RIP - Dennis Ritchie (1941-2011)
Posted in /etc/IT_security/news, /home/open-source on October 17th, 2011 by Rick Zhong

#include <stdio.h>

int main(void)
{
    printf("Goodbye World\n");
    return 0;
}
Recently the security industry has become more and more exciting and “cool”, with various 007-style secret operations.
“Operation Dynamaphone” - Aug 3, a two-day operation by UK and Ireland police to crack down on a group of six individuals for pilfering funds from 10000 online banking accounts through phishing emails.
“Operation Pin Pad” - April 16 2010 Brazil PoS (Point-of-Sale) Hack
“Operation b49” - Feb 2010. A coordinated effort to take down the Waledac botnet by Microsoft, along with supporting experts from Shadowserver, the University of Washington, Symantec and others.
“Operation Aurora” - Quote from wiki
Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.
The attack was named “Operation Aurora” by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. “We believe the name was the internal name the attacker(s) gave to this operation,” McAfee Chief Technology Officer George Kurtz said in a blog post.
“Operation Bot Roast” - June 2007 - An initiative from the FBI to track down botnet owners; subsequently a number of high-profile charges were made against botnet owners globally.
Some advice from the Heartland Payment CTO after the largest credit card data breach in history - link from Bank Systems and Technology - http://www.banktech.com/blog/archives/2009/10/heartland_calls.html?cid=nl_bnk_daily
Heartland Calls for End-to-End Encryption, Cooperation to Prevent Data Breaches
In an era when newsletters from vendors are almost the equivalent of spam emails, I am pleasantly surprised by the content of the Microsoft Security Newsletter - at least for this issue, volume 6, issue 10.
First of all it is of the right length, no chunky huge paragraphs, and with proper links - it is an absolute turn-off when you see something interesting and yet no links or, even worse, the content is for restricted groups. Next, related articles give the interested reader a full picture of the tools and their relevant usage - for example, BinScope is introduced in this newsletter together with a how-to article (BinScope Binary Analyzer and Security Tip of the Month: Using BinScope Binary Analyzer to Improve Code Security). In the Business Security section, Andreas Wuchner speaks out the exact thought in my mind in “What I Look for When Hiring IT Security Staff”. It is a short, precise and very accurate summary of the reality of hiring IT security staff.
This is the 2nd time in the week I have been impressed by Microsoft (the first one was the Microsoft Security Development Lifecycle blog). Probably it’s time to get a copy of Windows 7 ..LOL
I have to admit that recent malware like Storm and Conficker has really impressed me - the various top-notch feature implementations and the strong skills and knowledge demonstrated. If you still think malware developers are a bunch who only know how to package published vulnerability POCs and insert the payloads into out-dated templates, you are probably still living in the pre-2004 era. Yeah, that’s not very long ago, but long enough for the information security industry to get rid of a bunch of old concepts and ideas.. Here is the original description from SRI about the Conficker worm - Conficker Write-up .
One of the quoted paragraphs from this write-up really sends a chill down the spine of most infosec folks.
“Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”
While we - the infosec folks - are happily talking about nice-looking process, management, frameworks etc., indulging ourselves in various fanciful security solutions which are full of marketing hoohahs, we seem to forget about the fundamentals. Probably we need some form of wake-up call - before it is too late.
Nokia ‘curse of silence’ SMS details have been released by Tobias Engel. It is a simple SMS like ‘123456789@123456789.1234567890123’ sent in email format from most mobiles. Once you receive this SMS on your vulnerable Nokia smartphone (most Symbian S60s), it’s a gone case. A factory reset is required.
Exploit details:
http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt
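As an added example (not part of the original post or of Tobias Engel's advisory), here is a small message-triage filter of the kind a carrier gateway or mail-to-SMS bridge could run: it parses the leading address of an email-format SMS body and quarantines messages whose address is unusually long, which is the shape of the message described above. The length threshold MAX_SAFE_ADDRESS_LEN and the helper names are assumptions made for this illustration; the sample messages are constructed.

```python
import re

# Constructed sample with the same shape as the message quoted in the post above.
CURSE_SAMPLE = "123456789@123456789.1234567890123 hello"

# Assumption for this example: treat any address longer than this as abnormal.
# The linked advisory is the authority for the real limit on affected handsets;
# the value here is configurable and not taken from the page.
MAX_SAFE_ADDRESS_LEN = 32

# An email-format SMS body starts with the address, then whitespace, then the text.
EMAIL_PREFIX = re.compile(r"^\s*([^\s@]+@[^\s@]+)(?:\s|$)")


def parse_email_address(body):
    """Return the leading email address of an email-format SMS body, or None
    when the body does not start with an address."""
    m = EMAIL_PREFIX.match(body)
    return m.group(1) if m else None


def is_suspicious(body, limit=MAX_SAFE_ADDRESS_LEN):
    """True when the body carries an email address longer than `limit`."""
    addr = parse_email_address(body)
    return addr is not None and len(addr) > limit


def triage(messages, limit=MAX_SAFE_ADDRESS_LEN):
    """Split (sender, body) pairs into (delivered, quarantined) lists.

    Quarantined entries keep the offending address length so an operator can
    see why a message was held back."""
    delivered, quarantined = [], []
    for sender, body in messages:
        if is_suspicious(body, limit):
            addr = parse_email_address(body)
            quarantined.append((sender, body, len(addr)))
        else:
            delivered.append((sender, body))
    return delivered, quarantined


# Constructed batch: one ordinary text, one normal email-format SMS, one oversized address.
SAMPLE_BATCH = [
    ("+15550001", "see you at 8"),
    ("+15550002", "bob@example.com lunch tomorrow?"),
    ("+15550003", CURSE_SAMPLE),
]

if __name__ == "__main__":
    ok, held = triage(SAMPLE_BATCH)
    print("delivered:", len(ok), "quarantined:", len(held))
    for sender, _, length in held:
        print(f"held message from {sender}: address length {length}")
```

The filter only looks at the textual body; a production gateway would also key on the protocol identifier that marks the SMS as email-format, which the advisory describes and this example does not model.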
I just read an article, “Confessions of a Risk Manager”, from economist.com. It is recommended by a featured blog post, “Risk Managers Are Just Like Security People”, on securityfocus.com. The article truly and vividly describes the kind of difficulties and dilemmas encountered by a Risk Manager, which I can very much relate to the information security folks in the financial sector. The situations are amazingly similar between information security folks and risk managers.
“In their (By Rick: the business people, mainly front line traders, bankers, sales) eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .
Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told. At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.
Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.”
Probably I shall replace all the financial terms with information security terms in this article and come out with a new version titled “Confessions of an Information Security Manager”.
Fresh from the oven !!! Wondering where our dear friend Michael managed to source these treasures …
Full Set of Blackhat 2008 Vegas Conference Presentation Slides
It’s probably the most [discussed, argued, rumoured ...] topic in the infosec field for the past few weeks. Starting from all the media hype of “largest synchronized internet security efforts”, “most serious security vulnerability” etc. and tons of speculation on what exactly is wrong, and just a couple of days ago, the security researcher Halvar Flake revealed some educated guess (exact term used by securityfocus) about this flaw and H D Moore put up a POC exploit in Metasploit as well. For geeks who need more information, there are tons of materials on various mailing lists, forums and underground articles.
But for the man on the street, why so serious? Here is an interesting video from the researcher Dan Kaminsky, who discovered this vulnerability and is going to present the details at the coming BlackHat 2008 Vegas.
Recently we have seen some rapid growth of information security topics in the virtual world, typically relating to MMORPGs, in both good and bad ways. For example, World of Warcraft is getting bank-like security while game Trojans outscore the Storm worm. It has been almost a year since I kicked off my part-time hobby research project on MMORPG security. The progress is rather slow but I am really enjoying the exploration process. It’s really amazing to witness the evolving process of all the virtual worlds. Here are a couple of MMORPG security discussion topics I have raised among the local infosecurity interest groups.
Based on the current trend, more and more MMORPGs are no longer “games”; they have become a special type of social community. There is a newly published research survey from CNNIC (China Network Information Centre). The majority of users consider the virtual world a community and have a sense of identity and belonging.
Fig 1. The meaning of an MMORPG to users
Fig 2. What are the factors of an MMORPG most valued by the users
This change in users’ perception of MMORPGs also reflects the growing importance of information protection in the virtual world and reminds the gaming industry to take it very seriously.