NetAssassin.com

Retooling my classes

Well good news! The TPA (Texas Police Association) has asked me to continue teaching my cybercrime course next fiscal year. (October.) In addition, they have asked that I develop an intermediate or advanced course.

Given the breadth of topics inside of Cybercrime I will probably opt for an intermediate class, and later develop an advanced class. E.g. something very technical for advanced probably along the lines of teaching some hacking and use of more sophisticated tools.

So that leaves the question of: what makes a good "intermediate-level" class?

I always like to throw in some demonstrations, because I loved Mister Wizard growing up and enjoyed finding a passion for learning something by seeing the combination of future knowledge done in a real experiment. E.g. Dry ice blowing up a bottle as a primer for the various states of matter. But in this case, as they don't like me blowing things up at the DPS Headquarters (well not for this class anyway), I am thinking some interesting things like cracking WiFi passwords, RFID hacking, and some Bluetooth shenanigans.

Now I am left with figuring out what meat and potatoes to put into that class.

At the same time, I need to go back through all my slides and hand-outs for the introductory class.

So to that end I am openly taking suggestions. What is important to present as material to law enforcement who are learning as much as they can to help with everything from identity theft to hacking cases?

Feel free to write me with your suggestions... maybe I should open the blog to posting comments...

Why he steals movies...

I read an interesting article on Gizmodo.com written by Peter Serafinowicz where he talks about his piracy of everything from eBooks to motion pictures. He gives justifications for doing each example, and they range from "it was easier than ripping my own DVD to make a demo reel", he is an actor/director/etc. and was referencing films and shows he has been in, to "I already paid for it twice" which was a reference to needing to crack the DRM (Adobe) around an eBook which he paid for as well as the hard copy but wanted it on his iPad and there was no viable commercial source for the product on that platform... so he made one for himself.

I run into this logic in my world a lot. Surprisingly, those who participated in the creation of Intellectual Property (IP) feel they are "allowed" or "entitled" to do as they wish with it. I think Peter gives enough examples of why and what his thinking is, so I won't create more examples. Needless to say, I represent the content owners not those who participated in the creation of the content and thus I am apt to point out all the ways this thinking is wrong.

It may come as a shock, but those who made a movie, album, TV show, etc. aren't normally the ones who own it. The IP itself belongs to the company that paid them. This gets even more complicated when you review who owns the IP itself, who owns the licensing, who owns distribution, etc. Take into account all the trades that get paid every time something gets re-marketed or rebroadcast, the talent who get their share, licensing issues, etc. and you start to understand why that eBook which is available on every platform other than the iPad is the way it is only a month after the iPad release.

I too would love things like ALL the James Bond movies in one boxed set. (Blu-ray Disc please!) but that just isn't going to happen due to licensing. Sure, I could go on eBay right now and find what I want... it's probably in a really attractive looking tin holding case shaped like a gun or the numbers "007." But no one involved with the franchise makes money, nor is my purchase counted by the people who make decisions about re-releasing content.

I travel a lot, but I don't download TV shows off of torrents etc. I will hunt them down on Netflix or other valid distribution systems in the hopes that my usage of the content will be counted toward income for the product as well as simply that someone is viewing it. Take for example a favorite show of mine that was recently canceled not because of a lack of fans, but because of a lack of media outlets. "Legend of the Seeker" was canceled because they couldn't get local TV stations to pick it up. But millions and millions of people watched every episode on all forms of streaming and torrent sharing systems. They hosted many websites calling for the show to continue. But even as Peter points out in his article, money matters. I am sure many had the excuse of "well this isn't broadcast in my town/country/hemisphere so I will have to torrent a copy to my computer." Great, you got to see the show, but marketing for the show could never count you as a valid mark of data to gain sponsorship and thus open into new markets. Without these things, even as Peter points out, your production is going to fail. So if you like a TV show, album, franchise, etc. support it legally. I know everyone says that, but look at it from even my perspective... if something doesn't sell well, the people who have the money to pay for the talent and fund the next product won't do it. They, like the rest of us, are interested in making money on their investments, not losing money.

Direct Digital Delivery isn't perfect yet, but no one can argue that the consumer is demanding it and new technologies are driving it. And even to Peter's point, if there is a way to make money it will be found. It just so happens it is, as pointed out, just as easy and sometimes easier to download the pirated copy. Help support your favorite artists, like Peter, and pay for the valid content. There are no excuses to pirate media.

In closing, only your ethical beliefs prevent you in many cases from pirating. It does, quite truly, affect the future of the franchise, artist, and company (as well as all those employed by these and their families) when you do this. Go buy a legal copy for whatever format you want. Stop thinking that if you own one format you can transcode to any other format you need.

News: Latvian hacker tweets hard on banking whistle

Latvian hacker tweets hard on banking whistle [SecurityFocus News]

Anyone else read that subject as "Levitating hacker tweets..." because I found that very funny when I did it.

New Study: Compliance Is Wasted Money

Article on Slashdot.org.

Slashdot has a link to an interesting study commissioned by Microsoft and the RSA. It shows that the high cost of resources and funds devoted to compliance outweighs those provided to protect corporate secrets. E.g. Custodial vs. Secret data.

The report is keen to point out that there is limited cost / damages for (in most cases) Custodial Data loss. Granted, it could be very expensive - but not as much as say losing your entire market and going out of business.

What I think is missing from this report is how much of the lessons learned, or practices developed, for Compliance / Custodial Data Protection are reused for Secret Data. Inculcating things like Segregation of Duties, Auditing, Accounting and Need to Know / Access is valuable.

I prefer to use the "no compromising" need for compliance to groom and gain acceptance for methodologies and procedures guarding Secret Data. It's a great tool when you think about it, and as the study shows you are more likely going to get funding for a compliance regulation than you are for guarding something that has "never been stolen before."

And really, isn't that the end-all of this? If no one has ever stolen something in the way you want to protect against, you are somewhat of a snake oil salesman when trying to make the claim that it is a risk.

Very few companies, even in this digital age, see their corporate secrets as being super important. Protection of Intellectual Property (IP) is seen as a defense of Trade Mark and Property rights. But that is normally only done for items that will enter the public market, not for example your well built proprietary system that allows you to produce something far cheaper and in a way never thought of by any of your competitors. With everything being digital, the very work you produce should be protected, but few stop to think about and protect the programs and tools developed to create that final product.

So I am not sure how much of this is in fact due to excessive focus on Compliance vs. no one is really out selling the idea that there is more to secure than just what the Government tells us we need to be securing.

Infocus: Enterprise Intrusion Analysis, Part One

Great review on the need for analysis and how to use those "silver bullets" that don't work by themselves. #lovemytool Infocus: Enterprise Intrusion Analysis, Part One [SecurityFocus News]

Peeps, how I love thee

As Easter is upon us, and thus Peeps are in the stores... it is once again time to share my ode to the Peeps.

----------------------

Peeps, how I love thee.

Peeps, you are palatable.
Somewhat stale, oh so delectable.
Bright neon-colours, incredible!
All year I long for thee, insatiable.
To hide away with a package of thee.
I remove first your head, oh chickadee!
You float in milk, how can this be?!
Microwaved, you grow for me!
The magic of my holiday, is marshmallow debauchery.

-Francisco Artes

Xbox 360 3 red lights of death... how to fix it.

Okay, so this is as close as you are ever going to get to me telling anyone how to modify a game console. I happen to despise piracy, so I have no reason to go into my research in that area as the few people who work to stop that stuff all know me and we talk all the time. What I will talk about is how to fix some issues with the Xbox 360.

First, if you are still under warranty contact Microsoft and send them your Xbox. No need to void the warranty just because you are in a rush. Second, if you don't have patience or basic mechanical abilities I suggest going to the store and spending 199.99 on a new Xbox arcade and moving your drive and gear over to the new unit. Third, there isn't one really I just hate making lists of only two items.

So why do the consoles have problems? Good question. Well, Microsoft decided that they would make the Xbox 360 VERY child safe... despite what you might think of some of the content. So they opted to have the entire machine made lead free. Yes... for those of you who are EEs out there you read that correctly. The solder in the Xbox lacks lead. (I guess the fear of children disassembling the Xbox 360 and then licking the tiny solder points about a million times a minute was crippling at Microsoft so they did something about it.) This is okay, for things that don't get as hot as an Xbox 360 or stay working for as long. (Everyone point to the guy you know who plays all weekend long and eats, sleeps (if even) and lives in front of their console this way.)

The next thing they did was hold down the heat sinks on the CPU and GPU with a cool innovation called the "X-Clip." It's cool... but it doesn't keep an even force on the motherboard and this is where it causes problems when combined with the wrong kind of lead free solder. So, um FAIL! Basically what tends to happen is the solder gets hot, breaks down because it lacks that ever so important element of lead, and cracks. Cracks mean gaps, gaps are hard for those funny little electrons to jump across. When electrons can't move about, electronic devices tend to fail. Kind of like unplugging a lamp and then pondering why it won't turn on. I know, crazy right?!

So there is a trick to undoing this. If your Xbox 360 hasn't had this issue, go get a cooling fan unit and add it to your console to prolong its life. If your Xbox 360 is now sadly blinking the 3 red lights that surely mean it is dead, then you can try the following (it worked for me.) Fix your Xbox 360 is a great site and well worth the money. I am not going to walk you through his process as that would basically undermine his site... but I will give some extra pointers:

1.) You will probably have a hard time with the hardware guy when you ask for 5mm X 10mm screws. What you want are "M5-.80 X 10" screws. I can tell you from experience you can get longer (as much as 12mm, "M5-.80 X 12", and things will work just fine.)

2.) Nylon washers are not often sold in metric, so you will need #10 size... I have used 1/4" flat nylon washers and have been just fine. For reference, I used all "Hillman" washers and cap screws. I got them at Lowe's for something like $3.00.

3.) If you are like me and don't want to wait for the heat sink compound and cleaner he suggests, I say go to Fry's and get "Formula 5" which is a Silver Thermal Compound and their ArctiClean remover and purifier. I think this came to a whopping $13.00.

Then follow his directions. Take the time to review the PDF and watch all the videos before you begin. Then follow along with his videos as you do the job. It will take one hour, and you will be super happy. I also added a cooling fan just to make sure I can prolong my bad solder even more. And I picked up two new games. So basically I still spent less than a new Xbox 360, ended up with a unit that will run cooler and thus faster than a normal Xbox, and scored some new games! Woohooo!

Now to spend the next 24 hours in front of the TV so you people have someone to point at when asked where the guy who plays console games is.

Having the answers to the test...

A wise man once told me, "I only take tests when I know I have all the answers." I find this to be a good idea. I mean, all things aside for being in school and not cheating of course, who wants to be tested without the benefit of knowing the answer key? In the event of your network and applications being tested by a 3rd party (probably a customer) you might want to know how your house looks before inviting others to snoop around.

It surprises me that this concept of knowing thyself is so alien to people. A good security practice in any business should offer vulnerability assessments, pen testing and application testing. Or, if you are in the outsourcing mindset, have some well vetted and trusted partners to do this testing for you.

It is becoming more commonplace for people to test one another. Often the case is two companies that wish to enter into a contract with each other, normally one being the client and one the customer providing a service. Sometimes we do this for Due Diligence prior to a merger and acquisition (M&A).

So let's say you are thinking this is a good idea, great! Now what are the benefits? Well, glad you thought of this question... try these on for size and then let me know if you have a spark to start a new process in your organization:

1.) You can test and remediate any embarrassing issues before you let your potential customer take a close look.

2.) If you can't remediate in time for the required 3rd party assessment, you can at least start to frame a response to the indubitable arrival of hard questions.

3.) Management likes to know when there are going to be issues. And let's face it, you need to be pointing out that Security is doing something and found problems to fix.

Mile-high WiFi, or It's in the air... you decide.

So, I am literally writing this blog from something like 32,000' above the continental US. I don't want to turn on my GPS to get fun things like air speed, direction of travel, or well my location... I have to assume things are shielded in the plane, but after a near-miss with a flight from Austin to Los Angeles a few weeks ago I am not going to tempt fate on commercial airlines. Ironically, they tell me my cell phone is evil but offer WiFi on my airplane. So, I decided to try it assuming it is indeed safe.

Me, and 300 or so of my new friends, are flying in a 747 from LAX to JFK. I am stuck with these new friends for something like six hours. And if they are crafty like me they have brought their power adapters for the airplane and will be goofing with their digital toys for nearly that long. Walking the aisles there are the normal collection of techno-gizmos and gadgets. A large number of MacBooks, I am now counted among that massive growing segment of the population, iPods, iTouch, PSPs, video players, Windows based laptops (mostly still Dell with some ThinkPads here and there), and plenty of BOSE and other knock-off noise canceling headphones. It's quite amazing, but I doubt very much that people who frequent NY to LA flights represent a true snap-shot of today's economy... other than Apple is doing a lot of things right. But that isn't what this blog is about...

So for $12.99 I can use "gogo" for my entire trip. This is fantastic! I have tried all sorts of fun things with this service. I can connect to and watch my slingbox, even watched an entire episode of CSI - NY to get into my "New York State of Mind." Going "home" has never been so much fun! I am able to check email, use my VPN back to the NetAssassin World Headquarters, chat with friends with Adium, iChat and Skype. I even did a video conference just for giggles. I soon ran out of things to do, and with my desire to procrastinate on two presentations I have to finish for a security conference in South Africa next month I decided to see what else was happening on the network.

Unlike Starbucks, or any other hotspot, I have a captive audience. No one, unless that bulky shirt on the guy two rows up from me is a parachute, is going anywhere for quite some time. And people are digging this wireless. Now to the credit of gogo, they even supply a pop-up warning that people on this network (e.g. any network really) may be able to see what you are doing and to keep that in mind. YEA! Someone said it! So, I dropped my VPN tunnel that was protecting me and decided to see what my fellow Mile-High Wifi (What I would have called my company if I did this service) users were up to.

I started by just resetting my Mac and letting it behave with no extra security other than what it ships with enabled. This seems to be the way many of the laptops are configured on the flight. I know about a dozen full names of my fellow passengers as of course the default name for any Mac is going to be something like "Francisco Artes' MacBook Air." This is nice, as I now know names... it's always polite to call people by their name. The PCs aren't as friendly, unless you ask them who owns them. They just tell you their silly PC names.

Some people are sharing files. It's nice to share. I like sharing, I don't do it myself but I will always accept free stuff. I do this with cookies too... I need to stop that habit so I can lose some weight. I have read fun documents for loan applications with all kinds of sensitive data, a few love notes, the normal smattering of personal photos taken... some during some very personal times alone or with others... who am I to fault anyone?! But if you are here for a while, I can look at your largest files too. I don't even need to apparently bother packing DVDs with movies on them anymore, I can just stream the movie files off of other peoples' computers. Quite cool... granted it is also quite dangerous to start streaming a movie file with a non-descriptive name while in a crowded public place like an airplane. I am so happy I have mastered the Command-Q keystroke and can slay those windows with the pr0n faster than others might notice what just popped-up on my screen. But none of this is new, these are things one can do in any hotel, office, hot spot, etc. Just the captive time is more on par with doing this at night in a hotel.

Sniffing... why not try sniffing now. I mean, I know everyone's name, computer make and model and in some cases all their financial information, what grooming choices they have made, and in some cases sexual orientation. So why not listen in a bit and see what they are doing?

I am not the only one geeking-out and chatting up my friends in IM. Many are excited about having their "Mile-High WiFi!" (I should totally TM that one.) But alas, while I had hoped that the open file shares on laptops were an oversight, no one has paid attention to the warning for this either. I won't go into things, I really don't pry and once I see a chat session, or any of the files I mentioned above, I don't really look. Why would I want to... it's rude to listen in on anyone's conversation and this is no different. I was more curious if I could "hear" someone else.

Well that's about it from my Mile-High WiFi connection. I will probably get to those presentations now.

RSA B-sides presentation ideas

Mike Dhan, @sfoak, has asked me to speak at B-sides presentations to be held in San Francisco at the same time as RSA. E.g. why it is a B-Side. (The kids who never knew vinyl will never get this.) I am looking for good ideas. All suggestions are welcome.
