Showing posts with label humor. Show all posts

Friday, April 09, 2010

Buffer overflow attack on YouTube! TGIF!

Happy Friday everyone!

Just when you think the "Awareness vs. Policy" debate can't get any more entertaining, I saw a great example of security awareness in the wild that shows people are really starting to get the message.


In The Cleveland Show, Season 1 Episode 16, Cleveland Jr. uses a buffer overflow to hack into the YouTube file system, and then a backdoor to bypass the criminal investigation database authentication. Pretty sweet.

Tuesday, July 01, 2008

New threat to physical security

If you're like me, then today your Google Alert set to "invisibility cloaks" finally paid off.

This promising new research on ways to become invisible is completely awesome, but I can't help but wonder what security threats loom on our horizon. Perhaps in the future, there will have to be some kind of "clothes line" device that swoops down after each person that uses an access badge to enter a building. Better learn how to move quickly folks. And if you hear a massive *thud* after you enter, you can assume you've either thwarted a highly backed criminal mastermind or a plucky young wizard.

Sunday, June 29, 2008

The continuing saga of McAfee malware


Almost a week after my humorous post about McAfee, I looked at my task list today and it's still running. This really upsets me. I tried to uninstall it, it stays. I tweak my registry, it stays. I spent an hour today trying to figure out how to get rid of it. It came down to simply deleting a link in the \\Windows\Startup folder. I know spyware that's easier to get rid of than this.

Blizzard

http://eu.blizzard.com/en/press/080626-ba.html

Blizzard is going to sell a One Time Password device. I suppose I should comment about security adoption or something like that but every time I see WoW now I just can't stop thinking about that South Park episode.

Isn't it kind of funny when an online game has better security than most banks?

Thursday, June 26, 2008

Aren't PhDs put in cages...err..classrooms...

http://www.securityfocus.com/brief/764?ref=rss

The failure of this program is all but assured with it being handled by "academic researchers".

Wednesday, June 25, 2008

You cannot believe what you see...

While reading Gizmodo this morning I came across an article about a project in Germany that allows modification of photos in real time. The example in the video is a sign whose text is overlaid when a picture is taken but is not visible to the human eye.

The immediate security/prankster portion of my personality thinks this technology would be widely useful at red carpet style events. Could you imagine if every picture taken at the Olympics had “Free Tibet” superimposed on the athletes? This could lead to a completely new kind of hacktivism.

On the flip side, how long until a company markets a product that will superimpose “This object’s likeness is protected by copyright” on landmarks?

Here is the video:

Telecommuting spies?

http://www.af.mil/news/story.asp?id=123104128

Maybe I am wrong but it sounds like this is a press release that announces that AFCYBER is all for telecommuting.

Recently overheard at Panera: "Hey could you get me an oatmeal cookie, I have to watch this cruise missile strike its target".

70's Redux, finding pools

http://blog.wired.com/underwire/2008/06/brit-teens-pool.html

Anybody remember Dogtown? Stacy Peralta, Tony Alva, Jay Adams? They used to do this with a small aircraft to find pools to skate in. Here is an interview with Alva talking about it.

This is also a chance for people in the UK to do some out-of-the-box thinking when it comes to security. If you can find your pool on Google Maps, do something interesting like fill it with Jello before heading off on your vacation. Nothing says party like a trespasser stuck waist deep in Jello.

Tuesday, June 24, 2008

Funny article

http://www.iht.com/articles/2008/06/24/america/engineer.php

The best part of the article is:

The task force identified several programs that, hobbled by poor engineering management, have run up billions of dollars in cost overruns while falling far behind schedule. Among them:

A military satellite system designed to detect foreign missile launches that Kaminski said was inexplicably designed with two sensors that cannot operate simultaneously on the same spacecraft without extensive, costly shielding to prevent electromagnetic interference generated by one from disabling the other.


I once tested an IPS that would stop passing traffic every time the rules were updated. I later talked to a customer that had it deployed in a mission-critical environment. A worm was spreading and they had a dilemma: update the rules from the vendor and kill the traffic for 15 minutes, or not update and take the risk of infection.

Sunday, May 18, 2008

Big week

There is a lot going on in information security this week. A rootkit for IOS is set for demonstration at EuSecWest. The Carlyle Group is in the process of purchasing a part of Booz Allen, which means they now have more offensive security ability than the NSA. All this pales in comparison to one big question: which order will you watch the Indiana Jones movies in this week?

You could be a dork and do it in the production order of Raiders of the Lost Ark, Temple of Doom, Last Crusade. Don’t get me wrong, there is nothing wrong with that strategy, it’s time honored and it is also Steven Spielberg’s favorite order [no reference needed]. I am just pointing out that you could dare to be different. Personally, I am going to do Temple, Crusade, and end with Raiders. At first glance, it does not appear to be that bold a selection as I pretty much just moved Raiders from first to last, but there is a method to the madness. You remember in Crusade when Indy and his sidekick are in the tunnels under Venice and a reference to the Ark of the Covenant is mentioned? Indy replies with something like “yup, already found that.” If you wait to watch Raiders last you can feign ignorance:

“Did Indy find the Ark? I don’t remember, I sure hope there aren’t snakes, I hate snakes. Let’s watch Raiders of the Lost Ark. Holy crap, Indy is looking for the Ark of the Covenant just like mentioned in the last movie.”

See, it’s a great strategy.

Wednesday, May 07, 2008

Thats it...

Today can't get any better, I am going back to bed.

Thursday, May 01, 2008

Monday, April 28, 2008



Thank god, I thought I was the only person this had happened to...

I wonder how that system got QAed; it seems like it would be prone to false positives.

Friday, March 07, 2008

Wednesday, March 05, 2008

A quick chumby post.

I am the proud owner of a chumby. If you do not know what a chumby is, where have you been? When I first heard about chumbys my first thought was that they would be perfect in a bathroom. So luckily, I had a few chili cheese dogs with extra kraut earlier that day so I could test out my theory. I found that with a chumby I tend to stay in a bathroom 10 to 20 minutes longer than normal. Because of this the chumby now resides on my bedside table and allows me to wake up every morning to basketball scores and Dave Letterman’s top 10 list. The thing I like the most about the chumby is how configurable it is. There are tons of widgets and it looks easy to add your own content.

Monday, January 28, 2008

Un...umm...traceable...understandable...battery acid...

So…in an Errata Security field trip today Rob and I saw Untraceable (a whopping 13% on the Tomatometer). While I did not cringe as much as I did in other movies like Live Free or Die Hard (who could ever forget that whole "reroute all the gas in the country" bit) I could not help but notice how mainstream botnets have become. I do not want to give any plot points away but if you do not have adequate botnet protection you could end up sitting in a giant vat of battery acid. That is right, forget any compliance or regulatory problems you may have, a vat of battery acid awaits people who cannot shut down botnets. Battery acid. I mean it is not like a vat of chocolate or Vaseline, freaking battery acid. This movie taught me that battery acid and the human skin do not mix well. In fact, amid an odd plot where a bad guy is killing people in some twisted way using Google AdSense, err, viewer involvement on a website, the only real takeaway I have is that I do not want to end up in a vat of battery acid...and I should learn how to blink Morse code under very bad conditions.

Aside from the battery acid bath penalty for the lack of botnet protection, I found the movie to be a weird combination of “The Net” and Saw. There was a lot of techno jargon and pretty technical-looking screens, including what could be the first look at the “FBI rootkit” that made headlines last year. I doubt it though, as it seems to use the Metasploit reverse VNC shellcode to show exactly what the bad guy sees on his screen. But you have to wonder what’s going on when fake FBI agents seem to know more about actual cybercrime than real ones.

My last gripe about this movie is the FBI instantly declares someone must be guilty because he has 3 handguns and 2 rifles registered. It seems to me that a person who legally bought the weapons has less of a chance of being guilty than people who did not. After deciding the absolute guilt of an individual because of firearms ownership, our intrepid FBI cyberheroes are able to get an FBI SWAT team to kick in a door in less than 10 minutes. I could not get over how streamlined the ability to get a no-knock warrant is these days in movie land.

The entire movie I was hungry for pasta and I could not figure out why until I realized that Diane Lane, the FBI cyber-heroine, starred as Judge Hershey opposite Sylvester Stallone in the runaway 1995 blockbuster hit Judge Dredd. I know we are still waiting for the Academy to give that gem a nod.

In hindsight, I feel like I should have seen Rambo or Meet the Spartans. Rob has a review as well, I can only imagine what he has to say about this movie.

Wednesday, January 02, 2008