
terms and conditions

April 17th, 2010

We all know that very few people read the fine print before clicking the “I accept” button. It turns out that 12% of people do read it. I’m surprised it’s that high.

ATMs and embedded machines

April 15th, 2010

Bank of America recently discovered that one of its employees had planted malware on some of its ATMs and had stolen a little over $300,000. Two very obvious countermeasures come to mind – use purpose-built embedded devices instead of COTS machines, and application whitelisting. There is really no reason that arbitrary code should ever run on an ATM, and therefore there’s no reason to allow it.
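To make the whitelisting point concrete, here is an added example (not Bank of America’s code, nor any ATM vendor’s) of the gate such a machine should apply before executing anything: a list of known-good binaries keyed by path and SHA-256, built from the provisioning image, with everything else denied by default. The paths, build strings and in-memory “binaries” are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Allowlist maps an executable path to the SHA-256 of the only contents
// permitted to run from that path. Anything not listed is denied by default.
type Allowlist map[string]string

// fingerprint returns the hex SHA-256 of a binary's contents.
func fingerprint(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// Build derives the allowlist from a known-good image at provisioning time,
// before the machine is deployed, so the list itself never changes on the ATM.
func Build(image map[string][]byte) Allowlist {
	al := make(Allowlist, len(image))
	for path, contents := range image {
		al[path] = fingerprint(contents)
	}
	return al
}

// Check decides whether the binary found at path may execute. Two kinds of
// planted code are refused: a new file that is not on the list at all, and a
// listed file whose contents no longer match (a trojaned service binary).
func (a Allowlist) Check(path string, contents []byte) (bool, string) {
	want, ok := a[path]
	if !ok {
		return false, "denied: path not on allowlist"
	}
	if got := fingerprint(contents); got != want {
		return false, "denied: hash mismatch (binary modified)"
	}
	return true, "allowed"
}

func main() {
	// Constructed stand-ins for the ATM's binaries; a real image would be
	// hashed from disk with the same fingerprint function.
	goodImage := map[string][]byte{
		"/atm/bin/dispenser": []byte("dispenser service build 2010.04"),
		"/atm/bin/ui":        []byte("customer ui build 2010.04"),
	}
	al := Build(goodImage)

	attempts := []struct {
		path     string
		contents []byte
	}{
		{"/atm/bin/dispenser", goodImage["/atm/bin/dispenser"]},                        // legitimate
		{"/atm/bin/dispenser", []byte("dispenser service build 2010.04 + skimmer")}, // trojaned
		{"/tmp/cashout.exe", []byte("dropped tool")},                                // planted
	}
	for _, at := range attempts {
		ok, why := al.Check(at.path, at.contents)
		fmt.Printf("%-22s ok=%-5t %s\n", at.path, ok, why)
	}
}
```

The hash comparison is what makes this stronger than a path-based rule: an insider who overwrites a legitimately named service binary is caught exactly like one who drops a new tool.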

hiring criminals

April 9th, 2010

If you hire a criminal

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

no such thing as cyber-terrorism

April 2nd, 2010

Since the terrorist attacks of September 11, 2001, a lot of money has been spent on fighting terrorism. People who want money, whether for their department budgets, federal grants, or to fund startups, have been casting themselves as terrorist fighters. It has simply become the word du jour. In the information security field, one of the outgrowths of this is the complete and utter overuse of the phrase cyber-terrorism. Admittedly I saw a lot more of this when I was in government circles than I do now in the private sector, so I suppose this is a “leftover rant”, but it is also intermittently popular in the media. Let me say loud and clear: cyber-terrorism does not exist – now, or ever. (Cyber-warfare is a more complex issue which I’ll deal with in another post.)

I remember one government-run conference I was at where almost half the talks focused on cyber-terrorism in some way. About halfway through the conference I cornered an academic friend of mine and asked him if he had ever, in his entire life, heard of even a single case of cyber-terrorism. After a few moments of thought the best he could come up with was that if a terrorist was very good, they would have infiltrated something and would be biding their time and waiting. Although this is a popular story amongst fear-mongers, it is not how terrorists work. The goal of terrorism is to wage a campaign of terror. To do so you take credit for everything you do in order to make your targets feel like you control the situation and not them. In fact, terrorists frequently try to take credit for things they didn’t do, just to assert themselves as being in control. Their goal is to gain attention – not avoid it. A terrorist wants to get on the front page of every newspaper in the world – they don’t even care if they killed anyone or blew anything up. (See for example the fact that Umar Abdulmutallab, better known as the Christmas Day bomber, is being hailed as a hero even though his plan failed!) For the terrorists the Abdulmutallab attempt was a success not because it killed people or caused damage, but simply because it got us Americans to panic – they inflicted terror. Computer hacking simply doesn’t elicit the same response. The Chinese-Google hacking case arguably caused more damage, but it did not elicit the same fearful response from the American population. It was also almost certainly a much larger expenditure of resources. Why would any terrorist group expend ten times the resources for one-tenth the result? (Again, using their definition of the word result.) Cyber-terrorists may make good movies, but they simply don’t exist in real life.

new web app scanner

March 22nd, 2010

A friend of mine dropped me a note to point out that Google has released an open source web application security scanner called skipfish. I haven’t used it yet (installing as I type), and will hopefully have some thoughts on it soon.

Windows 7 firewall and IPv6

March 11th, 2010

Another random Windows 7 fact I learned today – if you disable the Windows 7 firewall, it will also disable IPv6 and Windows Service Hardening. Microsoft’s logic appears to be simply that if a system doesn’t have the Windows firewall enabled, then it should be treated as an insecure machine and not trusted to connect over an IPv6 IPsec tunnel. The obvious flaw in this logic is that many enterprises use other firewalls, which Windows does not take into account. Those people will then have to enable the Microsoft firewall and just put it into a completely permissive state if they want to use IPv6.

SmartScreen privacy

March 10th, 2010

I’ve been reading up on new Windows 7 security features (more on them perhaps later), but one caught my eye – SmartScreen. It’s a web filter (like the one Firefox has) that checks the websites you visit against a list of known bad websites. If a site is on the list, you get a nasty red warning screen telling you not to visit. What I was thinking about though was the privacy aspect – whenever you visit a new website your browser automatically sends the URL to Microsoft. Not just the domain, but the entire URL. They do of course have a privacy policy, but nowhere in that policy do they actually say how they will or won’t use the data collected (we can of course always assume the worst). They also do other data collection:

From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website.

I don’t know about this one – sounds more like a marketing tool masquerading as a security tool.

default password list

January 14th, 2010

I was clearing out my bookmark file on an old machine this morning and stumbled across something I’d bookmarked and completely forgotten about – the best default password list I think I’ve ever seen. Also, it’s actually maintained! I just figured I’d share it.

Twitter’s DNS servers hacked

December 18th, 2009

According to a series of news accounts today, it looks like Twitter was either hacked or not hacked, depending on who you listen to. The bottom line seems to be that Twitter’s DNS servers were hijacked. How this was done has not been revealed. Twitter seems to be dodging the brunt of the blame because its provider runs its DNS servers (confirmed by a quick nslookup below). While this may be true, that only affects how Twitter should react internally; the risk to Twitter’s users is the same either way. If the hackers had wanted to do damage instead of showing off by putting up a “look at me, I’m so cool” type of page, they would have redirected users to a phishing page that intercepted their authentication credentials. (While this has fairly trivial implications for Twitter, imagine the same thing done to a bank.)

C:\>nslookup

> set type=ns
> twitter.com
Server:  UnKnown
Address:  x.x.x.x

(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial  = 2009072301
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)

Update: more details on the DNS records can be found at SANS’ incident handler diary.

You forgot the encryption

December 17th, 2009

Apparently the drones that the US has been using in Iraq and Afghanistan have not been encrypting their video feeds, and Pentagon officials have revealed that insurgents have been eavesdropping on the video transmissions. According to the WSJ:

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

Think that’s astounding? Wait till you see this:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

They’ve known about this for well over a decade and haven’t done anything? C’mon guys – encryption isn’t exactly a new technology. As for assuming that insurgents wouldn’t know how to take advantage of the flaw, don’t even get me started. You should never underestimate your adversary, especially in war. In the modern information age knowledge is easy to come by, so assuming any large group of people will not have certain knowledge is a perilous assumption.
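Since the point of this post is that protecting a downlink like this is off-the-shelf work, here is an added example of what that protection looks like. It is not the drone’s real protocol or anyone’s fielded code: the frame header layout, the use of the frame sequence number as the GCM nonce, the key handling and the payload are all assumptions made for illustration. Each frame is encrypted and authenticated with AES-256-GCM, so a passive listener with a satellite card and capture software sees only ciphertext, and a frame that is modified or replayed is rejected by the ground station.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const headerSize = 12 // 4-byte aircraft ID + 8-byte frame sequence number

// FrameHeader travels in the clear (the receiver needs it before decrypting)
// but is authenticated as GCM additional data, so it cannot be altered.
type FrameHeader struct {
	AircraftID uint32
	Sequence   uint64 // strictly increasing per key; the header doubles as the nonce
}

func (h FrameHeader) bytes() []byte {
	b := make([]byte, headerSize)
	binary.BigEndian.PutUint32(b[0:4], h.AircraftID)
	binary.BigEndian.PutUint64(b[4:12], h.Sequence)
	return b
}

// Link is one direction of the downlink under a single 32-byte (AES-256) key.
type Link struct {
	aead    cipher.AEAD
	lastSeq uint64 // highest sequence number accepted so far (receiver side)
}

func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// Seal produces header || ciphertext || tag for one video frame. A sequence
// number that never repeats under a key keeps nonces unique, which GCM requires.
func (l *Link) Seal(h FrameHeader, frame []byte) []byte {
	hdr := h.bytes()
	out := make([]byte, 0, headerSize+len(frame)+l.aead.Overhead())
	out = append(out, hdr...)
	return l.aead.Seal(out, hdr, frame, hdr)
}

// Open authenticates and decrypts a packet, rejecting anything tampered with
// (the tag fails) or replayed (sequence not above the last accepted one).
func (l *Link) Open(packet []byte) (FrameHeader, []byte, error) {
	if len(packet) < headerSize+l.aead.Overhead() {
		return FrameHeader{}, nil, errors.New("packet too short")
	}
	hdr := packet[:headerSize]
	h := FrameHeader{
		AircraftID: binary.BigEndian.Uint32(hdr[0:4]),
		Sequence:   binary.BigEndian.Uint64(hdr[4:12]),
	}
	frame, err := l.aead.Open(nil, hdr, packet[headerSize:], hdr)
	if err != nil {
		return h, nil, errors.New("authentication failed: " + err.Error())
	}
	if h.Sequence <= l.lastSeq {
		return h, nil, errors.New("replayed or stale frame")
	}
	l.lastSeq = h.Sequence
	return h, frame, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aircraft, _ := NewLink(key) // transmitter
	ground, _ := NewLink(key)   // receiver
	frame := []byte("constructed stand-in for one video frame") // made-up payload

	pkt := aircraft.Seal(FrameHeader{AircraftID: 7, Sequence: 1}, frame)
	fmt.Println("plaintext visible on the air:", bytes.Contains(pkt, frame)) // passive capture sees none
	_, got, err := ground.Open(pkt)
	fmt.Printf("ground station decrypts: %q err=%v\n", got, err)
	_, _, err = ground.Open(pkt) // the same packet again
	fmt.Println("replay rejected:", err)
	pkt2 := aircraft.Seal(FrameHeader{AircraftID: 7, Sequence: 2}, frame)
	pkt2[headerSize] ^= 0x01 // flip one ciphertext bit in transit
	_, _, err = ground.Open(pkt2)
	fmt.Println("tamper rejected:", err)
}
```

The part that is genuinely hard in a fielded system is not the cipher but key distribution and nonce discipline: the sequence counter must never wrap or restart under the same key, and a lost ground-station key rotation is a link outage, not a silent downgrade to plaintext.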
