28 Oct 2009 @ 1:53 AM 

Our country's leading ISP is caught in the web of an attacker (or a group of attackers?). For the second time in a few weeks, somebody operating under the nickname Vendetta has posted hundreds of login accounts of xDSL customers online. According to the hacker, he can easily steal the login data from the xDSL modems that the customers use to connect to the internet. I do not know yet which type of modem is involved, but I will look into it further.

A spokesman for the company told their users on the television news today that there was nothing to worry about. They closed the website that hosted the compromised accounts within one minute (yeah right …) and changed the passwords of all the published accounts. Additionally, he pointed out that the hacker is committing criminal acts and that anybody trying to use the accounts can be prosecuted too. Hence, there is no issue for the customers.

STOP.RIGHT.THERE

Since the police are aware of the issue, this is no longer a problem for the customers? Excuse me, but these accounts can be used to create self-service accounts that give access to my billing history. They can be used to get onto the wireless access points that the same ISP runs in coffee shops and public places. Apart from that, I have to assume that the attacker has full access to my modem and might even be able to install MITM software to capture other personal and private data. And changing the passwords of the accounts that were published fixes nothing: if the attacker can still read the credentials out of the same modems, he simply reads the new ones, and the accounts he has not published yet remain exposed. Downplaying this attack doesn't work here. You should own up, find out what the hell is allowing this adversary to get into these modems, and either upgrade them OR replace them for free.

You supplied faulty products; your job now is to get in contact with the customers that have these devices and make sure that their personal information is safe.

Posted By: admin
Last Edit: 28 Oct 2009 @ 01:53 AM
Comments (1)
 26 Oct 2009 @ 11:54 PM 

Robert Hansen (RSnake) recently wrote an article with some fundamental critique on the adoption of the open-source CMS Drupal to run The White House website. Mr. Hansen basically questioned the sanity of the people at the Casa Blanca who made the choice of moving from a proprietary CMS to an open-source product. The point (I think) he is trying to make is that a site running on code that is developed and owned by the White House is much more secure than a site that runs on a (possibly heavily) modified version of an open-source product. At first it was unclear whether he was comparing FOSS (Free Open Source Software) to COTS (Commercial Off The Shelf) or to really proprietary (in-house developed) software. He later pointed out in an update of the blog post that it concerned FOSS versus proprietary. Let's analyze the three options, objectively.

Commercial (COTS) Solution.

Considering you are looking for a CMS, you are looking for specific functionality: how can I bring the content that I want to communicate to my target audience as efficiently as possible? Choosing a commercial product will end up in a classic trade-off. You will choose a product that hopefully covers 100% of your needs; most of the time, though, it will include functionality that you don't and never will need. The worst case is that you have to choose a product that only covers 60 to 80% of your needs, and all you can do is hope that the roadmap the vendor presented to you will be respected. From a security point of view, you rely on the vendor to provide you a secure product and to keep it up to date in case a hole is ever poked into it. The chances that this will happen are … high. Disabling or removing the functionality you don't need is rarely an option, so in fact the unused functionality might prove to be an extra headache from a security point of view. We'll assign the total cost of building a solution on COTS software an initial value of 10. We all know what happens with commercial products and security … you can pray that it will never happen, but in the end it will … and you are laying your fate in the hands of a commercial third party that you can only hope has a proper response in case a breach occurs.

Proprietary Solution.

There is something to say for making your own CMS. You will, in the end, have a solution that fits 100% of your needs, and you can start with a Secure Development Lifecycle from the get-go. This assumes that you find security-aware software architects and developers. If you don't find them, you'll have to train them and hope that once they have the knowledge they don't jump ship to go work for another employer that promises a bigger paycheck. Robert's claim that this proprietary solution is more secure because The White House owns and controls the code falls apart right here: there still is no mind-erasing software to apply to people leaving your company. And that is assuming you have the proper resources to monitor the site and respond to attacks. The total cost of the solution, including the development from scratch, will be at least 1.5 times as high as the commercial solution, and still it is not 100% watertight. Or are you going to send the cops after each IP that visits your site with a funky user-agent string or performs a wget -r? I didn't think so either …

And then we aren't even mentioning frameworks … those are rarely (if ever) proprietary.

Free Open Source Software.

So … you're still looking for that CMS and you just received the offers from the commercial vendors. Just buying the product will cost you an arm and a leg, and then the modification and implementation still has to start. Then there's FOSS: you can download the source of the software and build your own CMS on it. Getting the software won't cost you a dime; adding features and functionality will cost you the same per day as the proprietary solution. Given that 80% of the functionality is already there, I would rather have those gifted architects and developers going through the code that already exists and making it better than writing new code from scratch. If they are so gifted that they could presumably build an unbreakable CMS from scratch, I would assume they could make an existing CMS unbreakable too. The best side of this approach is that you have much more of your budget left to spend on security than in either of the above solutions.

The Conclusion.

Were you trying to tell me that the Mac-loving über-geeks at The White House couldn't be arsed about security when they chose Drupal as the CMS for whitehouse.gov? I beg to differ. You can bet that the Drupal they use will be very different from the Drupal you can download. They knew that they didn't want to reinvent the wheel (proprietary solution) and they didn't want to put all their eggs in one basket (COTS). Instead they chose a free and open-source product to build a solution that fits their functionality and security needs. In my humble opinion … not a bad choice at all.

Posted By: admin
Last Edit: 26 Oct 2009 @ 11:54 PM
Comments (0)
 14 Oct 2009 @ 9:44 PM 

I take pride in what I do. Do you? From what I read on mailing lists, not so much.

Lately I've seen quite a few posts like this:

We have signed a customer to do a VoIP assessment, who can tell me how to go about it?

I have to perform a webapp pentest for one of my customers. This is our first time and I would really like to find out which tools to use.

I am new to hacking but I have to perform pentesting for one of my customers. Can you point me to helpful resources to learn about methodology, tools and how to break into their servers?

In my ears this sounds wrong on so many levels. First, there's the customer. They have obviously not done their job of searching the market for a trustworthy partner to test their infrastructure or give them information security advice. They are bound to be misinformed, inadequately pentested and left wide open for hackers. I can't care much, because it's their own fault.

Then there are the companies that offer these services while they are obviously less than qualified to do so. I can understand that in a slow market you would do anything to rake in the little cash that you can earn. Most of your customers must have already left because of your other crappy services. So now you decided to go provide security services? Wow man, I really hope the first customer that sees his report goes ballistic on you and wipes his doorstep with your sorry face. One wise man once told me: “What you do is defined by what you don't.” By clearly drawing the line at which services you deliver at the highest quality, and by being able to say no to requests you don't master, you can become a better company. You can actually grow that way. It may be slow and painful, but if you don't, the fall you are bound to make will be lightning fast … and deadly.

Finally, there's the person who posts this type of question on public mailing lists. You too should learn to say no. There is no way you can take pride in delivering a half-hearted Nessus scan to your customer. But I can cut you some slack. If your boss really pushes that hard for you to go do something you don't master, maybe today is the day to start looking for a new boss …

In the end, I always ask myself: “Would I implement this solution or deliver this service to my own company?” If the answer is no, I will not offer it to my customer. I'd rather point him to another service provider that can do what I have yet to learn.

Posted By: admin
Last Edit: 14 Oct 2009 @ 09:44 PM
Comments (1)

WiiMac

 09 Oct 2009 @ 11:34 PM 

There's nothing as stupid as shelling out $50 to $100 for a gadget that serves only one function, like a presentation clicker. Sure, you can use your wireless mouse as a clicker, but you'll run into its limitations pretty soon. Luckily, Johnny Lee provides some inspiration on how to use the Wiimote. His Wii-fu is awesome.

If you are like me, a geek somewhere in your thirties with kids, you probably have a Wii somewhere in the house. It comes with at least one Bluetooth controller that fits the Mac perfectly … the next question is, how do you pair them? It's as easy as 1, 2, 3:

- Download the application DarwiinRemote

- Drag it to your applications folder

- Run it

- Push the 1 and 2 buttons on your Wii Remote simultaneously (this makes the remote discoverable over Bluetooth)

- Configure your Wii Remote to your liking (assign actions to buttons) through the preferences screen.

- Have fun

Next time you're presenting … you have the coolest clicker in town (but your kid may be crying at home, 'cause he can't play his favorite game :-) )

Posted By: admin
Last Edit: 09 Oct 2009 @ 11:34 PM
Comments (0)
 01 Oct 2009 @ 3:00 PM 

As our employees are enjoying the interaction and learning that come with using social media like (amongst others) Twitter, Facebook, FriendFeed and soon Google Wave, we have a tougher time controlling which information is published in the name of the company, and who is 'representing' our organisation. Social Media Security is one of the hot topics of 2009 (and will probably continue to soar in 2010).

socialmediagovernance.com has built a comprehensive database of social media policies from companies in different industries worldwide. If you are going to address social media use in your company, it is worth taking a look at how others are doing it.

http://www.socialmediagovernance.com/policies.php?f=3

Posted By: admin
Last Edit: 01 Oct 2009 @ 12:18 PM
Comments (0)
 01 Oct 2009 @ 2:30 PM 

This video gives a very good impression of what Brucon 2009 (the first edition of the con!) was like.

I'll be at the 2010 edition. Will you?

Posted By: admin
Last Edit: 01 Oct 2009 @ 11:29 AM
Comments (0)
 01 Oct 2009 @ 9:59 AM 

https://www.cert.be/jobs

Update:

The site seemed to have been removed, but it is back. You can still find the job opening in Google Cache, in case the admins decide to take it down again :-p :

Dutch: here

French: here

As announced a few weeks ago, the people at BELNET are working hard to get the Belgian CERT going. Obviously they need more people to run the CERT, and they are officially looking for your CV.

To keep them from hacking your 'puter and/or carving the pdf/doc/rtf/odt file from your HDD, visit the link above and drop them an e-mail if you're interested.

Posted By: admin
Last Edit: 01 Oct 2009 @ 04:16 PM
Comments (0)