Do you remember the “Pass The Bomb” game? All kids have played it at least once. The principle is simple and fun: there is a bomb programmed to explode after a random time. Players must pass the bomb from hand to hand, each saying a new word that contains the letters on a chosen card. The player holding the bomb when it explodes loses. [Note to the NSA: the term "bomb" refers to a game - I'm not a terrorist!]
Today, I had the feeling I was watching a new kind of “Pass The Bomb” game at acme.org [the names have been changed to protect the innocent]. A mail reporting a security issue arrived in a generic mailbox (something like abuse) with a Cc: to a non-tech person. I'm pretty sure that the mail was too technical to be handled by the abuse team. The non-tech person read the message and forwarded it to a first person with more focus on security. That person forwarded it to someone in the team where the security issue resides, who in turn forwarded it to someone else in the same department. At every step, the Cc: list grew. Then, no news... I hope the bomb did not explode in the meantime!
This story is a good example of a “Pass The Bomb” game in information security. Email is not a proper way to handle such issues. I'm not saying that the communication channel itself is bad (it depends on the type of incident), but all communications and actions should be logged in a stronger system (a ticketing system, a wiki, a notepad, ...) with proper follow-up. Most people have a “FF” reflex (“Forward and Forget”, not “Follow Friday” for the Twitter addicts). I don't blame them; that's human behavior. They have their regular business to get done. But some people in the chain may already have started their summer break. What if the mail was forwarded to an out-of-office contact? At the moment, I'm pretty sure that nobody has taken the lead on this security incident... Tip: have a proper incident handling procedure in place.
I'm now on the board of directors of the EFF.
The short answer is 'Yes'. The long answer is the rest of this post. So. Many. Presentations.
You probably want to go get your reading glasses. Or black-market cyber eyes. Eye strain is a real possibility, and we care about your optic health.
Remember – take care of your eyes and they'll take care of you.
DragonLady: An Investigation of SMS Fraud Operations in Russia
Ryan W. Smith
The Government and UFOs: A Historical Analysis
Richard Thieme
Analyzing and Counter-Attacking Attacker Implanted Devices Case Study: Pwn Plug
Wesley McGrew
Business logic flaws in mobile operators services
Bogdan Alecu
A Password is Not Enough: Why Disk Encryption Is Broken And How We Might Fix It
Daniel Selifonov
PowerPwning: Post-Exploiting By Overpowering PowerShell
Joe Bialek
Doing Bad Things to 'Good' Security Appliances
Phorkus and Evilrob
Collaborative Penetration Testing with Lair
Tom Steele and Dan Kottman
Android WebLogin: Google's Skeleton Key
Craig Young
BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware
Josh "m0nk" Thomas
Hardware Hacking with Microcontrollers: A Panel Discussion
Joe Grand, RenderMan, FirmWarez, LosT and Mark 'Smitty' Smith
This Presentation Will Self-destruct in 45 Minutes: A Forensic Deep Dive into Self-destructing Message Apps
Drea London and Kyle O'Meara
10000 Yen into the Sea
Flipper
Fear the Evil FOCA: IPv6 Attacks in Internet Connections
Chema Alonso
Let's Screw with nmap
Gregory Pickett
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions
Andy Davis
The Bluetooth Device Database
Ryan Holeman
C.R.E.A.M. Cache Rules Evidently Ambiguous, Misunderstood
Jacob Thompson
Suicide Risk Assessment and Intervention Tactics
Amber Baldet
Conducting Massive Attacks with Open Source Distributed Computing
Alejandro Caceres
Resting on Your Laurels Will Get You Pwned: Effectively Code Reviewing REST Applications to Avoid Getting Powned
Abraham Kang and Dinis Cruz
Fast Forensics Using Simple Statistics and Cool Tools
John Ortiz
Forensic Fails - Shift + Delete Won't Help You Here
Eric Robi and Michael Perklin
EDS: Exploitation Detection System
Amr Thabet
HiveMind: Distributed File Storage Using JavaScript Botnets
Sean Malone
OTP, It won't save you from free rides!
bughardy and Eagle1753
Utilizing Popular Websites for Malicious Purposes Using RDI
Daniel Chechik and Anat (Fox) Davidi
gitDigger: Creating Useful Wordlists From Public GitHub Repositories
Jaime Filson (WiK) and Rob Fuller (Mubix)
Evolving Exploits Through Genetic Algorithms
soen
Proliferation
Ambassador Joseph DeTrani
The Growing Irrelevance of US Government Cybersecurity Intelligence Information
Mark Weatherford
Meet the VCs
Ping Li, Matt Ocko, Phil Paul, Eileen Burbridge
From Nukes to Cyber - Alternative Approaches for Proactive Defense and Mission Assurance
Lt Gen Robert Elder, USAF (Retired)
An Open Letter - The White Hat's Dilemma: Professional Ethics
Alex Stamos
The Policy Wonk Lounge
Sameer Bhalotra, Robert Brese, Lt. Gen. Robert Elder, Bruce McConnell, Mark Weatherford
Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA's data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures.
The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis -- and possibly the USA Today story.
Frustratingly, this has not become a major news story. It isn't being widely reported in the media, and most people don't know about it. At this point, the only aspect of the Snowden story that is in the news is the personal story. The press seems to have had its fill of the far more important policy issues.
I don't know what there is that can be done about this, but it's how we all lose.
The NSA has published some new symmetric algorithms:
Abstract: In this paper we propose two families of block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. While many lightweight block ciphers exist, most were designed to perform well on a single platform and were not meant to provide high performance across a range of devices. The aim of SIMON and SPECK is to fill the need for secure, flexible, and analyzable lightweight block ciphers. Each offers excellent performance on hardware and software platforms, is flexible enough to admit a variety of implementations on a given platform, and is amenable to analysis using existing techniques. Both perform exceptionally well across the full spectrum of lightweight applications, but SIMON is tuned for optimal performance in hardware, and SPECK for optimal performance in software.
It's always fascinating to study NSA-designed ciphers. I was particularly interested in the algorithms' similarity to Threefish, and how they improved on what we did. I was most impressed with their key schedule. I am always impressed with how the NSA does key schedules. And I enjoyed the discussion of requirements. Missing, of course, is any cryptanalytic analysis.
I don't know anything about the context of this paper. Why was the work done, and why is it being made public? I'm curious.
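The abstract describes the design goals but not the cipher itself. What follows is an added example, not code from the paper, the NSA or this post: a small Python implementation of SPECK built from the round function (rotate, modular add, XOR) and the key schedule as the paper defines them, with the word size, rotation amounts, key-word count and round count for SPECK32/64 and SPECK128/128 taken from the paper. The variant names, the function names and the Python layout are mine. Run stand-alone it encrypts the paper's SPECK32/64 test vector (key 1918 1110 0908 0100, plaintext 6574 694c, ciphertext a868 42f2) and checks that decryption inverts encryption.

```python
# Added example: parameterised SPECK encrypt/decrypt/key schedule.
# Not code from the SIMON/SPECK paper, the NSA or the blog post above.

# (word size n in bits, key words m, rounds T, alpha, beta) for two of the
# published variants; the numbers are the paper's, the dict is mine.
SPECK_PARAMS = {
    "SPECK32/64": (16, 4, 22, 7, 2),
    "SPECK128/128": (64, 2, 32, 8, 3),
}


def _rotl(x, r, n):
    """Rotate the n-bit word x left by r bits."""
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def _rotr(x, r, n):
    """Rotate the n-bit word x right by r bits."""
    mask = (1 << n) - 1
    return ((x >> r) | (x << (n - r))) & mask


def speck_key_schedule(key_words, variant):
    """Expand the key into T round keys.

    key_words is given in the paper's printed order (most significant word
    first): l[m-2], ..., l[0], k[0].  Each step is the SPECK round function
    applied to (l[i], k[i]) with the round counter i XORed in, so the key
    schedule reuses exactly the operations of the data path.
    """
    n, m, rounds, alpha, beta = SPECK_PARAMS[variant]
    if len(key_words) != m:
        raise ValueError(f"{variant} needs {m} key words, got {len(key_words)}")
    mask = (1 << n) - 1
    k = [key_words[-1] & mask]
    l = [w & mask for w in reversed(key_words[:-1])]  # l[0], ..., l[m-2]
    for i in range(rounds - 1):
        l.append(((k[i] + _rotr(l[i], alpha, n)) ^ i) & mask)  # l[i+m-1]
        k.append(_rotl(k[i], beta, n) ^ l[i + m - 1])           # k[i+1]
    return k


def speck_encrypt(block, key_words, variant):
    """Encrypt one block given as the word pair (x, y) as printed in the paper."""
    n, _, _, alpha, beta = SPECK_PARAMS[variant]
    mask = (1 << n) - 1
    x, y = block
    for rk in speck_key_schedule(key_words, variant):
        # One ARX round: rotate, add mod 2^n, XOR key; rotate, XOR.
        x = ((_rotr(x, alpha, n) + y) & mask) ^ rk
        y = _rotl(y, beta, n) ^ x
    return x, y


def speck_decrypt(block, key_words, variant):
    """Invert speck_encrypt by undoing the rounds in reverse order."""
    n, _, _, alpha, beta = SPECK_PARAMS[variant]
    mask = (1 << n) - 1
    x, y = block
    for rk in reversed(speck_key_schedule(key_words, variant)):
        y = _rotr(y ^ x, beta, n)
        x = _rotl(((x ^ rk) - y) & mask, alpha, n)
    return x, y


if __name__ == "__main__":
    # Published SPECK32/64 test vector from the paper.
    key = (0x1918, 0x1110, 0x0908, 0x0100)
    pt = (0x6574, 0x694C)
    ct = speck_encrypt(pt, key, "SPECK32/64")
    print("SPECK32/64 ciphertext:", [hex(w) for w in ct])  # ['0xa868', '0x42f2']
    assert speck_decrypt(ct, key, "SPECK32/64") == pt
```

Two things worth noticing once the code is in front of you: the key schedule is nothing more than the round function run over the key words with the round index XORed in, which is what makes it cheap and easy to reason about, and the whole cipher is add/rotate/XOR on native words, which is why SPECK is the software-tuned member of the pair. This is a reference implementation for reading the paper against, not a hardened one: Python integers are not constant-time, and no mode of operation or authentication is provided.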
Search queries involving Malaysian domain names were poisoned this morning, leading visitors to temporary sites with a message from what appears to be a hacker protesting against the treatment of Bangladeshi workers in the country.
Affected sites included Dell Malaysia (.com.my), all Microsoft sites on the .my suffix -- notably MSN Malaysia (.com.my), Skype Malaysia (.com.my) and Bing Malaysia (.com.my) -- as well as antivirus site Kaspersky (.com.my), Google Malaysia (.com.my), YouTube Malaysia (.com.my) and a few other .my domain sites.
A security update issued by Microsoft on Tuesday isn't playing nicely with other software, prompting Microsoft to pull it from its download center.
Dustin Childs, group manager of Microsoft Trustworthy Computing, revealed the problem in a blog post late yesterday: