Monday, October 27, 2014

Banshee Chapter: Oculus Rift Edition

If you're lucky enough to own an Oculus Rift, Jamwix announced a free, feature-length movie you can download.  Wish I could say more but I don't own an Oculus Rift.


Wednesday, October 15, 2014

Quick Information About POODLE SSLv3 Attack

Information about this just-disclosed attack on SSLv3 is coming in from a variety of sources.  I will share some of the better links.

A couple of articles to get you started, sent to me by Jan Schaumann (Twitter: @jschauma).  The Errata article describes browser settings you can apply to stop POODLE dead in its tracks.

Errata Security: Some POODLE Notes
Matthew Green: Attack of the Week, POODLE

Next, a link from Oona Räisänen (Twitter: @windyoona) to a POODLE test tool that checks whether your browser will still negotiate SSLv3, and so is vulnerable.


For OS X users who would like to run Chrome or Firefox with command line options from the desktop, read on.

To launch it with a double-click from your desktop, create a shell script like the following.  Use vi, TextEdit, TextMate, TextWrangler, or your favorite text editor.

#!/bin/bash
open -a "Google Chrome" --args --ssl-version-min=tls1 &

Save the preceding to a file named chrometls.command.  Open the directory where chrometls.command is stored; on my system I store scripts in ~/bin.  Next you need to make sure chrometls.command is executable, so run the following.

chmod +x chrometls.command

Now open up Finder and drop a copy of the chrometls.command you created on your desktop.  Double-click this file on your desktop and OS X will launch Chrome - bada bing, bada boom, you're done!  One caveat: open -a only passes --args to a newly launched application, so quit Chrome first if it is already running; otherwise the existing instance simply comes to the front without the flag.

If the lingering Terminal window is messing with your OCD, there is an option to automatically close shell windows once the command or script terminates.  Open a Terminal, and in the Terminal preferences on the Profiles tab you will see a drop-down, "When the shell exits".  Change the value to "Close if the shell exited cleanly".  After you launch the browser the shell window will close automagically.  I write some shell scripts on occasion but not usually under OS X so I thought I would pass this along for those in need.

When I run Chrome in this way I see the Springfield Terrier, indicating I'm not vulnerable; the command line arguments from Errata work for me.  The flag is a stopgap: the permanent fix is a browser build with SSLv3 disabled by default.
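To see why dropping SSLv3 matters, here is an added example that walks through the POODLE padding oracle (my simulation, not code from the original post or from the Errata and Green articles).  Attacker JavaScript makes a victim browser resend a request carrying a secret cookie; the attacker swaps the record's final, all-padding block for the ciphertext block holding the target byte and watches whether the server accepts the record.  SSLv3 checks only the padding-length byte, so the forged record is accepted about once in 256 tries and each acceptance leaks one plaintext byte.  With TLS 1.0-style padding, where every padding byte is checked, the oracle never fires.  The block cipher is a toy SHA-256 Feistel stand-in for AES/3DES so the script runs offline; the keys and the 16-byte cookie value are constructed for the demonstration.

```python
"""Simulated POODLE padding-oracle attack on SSLv3-style CBC records.

Added example, not code from the original post or the linked articles. It uses a
toy 16-byte Feistel block cipher built from SHA-256 (an assumption so it runs
offline with only the standard library) in place of AES/3DES; the padding rules
and the attack logic are the real ones.
"""
import hashlib
import hmac
import os
import random

BLOCK = 16
MAC_LEN = 20                 # HMAC-SHA1, as in SSLv3 / TLS 1.0 cipher suites
_rng = random.Random(2014)   # deterministic IVs so a run is reproducible


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    """Toy PRP: 4-round Feistel network with SHA-256 as the round function."""
    left, right = block[:8], block[8:]
    for i in rounds:
        left, right = right, _xor(left, hashlib.sha256(key + bytes([i]) + right).digest()[:8])
    return right + left      # final swap: running the rounds backwards inverts

def encrypt_block(key, block):
    return _feistel(key, block, range(4))

def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(4)))

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(decrypt_block(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

def ssl3_pad(data):
    # SSLv3: the last byte gives the number of padding bytes before it, but their
    # values are unspecified, so the receiver cannot check them. POODLE's lever.
    pad_len = BLOCK - 1 - (len(data) % BLOCK)
    return data + os.urandom(pad_len) + bytes([pad_len])

def seal_record(key, mac_key, iv, plaintext):
    mac = hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    return cbc_encrypt(key, iv, ssl3_pad(plaintext + mac))

def open_record(key, mac_key, iv, ciphertext, tls_padding=False):
    """Receiver side: True if the record is accepted (the attacker's oracle)."""
    pt = cbc_decrypt(key, iv, ciphertext)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if tls_padding and any(b != pad_len for b in pt[-(pad_len + 1):-1]):
        return False         # TLS 1.0+: every padding byte must equal pad_len
    body = pt[:-(pad_len + 1)]
    msg, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha1).digest(), mac)


# Scenario: injected JavaScript makes the victim's browser repeat a request whose
# path (prefix) and body (suffix) lengths the attacker controls; the browser adds
# the secret cookie and encrypts with a fresh IV. Keys and cookie are constructed.
KEY, MAC_KEY = os.urandom(16), os.urandom(16)
SECRET = b"session=a1b2c3d4"

def victim_send(prefix_len, suffix_len):
    iv = bytes(_rng.getrandbits(8) for _ in range(BLOCK))
    return iv, seal_record(KEY, MAC_KEY, iv, b"A" * prefix_len + SECRET + b"B" * suffix_len)

def recover_byte(k, tls_padding=False, max_tries=20000):
    """Recover SECRET[k] using only the accept/reject oracle (about 256 tries)."""
    prefix_len = (BLOCK - 1 - k) % BLOCK                           # SECRET[k] last in its block
    suffix_len = (-(prefix_len + len(SECRET) + MAC_LEN)) % BLOCK   # last block = all padding
    target = (prefix_len + k) // BLOCK + 1                         # index into [iv] + blocks
    for _ in range(max_tries):
        iv, ct = victim_send(prefix_len, suffix_len)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        if open_record(KEY, MAC_KEY, iv, ct[:-BLOCK] + blocks[target], tls_padding):
            # Accepted => D(C_target)[15] ^ C_{n-1}[15] == 15; solve for P_target[15].
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target - 1][-1]
    return None                                                    # oracle never fired

def recover_secret():
    return bytes(recover_byte(k) for k in range(len(SECRET)))

if __name__ == "__main__":
    print("SSLv3 padding:", recover_secret())
    print("TLS padding  :", recover_byte(0, tls_padding=True, max_tries=2000))
```

The attack costs roughly 256 victim requests per byte and needs the CBC chaining value to change between tries; in the real protocol that value is the previous record's last ciphertext block rather than a random IV, which changes nothing here.  Disabling SSLv3 on the client (which is exactly what --ssl-version-min=tls1 does) removes the oracle entirely, because the browser can no longer be downgraded to the one protocol version whose padding is unchecked.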


Friday, October 10, 2014

TED: Glenn Greenwald, Why Privacy Matters

At the TEDGlobal 2014 conference Glenn Greenwald (THE//INTERCEPT) presented his views on privacy in his session, Why Privacy Matters (video).  A focal point of Greenwald's session is a viewpoint held by many Americans: privacy is only important for those with something to hide.

Post-Snowden, we know that since the 9/11 terrorist attacks the government expanded the scope of its warrantless surveillance operations to include average Americans (e.g., bulk surveillance).  When the news broke there were two sharply divided camps: those strongly opposed, and a much larger group of the public that was generally apathetic.  Most of those who are apathetic believe privacy is only important for those with something to hide.  They hold that bad people are the ones who plot terrorist attacks, engage in criminal acts, and have a reason to hide their activities.  Good people go to work, raise children, watch television, and use the Internet to read the news, find recipes, or plan their kids' Little League games.  These good people are doing nothing wrong and have nothing to hide, and therefore have no reason to fear government monitoring.  Greenwald explains that most of these people have sharply defined world views and deprecate themselves.

"The people who say that, that privacy is not really important, they don't actually believe it", Glenn Greenwald

Greenwald continues by explaining how noteworthy tech industry figures like Eric Schmidt (Google, Executive Chairman) and Mark Zuckerberg (Facebook, CEO) tell the public privacy is only for those with something to hide, yet take strong personal measures to safeguard their own privacy, a seeming double standard.  Returning to the apathetic point of view on privacy, Greenwald describes an approach to uncover how people truly feel about it.  He tells people to send him the user IDs and passwords for all their email accounts, including the secret ones, and for their other applications; he will then go through each account looking for information of interest that he may decide to publish later.  Of all the people Greenwald has spoken with, none have taken him up on his offer.  His point is that everyone has at least some information they don't want to share publicly.  While most of us say we don't have much to hide, we don't desire to be completely open either.  Since we have always had an expectation of privacy (4th Amendment), it's difficult to know how valuable privacy is until we no longer have it.

Greenwald goes on to describe a prison design called the Panopticon.  The salient point of the Panopticon is that inmates cannot know when those in control are observing them and when they are not.  The effect is that behavioral options are reduced and inmate behavior is altered: a virtual prison within the mind of the inmate.  Greenwald says a similar situation has arisen on the Internet.  The combination of a lack of anonymity and constant surveillance creates an environment in which the public self-censors, policing its own online behavior, a powerful virtual prison like the Panopticon.


Thursday, October 9, 2014

PIN Number Analysis

Interesting article by Data Genetics on PIN analysis, sent via Bruno Borges (Twitter: @brunoborges).  I included one of their tables (photo to left).  As an example, if an adversary guesses the PIN "1234" they will be correct about 11% of the time.  This implies that if they steal 100 ATM cards and try 1234 on each, they will likely succeed on about 11 of them (assuming one guess per card, since ATMs lock the card after a few wrong PINs).  Furthermore, 26.83% of all PINs could be guessed using only the numbers from the table, better odds than Vegas.  Readers will also learn how to choose better PINs, among other interesting PIN factoids.


Wednesday, October 8, 2014

Admin: Testing out a Wider Format

Looks like everyone is using higher resolution these days so I'm experimenting with a wider format.  Send me a ping if the wider format is causing you some trouble.

Rare Footage of The 1914 Martian Conflict

Great martian war from PLAZMA on Vimeo.

I don't want to set off any War of the Worlds hysteria: this video is a total fabrication, but entertaining and realistic looking.  Rare footage of the 1914 Martian conflict, from the History Channel, via Cory Doctorow and Boing Boing.  See Doctorow's article for background.  Enjoy!


Book: Spam Nation by Brian Krebs

Brian Krebs (Twitter: @briankrebs) releases a new cyber security book, Spam Nation, on November 18, 2014.  Bloomberg Businessweek provides an interesting teaser on the book's Amazon page.  I don't have the inside track or an advance copy of this book, but Krebs is a talented writer, investigator, and presenter.  I'm sure it will make a great security book.  I have already pre-ordered my copy.


Tuesday, October 7, 2014

CBS 60 Minutes: FBI Director On Threat of ISIS, Cybercrime

FBI Director James Comey goes on the record with Scott Pelley of CBS 60 Minutes in a video interview.  I gathered a few of Comey's remarks and provide some of my own commentary.  Security is like religion or politics, everyone has an opinion, and if you would like to share yours leave a comment at the bottom of the article.

"Cyber crime is becoming everything in crime"
Strongly agree, why?  The severity and tempo of security incidents continue to build momentum: Target, 40 million credit cards stolen; Home Depot, 56 million cards; and finally JP Morgan Chase ringing the bell at 76 million customers.  Cyber crime is where the money is, as the saying goes.  Large as these heists are, the largest to my knowledge is Heartland at around 100 million cards in 2009.

"Chinese hackers are like drunk burglars"
The point made is that Chinese hackers are not necessarily the best hackers but they are pervasive, invading businesses with significant intellectual property to lose.  Considering security from the attacker's perspective, why spend $100 million to develop a product, technology, or service when you can steal it for $1 million or maybe even far less?  The goals and funding for businesses and nation states are far different.  Corporate budgeting is a profit and loss game and there are constraints around what a security program can achieve, whereas funding for nation state security programs almost certainly exceeds the entire software engineering budget of most companies.  Few corporate cyber defenses can withstand a direct assault by even moderately funded state programs.

"Cost of cyber crime in the billions"
I'm sure this is true, but since the cost is spread over an entire economy it's difficult to justify funding the war on data by individual businesses or organizations.  Governments must protect our cyber borders as well as our physical borders, since businesses are poorly equipped to do so.  We don't expect businesses to defend their properties with armed guards against invasion by other nations.  We should not expect businesses to defend their cyber borders from foreign invaders.  It's simply too much to expect from companies trying to make a profit, and it's not their job anyway.  National defense is a government responsibility; it always has been.

(security is in a) "much better place than 13 years ago"
I don't believe popular news reports support this conclusion.  In Comey's own words, cyber crime is now the only crime, and I doubt 13 years ago he would have made this same claim.  I agree that everyone has learned much more about security in the last 13 years, but so too have our adversaries.  Comey mentioned we are not perfect and have more work to do, with which I could not agree more.  There is a need to be encouraging, but declaring the past 13 years a security victory is redonkulous.  Attackers are more emboldened and motivated than ever before.

"Apple's iPhone may be a threat to national security"
Don't believe it.  Washington is quick to sacrifice individual privacy rights in the name of business revenues or national security, but unwilling to demonstrate the tiniest shred of transparency in the name of its own credibility.  Complete secrecy around information security programs is so important to the government that it is willing to sacrifice the revenues of American businesses.  For instance, post-Snowden it's now well known that the NSA tampered with Cisco Internet hardware to achieve its electronic surveillance objectives.  Further, government surveillance activities impact confidence in American businesses in other countries and ultimately harmed revenues, according to Cisco.  Other companies have reported similar impacts, but precise industry impact figures are elusive.  It's also known that the NSA pressured Yahoo with a $250,000 per day fine for its refusal to release user data in 2007.  Now Yahoo and other tech giants are taking proactive measures, like encrypting data between data centers, to discourage warrantless searches and improve confidence abroad.  Most large companies compete in a global marketplace, so confidence in the integrity of American products in other nations is very important to revenues.  Now Apple continues a similar trend by locking down warrantless iPhone searches, a bold move that has drawn some scrutiny from Washington.  Most US companies would rather not take sides on personal privacy issues, but they do so because a lack of public confidence in their products and services impacts revenues.  American companies learned a valuable lesson: acquiescing to government demands may or may not be in the best interest of the people, but it's certainly not good for businesses competing in a global marketplace.


TinyScreen .96" 16-Bit Color OLED Display on Kickstarter

A 0.96" OLED project display with 16-bit color on Kickstarter, TinyScreen.  Makes a great screen for your next ninja hardware security project.


Movie: Blackhat

Official site for the Blackhat movie, sent via Twitter: @DonaldOJDK.  A trailer is available on the movie site.  Please send any security or privacy movies to me.


Monday, October 6, 2014

JavaOne 2014 USA, Security Track Amazeballs!

JavaOne 2014 USA concluded October 2, 2014 in San Francisco, California.  The war on security sometimes takes its toll on all of us.  This year, whenever I feel depressed I pull out my Nerf Duke, give him a squeeze, and reflect upon what we all did at JavaOne 2014.  The JavaOne security track was, hands down, amazeballs!

"JavaOne is the first developer conference to dedicate an entire track to security." Frank Kim SANS Institute

During the Call for Proposals (CFP) the submissions for the security track stalled until the very last week.  I was really wondering if I would have to give up on the security track.  Teammates told me not to worry since it's normal for submissions to come in late.  The idea of throwing in the towel on the security track was depressing.  According to Frank Kim of SANS Institute, "JavaOne is the first developer conference to dedicate an entire track to security".  In the last week of the CFP more than three quarters of the submissions for the security track rolled in.  The moral of the story?  Unless you want this track leader to have a heart attack, get your submissions in early ;o)
Photo: JavaOne 2014 keynote

Photo: Oracle Customer Appreciation Event
This year security was highlighted early at JavaOne.  In fact, security made it into the JavaOne keynote presentation given by Georges Saab (Twitter: @gsaab).  In his slides (photo on right) Georges notes facts about the security track at JavaOne, in particular my security track opening presentation and the new web appsec book I finished with Manico (Twitter: @manicode) and Detlefsen (Twitter: @codemagi).  A little birdie told me Georges was surprised how many comments and retweets he received on all this security stuff, lol.  Well, it's because me, all my friends, and many others live, breathe, and eat security day and night.  A slide or two on security at a developer keynote is a huge positive and just the right level of attention on web application security.  Sorry we Tweet-slammed you Georges, but much appreciated!

On Wednesday Oracle held the Customer Appreciation Event.  How was it?  Fan-freaking-tastic is the word that comes immediately to mind.  Employees are not generally invited to the customer event; I received two tickets in an odd quirk of fate.  A quick call to my wife and she arrived a few hours later, and we were off to see the event.

Photo: book signing event at Oracle book store
The appreciation event was incredible.  Aerosmith was great.  I checked Wikipedia and it reported Steven Tyler's age as 66.  Phew, I hope I can perform at such a level at age 66.  Likewise, Macklemore was great.  I recognized a few of their songs and enjoyed their music.

The appreciation event left me with about 3hrs of sleep and there was lots happening on Thursday.  I had to arrive at the conference early, lots to do.  No sleeping in for me.  I downed a Starbucks Venti Pike Place, a Red Bull, and another Starbucks coffee when I arrived at the hotel.  I would do it all over again the event was great.
Photo: NEC biometrics at Open World
This month saw the release of our new web application security book, Iron-Clad Java.  The Iron-Clad Java team, Manico, Detlefsen, and me, had a book signing over at the Moscone Center.  Unfortunately, it was a bit of a bust for book signing.  The signing was scheduled in the wrong venue, at Oracle OpenWorld.  We signed a few books, but honestly everyone who would like our book was attending JavaOne, two blocks away.  Oracle reminds me of my Marine Corps days: requisition 1000 rolls of toilet paper and receive 1000 light bulbs.  As long as you received 1000 of something delivered on time, the Logistics organization never cared.  I wanted to rest on the couches and chat with friends anyway.

While over in the OpenWorld vicinity, I later headed to the vendor floor to visit my friend Beau Broker at NEC.  Beau showed me some pretty interesting facial recognition software from his company.  In the photo (on left) you can see how it recognizes Beau's face after he's registered with the system.  It's also available on mobile and tablet devices.  The technology is multi-purpose and may be used to unlock a desktop or to recognize unauthorized individuals in a crowd.

Finally, I will finish up with a selfie of the crowd at my security track opening session.  This is my view from the podium.  It's amazing how far the security track has come in a short time.  The first year I presented at JavaOne there was no security track; something like 47 people attended my session, and most found their way there purely by accident.  No credit to me; attendees are interested in learning security.  Now we are filling security sessions with developers across the security track.  All these bright minds eager to learn about Java security give me hope.  Message to me and Oracle: developers care about security.  Hat tip to Oracle for taking a chance on a security track in one of the most expensive conference venues in the world.  Bringing a security track directly to a developer conference is innovative and has a tremendous impact on developers, and I challenge more developer conferences to do the same.


Saturday, October 4, 2014

World's Most Interesting Java Developer on Web Application Security

Yes, indeed, I know this is totally a shameless plug for friends but I did make you laugh, right?  Iron-Clad Java

