I am on my way back from Black Hat and Defcon 16 in Las Vegas with a three hour delayed flight so this is probably a good time to talk about Black Hat and Defcon 16.

To start off...this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowed with business cards! I got lots of opportunities to not only meet some of the people that I admire in the security industry but also had a chance to network with a great many others that I just met. There were some really good parties (umm..networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person which was really cool. Thanks to @quine for organizing this event!

I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to "live tweet" the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0). Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest...(first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon just enjoying the contests and meeting new friends. I absolutely love Defcon. It's the greatest meetup of the good, bad, and everyone in between. One talk that was a highlight for me was Jay Beale's talk on "Owning the users with the Middler". I interviewed Jay on the Security Justice podcast about a week ago where he talked about the tool. Jay's talk was packed! Standing room only (goons were sent in to crowd control). He did a good job even though he couldn't finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it! Speaking of goons...I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a "f***ton" of people! Oh, and the badges were pretty cool as well...once I waited in a long line for mine on day 2. The badge is actually a "tv-b-gone"...I could turn the TV on and off in my hotel room with the badge. Neat!

Speaking of podcasts...I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I'll post a link if it is.

Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.

It looks like my plane just arrived...I hope to post more stuff on Black Hat/Defcon in the coming days.

I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG's over at Carnal0wnage). Here is my tentative list of talks I plan on attending:

August 6th
10:00 to 11:00
Nmap: Scanning the Internet - Fyodor Vaskovich

If your a penetration tester, don't miss this one...Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so...the man has stalkers! ;-) ) and I'm looking forward to hear about new and unique ways to use Nmap.

11:15 to 12:30
Black Ops 2008: Its The End Of The Cache As We Know It - Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan's talks) but well worth attending.

13:45 to 15:00
Client-side Security - Petko D. Petkov

Another not to miss talk in my book. Petko or better known as pdp heads up GNUCITIZEN which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and are always on the cutting edge. As a bonus it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities - Andrew Lindell

This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will "show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long". Sounds interesting.

16:45 to 18:00
MetaPost Exploitation - Val Smith

This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on "Tactical Exploitation" and it was outstanding.

After hours...
The Pwnie Awards 2008

If I'm not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks - Shawn Moyer and Nathan Hamiel

I was tossed between this one and "Encoded, Layered and Transcoded Syntax Attacks". However, I am really on a social network security kick as of late so I think I will attend this one. If it is lame, I'll jump in the other talk.

11:15 to 12:30
Threats to the 2008 Presidential Election (and more) - Oliver Friedrichs

While not pentest specific...this one looks pretty interesting. The synopsis notes the following: "...we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election." Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans - Lukas Grunwald

The "infection proxy" demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker...with the amount of technical detail she usually covers...it's tough to keep up.

15:15 to 16:30
...Continuing "Hacking and Injecting Federal Trojans". If it seems to suck, I'll be at the following:

The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation - Nathan McFeters, John Heasman, Rob Carter

or...

Get Rich or Die Trying - Making Money on the Web, the Black Hat Way - Jeremiah Grossman, Arian Evans

I can't decide between these two, perhaps I will attempt to see a little of both! :-)

16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents - Bruce Dang

We all have seen a rise in this type of attack over the last year. It's true...there isn't a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what's behind them and help with introducing some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even...it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I'll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter...or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I'll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 "talks to attend" post in the next few days.

Yes, it's true. Presidential candidate John McCain is just now learning to use a computer. He also has said that he doesn't use email (he has staff and consultants to do that for him). So what does this say about him and how he would handle technology issues? In particular, security issues related to technology and national security. As someone who has embraced technology and social media I have some mixed feelings about this.

I guess in a way it's good to be a bit "old fashioned" but if he was to become the president don't you think that he should at least be competent with basic computer technology (like reading and responding to at least some of his email)? Perhaps we should send him a copy of this book to help him along?

Wow...I'm really on this banking kick as of late...

So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their "Online Banking Guarantee". What I found interesting was the whole scenario that played out in the commercial...

Woman: "Hey, I'm using WaMu Online Banking..."
Man: "Online Banking?? That's not safe!!"
Woman: "It's safe...I have WaMu's Online Banking Guarantee!"
Man: "Oh...cool."

(Note: this wasn't word for word but pretty close...you get the idea.)

As a security professional I find it disturbing that you would "guarantee" something (like online banking) is safe and secure without a ton of terms and conditions (I'll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use..we all know banks are regulated to provide customer safeguards...etc...So how does WaMu pull this off? Here's the deal:

"For any fraudulent or unauthorized transaction that has been initiated during an online banking session at wamu.com, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction."

Sounds good right? Here is the kicker...you as the customer have responsibilities which if you don't live up to, you get no guarantee...check these out:

"You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone."

Customer: Hard to guess password? So my dog's name isn't hard to guess?

"If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days..."

Customer: I'm on it...I never, ever procrastinate about anything!

"If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction."

Customer: My wife knows my username/password does that count? Damn...I'm getting a ton of these pop-up's on my PC...weird.

and...buried deep in the Online Services Agreement & Disclosure:

"You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software."

Thus...no guarantee. Enjoy!

Lots of buzz on the net about Blizzard (creators of World of Warcraft) offering a $6.50 two-factor authentication token for customers that want an extra layer of protection for their account. Yes, if you didn't know account theft in WoW is on the rise! I commend Blizzard for taking this extra step to help protect their customers...sure two-factor authentication isn't perfect, but regardless it's a step in the right direction.

So why don't more banks and financial institutions set this up for their customers? PayPal was able to do it right (not perfectly, but close)? It comes down to customer support and cost. One of the many ways a bank or financial institution makes money is by offering products that are user friendly and can be used by just about anyone. For someone using a two-factor authentication token with some technical skill it's a cake walk...unfortunately, the average bank user (think about your mom or the person in your family with the least amount of technical skill...yes, the one that calls you to fix their computer...) will most likely be confused as how to use the device and that will be a call to the bank's customer support center (calls cost $$) and lets not forget about the back end infrastructure (servers and IT staff cost $$) and all the additional red tape the institution has in regards to advertising and putting a friendly spin on it to customers.

Martin McKeay and Michael Santarcangelo on the Network Security Podcast (Episode 110) had some good discussion about this. In a nut shell the conversation was about how banks offer many different easy to use services and tying a two-factor solution to all of these products is just not worth the cost, time and effort (except for high wealth customers). Also, what happens when you have multiple accounts at multiple banks? Do you carry around multiple tokens? My opinion? Until there is something easier to use and more secure, I don't see most banks or financial institutions going two-factor anytime soon.

Looks like GNUCITIZEN and Blogsecurity.net have joined forces to create a online Wordpress security scanner. From GNUCITIZEN:

"Blogsecurify was created to help individuals and organization to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time come."

I tested it out and it works as advertised. Just make sure you enable/disable the template plugin that is required. I used the old security scanner that was on Blogsecurity.net and didn't get a ton of value out of it in the past so this is great news! Actually, the old scanner told me that the Wordpress installation that I was scanning was out of date and vulnerable even though I had the latest version installed! Blogsecurity.net has some really good resources for hardening your Wordpress installation by the way. I recommend that if you have a Wordpress blog you download the paper they have on hardening your Wordpress installation. While some of these tips are easy (change the admin account name and use role based access) others are a bit complex and may break most of your plugins (.htaccess modifications) without significant testing. Either way, it's worth checking out to make your Wordpress installation more secure.

I am writing this blog post as part of the Black Hat Bloggers Network topic of interest #2.

I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security related conferences in the past (most of these involved training as well as conferences all integrated into one event like SANS Fire) but since coming back from Black Hat last year I discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat:

1. Great speakers! Seriously, if you want to "be there" when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world...that's Black Hat! I liked how conference attendees were able to "vote" in advance for selection of the talks this year. I felt this added real value to the great speaker line up for this years conference!

2. Good mix of "black hat", "white hat", and everything in between (gray hat) attendees. With a little more on the side of "white hat". This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won't think you are just going to another "hacker con". For example, you can say to your boss "Hey, they have a vendor show with XYZ company that will be there!" Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking of course...). :-P

3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker con's in the world! I could do a whole post on how great attending DefCon is but in short it's awesome to see even a more diverse crowd then Black Hat of the good, bad, and the plain ugly! Not to mention the "spot the fed" and all the other fun games and activities unique to DefCon.

Can't wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16).

If you have been reading my blog and others in the Security Bloggers Network recently then hopefully you should know about the really cool alliance this year between Black Hat and the Security Bloggers Network. If not, here is a quick and dirty overview...

Basically, there will be a Black Hat topic of the week based on one of the scheduled briefings. The bloggers can then blog on that topic to hopefully generate some interesting conversation prior to the conference. Since there are about 150 different security blogs covering every angle of security in the network it should make for some interesting blog posts.

In addition the Security Bloggers Network will be linked on the Black Hat web site and in various conference paraphernalia. Personally, I am really looking forward to blogging about some of the hot topics that will be talked about at Black Hat this year!

Be sure to follow all the Black Hat updates on Twitter and if you haven't subscribed to the Security Bloggers Network OPML, check it out! You can also follow me on Twitter and FriendFeed as I will be at both Black Hat and Defcon 16 this year, hope to see some of you there...

Also, if you plan on attending this year don't forget to register for the Black Hat "sneak peek" webcast on June 26th!

Amazing that security breaches like the one I am about to tell you about are becoming more common...so common that the mainstream media like CNN doesn't even report it anymore. If you haven't read about this pretty significant security breach yet...let me briefly tell you about it...

Bank of New York (BNY) Mellon and People's United Bank of Bridgeport, CT may have Social Security numbers and bank account information lost when unencrypted backup tapes went "missing" from BNY Mellon. No big deal right? Only 4.5 million customers affected. From the Reuters article:

"...on February 27, Bank of New York Mellon was transferring back-up tapes with data, including names, addresses, birth dates and Social Security numbers, when it lost a box with six to 10 unencrypted tapes....an archiving vendor lost the tapes from its Shareowner Services unit, but there was no evidence any data had been inappropriately accessed or used."sic

Basically People's hired BNY Mellon Shareowner Services in 2007 to tabulate votes and process stock orders during its conversion from a mutual bank, which is owned by depositors, to one that is fully publicly traded.

Moving on...nothing to see here right?

The problem is that this data was not BNY Mellon's customer data but the customer data from People's United Bank, some Wachovia employees and some 64,000 MetLife shareholders...

"People's United claims this was a BNY Mellon security lapse, as People's United transmitted encrypted information to BNY Mellon who in turn created the unencrypted backup tape(s) that was lost."

Good for People's Bank for encrypting the data in the first place...but the problem lies with the vendor(s). It seems that more and more financial institutions are letting other financial institutions and other vendors process transactions and convert information for them. Trusting others with your sensitive data is not always the best idea (even though thats how business gets done these days), however, BNY Mellon should have encrypted these backup tapes in the first place! What about the vendor (Archive Systems Inc.) who actually lost the box of tapes? I would think that they are to blame as well. Sounds like a lot of vendor management issues here from many angles.

I would think that a large archive vendor like this would have some kind of policy stating some form of compensation for losing a box of tapes in transit. Almost how armored truck carriers transfer money from a bank branch to a financial processing center...if the armored car was compromised in transit and the bank lost all the money inside the car, it's not the bank's fault...thus the armored car carrier is responsible for the loss and would have to compensate the bank.

Looks like 4.5 million customers will get one year of crappy credit monitoring service as usual because of poorly managed vendor relationships. Nice.

I wrote an article some time ago about multiple platform password managers. At the time I talked about PasswordSafe and Password Gorilla. While both of these are really good password managers that work on Linux, Windows and OSX...Matt Neely talked about KeePass at the NEO InfoSec Forum last week and how KeePass is probably the best password manager available.

What is really cool about KeePass is that you can use it on just about anything including Blackberry and Windows Mobile devices. Having a password manager on the Blackberry just about sold me and I have yet to try it, however, what did sell me was the KeePass port called KeePassX for Linux and OSX! I downloaded and installed it on my Mac and it is way faster then the old Password Gorilla. The features are really great to with automatic clearing of your clipboard, a nice easy to navigate interface and a password expiration system. My only gripe was that I had to load up the Windows version to import my PasswordSafe formatted database file for use in the OSX version. The Windows version has a plugin you can download which will automatically import your database file from PasswordSafe. There is no PasswordSafe import plugin for OSX currently. Other then that, I am converted and love it!