Unfortunately, I couldn't attend DefCon this week, but was pleased to see this announcement.
The Internetworked Security Information Service (ISIS) brings together four independent projects--the Open Source Vulnerability Database, the Alldas.de defacement-tracking service, the PacketStorm software database and the vulnerability watchdog VulnWatch--into a loosely organized collaboration.
Round of applause
HP is backing down on its threat to use the DMCA against a group of security researchers who pointed out a bug in the Tru64 operating system. Nice to see HP responding positively to the community outcries.
"We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security," the statement said.
This is what I'm talking about. Yesterday, I pointed out the need for some sort of wi-fi hotspot security standard. Stories like this justify the cause. We have got to come up with something, or people will be too afraid to share the access. Let's get to work people!
The movie pirate lived next door to the subscriber, and was able to access his neighbor's Wi-Fi wireless network to send the movie out over his neighbor's AT&T Broadband high-speed Internet service, according to AT&T Broadband spokeswoman Sara Eder.
Sounds like AT&T was very understanding. Next time, there might not be a happy ending.
Lots of news
Where to begin? Nmap 3.0 is out - be nice kiddies. The feds are concerned with the growing number of their wireless networks - that's a good thing.
"The word is getting out...that we do have a wireless security problem," Richard Clarke, President Bush's cyberspace security adviser and chairman of the Critical Infrastructure Protection (CIP) Board, said at the conference...
CNN reports on the same topic. Clarke also spoke this week at the Black Hat Briefings in Vegas.
"The software industry has an obligation to do a better job producing software that works," he said. "It's no longer acceptable that we can buy software and run software on sensitive systems that is filled with glitches."
An ironic statement considering HP's recent shenanigans. Perhaps Mr. Clarke directed his comments at them? We can only hope they'll come around. And finally, Slashdot reports that OpenSSH has been trojaned - yikes.
HP DMCA Commentary
Rick Forno of infowarrior.org had this to say on Bugtraq today:
I believe system-level security is MUTUALLY-EXCLUSIVE from copyright protection -- or more accurately, the 'economic security' of the vendors. Taking reasonable steps - including public disclosure of exploits and their code - to protect a user's system from unauthorized compromise IN NO WAY impacts the copyright rights of HP, unless HP wrote the exploit code that's being publicly shared w/o permission....in which case it's truly their fault then. Regardless, either way you look at it, they're using DMCA to conceal their embarassment and duck responsibility.
And a little later in the post:
Bleeping idiots. Congress and Corporate America. When it comes to technology policy, neither has the first clue . No wonder we're in the state we're in.
Couldn't have said it any better. Profit must be more important to HP than image and honoring their products. The kicker is this - nobody would really knock HP for having a security flaw in their code. IT HAPPENS TO EVERYONE! Why they suddenly pull something like this is beyond me. They end up with insecure code and look ridiculous to the professional community.
Doc Searls points to Lisa Rein's commentary on wardriving. I'm one of the "security obsessives" he references, but wouldn't say that I smear wi-fi. Actually, it's the opposite - I love it. I have strategic spots all over town where I can pullover, use my Zaurus to grab mail and hit the web.
But here's the problem. Corporate networks cannot risk exposing their innards to the public. And individuals? Maybe. But soon, if not already, someone's kindness will be taken advantage of. They will get their door kicked down by the feds because some sort of nefarious activity originated from their network. It's bound to happen. That's a shame because these wi-fi hotspots are bringing us closer to the dream of blanket, broadband coverage.
How do we solve the problem? I don't really know. If we put our heads together, we can figure it out. Obviously your machines need to be secure. Patches, minimal services, encrypted data et cetera. But the real issue is how to police the activity taking place on a hotspot? A firewall/filter allowing certain types of traffic - maybe. An IDS monitoring outbound traffic - perhaps. Other ideas? Let's get a project/document/blog/site going which explains how to setup a public hotspot while protecting yourself. Send me your thoughts.
Tim Mullen of Security Focus brings up a controversial topic in computer security - the right to defend. I think it would create more problems instead of solving them.
At Blackhat this week I'll be describing what some would call a "hack-back" against an attacking box. I am proposing that it be considered legal. The main threat to the Internet is the prospect of a multi-faceted worm with attack vectors that not only seek out different services, but that do so against multiple operating systems. A measured strike-back technology could mitigate such a worm.
One, two, three...
Aren't you supposed to count when you're angry? Every security engineer, programmer, computer scientist and hacker (the good kind) should be boiling over this.
Invoking both the controversial 1998 DMCA and computer crime laws, HP has threatened to sue a team of researchers who publicized a vulnerability in the company's Tru64 Unix operating system.
Unbelievable. HP writes flawed code, then get's mad when someone points it out? Maybe Tru64 owners should sue HP when their boxes gets cracked. Way to go HP. Bury your head in the sand, that will solve the problem. If no one discusses the exploit, it doesn't really exist!
I am a professional. This is the type of thing I'm paid to protect networks against. So why does this story make me grin with delight?
"Don't they have something better to do during the summer than hack our site?" asked the RIAA representative, who asked not to be identified. "Perhaps it at least took 10 minutes away from stealing music."
Remember the Yale-Princeton incident? My guess is that it's about to become serious. The NYTimes claims that one of the names "examined" was Lauren Bush, niece of President Bush. Hello Secret Service.
The White House said yesterday that it would not comment on the news, which was reported in The Washington Post yesterday. Lauren Bush, a fashion model, is the daughter of the president's brother Neil. President Bush himself is a Yale graduate.
Security Focus examines the nations first wi-fi honeypot. Cool idea - wardrivers beware.
The network has five Cisco access points, a handful of deliberately vulnerable computers as bait, and two omni directional high-gain antennas for added reach to the nearby streets and alleys. On the back-end, a logging host gathers detailed connection data from the access points, while a passive 802.11b sniffer with a customized intrusion detection system acts as a hypersensitive trip wire. Like conventional honeypots, the WISE network has no legitimate users, so anything that crosses it is closely scrutinized.
Wired reports on one of last year's well-known cracker groups - Fluffy Bunny. They had some rather grandiose, and damaging, plans for the Internet.
But Fluffy Bunny dropped the ball on its most outrageous plan -- an operation that members referred to as "The day the Internet stood still."
Secure seals worthless
Most of those tiny images and icons which claim a site is secure are worthless, according to Netcraft. I definitely wouldn't put much stock in them.
The survey said a recent dialogue between the two leading certificate authorities - Verisign and Geotrust has highlighted the fact that though the site seal and browser lock may look reassuring, there was no assurance at all that the site is not vulnerable to some well known exploit, and typically many are.
Couldn't have said it better myself. From the Mercury News:
If you or I asked Congress for permission to legally hack other people's computers, we'd be laughed off Capitol Hill. Then we'd be investigated by the FBI and every other agency concerned with criminal violations of privacy and security.
There's normally more to stories like this. If he didn't damage the computers or steal data - I'm not sure he did anything wrong.
A Houston computer security analyst has been charged with hacking after demonstrating the insecurity of a county courts wireless LAN.
Wireless insecurity is a major problem - and it's only going to get worse.