Archive for August 2008

Bad hard drive? Don't let Apple take your data!

Posted by: Tom

A very sad mac for security reasons

So the hard drive on my wife's one year old MacBook has officially started to kick the bucket. Random crashes, slow performance and lots of errors like this in the system log:

disk0s2: 0xe0030005 (UNDEFINED).

Yup, we have bad blocks...all indicating imminent drive "FAIL". I have AppleCare on the MacBook so I called them up and explained the situation. Surprisingly, they didn't give me a hard time. In the past I have had problems with other computer manufacturers (ummm...Dell) in which I would have to argue with the guy/gal on the other end of the phone that the drive was "really bad" and that I didn't need to spend hours on the phone with them troubleshooting. So far so good with Apple, right?

So I am finishing up the call and the tech is explaining how Apple will ship me a box to send the MacBook back to them for repair. Apparently, they don't do self-service hard drive swaps anymore. Weird, since it's easy to replace a hard drive on a MacBook. Anyway, the rest of the conversation went something like this...

Apple guy: "Sir, do you have a password set on your MacBook?"
Me: "Yes. Why do you need that?"
Apple guy: "The techs need it to replace your hard drive."
Me: "Huh? Why do you need my password to replace a bad hard drive? Just pull the old drive out and put the new one in."
Apple guy: "Sorry sir. That's the procedure."
Me: "What if I don't give you the password?"
Apple guy: "Then we can't repair your laptop."
Me: "grrrr...fine...here is my password...ready? a-p-p-l-e-s-e-c-u-r-i-t-y-F-A-I-L"
Apple guy: "Thank you sir. You will have your shipment box in 24 hours."

So for every bad hard drive that comes into the Apple repair center they log in to verify that the drive is bad? What do they do with all the drives like mine that are still functional but have bad blocks? Can Apple guarantee that there are no shady people working in the repair center wanting to steal my personal information? What happens to the data? The sad mac fact (note the "sad mac" picture above) is that no one knows!

I did some research on this and apparently Apple doesn't care too much about your personal data. Dave Winer wrote about this extensively and notes the same problem. The Apple repair "terms and conditions" only state that your information is protected in accordance with the "Apple Customer Privacy Policy" and that you agree Apple can use your data to perform its "service obligations". It's also interesting to note that the Apple privacy web site, under the AppleCare Repair Agreement, states the following:

"You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People’s Republic of China or the U.S."

Huh? People's Republic of China? That's nice. I couldn't find any reference noting what Apple does with your personal "hard drive" data. They only mention your name, address, things you purchased, etc...

So what am I going to do about this? I'm going to completely wipe the drive (Darik's Boot And Nuke is my favorite disk destruction utility) before sending it back to Apple just to see what happens. I have my doubts that they will actually log in to the MacBook to see if the drive is bad. Let's see if I get the drive replaced or not...I'm betting it will be replaced, no problem.

Sure, Apple is not the only company doing this with hard drives. This is a problem that needs to be addressed by all computer vendors. What they do with your data should, at a minimum, be disclosed in their repair and/or privacy policy. In the meantime, encrypt your sensitive data (TrueCrypt works well) and securely remove any data you don't want people servicing your computer to see. I'll keep you updated on the repair status... :-)
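The "securely remove" step deserves a check as well as a tool. The example below is added here and is not from the original post, from DBAN or from TrueCrypt: it overwrites a file in place (random data, then zeros, with fsync after each pass) and then scans the file to confirm the original bytes are gone. The functions `wipe_in_place`, `contains_marker` and `demo`, the temporary "disk image" and the marker string are all constructed for the demonstration.

```python
"""Overwrite a file's contents in place, then confirm the original bytes
are no longer readable through the filesystem.

Added example (not from the original post, DBAN or TrueCrypt). DBAN
overwrites every sector of a whole device from outside the installed OS,
which a script running inside that OS cannot do; this shows the same
overwrite-then-verify idea on a single file. The marker string and the
temporary "disk image" below are constructed for the demonstration.
"""
import os
import tempfile

CHUNK = 64 * 1024


def wipe_in_place(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path`: random data on the early passes,
    zeros on the last one. Returns the number of bytes overwritten per pass.

    The file is opened r+b so the existing blocks are rewritten rather
    than a fresh file being created next to the old (still intact) one.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                last_pass = pass_no == passes - 1
                fh.write(b"\x00" * n if last_pass else os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite past the page cache
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Scan the file for `marker`, keeping a tail so a match that straddles
    two chunks is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""


def demo(marker: bytes = b"SSN 123-45-6789 (constructed sample)") -> dict:
    """Build a throwaway 'disk image' holding `marker` inside random
    filler, wipe it, and report whether the marker survived."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(os.urandom(100_000) + marker + os.urandom(100_000))
        before = contains_marker(path, marker)
        written = wipe_in_place(path)
        after = contains_marker(path, marker)
        return {"found_before": before,
                "bytes_per_pass": written,
                "found_after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. In-place overwriting only works when the filesystem really rewrites the same blocks; journaling, copy-on-write or snapshots can leave the old copy behind, which is why a whole-device wipe such as DBAN is the right tool for a machine that is leaving your hands. And on a drive that is already failing, sectors the firmware has remapped as bad are unreachable by any software overwrite, so data in those sectors stays on the platter; full-disk encryption from day one is the only defence against that.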

Are you using strong and unique passwords? You should!

Posted by: Tom

I have been following several stories of recent targeted attacks against a few high profile security professionals. Two that I was made aware of were pdp from GNUCITIZEN and Alan Shimel from StillSecure, After All These Years. pdp had his Gmail account compromised and his entire mailbox mirrored all over BitTorrent. Alan's was far worse, with his mailbox compromised, personal info released and his blog domain hijacked. Both pdp and Alan have returned to blogging after the attacks and I commend them for making such a quick comeback.

While these types of attacks are not new...it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet about how these attacks happened, but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have...do you have the same one for everything? If you are a blogger or manage a web site, think about the last time you changed the password you use for your domain registration (yeah...that was a long time ago, right?)! Add the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great...but you can still get lazy. We all have the lazy bug...especially with online forums and web sites. One idea I learned to help combat this was to have a "throwaway" password that you can easily remember (yet is still somewhat complex) for things on the web that you wouldn't care about if they were compromised. Everything else...use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point...LinkedIn has a limit of 16 (I found this out the hard way). Sure, it's a pain in the ass to use a password manager, but in the end it's well worth the extra work.
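The policy above (one throwaway password allowed, everything else long, random and unique, with site length caps respected) is easy to audit mechanically. The following is an added example and is not code from the original post or from KeePass: it generates passwords with Python's `secrets` module, reports the entropy of a given length, and audits a list of (site, password) pairs for reuse and for passwords below the minimum length. The function names `generate_password`, `entropy_bits` and `audit_vault`, the `*.example.invalid` site names and the sample vault entries are all constructed for the demonstration.

```python
"""Audit a password list for strength and reuse, and generate replacements
that fit a site's length cap.

Added example, not code from the original post or from KeePass. The vault
entries and the *.example.invalid site names are constructed.
"""
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# 94 printable ASCII characters, space excluded
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, max_length: Optional[int] = None,
                      alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn with the `secrets` module (never
    `random`). `max_length` models a site cap such as the 16-character
    limit mentioned above: ask for 20, get the most the site allows."""
    if max_length is not None:
        length = min(length, max_length)
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of `length` over `alphabet`
    (about 6.55 bits per character for the 94-symbol set)."""
    return length * math.log2(len(alphabet))


def audit_vault(entries: List[Tuple[str, str]],
                throwaway: FrozenSet[str] = frozenset(),
                min_length: int = 20) -> Dict[str, List[str]]:
    """Return {site: [reasons]} for every entry that breaks the policy:
    a password shared with another site, or one shorter than `min_length`.
    Sites in `throwaway` may share one deliberately memorable password
    with each other, but never with a site outside that set."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, password in entries:
        sites_by_password[password].append(site)

    findings: Dict[str, List[str]] = {}
    for site, password in entries:
        reasons = []
        shared = sites_by_password[password]
        if len(shared) > 1 and not all(s in throwaway for s in shared):
            reasons.append("reused on %d sites" % len(shared))
        if site not in throwaway and len(password) < min_length:
            reasons.append("shorter than %d characters" % min_length)
        if reasons:
            findings[site] = reasons
    return findings


# Constructed sample vault: one good entry, one short password reused on
# two accounts that matter, and a throwaway password shared by two forums.
THROWAWAY_SITES = frozenset({"forum1.example.invalid", "forum2.example.invalid"})
SAMPLE_VAULT = [
    ("bank.example.invalid", generate_password(24)),
    ("registrar.example.invalid", "Summer2006!"),
    ("webmail.example.invalid", "Summer2006!"),
    ("forum1.example.invalid", "throwaway-Pa55"),
    ("forum2.example.invalid", "throwaway-Pa55"),
]

if __name__ == "__main__":
    for site, reasons in audit_vault(SAMPLE_VAULT, THROWAWAY_SITES).items():
        print(site, "->", "; ".join(reasons))
    print("replacement for the registrar:", generate_password(20))
    print("entropy of a 16-char password: %.1f bits" % entropy_bits(16))
```

The audit deliberately reports sites, not the passwords themselves, so its output can be pasted into a ticket or a chat without leaking anything. Note that the reuse check treats the two forums as acceptable only because every site sharing that password is on the throwaway list; the moment the same password shows up on the registrar, both entries are flagged.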

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OSes (and a BlackBerry)...KeePass is the only one I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add the fact that it's free...it's tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it's a good time to change those passwords to something complex and unique. Don't forget to use a password manager to help you out!

Black Hat/Defcon 16 Recap from Vegas

Posted by: Tom

I am on my way back from Black Hat and Defcon 16 in Las Vegas with a three-hour flight delay, so this is probably a good time to write up the week.

To start off...this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowing with business cards! I got lots of opportunities not only to meet some of the people I admire in the security industry but also to network with a great many others I had just met. There were some really good parties (umm..networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person, which was really cool. Thanks to @quine for organizing this event!

I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to "live tweet" the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0).

Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest (the first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon on just enjoying the contests and meeting new friends. I absolutely love Defcon. It's the greatest meetup of the good, the bad, and everyone in between.

One talk that was a highlight for me was Jay Beale's talk on "Owning the users with the Middler". I interviewed Jay on the Security Justice podcast about a week ago, where he talked about the tool. Jay's talk was packed! Standing room only (goons were sent in for crowd control). He did a good job even though he couldn't finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it!

Speaking of goons...I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a "f***ton" of people! Oh, and the badges were pretty cool as well...once I waited in a long line for mine on day 2. The badge is actually a TV-B-Gone...I could turn the TV in my hotel room on and off with the badge. Neat!

Speaking of podcasts...I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I'll post a link if it is.

Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.

It looks like my plane just arrived...I hope to post more stuff on Black Hat/Defcon in the coming days.

Talks to attend at Black Hat USA '08

Posted by: Tom

I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG's over at Carnal0wnage). Here is my tentative list of talks I plan on attending:

August 6th
10:00 to 11:00
Nmap: Scanning the Internet - Fyodor Vaskovich

If you're a penetration tester, don't miss this one...Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so...the man has stalkers! ;-) ) and I'm looking forward to hearing about new and unique ways to use Nmap.

11:15 to 12:30
Black Ops 2008: It's The End Of The Cache As We Know It - Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan's talks) but well worth attending.

13:45 to 15:00
Client-side Security - Petko D. Petkov

Another not-to-miss talk in my book. Petko, better known as pdp, heads up GNUCITIZEN, which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and is always on the cutting edge. As a bonus, it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities - Andrew Lindell

This one should be different. I recently started gaining an interest in Bluetooth vulnerabilities. Andrew will "show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long". Sounds interesting.

16:45 to 18:00
MetaPost Exploitation - Val Smith

This is one I am really looking forward to, and it's one just for penetration testers. I saw Val Smith and HD Moore present last year on "Tactical Exploitation" and it was outstanding.

After hours...
The Pwnie Awards 2008

If I'm not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks - Shawn Moyer and Nathan Hamiel

I was torn between this one and "Encoded, Layered and Transcoded Syntax Attacks". However, I am really on a social network security kick as of late, so I think I will attend this one. If it is lame, I'll jump into the other talk.

11:15 to 12:30
Threats to the 2008 Presidential Election (and more) - Oliver Friedrichs

While not pentest specific...this one looks pretty interesting. The synopsis notes the following: "...we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election." Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans - Lukas Grunwald

The "infection proxy" demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker...with the amount of technical detail she usually covers...it's tough to keep up.

15:15 to 16:30
...Continuing "Hacking and Injecting Federal Trojans". If it seems to suck, I'll be at the following:

The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation - Nathan McFeters, John Heasman, Rob Carter

or...

Get Rich or Die Trying - Making Money on the Web, the Black Hat Way - Jeremiah Grossman, Arian Evans

I can't decide between these two, perhaps I will attempt to see a little of both! :-)

16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents - Bruce Dang

We have all seen a rise in this type of attack over the last year. It's true...there isn't a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what's behind them and helps introduce some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even...it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I'll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter...or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I'll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 "talks to attend" post in the next few days.