That Time Someone Tried to Scam Me on Ebay
For years I have avoided the frenzy of selling items on eBay, but after purchasing a new iPad, I decided it was time to give it a shot. Thus, I posted my earlier generation iPad for a relatively high price and hoped for the best. I have posted the item three times now; it has sold all three times, and all three times it has been a scam. The last scam attempt nearly got me; this is the story of what happened.
A few short days after posting my old iPad I got the good news that someone skipped the entire bidding process and used the “Buy it now” feature on eBay to immediately purchase my iPad. This was the first clue that something was up. My item was not by any means the cheapest iPad that could be purchased with the “Buy it now” feature. In addition, one could almost certainly have bid on an iPad and spent $50 less. Being an optimist though, I decided that my iPad had just sold and I’d move forward with the process.
I immediately received a message asking for my E-mail address so the buyer could make a payment, thus I gave it (this was a mistake).
The next clue that something was wrong came in the form of an E-mail. Because this was an international purchase, I had the opportunity to add an additional shipping cost. Since I was happy to have sold my iPad for such a high price, I decided to add on the relatively modest cost of $20. After I sent that to the buyer I received an E-mail letting me know that they had also looked up the cost of international shipping, not to the UK where they were located, but rather to Ghana, West Africa, where the buyer’s wife was. My iPad would of course be a birthday present, and the faster I could send it the better. Clearly this was a scam, and I had already come to terms with the fact that my iPad had not actually sold when something odd happened…I received a note notifying me that I had received a PayPal payment.
To be fair, I got this message while I was rushing to an airport for a four day trip so my immediate thought was, “Crap, there is no way I’m going to be able to get this out in a timely manner.” It wasn’t until I got home from that trip that I took a closer look at the message I was supposedly receiving from PayPal.
A few things stuck out. First, the buyer paid more than the extra $20 I had asked for; second, some of the grammar was a little off, e.g. “You have ‘gotten’ funds.” I therefore went directly to my PayPal account to check whether I had received the money…I had not received any payment. I took another look at the message telling me I had received a payment and, lo and behold, the message came from a ymail.com account. That’s right, a Yahoo account posing as a PayPal one. As one last piece of review I took a look to see if the user had any positive reviews. Not only did they not have any reviews, their account had been created the day of the purchase. Clearly a scam.
The moral of the story is this: cover all your bases when selling items online and be certain you have the money before you send anything…Anyone want to buy an iPad?

Ten Tips for the InfoSec Traveller
With RSA just around the corner, a number of infosec professionals will be packing up and doing some travel so here are a few tips to consider as you’re packing your bags.
10. Make a technology travel kit (including a travel computer)
This habit comes from my days of doing forensic investigations. There is nothing worse than having to remove a hard drive for imaging with a butter knife because you neglected to bring a screwdriver. Whether one’s travel is light or heavy, always be prepared! This means building a comprehensive kit that can be put together quickly and is light to carry.
Recommended Equipment
1. One cable for each piece of equipment (e.g. iPad and iPhone equals two USB cables)
2. Power adapters (The TrendMicro adapter pictured is worth its weight in gold)
3. Smartphone battery backup (extremely handy; my personal choice is from Brookstone, $40)
4. GPS that is not your smartphone. My personal choice is whatever is on sale when you go to buy (*Protip make this your second GPS, do not use the one you utilize at home).
5. Presentation Clicker: bring your own, never let anyone borrow (personal choice is from Targus)
6. A travel computer that is not your primary machine for computing at home (get an Apple already)
7. Power supply for portable computer
8. A mouse (don’t get stuck using a trackpad on a massive excel document)
9. Display adapters (if necessary for your computer)
10. A portable projector (if work will pay for it)
9. Portable surge protectors are lifesavers in airports and conf. rooms
Every InfoSec traveller has been there: a piece of crucial electronic equipment, whether it’s a computer, cellphone, or something else, is dead and there are no open electrical outlets in the airport. For the inexperienced traveller this will set them out on a quest for that open face of 120v goodness, but not you, no, you’ve got your own portable surge protector. Now you can share an open outlet with someone else. Even better, you can charge your computer, iPhone, iPad, and possibly something else all at the same time!
Recommended Products
There are a ton of products to choose from here, but one key feature to absolutely consider is the inclusion of USB charging outlets. This reduces the number of chargers one has to bring to charge a number of diverse devices. My personal choice in this realm is the Belkin Portable Mini Surge with USB Charging Outlet for $14.95. One thing to remember though is that this will not fit into some tight places, for those one will need a bigger surge protector with a cable, which is something that I normally go without.
8. Get a smartphone and a tablet
Ok, in many ways this goes without saying. However, if you’re running around with a Blackberry, you’re missing out on a whole lot. There are a slew of applications for both tablets and smartphones (particularly iPhones and Android powered phones) that are extremely useful and entertaining. At the same time, if you’re still watching movies on your iPhone, it is probably time to upgrade to a tablet.
Recommended Apps (for iPhone)
1. Spotify with a $10/mo subscription (always have the newest and greatest music & the ability to make new playlists on the fly)
2. Tripadvisor (City Guides!)
3. GateGuru (know all about the airport you’re in and what places are best to eat or entertain yourself)
4. Yelp! (Find the best places to eat in any city)
5. Your favorite card game
Recommendations for Tablet (iPad)
1. Bring your five favorite movies
2. Bring your two favorite TV shows
7. Buy good headphones and keep a backup
This takes a long time for a lot of people to learn, but there is nothing worse than watching a movie on your iPad and then having one earbud go dead. This launches most people into a long battle of twisting the connection and trying to align wires in whatever way will just get them through the flight. Don’t be that person. Number one, a good pair of headphones will easily pay for itself compared with the multiple cheaper sets one would otherwise go through, e.g. the Bose MIE2i comes with a one year warranty for $130, which is equal to ~4 Apple Earbud purchases (and they sound better). Also, noise canceling headsets are great for quieting noisy planes (so you don’t have to blast your headphones to drown out engines) and airports.
Recommendations for headphones
1. Bose MIE2i (with iPhone mic. Great for on the run conference calls and not having to reach into your pocket for volume and/or starting and stopping music or movies)
2. Bose QC3 (personal favorites, but if one prefers over-ear instead of on-ear check out the Bose QC15s)
6. Always have two forms of identity (in separate places)
Simple, keep a passport with you as well as your license. Or some other form of ID that can get you around places that require ID and on planes.
5. Travel clothes are versatile and rugged
This is probably a recommendation more for the men than the ladies, as I do not pretend to know how women should pack clothes. For guys though, aim to bring clothes that are multi-purpose. If you bring a coat, bring a coat that you feel comfortable wearing casually and formally, as this reduces the amount necessary for packing. If you are bringing casual shoes, try to bring casual shoes you can work out in. Also, bear in mind that these clothes are going to get beat up, so pack clothing items that you are ok with this happening to. Finally, be prepared for several weather conditions.
Recommendations:
1. Pack for everyday specifically plus one extra day
2. Bring formal, casual, and workout clothes (and try to cross-over)
3. Be prepared for multiple weather conditions (personal preference I keep a Loki jacket which has hidden integrated mittens and facemask for cold weather)
4. Sign up for rewards programs
Not signing up for rewards programs is a rookie mistake that is made altogether too often; do not make this mistake. Signing up for member rewards programs is simple, easy, and comes with an amazing number of perks. Don’t stand in line at Hertz, get free breakfast and water at Hiltons, free upgrades on airlines, etc, etc, etc. Do not make this mistake; it saves you time, money and a ton of frustration.
Some of the main ones:
1. Hilton Honors
2. Marriott Rewards
3. Starwood Preferred
4. Hertz Gold
5. Enterprise Plus
6. National Emerald Club
7. United Airlines Mileage Plus
8. American Airlines AAdvantage
9. Delta Airlines Skymiles
10. Southwest Airlines Rapid Rewards
3. Keep it clean (WASH YOUR HANDS!)
Airports, airplanes, hotel rooms, and rental cars are filthy. They are, it’s gross, so keep it clean! Wash your hands before you eat, keep sanitizer on you. Keep clorox bleach wipes with you, for areas you will be touching often (*Protip, remote controls and telephones in hotel rooms are rarely, if ever cleaned, bring some portable Clorox bleach wipes to wipe them down).
Recommendations
1. Clorox Bleach Wipes travel pack
2. Purell Sanitizing Wipes (recommended over the liquid due to travel restrictions)
3. Wet Ones (nice hand wipes)
4. Toothbrush Sanitizer
2. Keep it light!
Thus far we’ve listed a number of things to bring along when travelling. This adds a bigger load of things to have at all times. This isn’t necessarily the best idea when it comes to travel though; instead the goal is to keep it light! Reduce strain wherever possible. Much of this comes down to intelligent packing and the right kind of luggage. Those of us in the infosec space will typically have computing equipment with us at all times. Heed these words of advice: DO NOT TRAVEL WITH SINGLE SHOULDER COMPUTER BAGS. There are too many people who have had long lasting shoulder injuries to ignore this. Use a two shoulder backpack and if necessary pack a single shoulder bag strictly for style. Do not use the bag you got at a conference; first of all, 90% of them are not a good backpack. Also, they are 100% of the time really dorky. In terms of luggage, think four wheels. This drastically reduces the amount of strain for larger suitcases.
Recommendations
1. Timbuk2 Q Laptop Backpack (I love my Timbuk2 bag)
2. Samsonite Spinner (Really any spinner case will do)
1. Enjoy yourself
This is the one most people probably forget, have fun! There is a whole world out there to be seen, when you’re travelling, try to see it! Make the best of all your time, if you are 100000% working while you travel, try to work from places that are different and interesting, maybe the coffee shops on site. If you are strictly airport to client site, try to enjoy the different airport restaurants you get to eat at. The point is, travelling can be tough, but if you make your work travel a mini vacation every time it is much more bearable.
Ten Things Every ITsec Pro Should Do
10. Work for a vulnerability research powerhouse
Working for a vulnerability research powerhouse can be a rewarding experience for any curious minded security professional. On top of working in an environment fueled by out-of-the-box thinking, there is typically a wealth of information at every employee’s fingertips. If used correctly that information can be utilized to accelerate a career and/or reach a level of subject matter expertise. Some excellent examples include IBM ISS and Rational, Sourcefire, McAfee, the NSA, and HP (with TippingPoint and SPI Dynamics). Don’t overlook smaller companies that make a significant investment in research though; companies like ImmunitySec and Rapid7 would be good as well.
9. Write and conduct a hands-on training course
Due largely to the fact that the term “information technology security” covers such a broad range of topics, even the most knowledgeable security professionals may overlook the depths of their own abilities. Writing and conducting a hands-on training course can sometimes help professionals gauge their knowledge level. In addition, it may result in a nice knowledge exchange as well. The days of trading “philes” may be mostly dead; trading knowledge through training may be a nice substitute.
8. Openly complain about an operating system and swear to only use BSD
Realistically BSD is enough of a pain to get up and running that hardly anybody actually ever uses it as their primary desktop (unless the desktop has a very specific purpose). Regardless, as a security professional it’s a rite of passage to complain about every other operating system in existence.
7. Attend the RSA Code Breakers Bash
It may sound nerdy because well…it is nerdy. Either way the Code Breakers Bash is one of the biggest (if not the biggest) IT Security parties of the year. It is easy to get lost in the day-to-day operations of IT security and never see the industry for the bigger picture. The Code Breakers Bash can be an eye opening experience for any ITsec pro who has never experienced it. The amount of money organizers spend on the party alone makes it worthwhile; however, if that isn’t enough, then taking the opportunity to see a lot of executives and mid-level managers drunk and engaged in some sort of geek tribal dancing is well worth it.
6. A Secret Squirrel Forensic Investigation
Network forensics solutions such as EnCase Enterprise, Prodiscover, Mandiant products and others are making secret squirrel investigations (investigations where an analyst images a hard drive without the user knowing) less relevant. However, the experience is so much fun that if there is any possibility doing this type of investigation, jump on it. There is a level of thrill in this type of activity that is really unrivaled by just about any other IT security activity.
5. Publish a piece on information security
Having a whitepaper published and posted on a website is an extremely rewarding experience, and publishing a piece within a publication can be equally rewarding. The best part is that a publication will be around forever. Consider it a security professional’s legacy.
4. Conduct a Formal Penetration Test
Security professionals should know how to hack stuff, plain and simple. There is no better way to put these capabilities to the test other than to conduct a real world penetration test.
3. Participate in a Government Information Security Exercise
Participating in government security exercises will show anyone just how far IT security really has to go. It will also hammer home how important it is that the community bridges that gap. Unfortunately, this stuff doesn’t work how it is portrayed in the movies. Fortunately, most people don’t know that, so it always sounds cool when you can tell your friends about participating in non-secretive government exercises like, “Cyberstorm.”
2. Walk the RSA Conference USA Show Floor
The sheer amount of money flowing through the RSA show floor makes it a unique experience for every IT security professional. It is easy to see IT security as a battle for control of an infrastructure or data; seeing the RSA show floor will open anyone’s eyes to the monetary foundation that is really running the industry. If that isn’t reason enough to go, then robbing the show floor of as many pieces of swag as possible makes it worthwhile. Bringing that swag back to an office and seeing people’s faces light up as bags full of junk are laid out for them is a memorable moment to say the least.
1. Attend BlackHat and DefCon
BlackHat and especially DefCon are somewhat like a pilgrimage for security professionals. The events and talks are legendary, and although the conferences have evolved over the years they are still the premier computer hacker conferences. If for no other reason, attending these conferences is worthwhile to see and meet people who are genuinely passionate about computer security. DefCon was probably the first place where a person’s cool points were based on how l33t they are. As well as probably the only place where saying things like “l33t” might cause a person to get beaten with keyboards, bad odor, and old beer bottles.
Feeling the Burn
It used to be that I could sit down and write a new blog post whenever I felt like it, I just had so much to say! Today I sat down with the intention of writing a new blog post and I came up with absolutely nothing. I am literally five drafts in on multiple topics ranging from toys that I want to buy, to the business of big data analytics, all the way to how to integrate an intelligence process…at the end, they were all crap. All of them. I recognize this isn’t because I have nothing to say, but rather because I am totally burnt out.
I don’t think that I am the only one suffering under these conditions however; I think many of us are probably struggling today. Frankly there is too much work to be done and too few of us to actually do it. Worse yet is the influx of less experienced, less passionate, and less talented security professionals stepping onto the scene attempting to dominate. In a way this is more exhausting than anything because it not only fails to decrease workloads but also creates a difficult environment for ensuring quality of security delivery.
Furthermore, for many, including myself, much of our workload now is less security related than it has ever been. This is especially true for the travelers whose work/life balance consists of trying to integrate 20 hours of travel every week. The point is it is rough out there right now. I leave you with this one piece of advice I look in the mirror and tell myself every morning…hang in there.
Defcon Survival Guide 2010
Rules to Live By
1. Do not use the ATMs at or in the close vicinity of the Riviera
2. Secure cellphones as best as possible
a. Do not connect it to the wireless network
b. Bluetooth and other non-essential communications mechanisms should be off
c. Not physically visible during the conference
d. Store phones in a secure location where they will not fall out and possibly fall into the possession of someone else. In fact, do this for any personal item of value.
3. Do not use any credentials on websites without encryption throughout the entire conference (see sidejacking)
a. Dynamic port forward all your traffic through a properly configured SSH tunnel
b. Use a VPN tunnel for all traffic
4. Do not take unauthorized DefCon pictures in the contest area or in the CTF area
5. Do not give away valuable information (utilize constant vigilance)
6. Do not attach a work machine or a machine with valuable information to the DefCon network
7. Do not accept “free” devices to attach to a machine (e.g. a free USB key from another attendee)
8. Do not antagonize anyone with a “Goon” or higher-level attendee badge
9. Shower. Seriously, please shower. I’ve said it once, I’ll say it again, poor hygiene does not make anyone a better hacker.
10. In fact, please read and adhere to the do’s and don’ts of personal presentation at conferences written by Shyama, who is a well-known, knowledgeable, intelligent security professional.
What is RaffCon??? (A Mock Conspiracy Investigation)
With the security community fully engulfed in Operation Aurora, BlackHat DC, and ShmooCon, it would be easy to overlook a conspiracy. Thankfully the vigilance of SecAnalysis has uncovered an underground brewing storm, known only as “RaffCon.” Currently, details of RaffCon are sparse at best. However, what is known is that on 7 February 2009 some of the security community’s most well-known, if not notorious, figures met to discuss various topics. We now are aware that the codename for that meeting was in fact RaffCon.
The Players
In attempting to unravel the tightly knit conspiracy plot that is RaffCon, SecAnalysis scoured the hacker underground for information. At great personal risk, a SecAnalysis-turned asset was able to leak the photo below. What this photo reveals is that things are worse than previously suspected.

In this photo it is clear that highly notable and dangerous personas such as Adam Ely, well known for his reporting at Information Week as well as security leadership at Tivo, Rafal Los, known for his evangelization of web application security, Michelle Schaffer, one of the most powerful Public Relations professionals in the security industry, and Caleb Sima, a well known hacker, X-Force alumni and founder of SPI Dynamics, were all in attendance. In addition, John Terril, currently a consultant and yet another SPI alumni known for his short temperament and lethal capabilities, as well as Raffy Marty, former Splunk CTO, known for entrancing even the most focused security professionals with dazzling visualizations, were also in attendance. Finally, there are several sleepers who may or may not have various special assignments.
It should be noted that Caleb was an asset of SecAnalysis functioning as a double agent. The last time Caleb called over to the SecAnalysis team was 14 December 2009. The SecAnalysis team went to San Francisco to meet with Sima. However, upon arrival the SecAnalysis team was immediately headed off by RaffCon conspirators Adam Ely and John Terril, who brought backup in the form of possible RaffCon sleepers Vincent Liu, managing partner of Stach and Liu, and S. Rose, a well known security persona and Security Associate at Stach and Liu. It should also be noted that during the SecAnalysis visitation, it rained uncharacteristically in San Francisco for three full days. Have Ely and the RaffCon conspirators created some type of weather control machine? The SecAnalysis team can only speculate.
What is known is that the communication between Sima and SecAnalysis nearly ended Sima. Shortly after the SecAnalysis team arrival, Sima vanished. He was later found with enough of the chemical CH3CH2OH in his blood system to kill a small elephant. Fortunately, Sima has spent a lifetime building up a resistance to that very agent.
SecAnalysis Takes Action
With no other information SecAnalysis conducted in-depth, if not torturous, interrogations of known players in an attempt to uncover the nefarious activities of codename “RaffCon.” First up was Rafal Los himself. Below are the details of that interrogation….
“Hello Raf, I want to keep this cordial, please tell me what RaffCon is.”

“Interesting, but what is RaffCon?”

SecAnalysis team leaves the room and returns after a half hour. “Raf, we spoke with Caleb, he told us everything, would you like to tell us of your involvement? It could save you a lot of trouble.”

“Alright Raf, we tried to do this the nice way.” After four hours of waterboarding.

We were then forced to release Rafal Los because of the Geneva Conventions. Attempts to question other players including Michelle Schafer yielded similar results.

At this point the SecAnalysis team had no other choice but to burn asset Caleb Sima. At great personal risk, Caleb got into contact with SecAnalysis directly. At first Caleb was not willing to give up information, however, after he was notified that a speculative blog post would be made public regardless of a lack of real information he divulged a highly sensitive piece of information…

The conversation was immediately cut short; the SecAnalysis team has not heard from him since. It seems as though the trail ends here. We encourage our readers to keep asking questions…questions like:
Where is Caleb?
What is so secretive that a public relations rockstar could be silenced?
Are Rose and Liu RaffCon sleepers?
Do Terril and Ely have some type of weather control machine?
What is going down at Source Boston?
WHAT…is RaffCon?
ShmooCon Wrap-Up
Over the past three years I have attended roughly 25 security conferences and events. In each of those, I believe I may have been searching for ShmooCon 2010. In spite of multiple adverse conditions, ShmooCon was quite simply the best run, most worthwhile (from a learning perspective) event that I have attended to date. If for no other reason, ShmooCon 2010 was a rare celebration of computer security expertise and passion that is often lost in the overcrowded, diluted conferences that seem to have taken hold of the security industry.
The awesome qualities of ShmooCon could not be outdone by the 20 inches of snow that covered the Washington DC metro area where ShmooCon was held. Despite the unforgiving weather, to my knowledge all the speakers, with the exception of Josh Coremann who telecommuted, were able to attend the event. Furthermore, despite canceled flights, train arrivals, and bus trips, only 100 attendees were unable to make it into the DC area. These figures are incredible when one considers the severity of the weather situation which the media has laughingly labeled “Snowpocalypse.”
Smooth sailing in spite of adversity is not, however, what made ShmooCon an incredible conference. What made ShmooCon an incredible conference was the attendees. The ShmooCon attendees mirrored what I have always pictured DefCon attendees to be. This is not to say that the level of expertise of DefCon attendees is not superb, but rather that the elite are diluted by the indifferent. ShmooCon on the other hand seemed to house a higher potency of the passionate than the indifferent and more of the knowledgeable than the curious. Granted, ShmooCon 2010 hosted roughly 1,500 attendees compared to DefCon 17’s nearly 10,000.
The significantly lower attendance of ShmooCon was not due to demand however, but rather more due to exclusion. ShmooCon does ticket sales a little bit different than most other conferences. Specifically tickets are limited and while ShmooCon could have brought in more money by allowing more attendees, they kept the figures down to 1,500. This meant that, with few exceptions, only people particularly driven to attend were able to get tickets. In fact, in each round of ShmooCon ticket sales sold out in minutes.
As a direct result of the relatively exclusive nature of the event, the level of conversation seemed higher and the ratio of vendor marketing to security practitioners seemed just about right. Finally, the content of the talks was fantastic, although I still think my tracking and profiling talk shouldn’t have been an alternate (I’m just saying). Granted, the content was probably not on par with the likes of BlackHat DC; however, that is also a $200 ticket versus a $1,095 conference pass comparison. All things considered ShmooCon was fantastic, so kudos to the Shmoo Group, I’ve been a fan since Rogue Squadron, keep up the good work!
A Few Highlights
The highlighted presentations may still be purchased on DVD or some may still be available on http://www.ustream.tv/recorded/4538594
- Hacking Sleep Cycles
- Social Zombies II: Your Friends Need More Brains
- Learning By Breaking: A New Project For Insecure Web Applications
- Jsunpack-Network Edition Release: Javascript Decoding and Intrusion Detection
- 0wn the Con
- Just walking around talking to people
Forget the Spoon there is No Solution
Perhaps it’s all the talk about Advanced Persistent Threats (APTs) or the arguments over sophistication, heck maybe it’s just because it’s after the holidays and I have some kind of security industry seasonal depression–but I can’t deny that my disenchantment with the security community is at an all-time high at the moment. In fact the realization is setting in that the career of a security professional is one that will be defined by the minor victories in our overall defeat. Security professionals are Michael Spinks and we’re in the ring with Tyson. The only difference is that we’re not going to get put out of our misery in one round…it’s going to be a long affair. That is of course unless we actually learn something from organized attacks like Titan Ra–errr I mean organized attacks like Operation Aurora.
To be clear I’m not talking about learning lessons from a technical or internal process perspective, rather I’m talking about learning how, as a community, we can work to better handle these types of scenarios. My own personal perspective is that the community as a whole has lost sight of what the overall goal is and how we must ALL function together to accomplish that goal. This view is exacerbated by the multiple questions that have been left in my mind by incidents such as Operation Aurora. Again let me stress that I’m not talking about anything from a technical or internal process perspective but rather pointing out the multiple questions that continue to go unanswered by the community as a whole. Questions such as: isn’t this the exact type of real-world event that drills such as Cyberstorm were supposed to prepare us for? Why, with our multiple upon multiple information sharing venues does it seem like everyone is running so frantic and misinformed? and most important in my mind, as a community are we trying to market security or are we trying to ensure it?
The truth is that I don’t have a definitive answer to these questions. What I do know is that when most of the community is looking to vendors like McAfee and Symantec for answers, it doesn’t help when one vendor calls the event a “Watershed Moment In Cybersecurity” and the other rates the risk as very low. In my personal opinion, which is supported by researching multiple responses to the event and conducting a source code analysis of the IE 0day exploit, I would personally say it’s somewhere in between, at a medium. On the one hand it is certainly not a “Watershed Moment In Cybersecurity”: the details of the event that make it distinct are extremely similar to the Titan Rain incident of 2003. The only real difference between the distinct details of the two events is that Titan Rain really only targeted US government and defense contractor infrastructures, while Operation Aurora has targeted multiple industrial segments. Put simply, Operation Aurora makes for a better marketing message. On the other hand, the attack used an evolving IE 0day exploit and leveraged three pieces of malware working in concert. The risk is not “very low”.
The bottom line is this: security events such as Operation Aurora can be detected early, if not totally prevented, but the security community as a whole needs to make major changes. Vendors need to stop selling snake oil and vaporware, while security teams need to do a better job of information sharing. The only problem is that no one seems to know how to do this, so at the end of the day the problem is not the attackers, it’s the defenders, and unfortunately there is no solution in sight.
ShmooCon Picks
Nothing gets me more excited professionally than the opportunity to go to a good conference. If nothing else, I relish the opportunity to surround myself with others who are as passionate about information security as I am. Unfortunately, while I have experienced a number of conferences in my six years as an information security professional, I have not as of yet experienced a ShmooCon. This year I decided to change that trend.
I will be spending three full days at the Marriott Wardman Park soaking in all the infosec information I can find with the other ShmooCon attendees who successfully battled for tickets. Find me for some cool swag and be sure to attend the Fire Talks, I might be speaking (I’m the first alternate).
Friday
1600: GPU vs CPU Supercomputing Security Shootout
1700: Economics Of Cybercrime
1800: Learning By Breaking: A New Project For Insecure Web Applications
1830: Guest Stealing…the VMware Way
Saturday
1000: Jsunpack-Network Edition Release: Javascript Decoding and Intrusion Detection
1100: Social Zombies II: Your Friends Need More Brains
1600: BaS04: A Dynamic Dataflow Tool For Auditing and Reversing
Sunday
1000: PCI an Existential Threat To Security As We Know It
1200: 0wn the Con
An Underlying Message from Operation Aurora
Looking past the hype surrounding the IE 0-day that was utilized in Operation Aurora, is it all that different from other attacks in the past? Not at all. In fact, if one were to look a little closer at what is actually delivered to the victim, it is blatantly obvious that this is an attack. From the large unescape variable that is clearly percent-encoded hexadecimal values (and probably shellcode) to the padding in the form of the repeated 0c 0d, these are characteristics of exploits that the security community has been dealing with for the past four years and not of a sophisticated new threat! In fact, existing IPS signatures were capable of triggering alerts on the attack itself. For example, ISS Proventia IPS devices would have raised at least six alarms should this IE 0-day have crossed a sensor. Why then does the security community find these attacks so frightening?
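The two characteristics called out above, a large unescape() string of percent-encoded bytes and padding made of one repeated value, are exactly what a simple content heuristic can flag. The following is an added example, not code from the original post or from any IPS product: it decodes each unescape() argument in a script the way JavaScript would (%uXXXX units and %XX bytes) and flags strings that are both long and dominated by a single repeated unit. The thresholds and both sample scripts are constructed for the example.

```python
import re
from collections import Counter

# Constructed samples (not the Operation Aurora payload): one benign unescape()
# call, and one whose string is dominated by a single repeated %u value, the
# padding pattern described above, followed by a few arbitrary bytes standing
# in for whatever content a real sample would carry.
BENIGN_JS = 'var greeting = unescape("Hello%20World%21");'
SUSPICIOUS_JS = ('var sc = unescape("' + '%u0c0d' * 200
                 + '%u4141%u4242%u4343%u4444' + '");')

# Thresholds are assumptions for this example, not values from any product.
MIN_SUSPECT_BYTES = 256   # benign unescape() strings are rarely this long
PADDING_RATIO = 0.5       # one value making up half the string looks like a sled

UNESCAPE_CALL = re.compile(r'unescape\s*\(\s*(["\'])(.*?)\1\s*\)', re.DOTALL)
# JavaScript unescape() understands %uXXXX (a 16-bit unit) and %XX (one byte).
ESCAPE_TOKEN = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def decode_unescape(s):
    """Decode a JavaScript unescape() argument into the units it would produce.

    Returns a list of (unit_hex, byte_length) tuples: a %uXXXX token yields one
    16-bit unit (two bytes); %XX tokens and literal characters yield one byte.
    """
    units = []
    pos = 0
    for m in ESCAPE_TOKEN.finditer(s):
        # literal characters between escape sequences count as single bytes
        for ch in s[pos:m.start()]:
            units.append(('%02x' % (ord(ch) & 0xff), 1))
        if m.group(1):
            units.append((m.group(1).lower(), 2))
        else:
            units.append((m.group(2).lower(), 1))
        pos = m.end()
    for ch in s[pos:]:
        units.append(('%02x' % (ord(ch) & 0xff), 1))
    return units


def analyse_unescape(arg):
    """Score one unescape() argument: decoded size and how much of it is one value."""
    units = decode_unescape(arg)
    total_bytes = sum(n for _, n in units)
    counts = Counter(u for u, _ in units)
    dominant, dom_count = counts.most_common(1)[0] if counts else ('', 0)
    ratio = dom_count / len(units) if units else 0.0
    # Long and mostly one repeated unit: the padding pattern, flag it for review.
    suspicious = total_bytes >= MIN_SUSPECT_BYTES and ratio >= PADDING_RATIO
    return {
        'decoded_bytes': total_bytes,
        'dominant_unit': dominant,
        'dominant_ratio': ratio,
        'suspicious': suspicious,
    }


def scan_script(js):
    """Return one analysis record per unescape() call found in the script text."""
    return [analyse_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(js)]


if __name__ == '__main__':
    for name, js in (('benign', BENIGN_JS), ('suspicious', SUSPICIOUS_JS)):
        for rec in scan_script(js):
            print(name, rec)
```

The benign sample decodes to 12 bytes with no dominant value; the constructed sample decodes to 408 bytes of which 200 of 204 units are the same 0c0d value, so only it is flagged.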
My own personal perspective is that it is because the attackers showed an advanced level of sophistication beyond what most security professionals will ever achieve in their careers. The security community today is saturated with professionals who may have never even witnessed a computer compromise, let alone truly understood one. For the most part security professionals do not know how to hack and to a large extent do not know how to code. While they might understand the basics of a buffer overflow or SQL injection from a theoretical level, in a real world situation the average security professional would not have the slightest idea how to actually infiltrate an application or network. Thus, when security professionals are enlightened to the level of sophistication held by their opponents it is frightening. Even more so when jazzy labels like Advanced Persistent Threat (APT) or “Operation” are applied to an incident. Terms such as these insinuate battle and make people feel threatened by something they do not truly understand, and like so many other things, what people do not understand scares them.
So while I do encourage decision makers to allocate more budget towards the products and services that will better protect them from attacks like Operation Aurora, I also encourage them to recognize the need for better understanding. Particularly, I encourage them to realize that ten people with certifications may not be worth a single person who understands the COND field of a microword, or rather someone with a deeper level of knowledge. For the rest of the security community, I would encourage them to recognize that with the saturation of what qualifies as a security professional, the endless pursuit of knowledge in this field is invaluable. If a cyberwar does truly exist, then it is not a battle of what was hacked and what was secured, but rather an intellectual competition the likes of which have not been seen since the space race. And for those frightened by the events that took place in Operation Aurora, I offer for comfort the fact that in this intellectual race, the good guys are not behind, just saturated.