of geeks growing into more business-side positions, similar to those hackers who fought against The Man growing up, taking a job, and becoming The Man.

Nonetheless, I’m convinced there is some rift or change that has subtly occurred that is resulting in this not-so-subtle dogmatic difference. I’m just attempting to better understand it so I won’t be so easily peeved about it. 🙂 And so I can make sure that I, as a person and a security guy, can act consistently no matter how unhyped or overhyped an incident is. (If you know my personality type, you’d understand that sentiment; or as Emerson would say, “Know thyself.”)

dvd movie playback on the cowon

The other day I talked about my new Cowon A3 and I was still trying to figure out how to get a movie from a DVD to the device to play. After a buddy did it on the first try with his Mac + Handbrake, I decided to give Handbrake a second try.

I used DVD Decrypter to rip Hackers to disc. Basically this is a one-click transfer.

I then followed these directions to use Handbrake. I chose the “Classic” preset with H.264 encoding. This resulted in a 900MB file. I copied it over to the Cowon, and played it.

Everything worked like a charm, great resolution (most likely I can play it on my television with little loss, though I have yet to try), sound, and playback.

My PSP was disappointing with movies (UMD), as it just can’t keep up with anything even close to fast moving; it ghosts and blurs. The Cowon is beautiful!

Additional note: the forums on iAudiophile have a great section on the Cowon A3.

whining about whining about security researchers and exploit devel

There are way too many great points and posts and thoughts about the Dan Kaminsky/DNS/exploit release issues flying around right now. There are even plenty that really rankle my tail feathers. Hence a quick rant to throw down my opinion.

Could Dan and HD Moore/I)ruid have handled things better/differently? Sure, but that’s hindsight for us, ain’t it? Whether it could have been better or not, the reality is already upon us and done. Stop whining. Your blog isn’t going to convince security researchers to play nicer. (And quite frankly, I’d rather they continue to break shit.)

We all need to keep in mind that much of our lives as security geeks is a direct result of exploits being developed and released, no matter who develops or releases them. From actually getting action from our vendors to showing our dumb users the folly of their ways to actually getting mainstream awareness so that we can improve our budgets. All of that can likely trace roots back down to some exploit or in the wild POC or a better piece of software because someone poked a stick at it hard enough and long enough.

It’s almost sickening to see security professionals tripping over each other decrying so-and-so’s disclosure or so-and-so releasing an exploit. It almost feels like several people are trying to take the high road while saying “look at me, look at me!”

Isn’t that part of our game? Isn’t that a risk we face every single day? Neither this incident nor this exploit (and others like it released publicly or privately) ultimately changes anything. From reading the speculation and confirmation of the DNS vuln, it was readily apparent that writing an exploit wasn’t going to be difficult and many people could/would do it. Hell, knowing Dan accidentally discovered it and that it was a design flaw should have been clue enough that this was not going to be something only 10 hackers in the world could write. The vendor response should have been clue enough…

And before decrying the ones who developed and weaponized it, remember that whether a white hat built it or not, the risk was still there. I for one would rather have good guys (or anyone) write an exploit and get the knowledge out there, rather than sit in a corner and pretend the cyberworld is happy and filled with laughing puppies and frolicking kittens. Again, this is part of our game as security professionals…again, stop whining.

By the way, saying it is greed means you don’t understand the hacker or even IT ethic, and you probably aren’t really in touch with Internet culture nearly as close as you think you are. Sure, it might have been greed, but unless you know the person personally and for a fact that it was, pipe down; you just look jealous.

couple top stories for 2008: terry childs and dan kaminsky, et al

There are some Big Deal stories floating around this summer in the security space.

Dan Kaminsky and our DNS security: Big vendor patching! Dan withholding details. Details leaked by accident. Exploit developed by white hats. (Note: I take little sides here, but I can say, “Get over it,” to most of the naysayers.)

Terry Childs holds San Fran network hostage. And now the fiasco surrounding this whole mess. I still feel this holds some good lessons and precedent when it comes to just how far we can secure and run things before we’re mistaken for holding it hostage. Couple that with some vicious head-butting between managers and employees…

when is an exploit responsible?

I)ruid and HD Moore have released exploit code for the recent DNS vulnerability.

I see Andy ITGuy has posted about the release of this exploit code:

But I think that HD stepped over the line with releasing this exploit at this time. There is NO valid reason for it to be released… As security professionals we have to be responsible in how we practice our profession. If not then we are putting ourselves and our users at risk. We are even putting others at risk with our actions when we are irresponsible.

This caught me a bit by surprise, and since I respect Andy and know he’s a smart guy, I thought I would jump into the discussion. While I’m fully pasting my comment below, if anyone wants to react to it, I urge you to do so on Andy’s blog rather than here. 🙂

My response (with emphasis added):

With or without Druid’s exploit, our users were at risk. And rather than sit in the dark and not want exploit code, I certainly don’t mind having it around to learn from it. I’d even contend that we’re better off researching exploit code; write more, learn more, write better ones, learn yet more, and so on.

So, you would probably come back and say that HD Moore shouldn’t have released it “at this time.” But, what basis is there for when a time is appropriate to release exploit code? One year after the disclosure/patches? One month? After a committee of CISSPs gets together and votes on it? After 75% of servers are patched? Ever?

And how does exploit code differ from vulnerability details? Should we not disclose details that could lead to exploit code for 1 month, 1 year, or ever?

This set of questions simply cannot be answered, and never will. And since they can’t be answered, I’d have to err on the side of reality: Exploit code is exploit code, and when it is released it is released. And then move on. 🙂

Andy, I fear you are arguing the side that is actually indefensible. 🙂 Acting “responsibly” is far too relative to ever apply to such a set of people as security-aware geeks.

Here’s another way to tackle it. Should we manage our security posture based on whether exploit code is known or not? Yes, a vulnerability/patch does have a different value based on whether code is known or not, but when no known exploit code is in the wild, is it ok to put off the patching of your servers?

It might be argued that distributing details and exploit code will actually stimulate a more secure digital world. If your timeframe for patching DNS was a month after the patches because the vuln wasn’t known or the exploit created, but is now immediately because an exploit has been released…is that not a desirable state? Obviously the presence of code prompts action, and as such, this might be a benefit to us all…

fear the power of netadmins more than murderers!

The case of the San Francisco net admin who locked everyone out of their FiberWAN network continues to be interesting.

“This is an affront to the people of San Francisco and a miscarriage of justice,” said Crane [Childs’ attorney], who told the judge in a court filing that the city’s technology department was riddled with “mismanagement, negligence and corruption.”

This brings back memories of Kevin Mitnick: “His bail was set five times higher than a murder defendant after his July 13 arrest amid fears he could unleash a wave of system failures if freed.” So, does this mean that digital power is mightier than the sword?

Up next: The modern day Red Scare is upon us: The Hacker Scare! Hackers are infiltrating your networks remotely! Your next net admin may be aligned with a hostile nation, planted to take down your network upon command!

do not move this fan!

I got passed a link to this picture which made me smile during an otherwise smile-unworthy morning.

Pictures like this can put the plight of IT operations, even security, into a fairly realistic light. There are plenty of DIY/homebrew solutions simply because Doing It Right unfortunately Costs Money. (And sometimes Doing It Smartly doesn’t work with Unsmart Admins!) Besides, few organizations are in the business of having perfect IT operations or security; it is more about Getting By.

This is really why I’m not always very surprised by most security incidents. I think our general perception of security operations is far better than the reality, even with all the media babbling about it. We have this sense that businesses are doing their best to keep systems up and secure, when in fact there is an oscillating fan keeping a critical server cool. Then again, we also have this weird sense that we’re secure in our homes, when in fact we do even less to actually provide security.

keeping life simple in a world of complicated gadgets

One caveat to progress and technology and gadgets is the way one’s habits need to change and adjust to conform to the gadget’s purpose or build. Some of my most satisfying purchases, however, are gadgets which are suited to my already-existing habits.

Received my new toy this week, a Cowon A3 80GB portable media player (PMP). This is basically a competitor to things like the Creative Zen or iTouch. It has inferior management interfaces, playlisting, and no touchscreen, but it has a far superior ability to play a vast assortment of media formats with no fuss, and is dead simple to manage on any system capable of recognizing a USB removable drive (yay I can manage it from Linux!).

Connecting the Cowon – Umm, plug it into a powered USB slot. Wait for the OS to recognize and mount it (or mount it if your OS needs a poke). That’s it, no drivers or software needed, even on Windows. This was really by far my biggest reason to purchase the Cowon, and I’m absolutely satisfied with it.

Music Philosophy – My music needs are less mainstream these days. I’m getting old and as such I am pretty biased against DRM-related media. I am fine with throwing away tangible products (CD discs) and keeping my media digital-only, but I don’t want someone or something else managing my access to that media. Screw that! Therefore, using things like iTunes or DRM-friendly devices is really not an option for me.

Music Organization – The Cowon shows up on a computer as a removable drive with some default folders (MOVIES, MUSIC, PHOTOS…). Drag-n-drop folders/files onto the device, and that’s it! Playback either plays every music file it finds, limits itself to the top level folder the song being played shows up in, or to a subfolder. This fits with how I manage my music quite perfectly. I have about 40GB of mp3 files all categorized in just one of 6 folders based on rough genres (hard rock, lighter rock, trance, chill, etc). So basically when I listen to my music, I choose everything in folder “3” and shuffle through it. That’s it! Which basically means the simplicity of the Cowon is exactly fitted to my use. No fancy playlists or tagging or organization by year, artist, album, and so on. And to populate the device with changes, I just plug it into any of my systems, mount my mp3 share, drag-n-drop whole folders, and walk away.

There are limited playlist functions, but I have not delved into them deeply. If I want to listen to just one album, I can add the 13 files to an on-the-fly playlist in the Cowon and limit playback to that. I’ve played with managing playlists on my previous ipod but really found extremely limited need: only had playlists for workout music and car music when I want the windows down and the bass up. I’m just not too concerned with playlists and managing them. Simplify, simplify…

Movies – Initially I copied 4 different types of video files to my Cowon (avi, mpeg, divx…) and every file played immediately. I’m still trying to find a format that I can rip a DVD to that will play, but I think that is not a limitation on the Cowon so much as my limited knowledge on formats and digital ripping. 🙂 I’m using VLC to copy the stream to usable files, and will find the right combination eventually. Oddly, I had it on my first try, then decided to get cute and up the quality, at which point I then lost track of what I did initially…

Cons

  • Stop? – I haven’t figured out how to stop a movie file from playing, short of starting up something else or powering off the device. Not a big deal, but still a weird problem. You know, in thinking about it, really why would I ever want to stop a media file without starting up something else instead? Do I want the device to sit doing nothing while turned on and eating batteries? This might in fact be a curiously well thought out setup!
  • Joystick – Pressing the joystick inward gets ragged on a lot in tech reviews, but I think many people don’t realize you rarely need to actually press the joy down. If you’re on a folder, you can press it right, and it will drill down. Highlight a file, press right, and a context menu appears with Play highlighted by default. Press right again and it plays.
  • No stand – I’m only slightly annoyed there is no stand to keep the player face upright or tilted towards me during the day.
  • Bulky – It’s a bit bulky, but for 80GB I really can’t be picky. It still fits in my pocket if I want it to, but I am well aware this device is going to mostly be in my backpack, on my desk, or sitting nearby while I relax. Not when I’m walking or mobile or running. I am not one of those people who needs my own soundtrack playing through my headphones while I walk to the mailbox.

Tips

  • When plugging the USB cable in the first time, be sure to use the correct USB slot on the Cowon. I spent 20 minutes using 3 systems before I realized my computer-to-Cowon USB connection was plugged into the wrong USB slot on the Cowon (use the one nearest the power jack). The other USB input is to plug other USB devices into the Cowon like a digital camera (an uplink).

damned if you do, damned if you don’t

Dan Kaminsky recently announced a “major weakness in DNS.” Lots of speculation ensued as Dan decided to withhold details of the weakness until his talk at BlackHat 2007. This riled some folks. (And someone even posted the vuln details to their blog, which then got cached in many rss readers. Oops! But thank you!)

Now, my opinion as an admin and sec geek is that Dan shouldn’t have waited to personally capitalize on this issue at BH2007, and instead should have disclosed the information necessary for me to make an informed security decision. I feel that I’m smart enough to be able to question and understand patches and vulnerabilities rather than be spoon-fed vague, incomplete information about some mysterious weakness I should avoid with an unmarked pill. I am likely a minority in this regard, however. (Besides, doesn’t the hacker ethic sympathize with free disclosure [that kinda sounds better than ‘full disclosure’…] of information, especially as information tends towards being free anyway?)

But, I will never actually fault Dan for the decision he made. In fact, had it been me, I might have made the same decision. This is his decision (though this is arguable) and it likely earns him some deep cred in the DNS community and especially amongst the vendors. Instead of “black hat” cred with kids on the streets, he gets cred which could actually pay some bills. And in the middle are people like me who appreciate the work, don’t appreciate the half-disclosure, but in the end still benefit from his findings and work. A year from now, any misgivings about the approach will be gone, but the benefits to security will remain.

In the past few years, it is popular to say that black hat actions have become commercialized and criminal. Well, on the other hand white hat activities have also been commercialized.

On a side note, the whole “put up or shut up” mentality that Dan mentions is a two-edged sword (at least). On one hand, yes, it’s about security-minded people being paranoid and asking for the real details and questioning things. But on the other hand, it is the same tactic that children will use to get you to tell a secret, for instance…