My Next Chapter – I’m Joining Altria

I’m excited to announce that I’ve accepted a position with Altria Group in Richmond, Virginia as an IT security architect and consultant in its enterprise IT Risk Management group beginning April 22nd. For those unfamiliar with Altria (previously known as Philip Morris), it’s a Fortune 200 company headquartered in Richmond which owns several tobacco companies and a winery, owns a financial services company, and has a 29% stake in SABMiller. I was impressed by what I learned of the organization’s culture and leadership and I decided the role was a great fit. Collaborating with IT and business colleagues on a range of information security risk management projects should be a lot of fun.

Over the next few weeks I’ll be honoring my commitments to complete client projects and coordinating the move to Richmond. I’ve enjoyed my time in San Antonio immensely and I will miss my regular face-to-face interaction with the local information security community. I met a lot of great people during my 2 1/2 years in the Alamo City and via my involvement with ISSA, the South Texas Security Leaders Forum, the Texas CISO Council, SAHA, and BSidesSanAntonio, as well as at local and regional events.

I’d like to thank my friends, family, and colleagues who were there for me while I focused on consulting independently through my company Befriend and explored other options. I’m grateful for those of you who provided guidance, served as a sounding board, partnered with me on consulting projects, let me know about prospective opportunities, and offered me positions with your companies. I have a great family and great friends and information security truly is a caring and collegial community.

My wife and I look forward to our return to Richmond. It will be nice to be so much closer to our family members in Richmond and elsewhere in Virginia. I’m going to miss working from my balcony in shorts and routine visits to the pool (and the loss of access to my wife’s employer Whataburger will be bittersweet), but life involves tradeoffs and I’m ready for the next chapter. :-) I’ll still be consulting through Befriend (albeit on a more limited basis) and research, talks, and projects are underway so 2013 should be an interesting and exciting year!

4th Annual Security Twits NCAA Tourney Bracket Contest

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year. The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

  1. Go to the tournament page.
  2. After logging in, click “Join Group”.
  3. Enter Group ID 137592.
  4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 3 parts of the password are information security related.

  1. Part 1 – The cyber espionage group in Mandiant’s report published last month
  2. Part 2 – Pseudonym of hacker sentenced to 41 months in prison for exploiting an AT&T website vulnerability
  3. Part 3 – Default port number of the service that makes you want to bash your head against the wall because SSH is a superior alternative

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Your final picks must be submitted by Thursday, March 21 at 12:15 PM EDT (the 4 play-in games earlier in the week aren’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited. ;-)

I’ll post updates here and on Twitter periodically.

Why I Canceled my RSA Presentation

I was ecstatic when RSA contacted me to let me know that my presentation “Crunching the Top 10,000 Websites’ Password Policies and Controls” was accepted for the RSA Conference 2013. This was the first time I’d submitted to RSA so I was honored. Unfortunately I chose to cancel the presentation earlier this week. I’d like to explain why. But first, here’s the abstract:

Website authentication systems are constantly under attack, resulting in disclosure of password databases, compromise of accounts and exposure of sensitive data. This session will discuss a project to gather, assess and rate password policies and controls from the top 10,000 websites (according to Alexa Traffic Rank) by leveraging community volunteers and Amazon Mechanical Turk.

The project relied on a large number of other individuals to gather data which I aggregated for analysis. In January I discovered that some of the data was inaccurate. I was not particularly concerned since that was a tradeoff of the data collection method for a subset of the data and long term I had a mechanism to flag which data had and had not been validated. I began my analysis, then checked some more of the data, discovered even more invalid data, and determined that the percentage of data that was likely bad was at an unacceptable level. At that point I became concerned that the results of the analysis might be substantially off. I discussed it with one of the RSA staff and proposed taking a few more days to see if I could identify the bad data, recollect it, and analyze the results. Ultimately there just wasn’t enough time. As a result I let RSA know earlier this week that I’d need to cancel the talk.

I could have given it, but the analysis would have been light and I believe that the talk would not have met the expectations of attendees. I am continuing the research and it will be presented at a future date. Apologies to RSA and conference attendees.

Create Legal Software and Face Prison and Coercion by Prosecutor to Hack Clients

New York authorities have charged Robert Stuart with promoting gambling in New York, alleging that his company’s online gaming software was used by others for illegal betting in New York. Stuart was not accused of making bets or taking bets – he was charged with creating software that allowed others to. Extension Software, Stuart’s company, only had clients outside of the US and Stuart claims that it’s only being used in places where it’s legal to be used.

Stuart alleges that the District Attorney’s office tried to coerce him into a plea agreement requiring him to modify his company’s software by adding a backdoor to gain access to the usernames and passwords of gamblers and bookmakers, then distribute it to his clients. He further alleges that authorities expected him to use the backdoor and retrieve the information on their behalf.

Though authorities claim there is nothing illegal about what was proposed, deployment of a backdoor would be a violation of the Computer Fraud and Abuse Act without a US court order and permission in the various countries in which Extension Software’s clients operate. Equally troubling, unless there’s evidence that Stuart or Extension Software employees were aware that the software was being used for illegal gambling by New York residents and didn’t take measures to stop it, the case would set a precedent with rippling effects.

Should the developers of free and commercial software which may be used for illegal purposes be concerned? What about the free and commercially licensed versions of Metasploit? Could Rapid7 and contributing members of the Metasploit community be held liable for criminal use of Metasploit? What about John Matherly’s SHODAN? A hearing in Stuart’s case is scheduled for Tuesday, January 8th. I’ll be staying tuned.

The Wrong Way to Steal Obama’s AV Equipment and Laptop

A Richmond, Virginia man was arrested this week for the 2011 theft of a commercial truck from a Richmond-area hotel parking lot. Eric Brown was probably happy to discover the truck contained audiovisual equipment and a laptop, but when he discovered the Presidential Seal on the equipment he should have realized the Obama administration and law enforcement would give the matter proper attention. Instead he sold the laptop which belonged to the Department of Defense, kept the AV equipment without removing the Presidential Seal, bragged about the equipment he kept, and was seen in possession of it.

In a bit of irony, the arrest occurred on Election Day. No word on whether Mr. Brown cast his ballot for (or against) Obama before he was arrested.

The PayPal 0-day Exploit and Leak That Wasn’t

Late yesterday, Anonymous announced that PayPal had been hacked during a series of attacks against it and other organizations in celebration of Guy Fawkes Day (November 5th). I tried to access the alleged dump file an hour later, but it was unavailable. Media began reporting PayPal was exploited by a 0-day, but provided no additional detail.

I’m always skeptical of alleged leaks until I have an opportunity to review the leak data, the affected organization confirms the leak, there’s strong evidence the leak occurred, or someone I trust confirms a leak. The head of PR at PayPal said there was no evidence to validate the claim and that PayPal was investigating, but that’s common so soon after an alleged publicized incident. I asked the Twitterverse if the leak was legit, and got some interesting public and private feedback (primarily shared skepticism), but no confirmation of the leak.

After being pointed towards Darren Pauli’s November 1st article about security researcher Neil Smith’s interaction with PayPal about his disclosure of security vulnerabilities and discovery of the exposure of confidential customer data, I gave more credence to the report of the alleged leak, but was still skeptical. Then I was pointed to a post on BlackHatWorld, which stated:

“They do all just look like a dump of transaction records from any company…
It’s fake… Look at this table ../4e5ff957d5
Why would PayPal store AllPay information? lool”

AllPay provides bill payment collection, prepaid card, card production, legal, and print / design services (two of these are not like the others!). Perhaps the 27,935 customer records which were leaked belong to (wait for it…wait for it!) AllPay. Then again, perhaps not. It’s unlikely since they’re [cough, cough]:

Fully compliant with the Payment Card Industry Data Security Standard (PCI DSS)

Today, @PayPal stated:

Please know @paypal was not attacked by #Anonymous original story has been corrected http://bit.ly/SmB7bG

PayPal was not attacked by Anonymous? Perhaps their data wasn’t the data that was allegedly leaked, but I assure you they’ve been *attacked* by members of Anonymous. If I was responsible for PR at PayPal, I wouldn’t have worded it that way. And what of the PayPal 0-day? It turns out that the PayPal 0-day referred to may really have been a ZPanel hosting control panel 0-day, which was incorrectly described as PayPal by Cyber War News. And the dump file? Hack the Planet (HTP) has claimed responsibility and says that it’s not affiliated with Anonymous.

Yet Anonymous continues to report that they hacked PayPal. Maybe there’s more to the story. I’ll sit back and wait for the media to report it. Until then I’ll remain a skeptic. And I won’t count on the media to get the facts right…at least right away. ;-)

World’s #1 Hacker Charms Ricki Lake and Her Audience

Yesterday @iameltonjohn commented that she had spotted Gregory Evans giving women advice on the Ricki Lake Show so I watched the episode later in the day. Here’s a clip that includes most of his time on screen (thanks to @Cephurs for locating it so I didn’t have to use my longer, poorly recorded clip).

Prior to the commercial break before his appearance late in the show, Ricki stated “Coming up, an ex-hacker, turned online private investigator Gregory Evans.” Gregory has a colorful past. He is a convicted felon, a plagiarist, and the self-proclaimed Worlds No. 1 Hacker (missing apostrophe his, not mine). Though he has been listed as a charlatan on Attrition.org since July 2007 (with a comprehensive update in April 2010) and was further exposed by the CBS affiliate in Atlanta in February 2011, he still manages to occasionally appear in the media as an expert.

The episode concerned women who had fallen for online dating scams. Interestingly, Ricki even mentioned that she dated a guy she met on Match.com for 6 weeks before discovering he wasn’t who he seemed. For the uninitiated, his advice probably seems sound.

  1. Scammers never want to talk with you over the phone. The biggest sign that the person you’ve met is a scammer is that they won’t video chat with you.
  2. If you receive a Facebook friend request from someone you don’t know, check to make sure the college they claim to have attended enrolls students of the requester’s gender.
  3. Configure Facebook to not display your friends list to non-friends and to only display mutual friends to your friends.
  4. Scammers are going to Match.com and looking for divorcees with kids and money.
  5. Scammers pilfer profiles of young men from old MySpace pages and create profiles on Match.com and Facebook using them to target older women. Close the social media accounts you’re not using.
  6. In an email scam claiming to be from someone you know, look for a reply-to email address that isn’t exactly the same as the from address.
  7. If you suspect an email is a scam, get the IP address from the email headers, paste it into who.is, and check whether the physical address is in the vicinity of where the sender claims to be.

His advice is like low-fat food which is marketed as a healthy option, but actually is low-nutrition and high in calories – if you’re naive you want to gobble it up, but it’s not really good for you. Charisma, it’s what’s for breakfast!

It damages the entire information security field when a charlatan represents himself or herself as an expert to organizations, individuals, and the public at large. If you’re disturbed that the media is consulting, publishing, and broadcasting charlatans like Mr. Evans, make yourself heard. Is it really too much to expect a journalist or producer to spend a minute to perform a cursory search via Google?

If you’d like to provide feedback to the Ricki Lake show you can use their contact form, tweet her at @RickiLake, or tweet her show at @RickiLakeShow. You can also post on her Facebook page and in a discussion thread on her site, below a clip of Mr. Evans. She’s on Pinterest too, but I’m not sure how you can leverage that. ;-) The Ricki Lake Show films in Culver City, California, a short drive from the offices of his new company, Hi-Tech Crime Solutions (formerly LIGATT Security).

Security Twits Vegas meetup

The SecurityTwits Meetup will be Tuesday, July 24th from 9:00 PM (originally 8:00 PM) until around midnight in suite 1032 at Caesars Palace. A HUUUUUUUUGE thanks to Rocky DeStefano and Visible Risk for stepping up to sponsor and host the event…and to supply alcohol and food.

What is a Security Twit?

Are you an information security professional? Or are you involved in the information security space in any capacity? Then you are a security twit. Well, at least you are if you are active on Twitter.

Who can attend?

The meetup is open to security twits and their guests. Midgets, escorts, and other acquaintances you’ve made in Vegas will be considered on a case by case basis.

Do I need a ticket? Do I need to be on the list?

No. But please RSVP via Eventbrite to help with planning the amount of alcohol and food to purchase.

How can I help?

Contact @stevewerby if you have any ideas about how we can make the meetup better. Or how we can ensure that hotel security doesn’t shut it down early. Or how we ensure they do. Also, please spread the word via Twitter, Facebook, Google+…Pinterest and every other conceivable mechanism available to you. Tweet “Join us at the @SecurityTwits meetup Tue 8 PM at Caesars! Hosted by @visiblerisk. http://bit.ly/OSwMtB #securitytwitsmeetup”.

Who should I thank for organizing this?

@jasonmoliver got the ball rolling by asking @securitytwits about a meetup. Since @securitytwits wasn’t organizing one this year, I put some feelers out and @rockyd volunteered to help make it happen.

How do I become an official SecurityTwit?

See the instructions for joining. The page also describes the history of SecurityTwits, lists members and answers all of life’s mysteries.

Update 7/23/12 16:44 (Vegas time):

The meetup start time has been changed from 8:00 to 9:00. Rumor has it this was the request of the NSA. Or because there was a problem with the tiger rental company. Maybe both.

Update 7/23/12 21:32 (Vegas time):

There have been 96 Security Twit reservations, 3 midget, escort or exotic dancer reservations, 1 Sexy Sax Man Sergio Flores reservation (sold out – sorry!), and 1 Gregory Evans registration (sold out – sorry!).

Craft beer and homebrew Vegas meetup

What?: Drink craft beer and homebrew with people who appreciate good beer
When?: Saturday, July 28, TBD (late evening / early night start) [Will be updated when finalized]
Where: See “When?”

Las Vegas may cater to a plethora of vices, but it does not cater to the craft beer drinker. With tens of thousands of people descending on Sin City from across the U.S. and all over the world for Black Hat, Defcon and BSidesLV, let’s rectify that by getting together to drink craft beer and homebrew. I’ll kick things off by listing a subset of the beer I’m bringing (I’ll also be bringing some homebrew and beers from outside of Texas).

  • Adelbert’s Naked Nun (Witbier) [Austin, TX]
  • Real Ale Anniversary Ale XV Russian Imperial Stout [Blanco, TX]
  • Real Ale Full Moon Pale Rye Ale [Blanco, TX]
  • Real Ale Rio Blanco Pale Ale [Blanco, TX]
  • Real Ale Brewhouse Brown Ale [Blanco, TX]
  • Saint Arnold Endeavor IPA (Double IPA) [Houston, TX]
  • Saint Arnold Homefront IPA [Houston, TX]
  • Ranger Creek La Bestia Aimable (Belgian Strong Dark Ale) [San Antonio, TX]
  • Ranger Creek Mesquite Smoked Porter [San Antonio, TX]
  • Ranger Small Batch Series #1: Oak-aged Rye Oatmeal Pale Ale [San Antonio, TX]
  • Freetail Buffalo Hump 1840 (Belgian IPA) [San Antonio, TX]
  • Freetail Old Bat Rastard (Winter Warmer) [San Antonio, TX]
  • Freetail Broken Treaty (Extra Strong Bitter) [San Antonio, TX]
  • Freetail Ananke (American Wild Ale) [San Antonio, TX]
  • Rahr Pecker Wrecker (Imperial Pilsner) [Fort Worth, TX]
  • Jester King Mad Meg Farmhouse Provision Ale [Austin, TX]
  • Jester King Noble King Hoppy Farmhouse Ale [Austin, TX]
  • Jester King Farmhouse Wytchmaker Rye IPA [Austin, TX]
  • Jester King Black Metal Farmhouse Imperial Stout (Russian Imperial Stout) [Austin, TX]
  • Jester King Boxer’s Revenge (American Wild Ale) [Austin, TX]

So, you want to know where and when, right? At this stage, that’s to be determined, but the meetup will happen. I didn’t try to find out if there was any interest until I tweeted about this tonight so the details still need to be worked out. There’s already good early interest from Josh Sokol (@joshsokol), Pedro Munoz (@m00nyos), Joseph Sokoly (@jsokoly), and Larry Whiteside (@LarryWhiteside) and some others who’ve contacted me directly.

If you’re interested in attending the craft beer and homebrew meetup, post a comment to this blog entry, DM me on Twitter, email me at HASHTAGBELOW@justifiableparanoia.com, or tweet using the hashtag #defconbeermeetup. Let me know if you plan on bringing beer (optionally what kind), what evenings/nights work for you and if you’d like to bring anyone else. This is only for logistics planning purposes. Also, if any of you are willing to host the event or have suggestions on location, let me know.

Check back here Monday for more details or follow me (@stevewerby) or the hashtag on Twitter.

Update 7/23/12 21:41 (Vegas time):

I packed a couple of boxes this morning with around 30 beers, mostly bombers. In addition to the beers above, I packed some homebrew and some beers from Virginia (Starr Hill and Hardywood) and Delaware (Dogfish Head). I was going to check the beer, but a generous local infosec professional offered to drive my beer to Vegas. It will arrive Wednesday. @m00nyos is bringing some beers from the San Francisco area.

Update 7/26/12 16:22 (Vegas time):

@pmelson flew in from Michigan and brought some beers. The meetup will be Saturday, July 28, time TBD, but we’re looking at starting late evening or early night. If you have a location to suggest or room to offer up, please let me know. Otherwise it’ll be my room in the Rio.

If you’re interested in attending the craft beer and homebrew meetup, DM me on Twitter, email me at HASHTAGBELOW@justifiableparanoia.com, or tweet using the hashtag #defconbeermeetup. Let me know if you plan on bringing beer (optionally what kind).

Update 7/28/12 14:12 (Vegas time):

The meetup will be tonight from 7 PM to 9 PM in a room on the 30th floor of the Masquerade Tower at the Rio. DM me for the room #. There will only be so much beer so if you don’t know me IRL or online, you may need to make a good snarky and entertaining case for yourself.

A huge thank you to @topsnooper for driving my beer just under over 959 miles so I didn’t have to pack it in checked bags and lug them around. A desk during Defcon is good for *something*. More beer will be joining it tonight.

An analysis of Attrition’s shipment

When I got home Wednesday I was greeted by a box shipped by Jericho from Attrition. My memory is a little foggy from my late-night July 3rd visit to downtown Denver, but I’m pretty sure it was payoff for a bet to see who could climb to the top of the Big Blue Bear the fastest. Or maybe I told him I’d give him money in exchange for Lazlo shirts. Who can be sure?

After I managed to get Mr. Wiggles out of the box, I poured myself an imperial stout and inspected the contents.

This is a comprehensive inventory of the box’s contents (item count in square brackets):

  • Attrition Lazlo chainsaw t-shirt [15]
  • Attrition Defcon 20 badge [1]
  • DataLossDB t-shirt [1]
  • Nessus t-shirt [1]
  • Attrition Lazlo sticker [19]
  • SECore.info sticker [4]
  • OSVDB sticker [5]
  • DataLossDB sticker [2]
  • Attrition rubber bracelet [5]
  • J Crew button envelope…containing 2 buttons [1]
  • Plastic card with “INTENTIONALLY BLANK” on the front and nothing on the back [1]
  • Courtyard by Marriott room access key [1]
  • Attrition business card [1]
  • Ninja paratrooper [1]
  • Tenacity Solutions ball [1]
  • Core Security ball [1]
  • RSA pen [1]
  • Shavlik pen [1]
  • HACKER conference badge sticker [1]
  • McAfee card with USB dongle [1]
  • Victoria’s Secret rewards card [1]
  • W Hotels condom [1]
  • Scarlett’s Cabaret VIP pass [1]
  • MTA Metrocard [1]

That’s 68 items. I find anything less than 70 mildly insulting, but he gave me a couple of items at RVAsec in June and another item in Denver a few weeks ago so no worries.

Favorite item: Attrition Defcon 20 badge. @MakeItUrz did an awesome job with this badge. I just have to get it back from the cat.

Exploiting my OCD: 19 Attrition stickers? 19? Really!? Couldn’t Jericho have added a 20th so I could form a nice 4×5 grid?

Got my hopes up: Victoria’s Secret rewards card. Customer support told me it has no value. Liars!

Learned something new: The 954 area code is in southern Florida. Thanks for making me smarter, Scarlett’s Cabaret VIP card!

What, I’m not special enough for a gray one?: 5 black Attrition bracelets, but not one of the coveted gray bracelets. So, that’s how it’s going to be, eh!?

Should I trust it?: W Hotels condom. It expires June, 2015. Very nice. And it’s effective against pregnancy, AIDS and other STDs. What about APTs? Being manufactured in Thailand concerns me. And a man giving me a condom as a gift is…well…please keep Jericho away from me late at night in Vegas.

Thanks for the stuff, Jericho! If you’re attending Black Hat, be sure to catch Jericho’s talk, Errata Hits Puberty: 13 Years of Chagrin, July 25th at 3:30. If you aren’t attending, you can peruse his slides from his inaugural presentation of it at RVAsec in June.
