January 14th, 2010
I was clearing out my bookmark file on an old machine this morning and stumbled across something I’d bookmarked and completely forgotten about – the best default password list I think I’ve ever seen. Also, it’s actually maintained! I just figured I’d share it.
Tags: default passwords, passwords, resource Posted in Access Control Systems & Methodology | No Comments »
December 18th, 2009
According to a series of news accounts today, it looks like Twitter was either hacked or not hacked, depending on who you listen to. The bottom line seems to be that Twitter’s DNS servers were hijacked. How this was done has not been revealed. Twitter seems to be dodging the brunt of the blame because their provider runs their DNS servers (confirmed by a quick nslookup below). While this may be true, that only affects how Twitter should react internally. The risk to Twitter’s users is still the same. If the hackers had wanted to do damage instead of showing off by putting up a “look at me I’m so cool” type of page, they would have forwarded users to a phishing page that intercepted authentication credentials. (While this has fairly trivial implications for Twitter, imagine if they did this to a bank.)
C:\>nslookup
> set type=ns
> twitter.com
Server: UnKnown
Address: x.x.x.x
(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial = 2009072301
refresh = 43200 (12 hours)
retry = 3600 (1 hour)
expire = 1209600 (14 days)
default TTL = 3600 (1 hour)
Update: more details on the DNS records can be found at SANS’ incident handler diary.
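A check a domain owner can schedule to catch the kind of delegation change the nslookup output above shows, added here as an example and not part of the original post. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later) and uses example.com and the ns*.example.net names as placeholders for your own domain and the name servers you expect.

```powershell
# Added example, not from the original post: compare the live NS set and SOA primary
# for a domain against what you registered, and warn if either has changed.
# Placeholders: example.com and ns*.example.net stand in for your own domain and servers.
$domain = 'example.com'
$expectedNs = @('ns1.example.net', 'ns2.example.net')
$expectedSoaPrimary = 'ns1.example.net'

function ConvertTo-CanonicalHost([string]$h) { $h.TrimEnd('.').ToLowerInvariant() }

# Ask the resolver directly (-DnsOnly skips the local cache and hosts file) for the NS set.
$nsRecords = Resolve-DnsName -Name $domain -Type NS -DnsOnly -ErrorAction Stop |
    Where-Object Type -eq 'NS'
$actualNs = $nsRecords.NameHost | ForEach-Object { ConvertTo-CanonicalHost $_ } | Sort-Object -Unique

# The SOA "primary name server" is the field the nslookup output above shows; compare it too.
$soa = Resolve-DnsName -Name $domain -Type SOA -DnsOnly -ErrorAction Stop |
    Where-Object Type -eq 'SOA'
$actualPrimary = ConvertTo-CanonicalHost $soa.PrimaryServer

$problems = @()
$nsDiff = Compare-Object ($expectedNs | Sort-Object) $actualNs
if ($nsDiff) { $problems += 'NS set changed: ' + ($actualNs -join ', ') }
if ($actualPrimary -ne $expectedSoaPrimary) { $problems += "SOA primary changed: $actualPrimary" }

if ($problems) {
    # A mismatch means the delegation no longer matches what you registered;
    # feed this into whatever alerting you already use (event log, email, ticket).
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Delegation for $domain matches expectations."
```

Run it from a scheduled task against a resolver outside your own network as well, since a hijack at the registrar shows up first in what the rest of the world resolves.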
Tags: DNS, hack, twitter Posted in news | No Comments »
December 17th, 2009
Apparently the drones that the US has been using in Iraq and Afghanistan have not been encrypting their video feeds, and Pentagon officials have revealed that insurgents have been eavesdropping on the video transmissions. According to the WSJ:
Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.
U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.
Think that’s astounding? Wait till you see this:
The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.
They’ve known about this for nearly two decades and haven’t done anything? C’mon guys – encryption isn’t exactly a new technology. As for assuming that insurgents wouldn’t know how to take advantage of the flaw, don’t even get me started. You should never underestimate your adversary, especially in war. In the modern information age knowledge is easy to come by, so assuming any large group of people will not have certain knowledge is a perilous assumption.
Tags: drones, government, iraq Posted in cryptography, news | No Comments »
December 15th, 2009
I was thinking some more about the RAM scrapers mentioned in the last post. I wasn’t really paying attention the first time I read the report, but I later noticed that Verizon mentions that the RAM scraper was found on a P.O.S. (point of sale – the system a cashier uses to check out a customer in a store) system. A P.O.S. system would seem to be a system whose expected software can be very well defined, and would seem to be an ideal candidate for whitelisting software. Getting rid of the AV on P.O.S. systems and replacing it with whitelisting software which only allows specific applications to run would seem to be an ideal way to greatly increase the security of these systems, and make them future-proof against whatever the next generation of malware is.
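One way to do exactly this on a Windows-based terminal with the operating system’s own allow-listing feature (AppLocker), added here as an example and not part of the original post. It assumes the P.O.S. software is installed under C:\POS (a placeholder path) and that the machine runs an edition of Windows that includes AppLocker.

```powershell
# Added example, not from the original post: build an AppLocker allow-list for a
# point-of-sale application and trial it in audit mode before enforcing it.
# Assumption: the POS software lives under C:\POS (placeholder path).
$posDir = 'C:\POS'
$policyPath = Join-Path $env:TEMP 'pos-applocker.xml'

# 1. Inventory every executable and DLL the POS application ships with.
$posFiles = Get-AppLockerFileInformation -Directory $posDir -Recurse -FileType Exe, Dll

# 2. Turn the inventory into allow rules: publisher rules for signed files, hash rules
#    for unsigned ones. -Optimize merges redundant rules; -Xml returns the policy as text.
[xml]$policy = $posFiles |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix POS -Optimize -Xml

# 3. Start every rule collection in audit mode: anything outside the list still runs,
#    but is logged as AppLocker event 8003 ("would have been prevented").
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Merge into the local policy (keeping the default rules that allow Windows and
#    Program Files, which must already exist) and start the service AppLocker relies on.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Dry run: every POS binary should come back with PolicyDecision 'Allowed';
#    anything listed here would be blocked once enforcement is switched on.
$binaries = (Get-ChildItem -Path $posDir -Recurse -Include *.exe, *.dll).FullName
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $binaries -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed'

# 6. After a few days, review what audit mode would have blocked, then change the
#    collections above from 'AuditOnly' to 'Enabled' and re-apply the policy.
Get-AppLockerFileInformation -EventLog -EventType Audited |
    Select-Object Path, Hash
```

A RAM scraper dropped onto the terminal would show up in step 6 as an unknown hash before enforcement, and be refused outright after it.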
Tags: av, malware, ram scraper, whitelisting Posted in compliance, investigations, regulations, and legal | No Comments »
December 10th, 2009
In Verizon Business’ most recent data breach investigation report they mentioned a new class of malware which I’d never heard of before but found interesting – RAM scrapers. The basic idea is that they grab data straight from RAM. Verizon goes on to conclude that, because of the recent increase in the use of encryption and the limitations on what data can be permanently stored (mostly thanks to PCI), scammers have had to start looking to other areas to gain access to unencrypted data. I guess this shouldn’t really surprise anyone too much – we already know that for every measure there is another countermeasure. This is also another good example of Shamir’s third law of cryptography – “Cryptography is typically bypassed, not penetrated”.
Tags: malware, pci, ram scraper, Verizon data breach report Posted in compliance, investigations, regulations, and legal | No Comments »
December 3rd, 2009
I noticed this on the wall at a recent ISSA meeting. In addition to the obvious security issue I’m trying to bring attention to, there is a bonus security issue being illustrated here – you can see my reflection!
Tags: issa, physical security, wireless Posted in Access Control Systems & Methodology | No Comments »
November 19th, 2009
According to Symantec, cybercrime is now the number 1 crime in terms of profit, having recently passed illegal drug trafficking.
Tags: crime, cybercrime, drugs Posted in compliance, investigations, regulations, and legal | No Comments »
October 27th, 2009
I’ve been using Windows 7 fairly regularly on one of my machines for the past month or so. One thing I noticed is that the default password settings for Windows 7 make passwords expire after 42 days. Since most home users will never change their default settings, this setting will likely become a de-facto standard. However, the default settings also have a password history of zero (no remembered passwords), and a minimum password age of zero as well. This means that every home user, when prompted to change their password, will simply change it back to the password they had initially, making this setting useless.
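The weak default and the setting that closes the gap, as an added example that is not part of the original post. It assumes an elevated cmd or PowerShell prompt on the machine whose local policy you are changing.

```powershell
# Added example, not from the original post: inspect the local account policy for the
# gap described above and close it. Run from an elevated prompt.

# Current settings. A default Windows 7 install shows a maximum password age of 42
# days, a minimum password age of 0 days and no password history, which is the
# combination that lets a user "change" straight back to the old password.
net accounts

# Remember the last 5 passwords so the old one is rejected, and require a password
# to be at least 1 day old before it can be changed again. Without the minimum age,
# a history of 5 could still be defeated by cycling through 5 throwaway passwords
# in a minute and landing back on the original.
net accounts /uniquepw:5 /minpwage:1

# Verify: "Minimum password age (days)" and "Length of password history maintained"
# should now read 1 and 5.
net accounts
```

On a domain-joined machine the domain password policy overrides these local values, so set the equivalent settings in Group Policy there instead.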
Tags: password change, passwords, useless security, windows 7 Posted in Access Control Systems & Methodology | Comments Off
October 20th, 2009
It always amazes me that:
1 – people assume that because something is written down it must be true.
2 – disreputable people will always find new and creative ways to take advantage of the above.
Courtesy of Emails from crazy people (and further variants on snopes) comes the newest evolution of the Nigerian 419 scam. Absolutely astounding.
I want you to read this message very carefully, and keep its content secret till further notice, you have no need of knowing who I am, where am from, till I make out a space for us to see, I have been paid $50,000.00 in advance to terminate your existence with some reasons not listed in my contract by my employer, this employer is one you may call family, I have been in close surveillance for one week and three days now and have seen that you may be innocent, which really is not for me to decide.
Note that for your safety do not think of contacting the police or F.B.I or try to send a copy of the message to them, because seeing an alert on this message will force me to do what I do not intend doing (Believe me it will seem like an accident to even the F.B.I forensics) As this is the first time am betraying a client. I will be needing a retirement fee from you to return to my country ASAP as I can not stay any longer in your country after this.
Now, listen very carefully I will arrange a location for you to pick up tapes and pics of me and my employer for court evidence, and also meet with you face to face if you promise you won’t involve the police or F.B.I. Contact this email within 48hrs as I do not have much time. *****@yahoo.
Be careful of who you think you are showing this message to, we are watching and listening to every move you make.
You don’t need my phone contact for now till am assured you are ready to comply good.
Tags: 419, death threat, email, spam Posted in general | 1 Comment »
September 1st, 2009
Every so often I make a post whose main purpose is to get indexed by Google and provide people with (what I think is) some nugget of useful information. Although googling for 8Ry2YjIyt7RRXU24 will yield a lot of results, none of them mention that this is the hash for a blank password on a PIX firewall. (In other words, if you found this post because you have a PIX that has enable password 8Ry2YjIyt7RRXU24 encrypted set, that means the enable password is blank.)
Tags: blank password, cisco, passwords, pix Posted in Access Control Systems & Methodology | Comments Off