
Thursday, March 28, 2013

(C) BSides Austin a HUGE success and spawns additional effort - Hackers in Uganda




Two years ago I hounded the director of CODE 2600 to let the BSides Texas events (DFW, Austin and San Antonio) show his movie at our awesome Cons. He agreed, and the rest, as they say, is history.

At the BSides DFW post Con reception I had a discussion with Jeremy on the efforts of Johnny Long and Hackers for Charity and thought it would make a good documentary. Our own HFC supporter and Austinite @Spridel11 (Justin Brown) was in attendance and I introduced the two and they talked.

A short four months later, at BSides Austin's CODE 2600 showing and again the following day during the Con, Jeremy made the following announcement. Roughly stated:

'We are pleased to announce Zerchak Films and 'Hackers for Charity' have officially launched the 'Hackers in Uganda' Kickstarter to raise $15,000 to help fund a documentary of the impact and efforts of Hackers for Charity on the people and country of Uganda.'

I am proud to have been a part of this and look forward to seeing what comes out of this endeavor. We need films like CODE 2600 and 'Hackers in Uganda' in order for people to truly understand the Information Security and Hacker communities and the good we do.

Hackers are not bad, just curious, and we help people just like anyone else. We are the good of our community and help find flaws in systems before the criminal element does; we are the good guys and gals of the Information Technology community.

So PLEASE support the Kickstarter "Hackers in Uganda" effort and let's make this movie, and a difference. There is lots of good stuff you can get as part of your donation, so take a look.

Hackers in Uganda website

Hackers for Charity website


CODE 2600 website


#InfoSec #HFC #HackersinUganda

Wednesday, March 27, 2013

(W) Amazon leaking data found by one Thoughtful Hacker in July 2012




The recent press by Rapid7 on Amazon S3 buckets leaking data was first shared with me by my partner Ian. In June/July of last year he was working on a side project and shared some disturbing findings with me.

I wanted to share his findings, as Rapid7 missed something. Here are his comments to me.

"OK, here are some additional details that I didn't see touched upon. I've been keeping this one quiet within the community, but since Rapid7 broke it, might as well...

Back in June of last year I was working with an Amazon EC2 instance and something caught my eye. I made a mental note to come back and check it out. I did later and found a whopper.

In EC2 you can create additional S3 drives. When you go through that process, you can select a "public" image to use. Just by scrolling through the list, some of these looked like they shouldn't have been public. I later came back and started examining them manually. The first one I tried was pretty significant. Let's just say it was a company that has a fondness for a type of dog and the color red. 'Nuff said. There were tons of email addresses, SSH keys, and so forth all over this.

So I went to work writing a utility for scraping called Snoop.py so I could pull out and analyze more of this stuff and see what the common thread was. As you found, there is lots of stuff exposed on there that shouldn't be.

Now, here's where it gets really interesting.

I found that most, but NOT ALL, of the "public" drives were configured as "public". That is, there was a clear subset that were NOT marked as being public. And I found a really easy way of seeing this in the Amazon portal. Here's how it works. If you go to the S3 side of the house and go to the option where you can see all public images in a list, take a copy of that list. Now, go to where you would create a new drive and attach an image. Take a copy of that, and compare. Back in July through probably September, if you did this you would have a discrepancy -- you could attach to more drives that weren't yours than you could see on the public list. And, these were the most, let's say, juicy.

I let some folks know and made attempts to contact others. At some point, sometime around or after September, it seems those "extra" drives disappeared from view and things went back to normal.

Clearly people are still leaking data, but I suspect, though I have no hard proof, that there was something else wrong in the cloud."

Ian and I got sidetracked with malware work but planned to get back to it. Since Rapid7 released their info, it only seemed right to release this.

Got leaky storage?

Rapid 7 article on data leaking S3 buckets
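Two offline checks for the kind of exposure described above, added here as an example (this is not the original post's code, not Ian's Snoop.py and not Rapid7's tooling). Ian's "public drives you can attach in EC2" are, in my reading, EBS snapshots shared with the 'all' group, so the example covers that alongside the S3 side: is_public_acl() inspects a bucket ACL in the dict shape boto3's get_bucket_acl() returns, is_public_snapshot() does the same for a snapshot's createVolumePermission attribute, and parse_anonymous_listing() parses the ListBucketResult XML that an unauthenticated GET on a listable bucket returns and flags object keys that look like the SSH keys and dumps he found. The sample ACL, snapshot attribute, bucket listing and the list of sensitive file-name patterns are all constructed for this example.

```python
"""Added example: three offline checks for leaky AWS storage.
Sample data at the bottom is constructed; nothing here talks to AWS."""
import re
import xml.etree.ElementTree as ET

# The two S3 predefined groups that make an ACL grant "public" (real AWS URIs).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Object-key patterns worth pulling first when a listable bucket turns up.
# Assumed list for this example; extend it for your own hunting.
SENSITIVE_KEY_RE = re.compile(
    r"(?:^|/)(?:id_rsa|id_dsa|\.env|.*\.(?:pem|key|ppk|p12|pfx|sql|dump|bak))$",
    re.IGNORECASE,
)

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}


def is_public_acl(acl):
    """acl: dict in the shape boto3 s3.get_bucket_acl() returns.
    Returns [(who, permission), ...] for every grant that reaches outside the
    owning account; an empty list means the ACL is not public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[uri], grant.get("Permission")))
    return findings


def is_public_snapshot(attr):
    """attr: dict in the shape ec2.describe_snapshot_attribute(
    Attribute='createVolumePermission') returns. A snapshot anyone can attach
    (create a volume from) carries a permission entry with Group == 'all'."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def parse_anonymous_listing(xml_text):
    """Parse the ListBucketResult XML from an unauthenticated GET on a bucket
    and return (all_keys, keys_that_look_sensitive)."""
    root = ET.fromstring(xml_text)
    keys = [c.findtext("s3:Key", namespaces=S3_NS) for c in root.findall("s3:Contents", S3_NS)]
    return keys, [k for k in keys if SENSITIVE_KEY_RE.search(k)]


# --- constructed sample data ------------------------------------------------
SAMPLE_ACL = {  # shape of s3.get_bucket_acl(Bucket=...)
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_SNAPSHOT_ATTR = {"SnapshotId": "snap-0example", "CreateVolumePermissions": [{"Group": "all"}]}
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <Contents><Key>images/logo.png</Key><Size>1024</Size></Contents>
  <Contents><Key>backups/prod-2012-07.sql</Key><Size>90210</Size></Contents>
  <Contents><Key>deploy/id_rsa</Key><Size>1675</Size></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    for who, perm in is_public_acl(SAMPLE_ACL):
        print(f"bucket ACL grants {perm} to {who}")
    print("snapshot attachable by anyone:", is_public_snapshot(SAMPLE_SNAPSHOT_ATTR))
    keys, suspicious = parse_anonymous_listing(SAMPLE_LISTING)
    print(f"{len(keys)} keys listable, {len(suspicious)} look sensitive: {suspicious}")
```

Feed the three functions live responses (boto3 for your own account, or a plain HTTP GET on a bucket URL for the anonymous case) and the same logic applies. The point of the listing check is the one Ian and Rapid7 both made: a bucket that lists anonymously is already a finding, and the file names tell you how bad it is before you download a byte.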

#InfoSec #Amazon

Tuesday, February 5, 2013

(I) Safer Internet Day? Who knew




Ever wonder what to tell your kids about Internet safety? Do you know yourself? I would say the BEST thing you can teach them, and yourself, is to use a password manager, since passwords SUCK in general and even more so for children. Unique passwords per website are KEY! So let's start them off with a high bar and begin with password management using apps like LastPass or Password Safe with a YubiKey, because it works and is secure and easy.

Sophos article on 10 things Kids should know and do

#InfoSec #SaferInternetDay #Passwords

(I) Everyone should understand how Cyber crime works




This is a decent overview of how Cyber (drink) crime happens. You can apply it to anything the nefarious ne'er-do-wellers want to steal.
How to Rob a Bank - Cyber style
#InfoSec #CyberCrime

Enough said!




#InfoSec #ClickOnCrap

Friday, January 25, 2013

(W) Browser Plug-Ins act as Malware launchers




Ever wonder about plug-ins that are forced on you, I mean included in the install of Java, Adobe or many other applications that annoy us asking "Do you want this toolbar which has NOTHING to do with the application you're installing, possibly installed without you knowing it cuz i'm sneaky?"

This particular adware/malware uses the Ask, Bing, Weather and other browser plug-ins to launch additional files that do nefarious things. These seemingly helpful utilities actually add risk by providing an easy entry point: drop a modified, crafted support DLL that points to additional malware files and you have an infected system, a backdoor or worse.

Much like DLL injection, just dropping additional files can totally p0wn your system. Avoid miscellaneous plug-ins you don't need, refuse them when installing ANY software that offers an unrelated plug-in, and PLEASE tell the vendors "I won't use your damn product (cough cough Java, Adobe) if you continue to do this". I've had enough and am NOT going to take it anymore!!!!

SecureList Evaluation of AdWare/Malware Win32.Gamevance.hfti

#InfoSec #BadPlugIns

Thursday, January 24, 2013

(I) Hakin9 Magazine launches FREE Monthly Online Mag




Proud sponsors of BSidesAustin, Hakin9 Magazine announced today they are offering a FREE monthly InfoSec online magazine.

Check it out and sign up!

Sign up for the Magazine

Hakin9 website

#InfoSec #Hakin9

Tuesday, January 22, 2013

(I) Feb 1st - Change your password day - Gizmodo (snicker)




Hmmm a 'National Change your Password Day', would that really work?

First off, it's not your password that's bad, it's what you do with it, it's YOUR BEHAVIOR!!!!

If you have a crappy password, i.e. short (under 8 characters), and use it everywhere, then changing it won't do you any good; it will still be a crappy password.

Now a 'National Manage your Credentials Day' makes more sense. Really, October is Cyber Security Awareness Month, but let's go with it... If you resolved to improve your credential management, meaning the whole process of managing your usernames, passwords, accounts, the sites you use, etc., then that would make sense.

We need to actually start managing our credentials before changing a password will really make a difference. How many of us in IT or InfoSec have a smartphone and use 2-factor auth like the Google Authenticator app or a YubiKey? It's low, I'm sure ;-(

Start by using a password vault like LastPass or Password Safe (with YubiKey or Google Authenticator), capture all the sites and credentials you use and start managing them. Then, when some site you use gets popped (and it will), you can change your password there quickly to a good, long, random one and be safer than you are now.

I guess Gizmodo didn't learn from being popped themselves.

Gizmodo article

#InfoSec #Passwords

Monday, January 21, 2013

(I) So what do we do about Java?







With the latest Java scare, and yet another vulnerability announced right after Java 7 release 11, what do we do about Java?

Nothing!

No really - NOTHING!!!!

The Feds say remove it, articles say the Feds say to remove it... So when did a vulnerability in software require us to stop using it? We would have stopped using Windows years ago, but we can't. You can uninstall the Java runtime on your system (if you can), but the browser plug-in is all over the Internet.

Could you really remove Java? Have you ever visited a city, county, state, federal or local government website? Java is everywhere; can you really remove it? Apple solved it by flipping a switch that disables the plug-in across all Macs. How cool is that!?

Seriously though, the only thing that you need to do is CHANGE YOUR BEHAVIOR!

Oracle, since release 10, lets you disable Java directly in your browser from the Java Control Panel. But I don't do this... In many a post I have recommended NotScripts for Chrome and NoScript for Firefox. If you stop using IE and start using Chrome and Firefox with add-ons that block Java and JavaScript (which has nothing to do with Java, FYI) except when you know you need it and trust (in theory) the site, then you really do not need to do a darned thing other than change your behavior.

These Java exploits aren't going away; they will keep coming via email attachments and drive-by surfing. If you block ads with AdBlock Plus, use Web of Trust (WOT) when you search the InterWebbings to avoid known bad sites, and run NoScript and NotScripts, then you don't have to do anything except pay attention.

If you are an enterprise admin, then deploy the add-ons and train your users and of course 'Don't Click on That!'

#InfoSec

Tuesday, January 1, 2013

(I) 2012 in review - Cybercrime and Malware




Another year has passed us by and we saw more Cybercrime and the discovery of malware that went undetected for years... WTF?

What did 2012 teach us? (More importantly will we and management learn from it?). Will history of 2012 repeat itself? You betcha!

Cybercrime is here to stay, passwords suck, and advanced malware went undetected by Anti-Malware, I mean any and all of it, for YEARS!!!

We need a new way to detect malware once it strikes so that we can respond to the threat. Stop relying on Anti-Malware, for a start; it's just one of many security tools you have to reduce risk. Stop thinking you can prevent malware, you can't! Convert your mentality and processes to look for malware regularly, with new tools like the Sniper Forensics Toolkit.

I read a recent SC Magazine article on how malware has made it to POS systems. Duh! They're Windows-based with a browser; what do you think would happen? Give employees a browser to the Internet and they will infect your systems in no time flat.

SC Magazine article on Malware on POS systems

So I set out to find a Windows-based POS system with a browser... It took only my first restaurant to find one. Seriously, employees were free to surf the web on the system that takes our credit cards and our orders. Why, oh why, would you do this, POS company? And yes, I played with it... It just needed a little social engineering.

Windows based POS has a new meaning... Piece Of Sh!t

I am sure the Sniper Forensics Toolkit would work GREAT for these turn-key Windows-based POS systems, since there should be a gold image (from the vendor) that we can baseline, run a scan against and then compare to the systems in the field. Easy.

Have a speciality type of system you want to know for certain is malware free? Let me know.

2012 showed us malware is a significant concern, since it can go years undetected if a little thought and engineering goes into it. Isn't that true of ANY and ALL cybercrime and advanced malware that I talk about and Brian Krebs blogs about? Yes it is, and it IS far more common than you ever thought!!!

Good Luck in 2013!!!

V3 article on the year of security




The Sniper Forensics Toolkit

#InfoSec #malware #sniperforensicstoolkit

(W) Proof Anti-Malware is not enough - Flame, Duqu, Stuxnet




I have always said that if you rely on Anti-Virus/Anti-Malware as your sole defense against the nefarious ne'er-do-wellers of the InterWebbings, you will get p0wned! Most home users may have AV, hopefully their local operating system firewall is enabled too, and they have a DSL/cable router with firewall capabilities, but is that enough?

We have learned over the past year, from the analysis of the Flame (Flamer), Duqu and Stuxnet malware, that they went undetected so long by anti-malware software, intrusion prevention systems and other security solutions because those all use signature-based analysis.

The moral? We only can detect what we know about and all these solutions are designed to monitor what we know, not what we don't know. This is why user behavior is so important when it comes to browsing the InterWebbings.




Only YOU can prevent Forest Fires... I mean Malware, by your behavior. Use extensions for Chrome and plug-ins for Firefox to block unwanted scripting on sites you might just visit or 'drive by', as we say. Using Web of Trust (WOT) will give you an indication of links that may be bad in Google searches and on websites. NotScripts and NoScript prevent auto-loading of scripting and let you enable only the sites and content you actually need, instead of seeing all of it all the time. Using AdBlock blocks those often malware-distributing ads.

Browsers are also getting better at blocking tracking, so use those features, and avoid using Internet Explorer to browse, as it is a great browser to catch malware with. Proof is the latest MS XML 0-day that is currently out for all versions of IE.

Build your environment to protect users from themselves and make a more secure browser with extensions or plugins required for all users and get used to having them and using them all the time!

Oh yeah... It goes without saying... DON'T CLICK ON THAT... Dot com

Safe browsing in 2013

#InfoSec

Monday, November 12, 2012

(I) Sophos wins VB100 award for best Anti-Malware contest - Yeah right



I saw this article today on how Sophos Anti-Virus won the "Virus-Bulletin 100 title by detecting 100% of the viruses in Virus Bulletin's "in-the-wild" collection and not having any false alarms."
After I stopped laughing, since it was for Windows Server 2003.... Yes, it is 2012, 9 years later; but that's not the funny part.
I was just up in Dallas describing how malware we had been collecting had a whopping 3% detection rate on VirusTotal and that the industry generally accepts Anti-Malware is roughly 60% effective.
Then I saw this from Symantec...

8,000,000 users CAN be and are wrong... Detecting 25% more of 60%, or even better 25% more of our 3%, which equates to.. wait for it... 3.75%, is still pathetic.
The reality is Anti-Malware does nothing for the real malware that is being targeted at users and enterprises. The nefarious ne'er-do-wellers craft real malware to evade AV and even know what AV you are running as part of their payload delivery.
We need a new way to detect malware and we happen to have the tool!
The Sniper Forensics Toolkit
Check it out
Article from Naked Security
Sorry Chet ;-)
#InfoSec #SniperForensicsToolkit

Thursday, September 20, 2012

(W)(I) WTF Microsoft.. really? I mean SERIOUSLY????




I was sitting next to Rafal Los at ConSec 2012 and he showed me the official statement from Microsoft on their latest IE 0-Day.


Microsoft's recommendation? Make sure you keep your Anti-Virus updated.

Seriously?

With ANY flaw like this one that affects all IE versions, the ONLY prudent action to take is DO NOT USE THAT BROWSER UNTIL IT IS FIXED!!!!

The proper response from Microsoft should be "Microsoft is working diligently on the issue and will push out an update as soon as one is available, in the meantime use an alternative browser like FireFox, Chrome or Safari."

Get real Microsoft.. Anti-Virus/Anti-Malware does NOTHING for a flaw in your browser design.

Stoooopid

#InfoSec #Microsoft

Tuesday, July 24, 2012

(W)(I)(E) Why any and all Security Tools WILL fail you




If you are one of the people who believes that implementing one or more security tools will prevent, or even help protect you from, being hacked, think again. First off, an apology to all my colleagues who work for vendors, many of whom I respect, trust and admire.

IPS, IDS, File Integrity, Anti-Malware, Patching solutions, Logging solutions, VPN's, Vulnerability scanners, Pen Testing tools, Code scanners, Mobile Device Management, the list is endless.

All of us in information Security budget for serious dollars to buy all the fancy gizmos, widgets and InfoSec gadgets we are about to see at BlackHat, DefCon and BSides in Las Vegas this week. Not to mention the budget we ask for head count.

So why do security tools fail us? Because we fail at implementing them to the best of their ability, partly because the new owner/user/admin lacks knowledge of the tool and what it can and CAN'T do. Some tools just can't do what we want.. it's reality.

Most importantly, it is the failure of the vendor or person implementing the solution to understand how to apply the "real world of the organization" to the product and tweak it, if you will, to the unique things the owner will need it for.

Ask the vendors you are considering purchasing a solution from, or more importantly the person that will be implementing your next security solution this question. "What security incident did you implement this tool for and what tweaks did you have to make over the default implementation to detect, deter, monitor and alert on the incident so a similar incident would not go undetected"? I think you will be shocked by the response.

I worked for HP for many years and implemented many products, and yet I was also guilty of the "it's an engagement, installed, working, doing stuff... I'm done, bill the client, next" mentality of a vendor and consultant. Some engagements went on long enough that we did some real good; most I left wondering what would happen with the solution or effort we put forth. Would it last, or was it just to pass compliance at that moment? cough cough.. PCI.. cough.. SOX... cough....

What is lacking in every single security tool is critical thinking and practical real world application of the tool to a real world incident or event specific to YOUR environment.

The default installation of a file integrity solution will NOT catch a piece of malware being placed on your systems in many directories. Why? Because many directories, like Windows and its sub-directories, are noisy and would generate alerts up the wazoo, making the tool noisy and worthless to many. You may find it in the forensics folder, but how does one review hundreds or thousands of forensic folders? How can you tell a patch from malware when they are named the same? Where would a hacker place their malware anyway? Windows? System32? SysWOW64? ProgramData? Local? LocalLow? Temp? bin? etc.?
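A minimal gold-image baseline comparison, added here as an example (it is not the Sniper Forensics Toolkit linked elsewhere on this page and not any vendor's code); it serves this paragraph and the POS post higher up that suggests baselining field systems against the vendor's gold image. Build a manifest of path to SHA-256 from a known-good tree, then diff a field system against it. Instead of excluding the noisy directories wholesale, every added or modified file is reported, and the ones that land in the drop locations listed above are pulled out for review first. The WATCH_DIRS list, the two directory trees and their file contents are constructed for the example.

```python
"""Added example: gold-image manifest vs field-system manifest.
demo() builds two throwaway directory trees so it runs offline."""
import hashlib
import os
import tempfile

# Directories where dropped malware commonly lands (relative, case-insensitive).
# Assumed watch list taken from the directories named in the post; extend it.
WATCH_DIRS = ("windows/system32", "windows/syswow64", "programdata", "temp",
              "users/public", "appdata/local", "appdata/locallow")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def in_watch_dir(rel):
    low = rel.lower()
    return any(low.startswith(d + "/") or ("/" + d + "/") in low for d in WATCH_DIRS)


def compare(baseline, field):
    """Return added / modified / missing paths, plus the subset of added and
    modified files that sit under a watched directory (look at those first)."""
    added = sorted(p for p in field if p not in baseline)
    missing = sorted(p for p in baseline if p not in field)
    modified = sorted(p for p in field if p in baseline and field[p] != baseline[p])
    review_first = [p for p in added + modified if in_watch_dir(p)]
    return {"added": added, "modified": modified, "missing": missing,
            "review_first": review_first}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed gold image vs constructed field system in temp dirs.
    The field system has one edited config, one harmless new file and one
    new executable dropped into System32 (the one you want to see first)."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as field:
        for rel, data in [("Windows/System32/kernel32.dll", b"k32 v1"),
                          ("POS/register.exe", b"register v1"),
                          ("POS/config.ini", b"lane=1")]:
            _write(gold, rel, data)
        for rel, data in [("Windows/System32/kernel32.dll", b"k32 v1"),
                          ("POS/register.exe", b"register v1"),
                          ("POS/config.ini", b"lane=7"),
                          ("Windows/System32/svchosts.exe", b"dropper"),
                          ("POS/readme.txt", b"hello")]:
            _write(field, rel, data)
        return compare(build_manifest(gold), build_manifest(field))


if __name__ == "__main__":
    for section, paths in demo().items():
        print(f"{section}: {paths}")
```

On a real fleet the manifest comes from the vendor's gold image (or a freshly imaged unit you trust) and the comparison runs against each field system; the "patch or malware?" question in the paragraph above is then answered by whether the changed hash matches the hash in the next gold image, not by the file name.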

Have you tweaked your IPS and its alerts to detect real SA, Admin and root failures that differ from an administrator's normal pattern, or does your solution just log it as an event? What about your logging solution? If you do not have one today, you should! In fact it should be the #1 item in your budget!!! Send your syslogs, event logs and YES, even workstation logs to a central log server. If you have a log solution, have you created reports and alerts for known bad conditions? Do you know what normal administrator behavior looks like, so you even know what suspicious activity is? If you are not a log management fan.. talk to me and I will change your mind, or at least make you think seriously about the subject.
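What a tuned alert looks like once the logs are centralized, added here as an example (not the original post's code and not any log product's rule syntax). Two rules a practitioner would start from and then adjust to their own environment: R1 fires when a privileged account racks up THRESHOLD failures inside WINDOW_SECONDS, and R2 fires the first time a privileged account fails from a source that is not a known admin jump host, regardless of count, because "root from an address we never administer from" is the pattern-break the paragraph above asks about. The threshold, window, privileged-account list and jump-host list are assumed values, and the sshd-style and application-style log lines are constructed for the example; syslog lines carry no year, so one is assumed.

```python
"""Added example: two auth-failure rules over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

PRIVILEGED = {"root", "administrator", "admin", "sa"}   # assumed
KNOWN_ADMIN_SOURCES = {"10.0.0.5"}                      # assumed jump host
WINDOW_SECONDS = 60                                     # assumed
THRESHOLD = 5                                           # assumed

# Pattern 1: OpenSSH failures. Pattern 2: a generic application "login failed" line.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
APP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: login failed user=(?P<user>\S+) src=(?P<src>[\d.]+)"
)


def parse(line, year=2012):
    """Return (timestamp, user, src) for a recognised failure line, else None."""
    for rx in (SSHD_RE, APP_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["user"].lower(), m["src"]
    return None


def detect(lines):
    """Run R1 and R2 over lines in order; return the alert strings raised."""
    alerts = []
    recent = defaultdict(deque)   # user -> failure timestamps inside the window
    flagged = set()               # (user, src) pairs already reported by R2
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ts, user, src = parsed
        if user not in PRIVILEGED:
            continue              # ordinary users: keep the log, no alert
        if src not in KNOWN_ADMIN_SOURCES and (user, src) not in flagged:
            flagged.add((user, src))
            alerts.append(f"R2 {ts:%H:%M:%S} privileged account '{user}' failed from unexpected source {src}")
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) == THRESHOLD:   # fire once, when the threshold is first crossed
            alerts.append(f"R1 {ts:%H:%M:%S} {len(q)} failures for '{user}' within {WINDOW_SECONDS}s")
    return alerts


# Constructed sample: a root password-guessing run from an outside address,
# one noisy but unprivileged guess, one privileged failure from the jump host.
SAMPLE_LOG = [
    "Jul 24 10:15:01 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Jul 24 10:15:03 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51023 ssh2",
    "Jul 24 10:15:04 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.9 port 51024 ssh2",
    "Jul 24 10:15:06 web1 sshd[2213]: Failed password for root from 203.0.113.9 port 51025 ssh2",
    "Jul 24 10:15:07 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51026 ssh2",
    "Jul 24 10:15:09 web1 sshd[2215]: Failed password for root from 203.0.113.9 port 51027 ssh2",
    "Jul 24 10:30:00 db1 sqlmon: login failed user=sa src=10.0.0.5",
    "Jul 24 11:02:44 web1 sshd[2290]: Failed password for bob from 10.0.0.5 port 40000 ssh2",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The single 'sa' failure from the jump host produces nothing, which is the point: an admin fat-fingering a password is normal, and the rule only pays attention when the account, the source or the rate is outside what you have already decided is normal.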

Everyone has Anti-Malware, but does it work? Sure, it goes off for stuff it knows about, but what does it do for REAL PITA (Pain In The Ass) malware, not the annoying crap your users catch surfing and opening emails, but the 0-day, Duqu, Stuxnet, Flame type malware that there are NO signatures for? Does it even have a feature/option to detect nefarious activity by a ne'er-do-weller? What I would ask an Anti-Malware vendor would totally vary from your questions.. trust me.

This is where head count and budget come into play. Do you have people who have experienced, lived through and recovered from one or more of the REAL PITA events that all of the above would have missed in a default configuration? If not... seek out and hire one or more of us to tweak your security tools to do everything they are capable of, which product training and the vendor that installed them unfortunately do not know enough about, nor can they. I left consulting 4 years ago to get more personal ownership and live in the trenches... boy, what a learning experience that has been, but I am better for it for sure.

It is these truly experienced folks who were/are on the front lines that have the critical thinking skills you want and are after.. they are the only thing that will keep your security tools from failing you when the poop hits the fan. They are not taboo because they were involved with the major incident at XYZ Corp... they are seasoned by a real-world incident. If a candidate can convey what they learned and how they could help you improve your security posture, you have struck pay dirt, and maybe your security tools won't suck any longer...

Assuming management will budget for the head count and cares ;-)

Find me at BSidesLV or DefCon to discuss.

#InfoSec

Friday, June 29, 2012

(I) Skype Supernodes are dead...Long live thousands of Linux servers hosted by M$




Yup, Microsoft updated Skype in May to do away with the peer-hosted supernode concept, which had hijacked many a computer to relay Skype traffic.

Even more interesting is that Microsoft is using LINUX servers as the new supernodes. Hosted in their many data centers around the world, yes Linux, not Windows.... Have no fear, I am sure Microsoft will port the code to the next version of Windows Server.. Just guessing...

The importance of this change is that all those people whose computers were hijacked by the Skype supernode formula, and thus suffered performance issues, can now fix and avoid the issue by upgrading Skype to the latest version.

In addition, corporate users and administrators can relax a bit knowing supernodes will stop consuming CPU when Skype is installed on a machine that meets the supernode criteria, and we InfoSec folks will stop freaking out seeing all that traffic on a user's system.

arsTechnica article on the new Skype Supernodes

#InfoSec #Skype

Thursday, June 7, 2012

(I) How you can mitigate the LinkedIn and e-not-so-Harmony breaches -LastPass





Be aware that hackers create scripts to use compromised credentials to attempt logins to other websites; it is easy to do... Presidential candidate Mitt Romney had his email account hacked and the hackers tried the same credentials on his Dropbox account, and lo and behold, they were the same... 2 birds with one stone... Popped and pwned... And WHY password reuse is a bad, VERY bad idea! This occurred with the Gawker hack as well in late 2010.

Use the LastPass LinkedIn tool to see if your account is within the hacked credentials:

LastPass LinkedIn hacked account tool website

While checking my own LastPass vault for any threat due to the LinkedIn breach, I stumbled upon 2 bugs that I worked with LastPass to verify (one due to Firefox version 13, so don't upgrade, the other with their Security Challenge); but I also found a way to use LastPass to check and remediate your credentials when a cloud provider is breached.

First off, I am assuming, like most users, that you indeed use the same 'name@email.com' username and 'password' for multiple websites. It goes without saying that you should never use the same password for multiple websites, since most usernames these days are your email address, but many people do, so we will roll with it for this example.

I was curious in my own LastPass vault of 170+ logins if I had any username/password combos that matched my LinkedIn credentials or if any were in fact duplicates...

I recalled the LastPass Security Challenge I have blogged about before (found here)

LastPass Security Challenge website

And I recalled that it shows you sites with the same password, grouped by similar password, and nicely shows the username for each site within a grouping.

So how do you use this to check and remediate?

First: Install and use LastPass of course
Second: Run the LastPass Security Challenge by either selecting the "LastPass icon-Tool-Security Check" or by using this URL:

Third: Once the Challenge completes, scroll down to the 'Sites with similar passwords' area (there will probably be several groups, since you reuse passwords) and you will see all sites with the same password grouped together (the password is NOT visible unless you select 'Show').

Review the list(s) to see if a username (your email) from a site that was compromised (LinkedIn, eHarmony, Zappos, Gawker, etc.) matches other sites where you are using the same password. If it does... visit each site, change your password (use the LastPass generator for a unique one) and update your vault!

You can quickly go through all similar credentials and change them to hopefully something unique so you don't have this issue in the future when another service you use gets popped, and they will, bet on it!

* NOTE: LastPass ignores case and spaces in the Challenge evaluation, so some passwords may be grouped as similar when they could be very different. They do this since some sites convert to one case and strip spaces.
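The same procedure as a script, added here as an example (this is not LastPass code) for anyone whose password manager can export the vault; it also serves the Safer Internet Day and Change Your Password Day posts higher on the page, which make the same reuse argument. Entries are grouped by normalised password (case folded, spaces stripped, to mirror the note above), and every site that shares a password with an account at a breached provider is listed for changing, along with the breached-site accounts themselves. The vault entries and breached-site list are constructed for the example. One caveat: an exported vault is plaintext, so run this on a machine you trust and delete the export afterwards.

```python
"""Added example: find every login to change after a provider breach,
given a vault export as a list of {site, username, password} dicts."""
from collections import defaultdict
import secrets
import string


def normalise(pw):
    """LastPass-style comparison: ignore case and whitespace."""
    return "".join(pw.split()).casefold()


def group_by_password(vault):
    """Return {normalised password: [entries]} for passwords used more than once."""
    groups = defaultdict(list)
    for e in vault:
        groups[normalise(e["password"])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def exposed_by_breach(vault, breached_sites):
    """Entries whose password is shared with an account at a breached site,
    plus the breached-site accounts themselves (those must change regardless)."""
    to_change = []
    for entries in group_by_password(vault).values():
        if any(e["site"] in breached_sites for e in entries):
            to_change.extend(entries)
    for e in vault:  # breached-site login with a unique password still rotates
        if e["site"] in breached_sites and e not in to_change:
            to_change.append(e)
    return to_change


def generate_password(length=20):
    """Replacement password: long and random, from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample vault. Note "Summer2012" and "summer 2012" group together
# under the normalisation, exactly the false-positive the note above warns of.
VAULT = [
    {"site": "linkedin.com", "username": "me@example.com", "password": "Summer2012"},
    {"site": "bank.example", "username": "me@example.com", "password": "summer 2012"},
    {"site": "forum.example", "username": "me@example.com", "password": "Summer2012"},
    {"site": "eharmony.com", "username": "me@example.com", "password": "lonelyheart"},
    {"site": "work.example", "username": "me", "password": "c0rrect-h0rse-battery"},
]
BREACHED = {"linkedin.com", "eharmony.com"}

if __name__ == "__main__":
    for e in exposed_by_breach(VAULT, BREACHED):
        print(f"change {e['site']} ({e['username']}) -> suggested {generate_password()}")
```

The output is the to-do list the Security Challenge gives you by hand: every site in the LinkedIn group plus the eHarmony login, and nothing for the work account that already has its own password.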

Again, LastPass rocks! And it lets you quickly remediate any username/password issues you might have after a breach of a cloud provider you use!

Want to know if an email address you use has a known password from one of the many breaches? Check it using the following website:

Pwned List website

Put in your email(s) and see if it shows up.. If so, you have a LOT of passwords that need changing.

#InfoSec #LastPass

Wednesday, June 6, 2012

(W) Chase banking users beware !!!



I recently received the following email and told my brother-in-law NOT to act on it, as banks like Chase would NEVER send a generic email with cryptic links... Or would they?


I had my bro-in-law go into a local Chase branch and ask the manager about it to verify it. Turns out the bank manager had never seen such an email either.
It was a notification from the Adeptra fraud prevention service used by Chase, informing my bro-in-law that his debit card (yup.. debit) had been used to purchase computer equipment in Honduras, of all places, and asking him to approve the purchase or report it as fraud.

Really Chase and Adeptra, I mean REALLY ??? WTF !

He did call Chase after my warning, and indeed it was fraud; he was a victim of card skimming, as Brian Krebs writes so much about. His debit card number was skimmed somewhere and then used for nefarious charges by Honduran ne'er-do-wellers. He cancelled his card and got a refund very quickly. Remember, debit cards, unlike credit cards, are linked directly to your checking account! If you get skimmed you might have an issue paying your mortgage and car payment before your case is resolved, and you only have a few days to detect the fraud or the bank might not believe you.

Banks should NEVER send this type of email with links or telephone numbers. Rather, they should tell you to call or visit your local branch (a number you should already know) and ask to be transferred to the fraud department: no email link, no telephone number, just URGENT - CONTACT US!!!

There are lawsuits over wire transfer fraud where affected bank customers felt their bank's communication methods had conditioned them to click on links in emails. This IS and always WILL BE a very BAD practice. Financial and health organizations should never do this in emails.

Remember these Tips when using your Debit/ATM card.

1. When you use your debit card on an outdoor device, a portable ATM or one in a bad part of town... bad things can happen.
2. Be careful when you use your Debit Card and NEVER let it leave your sight when used, preferably never let it leave your hand.
3. If you need cash.. Go to a WalMart or Grocery store and buy a pack of gum and get Cash Back. These units are less likely (not impossible) to be modified with skimmers.
4. Contact your financial institution if you ever get an email with links to verify it is REAL.

Brian Krebs BLOG on Skimmers

#InfoSec #Fraud #Skimming

(I) Funny video on what people think about Computer Security




I laughed my pASSword off watching this. Describe Computer Security in one word...

Hilarious... maybe not so much after the LinkedIn breach.

YouTube video on describing Computer Security

#InfoSec

(W) Warning - LinkedIn Hacked ! Change your password NOW




Well, yet another large cloud service provider has fallen, and 6.5 million password hashes have been popped, as we say.

If you use the email address and password for your LinkedIn account on other websites... you may be in for some compromised accounts in the near future... Change all web logins you have that use the same email and password as LinkedIn immediately!!!

Graham Cluley from Naked Security gave a nice summary of how to change your LinkedIn password:

Naked Security Blog on Changing LinkedIn password

Why is this a problem ?

Most users of Internet cloud services reuse the same password for multiple websites, if not most or all websites. In late 2010 Gawker was popped and their user credential database taken. Providers like Facebook, Twitter, Hotmail, Yahoo, Google, LinkedIn and others locked or reset the accounts of their users that were found in the Gawker breach data, because they know, like we do in InfoSec, that people reuse passwords across the InterWebbings, and these providers did not want a massive user account compromise to deal with.

Time will tell if the LinkedIn breach results in the same account lockout across the net, it should as those of us with LinkedIn accounts, CLEARLY use all the InterWebbings has to offer.

Want to protect yourself from this type of breach? Use a password manager solution like LastPass. Let LastPass remember your logins and use the password generator LastPass offers to create ridiculously good passwords. You now need only remember your master password to gain access to your vault, and thus all your logins... and don't forget to add Google Authenticator or a YubiKey for 2-factor authentication to further protect your vault from nefarious ne'er-do-wellers. The Google Authenticator app is free, and a YubiKey is an inexpensive hardware token.

LastPass website

More on the LinkedIn breach HERE

More details about the LinkedIn hashes

#InfoSec #LinkedIn #Breach

Thursday, May 24, 2012

(W) House Key in your Smartphone Yikes !!!!







Ever wish your smartphone could open the door to your house? I just watched Shark Tank and this was one of the products: a lock for your home with technology (via Bluetooth) that, when your phone is in close proximity, unlocks your door when you press a button on the lock.

We all love gadgets and using your iPhone, Droid or Crackberry to open your house seems like a cool idea.... Or is it?

First question... How many of you have your home address in your phone for a contact card to be used with Bump for example on the iPhone?

Second question... If I steal your phone will you be worried I can unlock your house?

Know this first before you answer... By looking at the lock on your front door, I know you have this type of lock, because it has two buttons to lock and unlock the door.

Afraid yet?

Smartphone, DumbApps, as Dan Cornell says in one of his many entertaining InfoSec presentations. This application must send a command sequence via Bluetooth to your door lock in a secure manner... What if the developers don't consider that security researchers know how to sniff BT traffic? What if they use just a PIN or code to open the lock? Or send it in the clear instead of encrypting it, since encryption adds $$$ to the lock, which then needs a processor and battery to decrypt it all? What if they forget to do this?

Afraid yet?

I reviewed a similar solution years ago for a large customer service entity looking to add features to their service to break into the home market. The solution is now available from Schlage at Home Depot. What I found with the first gen of this solution was that the code sent to each home over the service, in this case the Internet, was the same code for every house, so I was able to turn the lights on and off in the pilot users' homes... They were not happy this could be done and killed the project... Let's hope Schlage corrected the issues I found...

Now would you use UniKey?

The potential of what could go wrong with this solution is scary, VERY scary!

The reason keyless entry for cars works is that the ring of keys doesn't carry the license plate and location of the car if you were to find or steal the keys. Your smartphone has your home address in most cases, so you know exactly what the key belongs to and where it fits.

Knowing that all I would need to gain entry into your home is to steal your phone, or reverse engineer the solution as we did with the key card exploit, there is not much you could do. Worse.. people often leave their phones in their cars to run into a store, go to a movie, the hospital and various other businesses, or for situations like the beach, volleyball, softball, etc., where we leave our phones in our cars so we don't lose them.
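The two failure modes raised above (a fixed code sent in the clear, and the same code for every house) next to the cheap fix, as an added example; this is illustrative code of mine and not UniKey's or Schlage's protocol, which the post does not describe. StaticLock accepts a fixed code, so one captured message reopens it forever. ChallengeLock issues a fresh random nonce and accepts only an HMAC of that nonce under a per-lock key, so a captured exchange is useless afterwards, and a phone keyed for house A cannot answer house B's challenge unless the vendor shipped every lock with the same key. The "Bluetooth link" is a list the eavesdropper records messages into; the key lengths and the 16-byte nonce are assumed values.

```python
"""Added example: static unlock code vs nonce-based challenge-response."""
import hashlib
import hmac
import secrets


class StaticLock:
    """The weak design: the same code every time, sent in the clear."""
    def __init__(self, code):
        self._code = code

    def unlock(self, message):
        # constant-time compare, but the secret itself never changes
        return hmac.compare_digest(message, self._code)


class ChallengeLock:
    """Challenge-response under a per-lock secret the phone also holds."""
    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)   # fresh nonce per attempt
        return self._pending

    def unlock(self, response):
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None                      # one response per challenge
        return hmac.compare_digest(response, expected)


def phone_respond(key, nonce):
    """What the phone app sends back for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def static_scenario(link):
    """Owner unlocks once; the eavesdropper replays what went over the link.
    Returns (owner_opened, attacker_opened)."""
    lock = StaticLock(b"1234")
    link.append(b"1234")                          # sniffed from the owner's phone
    owner_ok = lock.unlock(link[-1])
    attacker_ok = lock.unlock(link[-1])           # replay
    return owner_ok, attacker_ok


def challenge_scenario(link):
    """Same eavesdropper against challenge-response."""
    key = secrets.token_bytes(32)
    lock = ChallengeLock(key)
    nonce = lock.challenge()
    resp = phone_respond(key, nonce)
    link.append((nonce, resp))                    # sniffed exchange
    owner_ok = lock.unlock(resp)
    lock.challenge()                              # attacker triggers a new challenge
    attacker_ok = lock.unlock(link[-1][1])        # replays the old response
    return owner_ok, attacker_ok


def shared_key_scenario():
    """The 'same code for every house' failure. Returns
    (house A's phone opens house B with a vendor-wide key,
     house A's phone opens house B with per-lock keys)."""
    vendor_wide = secrets.token_bytes(32)
    lock_b = ChallengeLock(vendor_wide)
    opens_shared = lock_b.unlock(phone_respond(vendor_wide, lock_b.challenge()))

    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    lock_b = ChallengeLock(key_b)
    opens_distinct = lock_b.unlock(phone_respond(key_a, lock_b.challenge()))
    return opens_shared, opens_distinct


if __name__ == "__main__":
    print("static code   (owner, attacker):", static_scenario([]))
    print("challenge/resp(owner, attacker):", challenge_scenario([]))
    print("shared key vs per-lock key      :", shared_key_scenario())
```

None of this helps if the phone itself is stolen with the key on it, which is the point the post makes about house addresses; challenge-response only closes the sniff-and-replay and one-key-for-all holes, and a stolen phone still needs a PIN or a revocation path at the lock.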

And what about kids? How many have lost their phones?

I will be contacting them to share my thoughts and warn the sharks about their investment risk...

Stay tuned.

UniKey website

#InfoSec

Thursday, May 3, 2012

BSidesAustin is over, but BSidesDFW coming Nov 2012




Well, BSidesAustin 2012 is over and it was GREAT! We had 2 days of talks, presentations, discussions and panels. Lots was learned, and a gr33nh0rn was even elevated to beginner by winning the CTF badge challenge.

As we collect speaker presentations, pictures and video we will post them on the BSidesTexas website, so watch for them.

It was a blast and we look forward to 2013! Watch for announcements in the next few months!!!!

BSidesTexas website

#InfoSec