
10.11.2007

Took long enough...

No, I'm not talking about how long it's been since our last blog post, I'm talking about the iPhone.

I can't say I'm really surprised, except that maybe it took so long, but the iPhone hacking teams have announced a major remote exploit for the iPhone/iTouch. It is a file parsing exploit, the way many of us expected it would happen, and it is remotely exploitable via a malicious .tiff file. It appears that this was created to make it possible to remotely unlock iPhones (a dubious prospect at best).

For all the interest that the information security community had in the iPhone before it came out I've been shocked at how little has come out of our community. It's shocking how the majority of the "exploit" activity on the iPhone has been the traditional hackers, those who just seek to expand functionality. These "hacks" have been created to compensate for the lacking API, not those attempting to compromise this information rich device. Maybe good is stronger than awesome.

More info here and the actual malicious tiff here.

6.25.2007

Bad Reputation vs Bad Assumptions

I was wandering through my blog list today and, by way of the ever enjoyable Observations of a Digitally Enlightened Mind, came across an interesting but, in my opinion, totally unfounded and flawed article related to security.

The article in question is one where PopSci published a list of the 10 Worst Jobs in Science. Many of them are truly awful, ones I wouldn't wish on my worst enemy. Mind numbingly, stomach turningly bad. It was #6, nearly half way down a terrifying list, that the job in question was described.

Now I've been a Microsoft hater in my day, no question. As a security type person they've been quite the headache at various times, and as an Apple fan I don't really find it an enjoyable system to use. That being said if Microsoft were to track me down and ask if I was interested in a job working with their security teams I'd jump at it. 

Now the article is very correct about one aspect of it. Microsoft does wear a big "Hack Me" sign. It'd be nonstop pandemonium. Attacks at every angle, computer criminals gunning for you every day. If it's not the operating system it's the office suite, if it's not the office suite, it's the browser. There are few pieces of code attacked as aggressively as Microsoft's, it comes with the territory when you dominate the market place in so many genres the way they do. Microsoft should wear that "Hack Me" sign proudly, maybe with a big gold chain (that they can afford) and some bling letters.

So yes, under attack constantly. While I can't speak for anyone else that's exactly why I'd want to work for them, and I think that's perfectly natural. Surgeons may not like people being sick or hurt, but they sure enjoy cutting them open, or so I'm told (by my uncle who is one). It's the same with information security. A week (like the past couple) with few large threats gets dull quickly. Now the week when the ANI attacks came out, that was fun. Would working for Microsoft be easy? Not in the least but rarely do people learn when they're "safe". They don't grow without challenges.

If I wanted easy I'd go be a security guy for a small mom and pop somewhere, nice and safe, with a small number of supported apps, a smaller number of machines, and five users I could personally beat for being stupid. The Microsofts, Amazons, Mozillas, government groups and financials are in the thick of it, defending dozens of complex pieces of software, hundreds of thousands of machines, and billions of dollars. The Internet is a very dangerous place for groups like those and I believe that's the most attractive reason to work for them.

6.13.2007

iPhone sounds a lot like iPwn

So as a fairly enthusiastic Apple fan I've been getting asked often how excited I am for the iPhone ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). With someone of a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third party development.

My overall take on it? I've had a number of smartphones and aside from making calls I mostly just used the browser. As for other applications after a few that I tried for experimenting I found I rarely used others, just sticking to the basic software that was included, and even that little enough.

As for the iPhone I truly believe that the killer app will be Safari itself, if it is all that Steve has tried to demonstrate it to be (which it may or may not be). I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of Palm/Windows Mobile/Symbian/Blackberry smart phones I've yet to see an app that overwhelms the function of a phone to make calls, text message, and maybe, if you're lucky, get email or browse the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all things done in the web browser alone. What app are Apple devs just dying for the chance to make?

Now that multi paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on Javascript/Ajax (as though you can have one without the other), you create a new problem: web pages can have amazing integration with your personal phone. Let me rephrase that: Advanced applications, running from remote servers, with both instructions and data, that have already been shown to have concerning security issues, will be able to run on your iPhone, and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?

One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time Javascript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all those are only most of the time. There are plenty of side effects to current web technology that make a security researcher pull their hair out, and that's all in the sandbox. Billy Hoffman's Shmoocon presentation discussed many of these, from keylogging to his own technique for web scanning using just Javascript and his particular brand of maniacal thought.

It would seem, based on current information, that Apple is deliberately adding such features, creating a potential security nightmare by deliberately adding the ability for web applications to circumvent the sandbox. So what will happen? XSS attacks that rewrite your Address Book? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.

For a company like Apple, who so often touts their security record (no I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of design received. All of this is obviously speculating the worst, but Apple has said little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design what else are security researchers to assume?

Or maybe I'm the only one who is worried about all this.... well, there's also Billy.

4.09.2007

Introduction to Malware Analysis

From JST at Offensive Computing:

I have a folder (just over 300 megabytes/927 files), which contains a lot of malicious software. I uploaded it in case anybody wants to analyze it, or if anybody from anti-virus companies wants to detect it. A lot of it is already detected, but some of it is detected by some anti-viruses but not detected by others. There are all types of executable files, pif/exe/scr etc and also some .jpg/.zip which are really executable files renamed. There are also some HTML files, but a lot of those can just be ignored. Well I uploaded it all anyway.

The password for the rar file is "malware"
http://www.megaupload.com/?d=KE19T9DI

As someone interested in learning malware analysis this is a treasure trove of potential examples. Theory is great, and I love reading a good book, but having a third of a gig of applications to rip apart and find the nastiness really calls out to my "learn by doing" mindset.

I really enjoy the Offensive Computing site. These folks are really dedicated to what they do and have a ton of resources about their chosen specialization. So give their site a read, download their malware, and send me an email to compare notes.

4.03.2007

Week of Vista Bugs a poor April Fools Joke

If you are into the computer security information sphere, and I expect you are if you're reading this blog, then chances are you've heard the whole shouting match over the Week of Vista Bugs and its following firestorm. The long and short of it: it's a hoax. Game over.

Now this was something vaguely suspected by many, but at the same time it was something everyone in the security community had to approach with at least a guarded curiosity. Most major sites mentioned it, at least in passing, even if with a mention of the fact that it could be less than legitimate. Sadly this was exactly what the social engineers (a term I use with more than a little disdain, and I'm not fully sure they deserve even that high of praise) at TWOVB wanted, in an exercise they referred to as "hacking the media" on their revelation page. I'd go into more but I'm disgusted with the whole thing, so I'll let you read for yourself here:

The Week of Vista Bugs: The Truth

SANS Internet Storm Center: Week of Vista Bugs is a Hoax

3.21.2007

For the ISI's out there...

That's Information Security Insomniacs, clever I know.

Well it's late and I've been doing Shmoocon prep work all day. I didn't want to call it a night before I posted something interesting.

While no one would confuse me for a big Microsoft fan there are some things I think they've managed to do very well. Necessity being the mother of invention, Microsoft has now developed one of, if not the most, expansive computer security programs in the world. I can't speak for anyone else, but I'm always curious what goes on behind closed doors like that, and in this video documentary of his team Stephen Toulouse really gives you the run of the farm at Microsoft Security Response. Definitely worth a watch.

3.19.2007

A vulnerability to be proud of...


*I make this post without any sarcasm, back handedness, or cynicism.*

I would like to congratulate all the members of the OpenBSD team for their second remote vulnerability in 10 years. Really, it's an accomplishment. This may seem like an ironic thing to say, congratulations that a vulnerability has been discovered, PoC code published, and finally patches issued, but really, in my mind it highlights the amazing efforts of the OpenBSD team.

Ten years is a lifetime for a computer system. Ten years ago most people were running Microsoft Windows 95. Since then OpenBSD has had a grand total of 2 remote vulnerabilities. I'm not even going to fathom a guess at the number of Windows vulnerabilities that have been seen since then, but if you've been involved in security long then it won't take long to conjure up memories of the many, many remote Windows vulnerabilities since then.

In a day when Month of [Insert Technology Here] Bugs are occurring for every technology under the sun I think the OpenBSD team should be proud of themselves for the amazing job of proactive software security that they've done. Bugs will happen, vulnerabilities will be discovered, patches will have to be issued. It's a fact of life in any major development project that such things can't all be avoided, but it's great to see someone is actually doing proactive software security well. The OpenBSD team is setting an example that few, if any, are ready to follow. So I hope the OpenBSD folks celebrated this St. Patty's Day, and here's to another 5 years.

Torment causes Moore harm than good

In August 2006, H.D. Moore of the Metasploit project and Month of Browser Bugs presented an idea that is now stirring up a hornet's nest within the Internet. He proposes a “patch” to the Tor server software called Torment (Tor, everyone’s favorite traffic anonymity tool), that allows the traffic to be traced back to the user in an effort to combat "child pornography." This works by analyzing traffic as it passes through the Tor server and watching for keywords. If any keywords are found, the Torment software uses a Java applet to install software on the user’s machine, which then attempts to gather information about the user and phone home with it.

Let me be clear here. I expect nothing short of absolute and unabated outrage at the proposal, and further, the implementation of such an idea.

I’d like to stop child pornography and the many other electronically assisted evils that are banes to the digital age just as much as the next guy, but H.D. Moore’s proposition of Torment is flawed on so many levels that it should be dead long before arrival.

First and perhaps foremost, the entire point behind the creation of Tor was to reach nearer to the holy grail of completely anonymous Internet usage. The Tor project description clearly states this is necessary so that others cannot “track your behavior and interests” using traffic analysis. Tor might as well not exist if Torment is implemented.

Second, H.D. Moore certainly has a black-hat side – evidenced by his Metasploit roots, and more recently, the time he released a new zero-day every day for a month – however, Torment is being flaunted as a white-hat idea. H.D.’s goal is to “turn the tools over to law enforcement for their own use” to fight the aforementioned crimes. The thing he’s not mentioning is that Torment is no better than any other black-hat attack performed by any run-of-the-mill hacker. It sniffs the user’s traffic, injects code into their request, quietly installs software on their machine without their knowledge, gathers private data about them and their machine (external IP, internal IP, ISP, etc.), then sends this illegally obtained data back to the Tor server. This is no different than any other hack, and no different than breaking into a house. This is illegal, and an invasion of privacy.

Third, federal laws require ISPs (or anyone) who discovers the flow of child pornography and similar crimes to report it, however, the ISP is not required to watch their traffic and look for it. This means that if the ISP just ignores all the traffic, they aren’t liable to report anything – saving themselves a great deal of time, effort, liability, and litigation. By installing Torment, traffic will be analyzed on the Tor servers (which qualify as ISPs), and findings will have to be reported. This is an entirely new level of responsibility for which many Tor server operators are not likely to be prepared.

This rant is becoming a bit lengthy, so I’ll just briefly mention a few other salient points. If Moore’s intention is to turn these tools over to law enforcement, does this mean that we can assume they will be in use and that law enforcement will be watching our traffic without our knowledge? Sounds like a wiretap without a warrant to me. Due to the likely inadmissibility in court of any evidence collected through these means, law enforcement may not even be interested in these tools, but by publicly releasing Torment, H.D. Moore will have just opened another black-hat door to anyone with the means to run/control a Tor server.

Through all this doom and gloom, there are some quick fixes to protect ourselves. From my understanding, if Javascript is not enabled in your browser (which Tor recommends anyways), then the key applet will not function. Second, if you need Javascript (as many online activities do), this tool is looking for keywords. As with any signature-based detection, its accuracy depends entirely upon its dictionary, and if even minute changes are made to the traffic, it may not be a signature match any more. Keep these points in mind as you use Tor or any other anonymous communication protocol. The aptly named Torment may do exactly that to Internet users, so I’m glad that we at Vulnerable Minds have Subrosa in the works.

3.04.2007

How to most effectively beat a dead horse...

The trend of Month of Bugs continues unabated. Lets look at the history and get my arm chair analyst commentary:

  • Month of Browser Bugs
    • Leader: HD Moore
    • Impact: Effective, highlighted the importance of browser security and pointed out a number of noteworthy flaws in a wide range of browsers including IE, Firefox, Camino, Opera, and Safari.
    • Positives: Well researched, well orchestrated, spread over multiple vendors, including some vulnerabilities that affected multiple applications.
    • Negatives: Hard to say considering this one set the bar, and many since have fallen short.
    • Site: http://browserfun.blogspot.com/
  • Month of Kernel Bugs
    • Leader: LMH
    • Impact: Similar to MoBB. Showed that fuzzable flaws weren't purely things found in "trivial" places like browsers, but in serious places like the lowest levels of operating systems.
    • Positives: Took on an equally, if not even more, prolific area of system security. Lots of tasty PoC code.
    • Negatives: I didn't play with many of them myself, but I've been told some of the PoCs were a bit unreliable, not to mention many were not remotely exploitable.
    • Site: http://kernelfun.blogspot.com/
  • Month of Apple Bugs
    • Leader: LMH and Kevin Finisterre
    • Impact: Definitely the black sheep of the "Months", the MoAB was littered with issues. While it did expose some flaws in Apple hardware/software it did little to dissuade Mac users from a feeling of invincibility and was taken less than seriously, even by information security types. Also the first "Month" to have a concurrent project providing on the fly patches to each day's bugs.
    • Positives: Had its sights set on a group that needed to understand their vulnerability and went after a wide spread of Mac software.
    • Negatives: The spread was too wide. Many of the flaws found were shrugged off by Apple users as "not Apple problems" (See: PDF and VLC). Coupled with the fact that PoC was spotty and nothing was ever released about the crowning "Unspecified Kernel Remote Fun", this was thought by many to have not been worth the hype.
    • Site: http://projects.info-pull.com/moab/
  • Month of PHP Bugs
    • Leader: Stefan Esser
    • Impact: At first I thought this would be a joke. Vulnerabilities are reported every day in various PHP based applications. What is currently making this so effective is that they're only releasing vulnerabilities in the PHP core, not the poorly written bulletin board applications that get reported on daily.
    • Positives: Focused on the real security problems with PHP, not the low hanging fruit in 3rd party PHP applications.
    • Negatives: Well... this is where that beating a dead horse comment came from. PHP can seem like the majority of all vulnerabilities reported and it can seem like more PHP vulnerabilities are just overkill. Also no word yet on if fixes will be provided.
    • Site: http://www.php-security.org/
So what's my final take? Well, there's a place for "Months" but they're only effective if well done. What makes an effective Month? Here ya go:
  • Choose a relevant technology and make sure your vulnerabilities affect it, not arbitrary related software. If you say it's Apple vulnerabilities then fuzz iTunes, not VLC.
  • Going along with the last point, it's also important to deliver what you promise. If you promise a kernel level vulnerability then it better exploit the kernel. If you promise it's remote then it needs to be remote, not remote if you can social engineer someone to run it with Admin privileges.
  • Give us proof of concept code, otherwise it's too easy for everyone to say you're makin' it up.
  • If you break it then fix it, or at least find someone who will.
  • Be fair to the vendors and be fair to the users. Dropping 30 0-days doesn't help users. Being pushed around by a vendor who doesn't wanna fix their problems doesn't help users either.
All that said I welcome the Month of PHP Bugs. While I'm not a huge fan of PHP it is an important language that makes up many sites that are used daily all over the Internet. Stefan Esser has tried to improve security in every way he can, and for my money he's now responsibly using vulnerability disclosure in a way that will hopefully encourage the PHP team to make their language more secure, and that's better for everyone.

2.10.2007

Quick Note

Ivan Krstic is scary smart. That is all.

2.08.2007

Forget the watchers: Who will protect the protectors?

So Microsoft has posted what we (Windows related security folks I mean) can expect this coming Tuesday (which I refuse to refer to as super). A grand ol' 12 patches this time, with more than a healthy smattering of critical ones. One caught me off guard:

One Microsoft Security Bulletin affecting Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint. The highest Maximum Severity rating for these is Critical. These products provide built-in mechanisms for automatic detection and deployment of updates. Some of these updates may require a restart.
Interesting. It shouldn't really come as a surprise I suppose. Software is software, it's all going to have holes, and it's all going to need to be patched. Still, it always seems to make us pause whenever security products are possibly exploitable, like that dream where you're suddenly naked. Suddenly, abruptly, you're vulnerable.

This makes Symantec an interesting case study. They had a hole in Symantec Antivirus. Guess what, it happens. They put out a patch when the vulnerability was announced, no exploit really floated to the top, no big deal. That was in the spring. December rolls around and all of a sudden we get W32.Spybot.ACYR, a network worm exploiting that flaw in Symantec Antivirus. Why? Because most system administrators were great about updating their virus definitions, but seem to have not bothered to install the patched detection engine. Who ever said security devices were impervious? No one. This is why we deploy defense in depth.

Cisco is dealing with it now, with potential exploits against everything from routers to firewalls and IDS sensors. And now Microsoft is patching the majority of its security software, including its security crown jewel, Live OneCare. Many others have happened in the past, and yet still the Symantec worm happened, nearly 6 months later, because the message still hadn't gotten through: even your security software needs to be patched.

Still, I can't help enjoying the irony.

2.06.2007

I Dvorak

The grand experiment has begun. After Steve's wonderful diatribe on his good experience with Dvorak, reading the Dvorak zine (comic book style), and after hearing the same for months from al3x, I've jumped in and taken the Dvorak plunge. Friday afternoon, sitting around Murky, I pulled out my trusty little pocket knife/bottle opener and proceeded to painstakingly scrape all the relevant letters off my iBook's keyboard.

Now I don't do well with tedious things, but taking the time to scrape each little letter off all those keys was good preparation for my first few minutes of typing. I'm not going to pretend it wasn't frustrating, because it is. Everything you've been taught, everything you've trained on, all different.

Slowly though, things got better. I visited the Dvorak zine website and found a lot of great resources that helped me through the initial stages. First I popped onto their Downloads page and downloaded the Dvorak wallpaper, which makes for a very handy reference, especially when combined with Expose.

Now it's two weeks later.....

I'm an undisciplined slob. The wallpaper is still up, my keys are letterless, but I'm still typing QWERTY. This weekend I take another crack, hopefully getting in the practice I wasn't able to get in last time. I still need to be functional at work. Hopefully my practice this weekend will help, but with so much to do it's not really the best time to start typing like a dyslexic 3rd grader. Maybe there never is a good time though.

Any tips from anyone?

1.17.2007

Might wanna rethink that...

The Register today had an article saying:

"Brits planning a trip to the US will now have to surrender all 10 of their digits to the authorities for fingerprinting. The prints will then be added to the same FBI database which stores the prints of convicted criminals.

Trials are set to start at 10 airports in the UK this summer, according to a report in yesterday's Observer newspaper. But critics have warned the move will infringe people's civil rights and, worse still, lead to longer queues."

First of all I don't know if anyone would notice the lines at the airport getting longer considering how long they are already. Second, and more importantly, I think perhaps there are bigger problems here than just standing in line longer.

12.20.2006

The Degree Debate - Is a degree necessary in tech?

This post is a little close to the vest (is that the actual phrase?) so I'm not quite sure where it's gonna go.

As I state quite freely in my 'About Me' bit on my blog I have not yet fully completed my Bachelor of Science degree in Information Sciences and Technology from Penn State. It's close, only 10.5 credits away.

The Breakdown:
- 3 credits of IST331 - An Introduction to Human/Computer Interaction.
- 3 credits of either IST412 (Structured Programming) or IST413 (User Interface Design).
- 3 credits of IST440w - IST Senior Capstone Class.
- 1.5 credits of Kinesiology (aka Gym Class).

I planned on finishing all these requirements this past fall, taking a ninth semester. This choice was made last spring, and a week after I got my job offer from my present employer. After deliberation I decided it was too good an offer to pass up, and so here I am outside our nation's capital, doing my thing.

Ever since then everyone and their brother (or more often mother) has harped on me about how important it is that I get my degree. I hear reasons like "You're so close!" or "You'll only go so high without a degree!" or "What if you lose your job?" day in and day out. I'm already wondering how many conversations I have with my family this Christmas will be 3 minutes about my new job and 7 minutes having a family member, who most likely is making less money than I do with lower job security and multiple mouths to feed, lecturing me about how I'm in an unstable situation and need to finish my degree.

The more I think about it I just want to turn to them all and ask "Do I really? I'm not so sure I really do." Honestly I'm not convinced. I have a few reasons for this. The computer industry is not the business industry of the 1980s. A Bachelors degree is not a magic ticket. While there are many talented people in this business that have degrees there are nearly as many equally talented people who don't have them. Nicholas Negroponte is building his own computer to change the world, and he has a PhD. Bill Gates and Steve Jobs also built their own computers that changed the world, and they were drop outs. Bruce Schneier has a Masters in computer science and is (or was, depending on people's opinions) a leader in the security field and holds a Masters from American University. H.D. Moore is also a leader of the security field and as far as I can tell never went to college at all. Even closer to home I have good friends who are leaders in the computer security world, some with degrees, many without.

Since it seems to have little to do with my overall success in my chosen field I always question what will a degree do to benefit me? If you scroll back up and look again at the classes I'm going to have to take I think you'll agree that they aren't really relevant to my career path. IST440w especially seems stupid, since the whole point is to prove you can survive in the business world. Guess what, I think I'll be ok. Maybe it's the gym class that I need.

Now that I've ranted enough about this I'm going to admit that I do plan to finish my degree soon. The combined forces of being so close, having an employer who will pay for it, the desire to be a professor someday (and thus needing a PhD to go with a BS), and my parents' wishes are too much for me to fight against. I'm still not convinced it's necessary, nor a real boon in the InfoSec/Computer field anyway.

I'd love to hear various people's thoughts on this. Do you think a degree has or will help you? What skills do you think you gained in an educational environment that will help you in business? What gym class should I take? These are all important questions, and I hope some of you, my readers, will take the time to answer them.

12.17.2006

Yeah, that'll protect 'em.

I don't normally walk in and introduce myself with a rant, but this I actually found rather funny. Now, I understand that protecting the safety and sanity of legal minors is an altogether important issue that should be addressed by society as a whole. In cyberspace, networks can be configured and monitors set up to protect little kiddies from objectionable material. And then there are the currently unsuccessful attempts by web services to do the same. Granted, this is no easy task! As someone who's had to (and still has to) consider mitigation strategies against the risk of a minor meeting a cyber someone-up-to-no-good, I can empathize with the difficulties. But honestly, some of these implementations I've encountered are just plain ridiculous.

At the risk of being über-cliché, let's focus on MSN. When my university email account expired, so did my messenger service (despite there not being any logical or necessary relationship between the two -- oops, tangent). Since MSN Messenger has been the conventional link to my cousins in Asia (during their office hours anyway), I decided to sign up for a new account. Yeah, umm, that was an interesting experience...

No, I don't have a hotmail account, nor do I want one, so I decide to use one of those throwaway email addresses. First page is the usual registration stuff -- pick a password, pick a security question, verify your non-botness. Second page asks personal info. "This information will help to personalize your MSN features." Mmm, okay, I've never seen these personalizations during my last account, so I check to see if these were optional. No, unfortunately, they're serious about wanting my birthdate and field of work (even though I was born on January 1, 2006). They even insist that my zip code (somewhere in Wisconsin, apparently) match my California location. I guess if you're asking for personal information, might as well do some basic location validation.

"Before you can sign in and use Microsoft online services, a parent needs to give you permission. You can get permission right now by asking your parent to come to the computer. Or, you can send an e-mail asking your parent for their permission." -- Third page.

This is where the game is played. Long story short, they want the adult to sign in with their LiveID, or create one if they don't have it. Not like this "adult" has actually ever been verified as an adult... It would've been much easier if I had listed my birthday as over 18 to begin with, but I'm not really in the mood to go back and redo my answers. So I try clicking on the "I'm an adult. Why am I seeing this page?" link...

Are You an Adult?

Your birth date indicates that you're a child. A parent must give permission before a child can sign in and use Microsoft online services.

If you made a mistake when you entered your birth date, and you're an adult, click Yes below. We'll ask you to provide a valid credit card number so we can verify your age. We will not charge your credit card. [emphasis mine]


Nice try.

I mean, this is not even a "kill a fly with a brick" situation so much as a "kill a fly by turning off the light" non sequitur. I faintly wonder what they'd do when fed a legitimate credit card number of a sixteen-year-old Daddy's girl. I wasn't interested enough to find out, and I ended up starting the whole process over again anyway.

Obviously, current server-side child-protection measures leave much to be desired; that's a given. My guess is, until the day comes when Big Brother can fully ID you on the other side of the wire, there will not be any effective mitigation at all. And in this case, who are they really trying to protect here? Their own butts, really. I wonder if the parents of the world actually feel any safer at all with these mechanisms.

That said, honestly, the best firewall / content-based IPS one can ever set up to protect one's kids is by providing them with the knowledge to make their own informed decisions. Hopefully that will be a cliché and we can get over this credit card number silliness.

12.15.2006

Frameworks - The Way of the Future

I've finally done something I've been promising to do more lately. I've been programming more. SCARP, yes it needs a new name and no I'm not telling you what it is, has been my project of late and it's great getting back on the wagon. In spite of what I said in a previous post (Does this sound Scripted?: My Love/Hate Relationship) I've been back to learning Ruby. The draw of getting involved again with the Metasploit Project and the evangelism of my friend al3x has convinced me, and it's fully worth it. Ruby, once I got away from Why's Guide, has been a joy. My current project has been good, and it's already leading to a larger project that should be quite interesting.

One of the things that makes Ruby most interesting is Rails; defined by its inventors as:
"...an open source web framework that's optimized for programmer happiness and sustainable productivity."
A nice application by the folks at 37 Signals, Rails will make my next project possible and I look forward to working with it.

In addition I'm also looking forward to renewing my involvement with the Metasploit Project, which moves to Ruby for version 3.0. Metasploit is defined as:
"...an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research."
Now before you start thinking that this post is going to be about me espousing my love of Ruby you should know I'm not there yet, though on the way. No, what sparked this post was coming across the Backframe Project. Not familiar? Neither was I. Backframe is:
"...an experiment to create a full featured attack console for exploiting web browsers, web users and remote applications. Those who are familiar with XSS Proxy or even BEEF might already be familiar with the core principles of the project.
...
The result of these core principles is an easy to use and understand web-client-oriented attack framework that keeps the data, the presentation layer, and the underlying logic apart. This design is known as "the separation of concerns model". This is a highly effective practice which allows one to easily extend upon the core elements."
What struck me is the fact that frameworks, like Rails, Metasploit, and Backframe, are becoming the new elements of object oriented programming. Since the beginning of OOP there have been classes, even libraries, but now so many modern projects are moving well beyond that, complete applications, complex, intricately designed, with no other use than to facilitate the creation of other applications. The full featured APIs that are coming out of web projects from people like Google and sites like Remember The Milk are close relatives, but they are interfaces, where frameworks are going above and beyond.

What's my conclusion? I don't really know, I'm waiting to see. All I know is that projects like Rails and Metasploit are turning their respective industries on their heads. Rails has made Web 2.0 applications something that aren't just created by the likes of Google, but by some kid sitting in a coffeeshop on an MBP sucking down americanos wearing a goofy Puma sweater. Metasploit took cutting edge exploits, made them easy to develop, and even easier to fire, drastically changing the threat landscape for people like yours truly.

So check out Rails, Metasploit, and Backframe. They're all interesting projects with nice frameworky goodness. I'm not sure if frameworks will be the way of the future, but frameworks have largely become 2006's contribution to the idea of object oriented programming. I'm eager to see what 2007 may offer. And keep your eyes peeled, more fun is on the way.

12.06.2006

Is infosec all about the benjamins?

Author's Note: This post has been a very long time in coming and has been reworked more times than I care to count. Coming up with the correct perspective was tough, but I think I captured it. Finally. (On a second note I wrote this before I started my hopefully last set of revisions, so we'll see.)

There was a somewhat depressing message board post that I stumbled across today in the Security Basics list of SecLists.org:

Date: Fri, 01 Dec 2006 22:09:12 +0000

Evening,
Showing my age I'm finding it increasingly difficult to find security geeks who
are truly passionate about security. There seems to be a recent trend in
unpassionate people chasing either the money, an easy ride or something that
isn't as dull as network or system administration.
So how would you identify passion quickly, personally I like what cons have you
been to? If they are passionate but poor they would reply none but I'd like
to .... What books have they bought, what tools do they use what sites
do they visit email them at night and see how long it takes them to reply

what else?

--
Andy Cuff
I've been thinking a lot lately about the polarization of the information security industry as it's grown. Let's take a look back.

A few years ago there were no security jobs, and very little security industry. Hackers were pesky, annoying people whom sysadmins had to cope with. Network worms were largely theoretical. Security was merely a secondary function of many different jobs, such as website designers, network managers, and client support teams. These admins, programmers, and support reps began learning new skills as necessary, related to their primary responsibilities. As security events became more prevalent, with more high-profile computer compromises and worms like Code Red and Slammer, these people morphed into the vanguard of information security. Different jobs by trade, they quickly moved in to fill this emerging need. These were the first, the amateurs who became more. Most of the information security ranks, large as they are now, are filled with these people. They come from computer science degrees, information systems degrees, business degrees. Many have no degree at all, merely drive, the ability to learn, and the desire to be pioneers. Many of them have been blackhat hackers themselves, turning over a new life, reinventing themselves as today's protectors, giving them an insight and understanding that few can conceive.

A few years ago this model was realized by the military, and later academic, community. They realized that as more and more value was placed on computers and on the Internet that we'd need more of these people. Until around 2000 these people had grown and learned organically, but universities decided they needed to be manufactured. The result? Degrees like: Security and Risk Analysis (from my own Alma Mater), Information Technology Security, Information Assurance, even (my personal favorite) Information Security Engineering, and many others. All these programs under all these names resulted in one thing, a new breed, 75% computer scientist, 15% script kiddie, 10% policy wonk, the Information Security Professional.

The piece of this post I've been missing, my point, was exactly what Andy brought up. I'm frustrated that this new generation, these Information Security Professionals, have no passion, no desire for it, no deep abiding curiosity. At first I figured it was more about the old guard hackers vs the new school professionals and thought that was the difference, but it didn't feel right. I got in my fair share of trouble and may have done some things in high school that would loosely be defined as compromising a system, but I can't lay claim to ever being a blackhat. I can't claim to be a hacker in the media given sense of someone who pops boxes for fun. I am, have been, and will, for most of my career, be a defender. I've been trained not from Phrack or attending 2600 meetings, but through personal research and even some classroom activity. Yet I feel more akin to those from that older group than these new "professionals". I wondered why this was, as it often feels, based on my technical aptitude, that I fall closer to the new breed. Passion, I realized, that was the difference, the deciding factor. It's not taught, no matter how many 400 level Security Architecture, Ethical Hacking, and Risk Assessment courses a person takes. That's the missing element, that's the difference, and I somehow think the future of this industry is going to hurt as a result.

So where's that leave us? I don't know, give me 10 years and I'll tell you. I hope things turn around but between now and then I know I am going to continue to try to surround myself with those who have the passion for what we do. Those people will be the difference between innovation, and simply firewall maintainers.

12.03.2006

Might have been better as a Haiku

Dave Aitel, someone whom I've disagreed with on a number of occasions but ultimately recognize as one of the best on the offensive end of infosec, put up an interesting little post in his list "Daily Dave". It was almost poetic really, and since many people don't really keep up with Daily Dave (seriously, who likes mailing lists anymore?) I figured I'd repost it here and maybe add a thought or two:

Date: Sat, 2 Dec 2006 21:04:32 -0500

Give up all your Solaris RPC remotes. All your Tru64 tricks, all your
Microsoft client-sides. The bug classes no one has seen yet, forgotten. The
kernel trojans you use daily, gone. All your shells. The ISPs, the wacky
personal servers of the developers everyone else reveres. Your
ex-girlfriend's laptop. Every exploit and click-script. Lose everything you
know.

Give it all up, and never look back. If you are a Unix hacker, switch to
Microsoft. If Win32, install Linux and never call a Windows API ever again.

Now try again.

-dave
I for one couldn't agree more. As security professionals it's easy to get locked into our tools, especially operating systems. It's natural. We're creatures of habit as human beings, and this is only exacerbated with our work in the security world. We spend our lives looking at and for anomalies, the new things, the cutting edge. I think many of us get very habitual about things because we're trying to give ourselves the slightest bit of consistency as a framework in the constant search of the anomalous.

Still, Dave's point has nearly infinite merit. Every bit of time spent with new tools, new systems, new malware, new operating systems, all of it is increased knowledge, gained familiarity, the chance to discover something new. Sometimes it's done to learn something specific, more often we don't even know when it will come in handy. Being comfortable with your tools is good, but being comfortable with a more diverse set of tools is even better.

I'm the first to admit I've become fairly comfortable, even though I'm fairly diverse. My personal laptop, called Kaylee, is running OSX. My desktop, called Book, is running my Linux distro of choice, Ubuntu. Beyond that I use Windows here and there, but I'm still far from as familiar as I'd like to be, especially as I attempt to better learn the offensive end of infosec. I could also stand to spend some time digging around some of the other big operating systems out there, most notably Solaris.

Maybe it'll be like getting a new piece of furniture, not so familiar, but functional, and maybe more in style. That being said, everyone has that old, beat up, junky couch they just can't throw out, I guess there just has to be a place for both.

11.22.2006

Did we not see this coming?

There's an easily exploitable critical vulnerability in OSX. (See here, here, here, here, here, and here.)

I'm torn on my reaction to this, but in different ways from most. On one hand it's not worth getting worked up, anyone who can be honest will admit there are going to be security problems in any bit of code as big as an operating system, or even a file system. On the other hand as Mac users there's largely been an undeserved sense of security that can only last so long and this is a serious threat.

I'm tired of the "Is OSX or Windows more secure?" game and I'm not even gonna try to throw out a logical opinion. I have a whole new opinion; operating system security is not a zero sum game. Just because one may be more secure than the other does not make it uncompromisable. I drive a car that has an impressive safety rating. I have a friend who drives one that doesn't. If I'm in a bad enough accident I'm still dead, there's no "but Amber's car is less safe so why am I dead?" Maybe OSX is more secure than Windows (though we have yet to really see Vista in action) but a system level exploit is still a system level exploit with the same results, even against the "more secure" machine.

Windows users have been under fire for years. My own mother, a very intelligent woman, though not the most computer savvy, knows that it's a problem when her anti-virus subscription is about to run out and knows why the family computer has a firewall. Mac users have been in their ivory tower too long. If Apple users don't want to learn the hard lessons that Windows users once had to learn reactively then Apple users must learn proactively and I fear few are ready for that lesson.

I was chided once by an Apple Genius for having an Open Firmware Password setup on my system. I've heard too many "respected" Apple advocates suggest that an Apple will never need anti-virus software, and that built in security features like FileVault and Secure Memory aren't worthwhile. And then today a handful of bloggers considered an easy to exploit vulnerability as something to be put out of mind cavalierly.

It's time for the security conscious of the Apple community to stop quibbling about "us vs. them" and instead to educate those who still believe they are invulnerable simply because their operating system is from Cupertino and not Redmond. We have a responsibility, and I think rather than arguing, it's time to improve things for everyone.

11.20.2006

An Excuse and Thank You

So I've been working on a blog post for most of the day, and it'll be a good one *crosses fingers*, but trying to get the coherence I want is taking more effort than I'd like. I'm less than pleased.

In lieu of that I'll leave you something short to chew on:

I added John Gruber's Daring Fireball back to my blog list recently because.... I don't know. Everyone seems to think he's the Mac Pundit and that his words are gold, but I never really thought so. Even so, if I miss some word he says, someone has to say I'm missing a vital piece of the Mac blog scene. He also seems to be the fountain of all baseless drivel that Mac people spew in regards to OS X security. I mean, I agree it's better than Windows, but it's not infallible, far from it, and possibly farther from it than we like to think.

For this reason I'd like to say a big thanks to Thomas Ptacek at Matasano for putting Gruber in his place. It's for reasons like this that I hardly pay attention to Gruber, and hardly ever will. Read away:

Daring Fireball -> Matasano