07.04.08

Dataloss via Stupidity.

Posted in IT, News at 2:43 am by Tyler Reguly

Sometimes we hear about data loss via theft or loss of a computer. For the most part (assuming I don't hear about it happening to a company on a weekly basis), I can (eventually) forgive the company (even if my personal data has been lost). After all, accidents (losing a computer) and burglaries are a fact of life. Does this excuse the practice of not encrypting data? Nope... but as I said... eventually I forgive the company; after all, years ago when these were paper files, they weren't encrypted. At the same time, I do feel that there should be serious government fines handed out to companies that lose sensitive customer data (my forgiveness doesn't exclude the requirement for punishment of some sort).

What I can't forgive, though, is data loss via stupidity... That is, throwing away sensitive data without making an effort to destroy it. I shred pretty much everything that comes to me in the mail at home... (everything I don't save anyways). I've worked in places where DBAN was utilized religiously before laptops were reassigned from one individual to another or old desktops were sold off. I even took a bench grinder to a hard drive one time (although that was more for fun... but it did destroy the data).

I just read this blog post (via Consumerist) and it reminded me once again of the stupidity that sometimes happens. I can get replacing old computers... I even get throwing out the computer (although I'd think that there are plenty of places to donate the machine). I can't get leaving your employee and customer databases, along with letters to customers in place (screenshots on the original blog). This really does come down to Dataloss via Stupidity and I think that's how we need to start defining it.

Someone needs to go and put a big notice on the door of the offending Curves that mentions how poorly they treat customer data. We should start doing this to all companies that fall victim to Dataloss via Stupidity. This is a prime example of one of those unforgivable acts.

Now I know someone is saying, "But you just said you can forgive accidents... maybe this was an accident." This isn't an accident... Throwing away a letter to a single customer without shredding it that contains personal information... That's an accident. Turning around to grab a drink from the vending machine and having your laptop stolen... That's an accident. Taking a used computer and just tossing it in the trash... that's not an accident... that's stupidity.

In Texas they've got a law requiring those that service computers to have a PI license. Perhaps it's time that we start thinking about licensing to use a computer... We could even have stages of licensing:

  • Stage 1: Allowed use of a computer
  • Stage 2: Allowed access to the internet
  • Stage 3: Allowed use of a computer for business purposes
  • Stage 4: Allowed to repair a computer
  • Stage 5: Allowed to dispose of or destroy used computer equipment.

In reality that's going way overboard (just like the Texas law), but something needs to be done to prevent the stupid from using computers... and something really needs to be done to prevent Dataloss via Stupidity. Perhaps Curves should be slapped with a nice, big fine just to remind people to think first.

It’s the End of the World as We Know It…

Posted in IT, News at 1:54 am by Tyler Reguly

And I feel fine...

By morning most likely everyone will have blogged about the recent court ruling that Google hand over the YouTube logs to Viacom (MTV & Paramount Pictures parent company).

Oddly enough I saw a clip on BBC News that was mentioning popular articles on their website. The first thing my wife said was, "Does this mean I should stop going to YouTube?" My immediate response was, "Why?" To which she responded, "If I watch something that's copyrighted, can't I be sued or something?"

Now this was the way the short little news clip presented itself, and I'm definitely not a lawyer, but my answer was, "No." Now maybe I'm wrong, and I'll probably be the only one to say this, but I don't see how this is a big deal. Viacom wants to compare the viewing habits on their copyrighted material vs non-copyrighted material. I actually think they have a right to do that. It comes down to this... find a way to keep the copyrighted material off the site or give people whose copyrights are violated access to statistics.

Based on the article, that's all Viacom wanted... statistics. Well, at one point they wanted the YouTube source code, but that's a ridiculous request. Google probably should have just granted them access to the statistics right away. I honestly don't care if Viacom figures out who I am and what I've watched on YouTube.

I do hope that Google gets the right to anonymize the logs before passing them on, but they should have been doing that all along... there was no real reason to store IP addresses for any length of time.

Anyways... it'll be interesting to see what Viacom gets in the end, and how many people cry that this really is the end of the world.

06.28.08

Potential BlackBerry Outage in GTA?

Posted in Personal at 2:31 pm by Tyler Reguly

There seems to be a BlackBerry outage in the GTA (Toronto, Ontario). Does anyone have any details?

06.19.08

CDVT 0.1 Released

Posted in CDVT - Version Tracker, IT, Tools at 12:59 am by Tyler Reguly

Greetings All,

First... I'm definitely not dead... that first month of marriage kept me busier than I'm used to being, but I definitely plan on posting more.

This post is actually rather exciting for me. If you read back through my blog, my initial posts (and the reason I registered a domain) were because I wanted an easy way to keep track of new versions of software. I happened to register this domain, so I wanted to call it the Computer Defense Version Tracker (CDVT). My plan was to develop a file scheme, where software authors could place a small cdvt file in their root and I would fetch and parse the file, creating an updated list of versions of software. A number of authors were on board with the idea, but it never built much steam.

Having progressed my development skills quite a bit in the past two and a half years (or at least I like to think I have), I realized I could write a simple screen scraper to do the work. So here's the "new and improved" CDVT, which I'm currently calling version 0.1. The download consists of two files, cdvt.py and cdvt.xml. The XML file contains references to each piece of software that is being checked. The Python script does the work. You can provide a couple of inputs when you run the file, and if you provide incorrect input, you'll get this error:

htregz@securitysentience:~/cdvt$ python cdvt.py
CDVT 0.1 by Tyler Reguly (ht@computerdefense.org)
Error: Output Type not provided
Usage:  cdvt.py <output type> <output interface>
        output type:            csv or text
        output interface:       stdout or file

This should be fairly straightforward: you can generate CSV or plain text and either print to the screen or write to a file. The next version will parse proper arguments and allow you to specify a filename. Right now the filename will be either versions.csv or versions.txt (depending on the output type).

Output from the text mode looks like this:

htregz@securitysentience:~/cdvt$ python cdvt.py text stdout
2.4 Kernel:                     2.4.36.6
2.6 Kernel:                     2.6.25.7
Aircrack-ng:                    1.0-rc1
Cain & Abel:                    4.9.14
ettercap:                       NG-0.7.3
Kismet:                         Kismet-2008-05-R1
Metasploit Release:             3.1 Release
Metasploit SVN Revision:        5533
NetStumbler:                    Version Info Not Available
Nikto:                          2.02
nmap:                           4.65
Notepad++:                      4.9.2
Pass the Hash:                  1.3
PsTools:                        2.44
PuTTy:                          0.60
Snort:                          2.8.2.1
TCPDump:                        3.9.8
VMWare Server:                  1.0.6
VMWare Workstation:             6.0.4
Wireshark:                      1.0.0

Since I do perform screen scraping, it isn't the fastest process in the world, but it isn't overly slow either. When you see the message 'Version Info Not Available', that means that the page that's scraped wasn't available or the regex couldn't match. In the above case, the NetStumbler download page is currently returning a 404 error.
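To make the scraping loop and its failure path concrete, here is an added example in the spirit of cdvt.py; it is not the downloadable tool and not the author's code. The XML layout (an <app> element with name, url and regex attributes), the fetcher, the sample pages and the regexes are all assumptions for illustration. The pages are constructed inline so the script runs offline, and the NetStumbler entry deliberately has no page, which plays the role of the 404 described above and produces "Version Info Not Available". The live fetcher is included for real use but is not called by the offline run.

```python
"""CDVT-style version tracker (added example, not the original cdvt.py)."""
import csv
import io
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NOT_AVAILABLE = "Version Info Not Available"

# Constructed config in an ASSUMED schema; the real cdvt.xml layout is not shown on the page.
SAMPLE_XML = r"""<cdvt>
  <app name="nmap" url="https://example.invalid/nmap" regex="nmap-(\d+\.\d+)\.tgz"/>
  <app name="Wireshark" url="https://example.invalid/wireshark" regex="Wireshark (\d+\.\d+\.\d+)"/>
  <app name="NetStumbler" url="https://example.invalid/netstumbler" regex="NetStumbler v(\S+)"/>
  <app name="Snort" url="https://example.invalid/snort" regex="snort-(\d+\.\d+\.\d+\.\d+)\.tar"/>
</cdvt>"""

# Constructed page bodies standing in for the download pages (no NetStumbler page: simulated 404).
SAMPLE_PAGES = {
    "https://example.invalid/nmap": "<a href='nmap-4.65.tgz'>Download nmap-4.65.tgz</a>",
    "https://example.invalid/wireshark": "<h1>Wireshark 1.0.0 released</h1>",
    "https://example.invalid/snort": "<p>Latest stable: snort-2.8.2.1.tar.gz</p>",
}


def load_config(xml_text):
    """Parse the XML into (name, url, compiled_regex) tuples; compile each regex once."""
    root = ET.fromstring(xml_text)
    return [(node.get("name"), node.get("url"), re.compile(node.get("regex")))
            for node in root.iter("app")]


def http_fetch(url, timeout=10):
    """Live fetcher: return the page text, or None on 404/network/URL errors.

    A bounded timeout matters here: one hung download page must not stall the whole run.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, ValueError, OSError):
        return None


def offline_fetch(url):
    """Constructed stand-in for http_fetch: an unknown URL behaves like a 404."""
    return SAMPLE_PAGES.get(url)


def check_versions(apps, fetch=http_fetch):
    """Scrape each app's page; unreachable page or no regex match -> NOT_AVAILABLE."""
    results = []
    for name, url, pattern in apps:
        page = fetch(url)
        match = pattern.search(page) if page is not None else None
        results.append((name, match.group(1) if match else NOT_AVAILABLE))
    return results


def render(results, output_type):
    """Format results as 'csv' or 'text' (name padded to 32 columns, like the tool's output)."""
    if output_type == "csv":
        buf = io.StringIO()
        csv.writer(buf).writerows(results)
        return buf.getvalue()
    if output_type == "text":
        return "".join(f"{name + ':':<32}{version}\n" for name, version in results)
    raise ValueError("output type must be csv or text")


def main(argv):
    """Mirror the tool's <output type> <output interface> usage, running against the offline data."""
    if len(argv) != 3 or argv[1] not in ("csv", "text") or argv[2] not in ("stdout", "file"):
        print("Usage: cdvt_example.py <output type: csv|text> <output interface: stdout|file>")
        return 2
    output = render(check_versions(load_config(SAMPLE_XML), offline_fetch), argv[1])
    if argv[2] == "file":
        with open(f"versions.{argv[1]}", "w", newline="") as fh:
            fh.write(output)
    else:
        sys.stdout.write(output)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `python cdvt_example.py text stdout` prints the four constructed entries, with NetStumbler reported as not available. Two design points worth keeping when scraping real vendor pages: treat every fetched page as untrusted input (anchor regexes tightly and keep a timeout), and never silently report a stale version when a fetch fails, which is exactly what the explicit "Version Info Not Available" marker avoids.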

I would love feedback, suggestions of apps to add and anything else. Feel free to email me or leave a comment.

Download

05.23.08

Wanted to Link to This

Posted in IT, Security at 1:55 am by Tyler Reguly

I'm not back yet, but I wanted to link to a blog post I threw up over on the nCircle VERT blog before I left for my holidays.

XP IPv6 DoS & IPv6 Networking Issues with W2K3 and Ubuntu (Also a DoS)

This doesn't have a CVE (yet?), but it does have a BID.

Next week, I'll be back to posting regularly.

05.09.08

Expect the Blog to be a Little Quiet

Posted in Personal at 8:00 pm by Tyler Reguly

Hey All,

Time for a personal post... The next two weeks I probably won't be blogging much (or necessarily even acknowledging the blog exists).... then again maybe I will. Either way, I'm getting married on May 17th (back home in Sault Ste. Marie). Shortly after the wedding we'll be going on a brief honeymoon to Chicago and then it's back here to Toronto.

Anyways... Just wanted to share.

05.08.08

All I can say is ‘Wow’

Posted in IT, Security at 3:57 pm by Tyler Reguly

I read this today on a local news site and the only thought that went through my head was "wow"... Essentially a malicious individual hacked the Epilepsy Foundation's website and posted hundreds of rapidly flashing images. While I don't condone it... I can understand why people think they should target websites for profit or pride... but this? It's just plain mean... It makes me wonder what the world is coming to.

Update: Apparently this is old news and I'm a little slow finding out about it.

Comments on Core Security’s Wonderware advisory

Posted in IT, Security at 10:04 am by Tyler Reguly

There were a couple of random things that I wanted to comment on.

The first was a post by Dave Lewis of Liquidmatrix. The post in question is a discussion of a Wonderware advisory released by Core Security and the level of detail that they provided. Dave doesn't agree with the level of detail provided... as they had details on how to exploit the vulnerability and even showed the assembly from the vulnerable function. He also comments that this isn't responsible disclosure. I'm <sarcasm>really glad to see this debate is coming up again</sarcasm>... but really where's the lack of responsible disclosure? Core reported the vulnerability to the vendor (repeatedly) and went out of their way to ensure the vendor was aware, this is more than a lot of people / companies do. They then continually pushed their advisory release date to accommodate the company. These details are being released after the patch as well.

There's absolutely nothing wrong with this... it's really no different from the level of detail provided by other security vendors that release advisories. Once the patch is out there isn't much to stop malicious individuals from obtaining the assembly to the vulnerable function... a copy of IDA Pro and BinDiff is really all they need. Outside of the assembly... the level of detail provided is really the same as most other security vendors that release advisories. I've seen them include some sort of binary analysis in the past... and most of them contain a text write-up... here's an example with enough text to more than locate the vulnerability from TippingPoint / ZDI:

The specific flaw exists in the oninit.exe process that listens by default on TCP port 1526. During authentication, the process does not validate the length of the supplied user password. An attacker can provide an overly long password and overflow a stack based buffer resulting in arbitrary code execution.

Part of the problem with the InfoSec battle is that the bad guys have essentially unlimited time, whereas IS employees have families and lives and work a set schedule. The Core advisory has set internal security teams on their way to developing their own exploits should they need to; without it they'd have had a lot more work to do and it would have taken them more time. Core did everything short of releasing the related Python, and you can't really blame them, since then they'd be giving away their product for free. In the end, what they did was, in my opinion, beneficial to all.

It's one thing to simply release details, but as soon as someone works with the vendor you can't really cry foul when they publish the details. At least not on the 'responsible disclosure' front... because they've followed responsible disclosure, and in this case Core Security hasn't done anything different than a number of vendors. Microsoft Tuesday is coming up; watch the mailing lists, as each vendor that has reported a vuln usually sends out some sort of advisory, and these range from brief overviews to full binary analysis and specific details on exploiting the vulnerability. We've seen it before and we'll see it again... but the patch is out, so they aren't helping the malicious individuals... just the good guys who have time constraints.

05.06.08

XP SP3 and IE

Posted in IT at 3:46 am by Tyler Reguly

I found this blog post rather interesting today. It's an explanation of how SP3 and IE will work together. Essentially it comes down to the following:

If you have IE6: It's business as usual... you will be offered SP3 via Windows Update and you'll still be running IE6 after the update.

If you have IE7: You will be offered SP3 via Windows Update, however once you complete the install of SP3 you'll be unable to revert to IE6. Due to updates that are included for IE6 (which won't be installed since you have IE7), IE7 cannot be uninstalled.

If you have IE8 Beta: You will NOT be offered SP3 via Windows Update. As well, once you install SP3 you will NOT be able to uninstall IE8 Beta. Microsoft is recommending that you uninstall IE8 Beta, install SP3 and then reinstall IE8 Beta if you are using it.

04.26.08

autocomplete=off, yes… it’s really that simple.

Posted in IT at 2:50 am by Tyler Reguly

One of my favourite things is Autocomplete. I'm sure plenty of security folks are cringing right now, but I enjoy it. It saves me a crapload of data entry every time I want to place an order (Name, Address, Phone number) or post a blog comment (Name, Email, Website)...

Anyways... what really bothers me is web developers that don't know about, or refuse to acknowledge the existence of, autocomplete. Let's compare two online ordering systems that I use frequently.

One contains a check box asking if you'd like it to remember your information (excluding credit card information). The entire order form is set to autocomplete=off and if I check the check box, my info is stored in a cookie with a very long expiry date.

The other doesn't save my info, I have to fill it out every time... This is where autocomplete is nice. Name, Address, Apartment Number, Buzzer Code, City, Postal Code, Phone, Email, etc.... Lots of info to provide but for me it's just first letter + tab. I like this feature... My problem is when I get to credit card information. This website hasn't seen the need to set the credit card related fields to autocomplete=off. Now I know that after I order I have to clear saved form data... this was once an issue though.

I ordered from this company via credit card, but then I moved over to cash orders... months later I happened to order via credit card again... this was when I discovered that the data was autocompleted. I find this very frightening for a number of reasons.

So I want to know... do web developers really have a hard time with autocomplete? I want to point out how important and how vital it is to your online form development. That's all... nothing really here, just a bit of a rant that I wanted to get out. Enjoy.
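Since the complaint is that developers forget autocomplete=off on the card fields, a check that catches it before the form ships is the practical takeaway. The following is an added example, not code from this post: a small Python audit that parses a form with the standard library's html.parser and reports payment-card fields (matched by assumed, deliberately coarse name/id patterns such as card, ccnum, cvv, cvc, expiry) whose effective autocomplete setting is anything other than off, honouring a form-level autocomplete="off" as well. The three sample forms are constructed for the example. One caveat for anyone applying this today: it checks the markup only; some browsers have since chosen to ignore autocomplete=off for certain field types, so the attribute is a necessary hint, not a guarantee that nothing is stored client-side.

```python
"""Audit HTML forms for payment fields that browsers may autocomplete (added example)."""
import re
from html.parser import HTMLParser

# ASSUMED naming conventions for payment-card fields (matched against name or id, case-insensitive).
# Coarse on purpose: "cardholder_name" will also be flagged, which is a tolerable false positive.
SENSITIVE = re.compile(r"card|cc[-_]?num|cvv|cvc|csc|expir|exp[-_]?(month|year|date|mm|yy)", re.I)

# Input types that carry no user-typed data and are skipped.
SKIPPED_TYPES = {"hidden", "submit", "button", "reset", "image", "checkbox", "radio"}


class FormAuditor(HTMLParser):
    """Collect (field, effective_autocomplete) for sensitive inputs not set to 'off'."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None   # autocomplete value of the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete", "").strip().lower() or None
            return
        if tag != "input" or a.get("type", "text").lower() in SKIPPED_TYPES:
            return
        label = a.get("name") or a.get("id") or ""
        if not SENSITIVE.search(label):
            return
        # A field-level attribute overrides the form-level one; absence means the browser default (on).
        effective = a.get("autocomplete", "").strip().lower() or self.form_autocomplete
        if effective != "off":
            self.findings.append((label, effective or "(default on)"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_form(html):
    """Return the list of offending (field, effective_autocomplete) pairs, in document order."""
    auditor = FormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample forms for the example.
BAD_FORM = """
<form action="/order" method="post">
  <input name="full_name" type="text">
  <input name="phone" type="tel">
  <input name="card_number" type="text">
  <input name="cvv" type="text" autocomplete="on">
  <input name="exp_month" type="text">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Pay">
</form>
"""

GOOD_FORM = """
<form action="/order" method="post">
  <input name="full_name" type="text">
  <input name="card_number" type="text" autocomplete="off">
  <input name="cvv" type="password" autocomplete="off">
  <input name="exp_month" type="text" autocomplete="off">
</form>
"""

FORM_LEVEL_OFF = '<form autocomplete="off"><input name="ccnum"><input name="cvc"></form>'


if __name__ == "__main__":
    for title, html in (("bad", BAD_FORM), ("good", GOOD_FORM), ("form-level off", FORM_LEVEL_OFF)):
        print(f"{title}: {audit_form(html) or 'no findings'}")
```

Note that the good form leaves name and phone autocompletable, which is exactly the behaviour the post argues for: autocomplete is convenient for address data and should only be switched off on the fields whose exposure actually hurts.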
