So the hard drive on my wife's one year old MacBook has officially started to kick the bucket. Random crashes, slow performance and lots of errors like this in the system log:

disk0s2: 0xe0030005 (UNDEFINED).

Yup, we have bad blocks..all indicating imminent drive "FAIL". I have AppleCare on the MacBook so I call them up and explained the situation. Surprisingly, they didn't give me a hard time. In the past I have had problems with other computer manufacturers (ummm...Dell) in which I would have to argue with the guy/gal on the other end of the phone that the drive was "really bad" and I didn't need to spend hours on the phone with them troubleshooting. So far so good with Apple right?

So I am finishing up the call and the tech is explaining how Apple will ship me a box to send the MacBook back to them for repair. Apparently, they don't do self service hard drive swaps anymore. Weird since it's easy to replace a hard drive on a MacBook. Anyway, the rest of the conversation went something like this...

Apple guy: "Sir, do you have a password set on your MacBook"?
Me: "Yes. Why do you need that?"
Apple guy: "The tech's need it to replace your hard drive"
Me: "Huh? Why do you need my password to replace a bad hard drive? Just pull the old drive out and put the new one in."
Apple guy: "Sorry sir. That's the procedure."
Me: "What if I don't give you the password?"
Apple guy: "Then we can't repair your laptop"
Me: "grrrr...fine...here is my password..ready? a-p-p-l-e-s-e-c-u-r-i-t-y-F-A-I-L"
Apple guy: "Thank you sir. You will have your shipment box in 24 hours."

So for every bad hard drive that comes into the Apple repair center they log in to verify that the drive is bad? What do they do with all the drives like mine that are still functional but have bad blocks? Can Apple guarantee that there are no shady people working in the repair center wanting to steal my personal information? What happens to the data? The sad mac fact (note the "sad mac" picture above) is that no one knows!

I did some research on this and apparently Apple doesn't care too much about your personal data. Dave Winer wrote about this extensively and notes the same problem. The Apple repair "terms and conditions" only states that your information is protected in accordance with the "Apple Customer Privacy Policy" and that you agree that Apple can use your data to perform the "service obligations". Interesting to also note that on the Apple privacy web site under the AppleCare Repair Agreement it also states the following:

"You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People’s Republic of China or the U.S."

Huh? People's Republic of China? That's nice. I couldn't find any reference noting what Apple does with your personal "hard drive" data. They only mention your name, address, things you purchased, etc...

So what am I going to do about this? I'm going to completely wipe the drive (Darik's Boot And Nuke is my favorite disk destruction utility) before sending it back to Apple just to see what happens. I have my doubts that they will actually log in to the MacBook to see if the drive is bad. Let's see if I get the drive replaced or not...I'm betting it will be replaced, no problem.

Sure, Apple is not the only company doing this with hard drives. This is a problem that needs to be addressed by all computer vendors. What they do with your data should at least be disclosed in their repair and/or privacy policy (at a minimum). In the meantime, encrypt your sensitive data (TrueCrypt works well) and securely remove any data you don't want people servicing your computer to see. I'll keep you updated on the repair status... :-)

I have been following several stories of recent targeted attacks against a few high profile security professionals. Two that I was made aware of were pdp from GNUCITIZEN and Alan Shimel from StillSecure, After All These Years. pdp had his Gmail account compromised and his entire mailbox mirrored all over BitTorrent. Alan's, was far worse with his mailbox compromised, personal info released and his blog domain hijacked. Both pdp and Alan have returned to blogging after the attacks and I commend them for making such a quick come back.

While these types of attacks are not new...it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet on how these attacks happened but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have...do you have the same one for everything? If you are a blogger or manage a web site think about the last time you changed the password you use for your domain registration (yeah..that was a long time ago right?)! Add to the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great...but you can still get lazy. We all have the lazy bug...especially with online forums and web sites. One idea that I learned to help combat this was to have a "throw away" password that you can easily remember (yet still somewhat complex) for things on the web that you wouldn't care if they were compromised. Everything else...use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point...LinkedIn has a limitation of 16 (I found this out the hard way). Sure, it's a pain in the ass to use a password manager but in the end...it's well worth the extra work.

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OS's (and a Blackberry)...KeyPass is the only one that I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add to the fact that it's free...it's tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it's a good time to change those passwords to something complex and unique. Don't forget to use a password manager to help you out!

I am on my way back from Black Hat and Defcon 16 in Las Vegas with a three hour delayed flight so this is probably a good time to talk about Black Hat and Defcon 16.

To start off...this was one busy and eventful week! I met so many people this week it was crazy. I am officially overflowed with business cards! I got lots of opportunities to not only meet some of the people that I admire in the security industry but also had a chance to network with a great many others that I just met. There were some really good parties (umm..networking opportunities) at both Black Hat and Defcon. Some worth mentioning that I was at were Mozilla, Core Impact, Ethical Hacker, and I-Hacked. I also attended a Security Twits meetup on Friday night at Sushi Roku and got to meet many of the Security Twits in person which was really cool. Thanks to @quine for organizing this event!

I attended several talks at both Black Hat and Defcon. I was able to attend everything that I wanted at Black Hat and even attempted to "live tweet" the Dan Kaminsky talk. You can see my updates through TweetScan or other Twitter search tools by searching for #blackhat and #defcon on my Twitter ID (agent0x0). Most of my time at Defcon was spent watching my wife win the Guitar Hero 3 Medium contest...(first woman to win this contest at Defcon) and improving my lock picking skills in the lock picking village. I have to say that I focused a lot of my time at Defcon just enjoying the contests and meeting new friends. I absolutely love Defcon. It's the greatest meetup of the good, bad, and everyone in between. One talk that was a highlight for me was Jay Beale's talk on "Owning the users with the Middler". I interviewed Jay on the Security Justice podcast about a week ago where he talked about the tool. Jay's talk was packed! Standing room only (goons were sent in to crowd control). He did a good job even though he couldn't finish his talk because time ran out. If you get an opportunity to see Jay speak, I highly recommend it! Speaking of goons...I have to hand it to the Defcon goons this year for doing a great job with crowd control! I overheard one goon say that he was doing crowd control for a "f***ton" of people! Oh, and the badges were pretty cool as well...once I waited in a long line for mine on day 2. The badge is actually a "tv-b-gone"...I could turn the TV on and off in my hotel room with the badge. Neat!

Speaking of podcasts...I was fortunate to participate in the live podcast at Defcon 16 right before the I-Hacked party in one of the Sky Boxes. I podcasted with Chris and Jay from Securabit, Larry from PaulDotCom, Matt from SploitCast and Martin McKeay from the Network Security Podcast. Rob Fuller (@mubix) coordinated and hosted the event. Hopefully some of you were able to tune into the live video and audio and chat via IRC. Not sure if the recording will be released or not. I'll post a link if it is.

Finally, lots of pictures were taken!! I will be posting mine to both my personal and the Security Justice podcast web site Flickr account soon.

It looks like my plane just arrived...I hope to post more stuff on Black Hat/Defcon in the coming days.

I thought I would throw my list into the mix of other Security Twits that are posting about talks they are either going to or wish they were going to at Black Hat this week. Most of my picks have a pentest perspective to them (a lot like CG's over at Carnal0wnage). Here is my tentative list of talks I plan on attending:

August 6th
10:00 to 11:00
Nmap: Scanning the Internet - Fyodor Vaskovich

If your a penetration tester, don't miss this one...Fyodor is a legend (heck, even some girl at sexyhacking.com (NSFW!) thinks so...the man has stalkers! ;-) ) and I'm looking forward to hear about new and unique ways to use Nmap.

11:15 to 12:30
Black Ops 2008: Its The End Of The Cache As We Know It - Dan Kaminsky

Unless you have been living under a rock for the last month then you should know about this one. It will be crowded (like all of Dan's talks) but well worth attending.

13:45 to 15:00
Client-side Security - Petko D. Petkov

Another not to miss talk in my book. Petko or better known as pdp heads up GNUCITIZEN which is one of the sites that I closely follow. GNUCITIZEN releases some amazing security research and are always on the cutting edge. As a bonus it looks like pdp will provide details of a QuickTime 0day for Windows Vista and XP.

15:15 to 16:30
Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities - Andrew Lindell

This one should be different. I recently started gaining more of an interest in Bluetooth vulnerabilities. Andrew will "show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long". Sounds interesting.

16:45 to 18:00
MetaPost Exploitation - Val Smith

This is one I am really looking forward to. This is one just for penetration testers. I saw Val Smith and HD Moore present last year on "Tactical Exploitation" and it was outstanding.

After hours...
The Pwnie Awards 2008

If I'm not totally beat I plan on attending this. Should be fun to check out before hitting some of the parties.

August 7th
10:00 to 11:00
Satan is on My Friends List: Attacking Social Networks - Shawn Moyer and Nathan Hamiel

I was tossed between this one and "Encoded, Layered and Transcoded Syntax Attacks". However, I am really on a social network security kick as of late so I think I will attend this one. If it is lame, I'll jump in the other talk.

11:15 to 12:30
Threats to the 2008 Presidential Election (and more) - Oliver Friedrichs

While not pentest specific...this one looks pretty interesting. The synopsis notes the following: "...we will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become. Secondly, we will discuss the potential impact of phishing on an election." Sounds cool!

13:45 to 15:00
Hacking and Injecting Federal Trojans - Lukas Grunwald

The "infection proxy" demo seems worth seeing! The other talk that sounds cool is the one Joanna Rutkowska is doing. I saw her talk at Black Hat last year. Joanna is a brilliant mind, but a *fast* talker...with the amount of technical detail she usually covers...it's tough to keep up.

15:15 to 16:30
...Continuing "Hacking and Injecting Federal Trojans". If it seems to suck, I'll be at the following:

The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation - Nathan McFeters, John Heasman, Rob Carter

or...

Get Rich or Die Trying - Making Money on the Web, the Black Hat Way - Jeremiah Grossman, Arian Evans

I can't decide between these two, perhaps I will attempt to see a little of both! :-)

16:45 to 18:00
Methods for Understanding Targeted Attacks with Office Documents - Bruce Dang

We all have seen a rise in this type of attack over the last year. It's true...there isn't a ton of information about the technical details of these types of attacks. Hopefully this talk sheds some light on what's behind them and help with introducing some new prevention methods.

Wow. Packed schedule with lots of great talks! Looking forward to Las Vegas as well! Always a good time (if I can break even...it would be better). Oh, and hopefully I will be able to hook up with some of the other Security Twits during the week. I'll be at Defcon as well so if anyone wants to have a beer hit me up on Twitter...or, just stop by the Podcaster/Blogger Meetup at Defcon 16. I'll be there representing the Security Justice podcast.

Stay tuned for my Defcon 16 "talks to attend" post in the next few days.

I saw this post on Hexesec the other day that made me think about all the skill's that when you put them together could make one kick ass penetration testing team. Note that this is a pretty large list of skills that would be difficult if not impossible for one person to master. However, it gives you an idea of the various skill sets that should be required for a robust, high caliber team.

As a pentester you should be familiar with most of these areas, meaning, you should have working knowledge at a minimum. Of course, reverse engineering and vulnerability development may not be everyone's forte...but take for example the web application pentester. Reverse engineering and vulnerability development is a skill that can be learned (especially if you have a deep programming and development background). Same goes for wireless penetration testing as someone with a networking background can easily pick this up. Everyone will still have their own specialty but you can still expand on your existing skills to learn new ones.

What's the point? The more you and your team learn the more valuable you become to your organization, clients and your own career.

Looks like the exploit code has been released by HD Moore as a Metasploit module. Hope everyone took the DNS patching requests seriously since we all know Metasploit is really easy to use (yes, especially for script kiddies!).

If you haven't patched your DNS yet...do it now! Check here for more information and here to check your DNS servers to see if they are vulnerable. If your ISP's DNS is still vulnerable...change your DNS servers to use OpenDNS!

Perhaps someone has figured it out or just decided to announce it but the big DNS vulnerability that Dan Kaminsky told the world about may have been revealed. Apparently a reverse engineer named Halver Flake was pretty close to figuring out how the vulnerability works. Then someone at Matasano apparently posted the details and then pulled them. Something is going on in the blogosphere...you can find details about the vulnerability on Slashdot and other blogs regarding the post that was on Matasano then removed:

Via McGrew Security:

"Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link."

Meanwhile, Dan Kaminsky posted the following on his blog:

"Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have."

This might imply that Matasano has the goods...I hope everyone is patched out there! Things are about to get interesting!

EDIT: Thomas over at Matasano has issued a public apology about the post in question.

This is just a classic case of one administrator who managed to get all the "keys to the kingdom". From the San Francisco Chronicle:

"Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."

As part of his plan he also:

"...engineered a tracing system to monitor what other administrators were saying and doing related to his personnel case, law enforcement officials said. "

As of right now all other administrators are locked out of the system and he has the only password! I also saw on CNN today that he still won't give up the password when a judge asked him in court today. Awesome...so how does this happen? While exact details still are not clear...lack of proper controls, proper monitoring of privileged users, oversight, separation of duties...are just a few things that comes to mind.

This should be a reminder for the corporate world that all privileged users (network administrators in this case) should be held to a higher standard then other users on the network. Thus, need more oversight and monitoring. Hopefully the city can get the password cracked or the guy eventually gives it up.

Yes, it's true. Presidential candidate John McCain is just now learning to use a computer. He also has said that he doesn't use email (he has staff and consultants to do that for him). So what does this say about him and how he would handle technology issues? In particular, security issues related to technology and national security. As someone who has embraced technology and social media I have some mixed feelings about this.

I guess in a way it's good to be a bit "old fashioned" but if he was to become the president don't you think that he should at least be competent with basic computer technology (like reading and responding to at least some of his email)? Perhaps we should send him a copy of this book to help him along?

I saw this news article tonight and had to laugh...

"We all recognize that the Web site is important to the community," Mayor Roy Robinson said. "We've tried to save money to build our own Web site. We should be designating a certain amount of money to maintain and protect it in a professional manner."

Yeah, you get what you pay for guys! Basically, the local city web site got hacked. The article tried unsuccessfully to say that the main page was hacked and users were redirected to spyware/malware web sites. Trojan horse in a database...huh? Have to love the media interpretation of technical issues.

This is nothing new right? Think about this though...how many other local communities do the same thing to cut corners and save some cash? Sure it's expensive to build and maintain a web site with security in mind but these days, can you really afford not to? I found a local city web site with security issues (while the one I found was a bit more serious) several weeks ago as an example. Next time you get a chance to talk to your local community ward representative ask them when they last had a security assessment done on the city web site, especially if they are offering services vital to the community.