Intrepidus Group
Insight

Author Archives: higB

rot13? Can’t bring that weak stuff up-in-here!

Posted: September 1, 2011 – 5:21 pm | Author: | Filed under: Administriva, bugs, Humor

Comments disabled

Intrepidus crew: Blackhat-Defcon Vegas next week

Posted: July 25, 2011 – 11:12 am | Author: | Filed under: Uncategorized

The entire crew will be there Tuesday-Sunday! Most of us are staying the entire time at The Rio but we have a few things going on at Caesars.

  • Tuesday – Arrive, the FNGs to fetch supplies.
  • Wed-Thurs – @caesars in sessions/ or at the cabanas/or booth.
  • Thursday-Sunday – Find us at The Rio (or In-N-Out)
  • Thursday, early morning – We are doing our own trapshoot. The Defcon shoot was just too massive last year. This is a competitive group that likes to keep score!
  • Friday – Hack Cup, hopefully no injuries this year! - https://sites.google.com/site/securitytournament/

If you don’t find us in sessions or hallway-con, we are probably recovering in one of the two cabanas we rented out.  If you are not staying at Caesars but still want to come hang out, stop by our booth to get a cabana pass.

Cheers,

-higB

Intrepidus Dice

1 comment

Some thoughts about the Tripadvisor breach

Posted: March 24, 2011 – 9:49 pm | Author: | Filed under: Articles, bugs, Passwords

Gawker, Trapster, now Tripadvisor.


I’m sorry Steve Kaufer, but I don’t think the email you sent is good enough anymore. You said “passwords remain secure.”

HOW DO WE KNOW THAT?

  • State how you stored the passwords.
  • Is it a one-way hash? If so, state the algorithm.
  • What about the salt? Did you have one? How many bytes?
  • Even better, were you using something strong, with a work factor, like bcrypt or md5crypt?
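The three properties the list above asks for (a one-way hash, a per-user salt, and a work factor) can be read straight off a well-designed password record. This is an added example, not TripAdvisor’s or Intrepidus’ code; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the bcrypt/md5crypt the post mentions, and the record format, function names and constants are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed layout (not from the post): algorithm$iterations$salt_hex$digest_hex.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16          # 128-bit random salt, generated per user
WORK_FACTOR = 100_000    # PBKDF2 iteration count; raise as hardware gets faster


def hash_password(password: str, iterations: int = WORK_FACTOR,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False  # refuse records made with an algorithm we do not recognise
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def describe(record: str) -> dict:
    """Answer the post's questions from the stored record alone: algorithm, salt size, work factor."""
    algorithm, iterations, salt_hex, _ = record.split("$")
    return {"algorithm": algorithm, "salt_bytes": len(salt_hex) // 2,
            "work_factor": int(iterations)}


if __name__ == "__main__":
    # Constructed sample: two users pick the same password; the salts keep their records distinct,
    # so a leaked table does not reveal who shares a password.
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print(alice != bob, verify_password("hunter2", alice), verify_password("hunter3", alice))
    print(describe(alice))
```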

Here is the email from Tripadvisor’s CEO:

To our travel community:

This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement.

How will this affect you? In many cases, it won’t. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.

The reason we are going directly to you with this news is that we think it’s the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.

I’d also like to reassure you that TripAdvisor does not collect members’ credit card or financial information, and we never sell or rent our member list.

We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.

Steve Kaufer
Co-founder and CEO

The reason we just can’t accept the two statements I’ve highlighted is that not enough information was provided about the breach. In several other news outlets security experts were speculating this was likely the result of a SQL injection attack. When minds are left to wander, and people go to SQL injection as the likely vulnerability, then someone familiar with SQL injection is left to ask the question: “well, why weren’t they able to dump the password table too?” Maybe it wasn’t SQL injection. Maybe there was a bug in an accessible CMS. Maybe some development test data was carelessly left somewhere. Maybe some API TripAdvisor exposed to a partner had a weakness that allowed the attacker to pass a userID number and get an email address.

Even though the TripAdvisor email is missing some useful detail, there will be some clues if password hashes were compromised. If they force a password change on returning users, that will tell the real story.

Who really knows? Tripadvisor does. This email sucked. It should have had more detail.

Aaron Higbee

Comments disabled

Financial News and malicious Android Apps

Posted: March 2, 2011 – 4:19 pm | Author: | Filed under: android, Articles, Mobile Device Management, Mobile Security

I’m a bit of a CNBC junkie; I stream it all day (so if you want to spear-phish me, send an email about my subscription to pro.cnbc.com expiring, harhar).

While drinking coffee this morning and going through my news feeds, the story about malicious Android applications floated to the top (via finance.yahoo.com):

http://mashable.com/2011/03/01/android-malware-apps/

So who is to blame? Google for not really vetting things before they go to the marketplace? Users for being tricked? Certainly more than one party can share blame, but based on the sound bites from financial news, Google has been doing exactly what Wall Street wants them to do: MORE APPS!

The yardstick to measure success in the mobile marketplace is the number of handsets/devices AND the number of applications. I’m sure Google is aware of that, because nearly every bit of financial news banter is about whether or not Android can gain share from Apple. RIM is acutely aware of this, too. If you see any of their latest ad campaigns (on financial TV) it’s about their Super Apps. What RIM is trying to do is tell the world, “never mind the fact we don’t have a bajillion apps, we have quality apps!”

@Google – I know you know you have a problem here. And I know that you know there isn’t much you can do about it. It’s a difficult dance: you need fast, widespread adoption to keep the financial analysts happy. But if you continue down this reckless path, consumers will lose confidence in your platform and go to iOS because it feels safer. (BTW Google, YOUR Gmail app, written by you, keeps crashing on my phone… nasty error. When consumers see com.android, it hits the same nerve as the blue screen of death.)

The security industry can learn a lot by watching financial news! I’m curious to know what our blog readers think. Will we see a change from Google? How many news stories like this will it take? Maybe Google will stay out of it and let the anti-virus vendors get in to slow down our devices?

Cheers!

-Aaron Higbee

p.s.  This email came in while this post was in draft:

Kaspersky Mobile for Android and RIM

Comments disabled

higB’s 2010 Las Vegas BlackHat DefCon summary

Posted: August 4, 2010 – 1:38 pm | Author: | Filed under: Conferences, Humor, Mobile Security

higB here. I’ll keep my post mostly about the culture.

Amanda did a great job making sure we were in the Palace tower (not the stinky Forum tower). It was awesome having help this year to organize the Intrepidus Group visit to BlackHat/DefCon. Every year we get bigger and every year the cat herding task is more challenging. Thanks Amanda! (and thank you Mac for organizing the shoot, more on this later…)

Some of our traditions are borrowed, but we have some of our own, too.

Tradition: The FNG list

If you haven’t brought an intern to Vegas with you I HIGHLY recommend it. In keeping with Intrepidus traditions, the FNG is required to fetch Vegas supplies.

Rules:

  • The FNG can get you any reasonable supply.
  • The FNG should avoid drug dealers named Doug.
  • The FNG must have your list prior to Tuesday the 27th.

Max, thank you! You were awesome!

(LtoR: Corey, Max, Zusman, Pridgen)

Tradition: Custom Con Tee Shirt

One fond memory I have of my early days at FS was rocking a freshly designed con shirt. Prosise and crew put in effort to get a cool design for us to wear every year. We carry on a similar tradition here. (The shirt is usually packed with inside jokes, so apologies in advance.)

The IG BH/DC TeeShirt


Tradition: Death via Maggiano’s

If you didn’t see any of us Friday night, it’s because we got close to nearly killing ourselves at Maggiano’s. Seriously, we have to stop going there. Every year it’s the same thing, followed by a direct trip to the hotel room to moan and groan. I was down for the count and didn’t leave the hotel room.

*New* Tradition: DefCon Unofficial Shoot

My first DefCon was in 98. My first participation in the DefCon shoot was 2010. Thanks to our guy Mac for organizing and, of course, Deviant and crew. The event was well organized, but I think they were a little worried when they saw the target we brought…

Of course we knew Mac and Jim would be great marksmen, but we were all a little creeped out by how awesome Doug was. (If that is your REAL name, Doug… mister “I’ve never done this before…”)


This is getting a little long so I’ll go rapid fire:

Hot:

  • Ridley’s Photos: check ’em out
  • Jeremy Allen and Raj Umadas BH talk on Mallory
  • Zach’s BSides talk
  • #maggianos
  • taqueria canonita venetian
  • SecurityTwits party
  • DefCon Shoot
  • Craig Heffner’s “Millions of Routers” talk (seriously)
  • WiMax talk: Pierce, Goldy and aSmig
  • Blake Self and Bitemytaco’s Docsis talk
  • Blue EFF teeshirt
  • This year’s badge

Not Hot:

  • The Riviera (gross bathrooms… yay Rio?)
  • Goon track change on Saturday screwed over people in line.
  • Last year’s badge (it was bad enough that it deserved another mention)
  • FastlapLV broken and slow go-karts

I hope to see everybody next year!

-higB

(LtoR: Dean, Aaron, and Rohyt @ Caesars.)

1 comment

XKCD – cool shell!

Posted: April 1, 2010 – 3:51 pm | Author: | Filed under: Humor, Techno, Tools, Web Apps

If you haven’t been over to XKCD to see their new shell, go check it out:

http://xkcd.com/

http://github.com/chromakode/xkcdfools/blob/master/xkcd_cli.js <– badass


guest@xkcd:/$ vi
You should really use emacs.
guest@xkcd:/$ WHAT
Unrecognized command.
guest@xkcd:/$ rm -Rf /
guest@xkcd:/$ woo
Unrecognized command.
guest@xkcd:/$ su
God mode activated. Remember, with great power comes great ... aw, screw it, go have fun.

Comments disabled

RIM Security: Employer BES vs. Employee BIS – Part 1

Posted: March 23, 2010 – 8:18 pm | Author: | Filed under: Articles, Mobile Security, Security Management

When we perform security testing of BlackBerry applications for our customers, we have to consider the device from five points of view:

  1. BES-managed BlackBerry application that pushes data over the carrier IP network
  2. BES-managed BlackBerry application that can use the WiFi radio in the device
  3. BIS BlackBerry where the end user gets to grant security permissions, data over the carrier IP network
  4. BIS BlackBerry where the application can use the carrier network
  5. BIS/BES BlackBerry that can do its authentication via the carrier’s LDAP/RADIUS via a reverse IP look-up

All of these can dramatically change the scope and type of testing we do.

The application security rights management is, to use one word, awful! Most applications are requesting rights to portions of the device they don’t need, most are requesting cross-application-communication rights they don’t need, and quite a few want location data when they don’t really need it. I can see why the enterprise IT manager is concerned about letting employee-managed BIS RIM devices into their environment. It’s a mess! And it WILL lead to compromise of sensitive data if RIM doesn’t do something to fix this. The user needs a better way to make informed judgement calls on application rights management, and RIM needs to audit and remove applications from App World that are requesting egregious permissions.

More about this here:

From Blackberry’s blog: IT Managers: Embracing Personal Employee Smartphones in the Enterprise

and

Blackberrycool:  RIM Hosting Sessions for IT Managers Looking to Embrace Employee Liable Smartphones

So the real problem is all the unmanaged applications; more about that later in Part 2.

RIM Security: Application Rights, what a mess – Part 2

^higB

Comments disabled

Does the end user care about security? Do they have to?

Posted: March 1, 2010 – 11:23 am | Author: | Filed under: Security Management, Techno

Consequences.

Or rather, experiencing the consequences… that can inspire change. A perfect example: most people I know who are serious and disciplined about regular system backups do it because they’ve been burned in the past. (I’ve been very good about it ever since I paid Ontrack 1400 dollars to recover an IBM Deathstar hard drive.)

How was your weekend? Mine was ok, except I spent a good part of my Sunday helping a teenage family member re-image her laptop after it was infected by some variant of the classic “pay us money to clean the virus off your computer” (see the fake Security Essentials post here: http://blogs.technet.com/mmpc/archive/2010/02/24/if-it-calls-itself-security-essentials-2010-then-it-s-possibly-fake-innit.aspx ). This is nothing that we are not all familiar with.

The fallen laptop:

Vista Home 32bit, running as Administrator, expired Norton suite.

The Ah-Ha moment for me:

She wasn’t too upset about this. She needed a Word doc for homework but could hardly take a break from texting while I was trying to find out what other important things she needed from the laptop.

I was on my normal soapbox and going down my checklist of fixes: new image, non-privileged account, Adobe Reader with JavaScript disabled, Firefox+NoScript, and ditching Norton for Kaspersky Internet Suite… but none of that really mattered much, because there wasn’t anything that important on the laptop.

Pictures? Picasa and Facebook. Email? Gmail. Music? Already on her iPod. Docs? Maybe she will use Google Docs from now on. SSH and PGP keys? (yeah right!) For her, a laptop is just a bridge to the Internet. Who cares about what is on the laptop? It’s just a thing that gets you to the <cringe> cloud </cringe>. Is recovering your computer from the system disc every six months just the new norm?

She will be entering the workforce and on your corporate network in 2014.

cheers,

^higB

1 comment

PCI – Don’t even joke about it…

Posted: February 25, 2010 – 12:50 pm | Author: | Filed under: Humor
[12:30:08 PM] Higbee: In his interview.. I think he said something about how he loves java, esp any java-PCI related work.
[12:32:13 PM] Zach: Oh, good.
[12:32:20 PM] jaime: lol
[12:32:33 PM] Jeremy: I have written tons of Java code…
[12:33:50 PM] Jeremy: Never… ever on the PCI part, though. PCI is an infosec torture device.
[12:34:39 PM] Higbee: jeremy is so put off by PCI — he doesn’t even like PCI jokes. That’s some Louis CK hate right there.
I wish Louis CK knew enough about PCI to watch him go off on it.

Comments disabled

Y halo thar! The New-New Intrepidus Group Blog…

Posted: February 24, 2010 – 12:18 am | Author: | Filed under: Administriva, Humor

Hi Internetz,

Check out our new blog.

Look at my blog, my blog is amazin’

For a while we had blog.phishme.com where members of the Intrepidus circus posted on a semi-regular basis.  That is all well and good, but we outgrew that and it really made more sense to limit blog.phishme.com to PhishMe and phishing related blog posts.

So what is this blog for?

Fair question. We’ll let you know when we figure that out. There are many blogs like this but this one is ours. This blog is mainly for Intrepidus Group folks to share their research, provide commentary, and solicit feedback. There are a lot of really, really excellent security blogs out there. This blog will be, at best, semi-good. I hope we get a good laugh out of readers from time to time.

Let’s face it… we are part of the <airquotes> industry </airquotes>. We play in the industry and the industry takes care of us. There is nothing wrong with that. We really are in no position to take ourselves too seriously, so we won’t.

About this blog’s infrastructure.

Last year there was some excitement surrounding security companies getting their boxes owned. This, of course, was a concern for us. Being security geeks… the Intrepidus crew all started throwing out fanciful ideas about how to host a blog, lock it down, create boobytraps, manage it only over SSH tunnels, which you have to port-knock to open, blah blah blah… The conversation went from zero to ridiculous pretty quick, so I chimed in with… “How about we >don’t< try, AT ALL?”

So… we went one step below not trying: we are hosting a PHP WordPress blog on a cheap-ass shared hosting provider (Dreamhost) that emails your clear-text password out every chance it gets. We manage this over (are you sitting down?) HTTP! For security, it can’t get much worse. (Did I mention they hang your MySQL database out in the wind with a juicy phpMyAdmin interface? Oh, and you get SquirrelMail even if you didn’t want it.)

Enjoy our blog!

“Sweet lemonade, sweet sweet lemonade!”

^higB

1 comment
