Singapore Security Meetup - 29 May 2008

Posted in /home/open-source, /home/research on May 30th, 2008 by Rick Zhong

I just rushed back from this month’s Security meetup and finished attending a 40-minute conference call with my teammates in the US. Today’s meetup was really impressive because we had Rogan Dawes, the author of WebScarab, in town, and he gave us an hour-long talk on WebScarab. It was really nice to meet these guys who created fantastic tools and brought tremendous value to the community. I also prepared a short presentation on Web Application Testing Using Burp Suite together with a short demo. However, I encountered quite a few technical glitches with the projector and my Ubuntu laptop and wasted almost 30 minutes trying to fix them. It was really a pity that I couldn’t show all my materials, although the guys in the group waited for me patiently. I shall find out the bugs and make sure my next presentation won’t be messed up.

Here are my presentation slides if you are interested: Web PT Using Burp Suite


Rising Trend of Disgusting Patent Squatting

Posted in /etc/IT_security/news, /var/rant on May 30th, 2008 by Rick Zhong

It is absolutely ridiculous that a Singapore-based company is trying to charge patent fees for web pages that link an image to contact information. This is not the first time we have heard of companies intending to charge patent fees for commonly known technologies. Just a few months ago, someone in China filed a patent application for booting a Linux OS from USB devices.

Describing itself as “pioneers of visual search technology”, Vuestar Technologies started issuing invoices to various SME (small/medium enterprise) website owners demanding annual fees from S$500 to S$10,000. It is such a blatant act of bullying: the company stated that it is not going after government agencies and the big boys. Vuestar’s patent, tagged under publication number 95940, appears also to have been granted in Australia, New Zealand and the United States. The company’s website shows no business-related activities other than requesting people to pay for its license. Local lawyers urge clients to exercise caution and seek legal advice before reaching any settlement with the claiming firm.

This scene is very similar to the domain squatters back in the 90s. However, patent squatters are more aggressive, and they like to use loopholes in current patent systems to obtain greater financial gains. But this also makes people ponder how these patent squatters managed to get their applications accepted in the first place.

Links: http://en.wikipedia.org/wiki/Vuestar_Technologies


Eve-online Client Source Code Leaked, but “No Risk” According to CCP

Posted in /etc/IT_security/news, /home/MMORPG on May 19th, 2008 by Rick Zhong

Crowd Control Productions (CCP) has had its EVE Online client code hacked and mass-distributed via torrent. Here is the official CCP statement on the incident:

We are aware that an individual claims to have access to the source code of the EVE client, but this access is not a security risk to CCP or our customers in any way. The Python scripting language that is used by the client can be easily decompiled to generate readable code, and we have designed our server-side systems with that understanding. Therefore, there is no reason to believe that the code was leaked by an employee and our internal investigations confirm that.

Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers’ billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to or from the EVE system.

Nothing the EVE client can do can affect the game state; a manipulated EVE client cannot affect the server; no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP. Hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP’s web site.

Finally, there have been no mass bannings, as reported in some news articles, though we do remove all message board posts regarding violations of our EULA and Terms of Service as per standard policy and procedures. We consider any alterations of the client software, including decompilation, or discussions thereof, to represent such a violation.

Let’s just cross our fingers and pray that EVE Online was truly developed with server-side security in mind and follows the principle of “whatever the client side submits is unreliable”.


2008 Credit Card Issuers’ Identity Safety Scores

Posted in /etc/IT_security/news on May 13th, 2008 by Rick Zhong

This is the newest ranking report by Javelin Strategy & Research on US-based credit card issuers’ protection of customer identity and their fight against various credit card fraud cases. The 25 top US credit card issuers were evaluated on the criteria of Prevention, Detection and Resolution. Here are the results:

Credit Card Issuers 2008

Based on the information in Javelin’s report preview brochure, banks generally did well in the Resolution aspect, while Detection is still the weakest link. This again reminds credit card users to be proactive in identifying potential fraud cases instead of waiting for their banks to notice. On the other hand, it will be interesting to know what detection mechanisms are currently used and whether innovative products such as an automated credit card account fraud detection system (something like an IDS in network security) will come onto the market.


I am an EVE-online player.

Posted in /home/MMORPG on May 4th, 2008 by Rick Zhong

I can consider this my first MMORPG game for which I really pay and play. I have touched quite a number of MMORPG games before, but most of the time I was just trying out the game and usually would dump it after the trial period. But EVE Online is different, and it has all the factors which attract me and keep me hooked: futuristic Sci-Fi, stars, planets, spaceships, weapons, equipment, fleet fighting, fabulous graphics, strategic planning, etc. Those are the things I have loved from a young age, and EVE Online has them all. My char in Eve :)

My character in Eve-online

People, Process and Technology (Again)

Posted in /root/IT Management, /tmp/others, /var/rant on May 4th, 2008 by Rick Zhong

These three terms (let’s use the short form “PPT”) are very popular among InfoSec folks nowadays. They were mentioned in at least 4 of the conferences I attended last week. If my memory doesn’t fail me, my first encounter with the usage of these three terms in the InfoSec arena was 5 years ago. I was attending a certified information security practitioner course conducted by a Singapore-based institute. (I was sponsored for winning an online hacking competition :D) I can still remember that the DBS internet banking fraud was used as an illustration of a vulnerability in a business process.

I guess no one will try to argue against the validity of PPT in InfoSec, because there are plenty of examples illustrating failed attempts to solve InfoSec problems with isolated approaches. Among the conferences I attended last week, one was about Vulnerability Management, one about Enterprise Security Practices, one about IT Governance and another about Technology Innovation in Banking.

In the VM talk, the idea of staged gap analysis from the PPT aspects is a good structured approach besides the usual PPT-oriented vulnerability remediation. The Enterprise Security talk was not very interesting except for the analysis of the impact of Web 2.0 (or Enterprise 2.0, the usage of Web 2.0 in an enterprise environment). The speaker from the IT Governance talk listed a few obstacles and hurdles encountered from the PPT aspects when pushing information security to the LOB (Lines of Business). I liked this one very much because this guy showed that he had hands-on practical experience instead of just big talk, and I can actually relate my current challenges in my workplace to his examples.

I will write more about technology innovation in banking in separate posts, because this is the newest portfolio I have taken up and I am really excited about this global initiative in my workplace. Again, we can always use PPT to draft a structured approach to doing innovation, but where is the fun when everything is structured?
