March, 2009

The Hacker Manifesto

Does this bring back memories, or what? I still remember my first PC, the modem, my parents sleeping, me watching the 4000 color screen showing fascinating information... I found the text here.

The Hacker Manifesto

by
+++The Mentor+++
Written January 8, 1986

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

Incompetence is a killer

I hate incompetence.

What is more, I hate when professionals are incompetent.

What is even more, I hate when experts in a field are incompetent. In their own field.

...

This morning started very nicely with light snowfall, and sunlight streaming through the clouds. My son had just got out of bed, we had breakfast and enjoyed the joys of the morning. I took him to school, and went to my office.

I then started to check my e-mails. I deleted most of them as usual, and started reading an email from a business partner that I have dealt with over many years. His business is hosting websites, and he has been my preferred hosting partner since I left the hosting and web development business in 2001.

Out of the blue, he wrote that he had removed a table in my database, due to extensive amounts of data collected and stored in it (1.2 Gb). Yes, he deleted it without my confirmation. Yes, it turned out to be a vital part of the core of the website CMS. No, I did not like the fact that the website (this blog, actually) had been down for more than 8 hours.

He had worried that the database table had collected too much information, and that the functionality slowed down the server. So he just decided to remove the table itself.

...

When I read the email I did not recognize the name of the table, so I did not think too much about it. Then I went to the site to check if it had any impact. BOY! Did I get surprised! My blog was no longer a blog. It had turned into a mile-long page of SQL errors. It turns out the table he deleted is a vital part of the system, collecting log data. And since this is a security site, it seems to attract a lot of script kiddies that try to mess around here (no, I do not understand why they do that...).

When I discovered this, I had to spend the morning fixing it. It did not take more than 30 mins before I had it all back and running, including a security update. But I am still angry, I am still questioning the competence of that expert, and I am seriously considering ending a business relationship that has lasted over many years.

...

What would you do in this situation? How would you react? What would you do to prevent such things from happening again in the future?
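One answer to the last question, as an added example that is not part of the original post: a log table that grows to 1.2 Gb is a retention problem, not a reason to drop the table. The script below (my own illustration, using SQLite and a constructed table called cms_log, since the real CMS table name is not given on the page) prunes rows older than a retention window in small batches so the table, its schema and its index survive and the CMS keeps working. The same pattern applies to a MySQL log table behind a PHP CMS.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed schema standing in for the CMS log table mentioned in the post.
SCHEMA = """
CREATE TABLE IF NOT EXISTS cms_log (
    id        INTEGER PRIMARY KEY,
    logged_at TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS', sorts lexicographically
    remote_ip TEXT NOT NULL,
    message   TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_cms_log_logged_at ON cms_log(logged_at);
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def open_db(path=":memory:"):
    """Open (or create) the database and make sure the log table exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def seed_sample_rows(conn, now, days_span=120, per_day=5):
    """Insert constructed log rows spread evenly over the past days_span days."""
    rows = []
    for d in range(days_span):
        ts = (now - timedelta(days=d)).strftime(TS_FMT)
        for i in range(per_day):
            rows.append((ts, f"203.0.113.{i}", f"constructed probe {d}-{i}"))
    conn.executemany(
        "INSERT INTO cms_log (logged_at, remote_ip, message) VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def prune_log(conn, now, keep_days=30, batch_size=100):
    """Delete rows older than keep_days, in bounded batches so a busy site is
    not locked for minutes by one huge DELETE. Returns the number of rows removed.
    The table itself is never dropped."""
    cutoff = (now - timedelta(days=keep_days)).strftime(TS_FMT)
    deleted = 0
    while True:
        cur = conn.execute(
            "DELETE FROM cms_log WHERE id IN "
            "(SELECT id FROM cms_log WHERE logged_at < ? LIMIT ?)",
            (cutoff, batch_size))
        conn.commit()
        if cur.rowcount == 0:
            break
        deleted += cur.rowcount
    return deleted


def table_exists(conn, name="cms_log"):
    """Sanity check a host should run before and after any maintenance."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM cms_log").fetchone()[0]


def run_retention_demo():
    """Seed 120 days of constructed rows, keep the last 30, report the outcome."""
    conn = open_db()
    now = datetime(2009, 3, 15, 12, 0, 0)  # fixed clock so the result is reproducible
    inserted = seed_sample_rows(conn, now)
    deleted = prune_log(conn, now, keep_days=30)
    return {
        "inserted": inserted,
        "deleted": deleted,
        "remaining": row_count(conn),
        "table_exists": table_exists(conn),
    }


if __name__ == "__main__":
    print(run_retention_demo())
```

Run it as a scheduled job (cron, or the CMS's own scheduler) with a retention window agreed with the site owner, and have the job verify that the table still exists afterwards; that turns "the table got too big" into a routine housekeeping task instead of an 8-hour outage.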

Cartoon from http://www.cartoonchurch.com/blog/

Former Head of Security at Bank of England to Give Keynote at Scandinavian ISACA Conference

The former head of security at Bank of England, Joe Peachey, will give the keynote address at the Scandinavian ISACA Conference from 22-23 April at Hotel Hvide Hus, Aalborg, Denmark. Peachey’s keynote will discuss how important information can be to a company and will point out potential risks. He will also discuss using controls and access rights to mitigate threats and the benefits of implementing such procedures.

ISACA, a nonprofit association, serves more than 86,000 IT governance professionals worldwide. The Scandinavian ISACA conference is the first collaboration of the ISACA chapters in Sweden, Denmark and Norway to bring together experts to discuss how to resolve key issues around IT governance, assurance and security, as well as the benefits of using Control Objectives for Information and related Technology (COBIT) and Val IT, two internationally tested and globally adopted frameworks that address strategic alignment, value delivery, resource management and performance measurement.

The opening keynote will be given by Steen Thomsen, professor, Centre of Corporate Governance at CBS (Copenhagen Business School). Thomsen will examine IT governance from the corporate board perspective and how to empower the board with the benefits of IT governance.

On the second day, there will be a panel discussion on the Swedish FRA (Försvarets radioanstalt) legislation. According to the legislation, Sweden will conduct surveillance of all Internet and telecom traffic crossing the Swedish border. The panel will discuss how this legislation will impact companies, citizens, politicians and the press, and if stakeholders should refrain from exchanging sensitive information using these channels. Panellists include Henning Mortensen, senior advisor, DI ITEK (The Confederation of Danish Industries), Mark Klamberg, Dr. Jur., University of Stockholm and Gisle Hannemyr, professor associate, University of Oslo.

The conference is held over two days and will feature more than 30 sessions divided into three streams covering IT governance, assurance and security:

IT Governance

This stream consists of session topics such as the value of IT and using Val IT, how IT can create business value while reducing risks, the challenges and success around IT governance, NorSox, and a case study on E.ON’s risk management strategy.

Speakers in this session include Jan T. Bjornsen from Ageto, Ola Holm from PricewaterhouseCoopers and Rita Lenander from E.ON.

IT Assurance

Topics in this stream look at auditing using international standards, Sarbanes-Oxley, requirements and challenges faced during the auditing of the Norwegian Central Bank's interbank system, and a practical guide for using COBIT.

Speakers include Aina Karlsen Roed from Ernst & Young, Ulrika Granfors Wellemets from Volvo and Hilde Nordid from Norges Bank.

IT Security

Sessions in this stream will look at the Norwegian data inspectorate’s national and international work, secure multiparty computation, biocryptics, and the implementation of PCI DSS (Payment Card Industry Data Security Standard).

Speakers include Georg Apenes from Datatilsynet; Lars Neupart from Neupart; Jonas Jansson, vice president of the ISACA Sweden Chapter; and Robert Roussey, former international president of ISACA.

The registration fee for the conference is kr 4,995 for ISACA members and kr 6,495 for non-members. Attendees can earn up to 15 continuing professional education hours.

Breaking news? Sophos uncovers malware targeting ATMs!

Sophos just shared news on malware targeting ATM systems.

This is a new type of highly targeted attack, where the attacker targets something very specific. I have warned about such things before, mainly attacks targeting single corporations for ransom or information theft. The challenge with these kinds of attacks is that they usually drop below the radar of typical AV tools, especially the signature-based ones.

To me, it is totally natural to attack ATMs. After all, that is where the money is!! The malware in use skimmed the CC numbers and sent them to the attacker.

ATM attacks traditionally involved hardware attacks, like skimming devices and PIN code collectors. It is a natural development that they move to software residing on the ATM itself. One of many challenges is to protect against this type of attack, and to discover them.

How will we protect ourselves? AV on the ATM? Pentesting the ATM? I would think a mixture of hardening the OS, including a signature-based mirror so that alterations would be detected, reported and require authentication, would be important. Further, I expect some sort of network monitoring, allowing ONLY authorized traffic to whitelisted targets (i.e. the bank system), would help too. After all, the malware needs to communicate, and by shutting off any and all traffic that is not directly related to the transaction, the malware is not able to communicate with its owner.

This kind of scenario of closing down everything is fully doable in an ATM network, as the ATM itself only requires a small amount of traffic and communication, unlike your desktop computer. So monitoring and controlling this traffic would be easy, and would not even introduce lag.
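The two controls proposed in the last two paragraphs, a signature-based mirror that detects alterations and an egress allowlist that flags any traffic not going to the bank system, can both be sketched in a few lines. The script below is an added example of my own, not code from the post or from Sophos: it hashes a constructed software tree into a baseline, reports files that were modified or added since, and checks constructed "src dst port" connection records against a hypothetical allowlist containing only the bank host (10.0.0.5:443 is an assumed value).

```python
import hashlib
import tempfile
from pathlib import Path

# ---- Part 1: signature-based mirror (file integrity baseline) ----

def build_baseline(root):
    """SHA-256 of every file under root, keyed by relative POSIX path.
    Stored off-box, this is the trusted reference the live ATM is compared against."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def check_integrity(root, baseline):
    """Report files that differ from, were added to, or vanished from the baseline.
    Any non-empty list is something to alert on and require authenticated sign-off for."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


# ---- Part 2: egress allowlist ----

# Hypothetical allowlist: the ATM may only talk to the bank's transaction host.
ALLOWED_DESTINATIONS = {("10.0.0.5", 443)}


def parse_connection_line(line):
    """Parse a constructed 'src_ip dst_ip dst_port' record; None if malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def unauthorized_connections(log_lines, allowed=ALLOWED_DESTINATIONS):
    """Return (dst_ip, dst_port) pairs not on the allowlist. In a real deployment
    these are the flows the gateway drops and the monitoring system reports."""
    flagged = []
    for line in log_lines:
        rec = parse_connection_line(line)
        if rec is None:
            continue
        _, dst, port = rec
        if (dst, port) not in allowed:
            flagged.append((dst, port))
    return flagged


# ---- Demo on constructed data ----

CONSTRUCTED_CONNECTION_LOG = [
    "10.0.0.20 10.0.0.5 443",       # legitimate transaction traffic
    "10.0.0.20 198.51.100.7 8080",  # constructed: something trying to reach an outside host
    "10.0.0.20 10.0.0.5 443",
    "garbage line",                 # malformed record, ignored
]


def run_demo():
    """Build a baseline from a constructed tree, change it, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "atmapp.exe").write_bytes(b"constructed application image")
        (root / "config.ini").write_text("bank_host=10.0.0.5\n")
        baseline = build_baseline(root)

        # Simulate what the mirror check should catch: one changed file, one new file.
        (root / "bin" / "atmapp.exe").write_bytes(b"constructed ALTERED image")
        (root / "bin" / "extra.dll").write_bytes(b"constructed unknown file")
        report = check_integrity(root, baseline)

    flagged = unauthorized_connections(CONSTRUCTED_CONNECTION_LOG)
    return report, flagged


if __name__ == "__main__":
    print(run_demo())
```

The baseline must be stored and verified somewhere the ATM software cannot write to, otherwise an alteration could simply update the baseline too; and the allowlist is enforced at the network gateway, not on the ATM, for the same reason.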

What do you think? Are there other ways to stop this kind of malware? Where do you expect to see similar attacks in the future? What will happen when we hook up the fridge to the net - will it be attacked too?

Are you mashing things up? MashSSL to your rescue!

Mashups are a technology taking over from portals, allowing content to be aggregated from different sources and merged into a presentation that shows relevance and connections. Where portals merely present data from different sources, mashups present it, mix it and work with it to create information relevance from many different data sources.

The type of information does not matter – you can connect your CRM system with Google Maps to create live data streams of your sales based on geographic location, or you can use them to build a reputation monitoring dashboard. And anything else. If a (web) application has an API, you can connect to it, extract the data, mash it up with other sources, and create a new presentation layer that makes more sense.

The principle of mashups is fairly new, and it has several security issues that are keeping it from becoming the preferred method of creating intranets, extranets, dashboards and information services for business use. The fact that the technology is young in itself is one factor. The lack of authentication between the applications, however, is a major reason companies stay away at this point.

At least until yesterday, that was a valid reason. Enter SafeMashups, the new company of Ravi Ganesan – you may remember him from TriCipher? SafeMashups created the MashSSL Web Toolkit, which enables the applications to authenticate directly.

Roll back a while. I’ll let Ravi explain:

“With web applications, it is traditionally the user who is authenticated. The same applies in traditional mashups. The user launches her web browser, and while loading the mashup she is authenticated towards each application. This is fine as long as the applications do not interact – but part of the thrill with mashups is to have them communicate directly. That automatically means they need to trust each others. And that trust should be controllable.”

In my mind, I draw a picture of me opening a mashup, and it connects to my apps – like my online bank and the stock market analytic site. Today, I need to log on separately to each of the sites, and they are not communicating directly. I dream of a way to have them talk to each other, and update each other directly.

Ravi continues “How can your bank know that your stock broker site is trustworthy? What we did is the same as SSL back in the 1990 – we provide the security that is required in order for these systems to trust each other. With SafeMashups MashSSL, the applications will be authenticated behind the scenes, based upon certificates and CAs. They no longer need you to do the authentication, and that removes the risk of the man-in-the-middle – someone using your computer to gain access to your applications”.

Ravi rambles on, while I get caught in my own imagination. I remember how SSL changed e-business back in the 90s. I remember how it made moneymaking possible, how people started to flash their Visa cards and started what can only be described as a Klondike for the Internet. How people started to trust that the Internet could be a safe place no matter how odd it seemed at the time.

I see the great value MashSSL offers to the B2B market space. I would love to see a mashup combining all the products and prices of all suppliers – all in one place, no need to look up prices and quotes from many different sources. Not to mention the prospects of my aforementioned interest in bank vs. stock updates…

“…and then the SafeMashups Community service comes into play” I hear Ravi saying; “the service acts as a CA for mashups, so you no longer need to set up your own services. You can think of it as a social network for business – where you just choose the partners you like to deal with and the service takes care of the rest for you.”

I am too excited to keep listening. This sounds like a tool that is right on the spot – timing is right, technology is right, the need is here. And there is no doubt in my mind that if someone can make this happen, it must be Ravi!

Thumbs up to MashSSL and SafeMashups. If you are into mashups, MashSSL is a must-have!

Is this how we deal with security?

Found on XKCD.

After ROFLing from this cartoon, I realized the reason I laughed. And that is not funny at all.

What I realized is how we security folks sometimes seem to overcomplicate issues. How we fail to see that doorbell button, and search for methods and tools and systems to increase awareness, add layers of security, or inform decision makers.

The good, old KISS comes to mind. Keep it simple, stupid.

The next time you sit there messing around, fooling yourself into creating even more complex systems, challenge yourself to see if there are other ways, more obvious ways, like the doorbell. I bet you'll be surprised to see that the easy way usually works out better than the complicated one.

The fall of economics creates growth of malware

According to ScanSafe's Annual Global Threat Report, there has been a huge increase in threats during 2008. One of their notable findings is that data-theft Trojans increased by 1559% from 2007 to 2008. Such growth makes an impact on business - not only on security. We have been talking about data-theft malware for a long time, and finally it seems that this trend is truly coming alive. To you, this means it is high time to reconsider your information security strategy, and to implement a classification system for your information. Another interesting finding is that in Q4 2008 ScanSafe saw "...the largest growth in this category [data-theft trojans]..." According to the report, the growth of these kinds of trojans is directly connected to the global financial chaos. You should be able to source a copy of the report by contacting ScanSafe directly.

Sticking with the carrot

Shrdlu shares a few lovely tricks to "enforce" security in your enterprise.

Carrots are nice when they work - it does require the person to like carrots - and usually I prefer carrots to the stick myself. But, as Shrdlu so greatly pictures it, sometimes you really need the stick to show:

Carrot plus even more stick: You meet with the supervisor first, without talking to the user. Then, depending on what the supervisor wants to do, you call in the user. When you have clearly already been talking to the supervisor first, it carries more weight.

On a side note, I figure it is time for me to get out of security, as Shrdlu clearly has called my shots!

A lovely weekend to all of you! Have fun!

Making a SaaS company - what products / services should be part of the offering?

If you were to set up a Security as a Service company, what products and services would you consider the "must-haves"? I am thinking along the lines of firewall / UTM (AV/AS/IDP) management and monitoring, remote backup, monitoring services (LAN, WAN, gateways, critical servers), as well as incident management (ISMS - perhaps in an easier implementation).

Am I on the right track here? Should I consider other products/services? Or focus on only one of these areas? Or perhaps just forget about it totally?

From the point of view of the clients, I see that security is an ever-growing pain for many SMEs and smaller municipalities. They lack the knowledge, and the funds to build the knowledge, to do security efficiently. And face it, many IT resources in this segment run their feet off helping people use Word and e-mail. SaaS would offer these people and organizations a safe haven where they can focus on their core business, and know that some specialists are taking good care of their required level of security.

Can you help by sharing your ideas and thoughts? Would YOU buy SaaS if the product mix is right? What products and services would need to be included in order for you to buy SaaS for your company?

Tweetergetter.com - a scam?

After my initial days of trying out Twitter, I can see how addictive it can be. I am up to 40 followers in one two days, and obviously I am looking into growth strategies.

Thus, when I got this message from a trustworthy contact of mine:

RT @garymccaffrey has a crazy idea. 19,530 new twitter followers in 30 days? Check it out http://tweetergetter.com/xxxxxxxxx.

I got curious. And I went to the site. It plays on the old math of doubling your coin for every square on the chess board, claiming to grow your followers to 20 000 in no time at all. Combine that with the good ol' pyramid scheme, and there you are! TweeterGetter!

Of course - it is FREE!

Yea, right.

Taking a closer look, I see that in order for this service to work for you, you need to supply your twitter account name. Now, that is not that bad, as everyone knows it already.

Then you need to enter your Twitter password too!

I am like, what the h**k? My twitter account name AND my password.

Alarm bells ringing, this must be fake, this must be a harvester. What is more, people - bright people even, like my contact - get fooled by this. They add their name and their password, and expect to get 20 000 followers over a few days.

My advice to you is simple - if a service asks for your username and password for a different service, turn away. Get out of that den before the lion gets you.

And if you did add your username and password (Edgar, this is for you) - make sure you CHANGE your password RIGHT away!!! NOW!

Hoaxes will arrive as soon as there are people wanting something for free. There is no such thing as a free lunch - in TweeterGetter, you pay simply by giving away your credentials, allowing someone else to control your account.

What do you think? Would you fall for this? Did you fall for it? It almost took me, I admit! Have you come by other hoaxes profiting from Twitter?
