Author Archives: higB
The entire crew will be there Tuesday-Sunday! Most of us are staying the entire time at The Rio but we have a few things going on at Caesars.
- Tuesday – Arrive; the FNGs go fetch supplies.
- Wed-Thurs – At Caesars, in sessions, at the cabanas, or at the booth.
- Thursday-Sunday – Find us at The Rio (or In-N-Out)
- Thursday, early morning – We are doing our own trapshoot. The DefCon shoot was just too massive last year. This is a competitive group that likes to keep score!
- Friday – Hack Cup, hopefully no injuries this year! - https://sites.google.com/site/securitytournament/
If you don’t find us in sessions or hallway-con, we are probably recovering in one of the two cabanas we rented out. If you are not staying at Caesars but still want to come hang out, stop by our booth to get a cabana pass.
Gawker, Trapster, now Tripadvisor.
I’m sorry Steve Kaufer, but I don’t think the email you sent is good enough anymore. You said “passwords remain secure”
HOW DO WE KNOW THAT?
- State how you stored the passwords
- Is it a one way hash? If so, state the algorithm
- What about the salt? Did you have one? How many bytes?
- Even better, were you using something strong, with a work factor, like bcrypt or md5crypt?
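As an added example (not code from the original post), here is what the answers to those questions look like in practice: an unsalted one-way hash beside a salted hash with a work factor, and the one sentence a breach notice could have included. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt/md5crypt; the salt length and iteration count are assumed values.

```python
# Added example: unsalted one-way hash vs. salted, work-factor hash,
# plus the record a breach disclosure would need to describe.
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16        # assumption: 16-byte random salt per user
WORK_FACTOR = 200_000  # assumption: PBKDF2 iteration count (the "work factor")


def unsalted_hash(password: str) -> str:
    """Plain one-way hash. Same password -> same digest for every user,
    so one cracked entry or a lookup table reveals all users with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None,
                   iterations: int = WORK_FACTOR) -> dict:
    """Salted, stretched hash. The returned record carries exactly the facts
    the post asks a company to state: algorithm, salt size, work factor."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"algorithm": "pbkdf2_hmac_sha256", "salt": salt.hex(),
            "salt_bytes": len(salt), "work_factor": iterations, "hash": dk.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["work_factor"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def disclosure_line(record: dict) -> str:
    """The sentence the CEO email was missing."""
    return (f"Passwords were stored as {record['algorithm']} with a "
            f"{record['salt_bytes']}-byte per-user salt and "
            f"{record['work_factor']} iterations.")
```

Two users with the same password get different records because the salt differs, which is what makes a dumped table expensive to crack user by user.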
Here is the email from Tripadvisor’s CEO:
To our travel community:
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.
How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.
The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.
I’d also like to reassure you that TripAdvisor does not collect members’ credit card or financial information, and we never sell or rent our member list.
We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.
Co-founder and CEO
The reason we just can’t accept the two statements I’ve highlighted is that not enough information was provided about the breach. In several other news outlets, security experts were speculating this was likely the result of a SQL injection attack. When minds are left to wander, and people settle on SQL injection as the likely vulnerability, then someone familiar with SQL injection is left to ask: “well, why weren’t they able to dump the password table too?” Maybe it wasn’t SQL injection. Maybe there was a bug in an accessible CMS. Maybe some development test data was carelessly left somewhere. Maybe some API TripAdvisor exposed to a partner had a weakness that allowed the attacker to pass a userID number and get an email address.
Even though the TripAdvisor email is missing some useful detail, there will be some clues if password hashes were compromised. If they force a password change on returning users, that will tell the real story.
Who really knows? Tripadvisor does. This email sucked. It should have had more detail.
I’m a bit of a CNBC junkie; I stream it all day (so if you want to spear-phish me, send an email about my subscription to pro.cnbc.com expiring, harhar).
While drinking coffee this morning and going through my news feeds, the story about malicious Android applications floated to the top (via finance.yahoo.com):
So who is to blame? Google for not really vetting things before they go to the marketplace? Users for being tricked? Certainly more than one party can share blame, but based on the sound bites from financial news, Google has been doing exactly what Wall Street wants them to do: MORE APPS!
The yardstick to measure success in the mobile marketplace is the number of handsets/devices AND the number of applications. I’m sure Google is aware of that, because nearly every bit of financial news banter is about whether or not Android can gain share from Apple. RIM is acutely aware of this, too. If you see any of their latest ad campaigns (on financial TV), it’s about their Super Apps. What RIM is trying to do is tell the world, “never mind the fact we don’t have a bajillion apps, we have quality apps!”
@Google – I know you know you have a problem here. And I know that you know there isn’t much you can do about it. It’s a difficult dance: you need fast, widespread adoption to keep the financial analysts happy. But if you continue down this reckless path, consumers will lose confidence in your platform and go to iOS because it feels safer. (BTW Google, YOUR Gmail app, written by you, keeps crashing on my phone… nasty error. When consumers see com.android, it hits the same nerve as the blue screen of death.)
The security industry can learn a lot by watching financial news! I’m curious to know what our blog readers think. Will we see a change from Google? How many news stories like this will it take? Maybe Google will stay out of it and let the anti-virus vendors get in to slow down our devices?
p.s. This email came in while this post was in draft:
higB here.. I’ll keep my post mostly about the culture
Amanda did a great job making sure we were in the Palace tower (not the stinky Forum tower). It was awesome having help this year to organize the Intrepidus Group visit to BlackHat/DefCon. Every year we get bigger and every year the cat herding task is more challenging. Thanks Amanda! (and thank you Mac for organizing the shoot, more on this later…)
Some of our traditions are borrowed, but we have some of our own, too.
Tradition: The FNG list
If you haven’t brought an intern to Vegas with you I HIGHLY recommend it. In keeping with Intrepidus traditions, the FNG is required to fetch Vegas supplies.
- The FNG can get you any reasonable supply.
- The FNG should avoid drug dealers named Doug.
- The FNG must have your list prior to Tuesday the 27th.
Max, thank you! You were awesome!
(LtoR: Corey, Max, Zusman, Pridgen)
Tradition: Custom Con Tee Shirt
One fond memory I have of my early days at FS was rocking a freshly designed con shirt. Prosise and crew put in effort to get a cool design for us to wear every year. We carry on a similar tradition here. (The shirt is usually packed with inside jokes, so apologies in advance.)
Tradition: Death via Maggiano’s
If you didn’t see any of us Friday night, it’s because we came close to killing ourselves at Maggiano’s. Seriously, we have to stop going there. Every year it’s the same thing, followed by a direct trip to the hotel room to moan and groan. I was down for the count and didn’t leave the hotel room.
*New* Tradition: DefCon Unofficial Shoot [Link]
My first DefCon was in ’98. My first participation in the DefCon shoot was 2010. Thanks to our guy Mac for organizing and, of course, Deviant and crew. The event was well organized, but I think they were a little worried when they saw the target we brought…
This is getting a little long so I’ll go rapid fire:
- Ridley’s Photos: check them out
- Jeremy Allen and Raj Umadas BH talk on Mallory
- Zach’s BSides talk
- Taqueria Cañonita at the Venetian
- SecurityTwits party
- DefCon Shoot
- Craig Heffner’s “Millions of Routers” talk (seriously)
- WiMax talk: Pierce, Goldy and aSmig
- Blake Self and Bitemytaco’s Docsis talk
- Blue EFF teeshirt
- This year’s badge
- The Riviera (gross bathrooms .. yay Rio?)
- Goon track change on Saturday screwed over people in line.
- Last year’s badge (it was bad enough that it deserved another mention)
- FastlapLV broken and slow go-karts
I hope to see everybody next year!
(LtoR: Dean, Aaron, and Rohyt @ Caesars.)
If you haven’t been over to XKCD to see their new shell, go check it out:
guest@xkcd:/$ vi
You should really use emacs.
guest@xkcd:/$ WHAT
Unrecognized command.
guest@xkcd:/$ rm -Rf /
guest@xkcd:/$ woo
Unrecognized command.
guest@xkcd:/$ su
God mode activated. Remember, with great power comes great ... aw, screw it, go have fun.
- BES-managed BlackBerry application that pushes data over the carrier IP network
- BES-managed BlackBerry application that can use the WiFi radio in the device
- BIS BlackBerry where the end user gets to grant security permissions, data over the carrier IP network
- BIS BlackBerry where the application can use the carrier network
- BIS/BES BlackBerry that can do its authentication via the carrier’s LDAP/RADIUS via a reverse IP look-up
All of these can dramatically change the scope and type of testing we do.
The application security rights management is, to use one word, awful! Most applications are requesting rights to portions of the device they don’t need, most are requesting cross-application-communication rights they don’t need, and quite a few want location data when they don’t really need it. I can see why the enterprise IT manager is concerned about letting employee-managed BIS RIM devices into their environment. It’s a mess, and it WILL lead to compromise of sensitive data if RIM doesn’t do something to fix this. The user needs a better way to make informed judgement calls on application rights management, and RIM needs to audit and remove applications from App World that are requesting egregious permissions.
More about this here:
From Blackberry’s blog: IT Managers: Embracing Personal Employee Smartphones in the Enterprise
So the real problem is all the unmanaged applications; more about that later in Part 2.
RIM Security: Application Rights, what a mess – Part 2
Or rather, experiencing the consequences… that can inspire change. A perfect example: most people I know who are serious and disciplined about regular system backups do it because they’ve been burned in the past. (I’ve been very good about it ever since I paid Ontrack 1400 dollars to recover an IBM Deathstar hard drive.)
How was your weekend? Mine was ok, except I spent a good part of my Sunday helping a teenage family member re-image her laptop after it was infected by some variant of the classic “pay us money to clean the virus off your computer” scam (see the fake Security Essentials post here: http://blogs.technet.com/mmpc/archive/2010/02/24/if-it-calls-itself-security-essentials-2010-then-it-s-possibly-fake-innit.aspx). This is nothing that we are not all familiar with.
The fallen laptop:
Vista Home 32bit, running as Administrator, expired Norton suite.
The Ah-Ha moment for me:
She wasn’t too upset about this. She needed a word doc for homework but could hardly take a break for texting while I was trying to find out what other important things she needed from the laptop.
Pictures? Picasa and Facebook. Email? Gmail. Music? Already on her iPod. Docs? Maybe she will use Google Docs from now on. SSH and PGP keys? (yeah right!) For her, a laptop is just a bridge to the Internet. Who cares about what is on the laptop? It’s just a thing that gets you to the <cringe> cloud </cringe>. Is recovering your computer from the system disc every six months just the new norm?
She will be entering the workforce and on your corporate network in 2014.
Check out our new blog.
Look at my blog, my blog is amazin’
For a while we had blog.phishme.com where members of the Intrepidus circus posted on a semi-regular basis. That is all well and good, but we outgrew that and it really made more sense to limit blog.phishme.com to PhishMe and phishing related blog posts.
So what is this blog for?
Fair question. We’ll let you know when we figure that out. There are many blogs like this but this one is ours. This blog is mainly for Intrepidus Group folks to share their research, provide commentary, and solicit feedback. There are a lot of really-really excellent security blogs out there. This blog will be at best, semi-good. I hope we get a good laugh out of readers from time to time.
Let’s face it: we are part of the <airquotes> industry </airquotes> — we play in the industry and the industry takes care of us. There is nothing wrong with that. We really are in no position to take ourselves too seriously, so we won’t.
About this blog’s infrastructure.
Last year there was some excitement surrounding security companies getting their boxes owned. This, of course, was a concern for us. Being security geeks… the Intrepidus crew all started throwing out fanciful ideas about how to host a blog, lock it down, create boobytraps, manage it only over SSH tunnels, which you have to port-knock to open, blah blah blah… The conversation went from zero to ridiculous pretty quickly, so I chimed in with… “How about we >don’t< try, AT ALL?”
So… we went one step below not trying: we are hosting a PHP WordPress blog on a cheap-ass shared hosting provider (Dreamhost) that emails your clear-text password out every chance it gets. We manage this over (are you sitting down?) HTTP! For security, it can’t get much worse. (Did I mention they hang your MySQL database out in the wind with a juicy phpMyAdmin interface? Oh, and you get SquirrelMail even if you didn’t want it.)
Enjoy our blog!
“Sweet lemonade, sweet sweet lemonade!”