Resources updated

I finally got around to posting the first batch of links in the Resources section. There will be more to follow as I hope for that section to be somewhat exhaustive.

I’m also happily accepting recommendations for links, so if there are any links I’ve missed that may be useful, feel free to comment or e-mail me (brad@eyeis.net).

Hello world!

It’s 12:30 a.m. and we are officially online. So hello and welcome. We hope you find us a useful resource in the years to come.

We still have some work to do on the site, but things are coming along, so please try to excuse any wayward links or vacant space. Hopefully in the next week or two we’ll be able to get more content online. In the meantime, feel free to register via the link on the bottom right and you can comment and contribute to our dialog on the latest news and happenings in computer security.

Mining google…

Cult of the Dead Cow (cDc, famous for the backdoor suite Back Orifice) enters the news again, this time bringing attention to the use of Google as a tool for reconnaissance and assessment with the release of Goolag. While this hacking technique isn’t new – Google hacking has been well documented by the likes of Johnny Long (http://johnny.ihackstuff.com) – the press coverage is.

Some will be angry at a publicized release that simplifies a hacking technique and some will be pleased. Personally, I’m a little torn. I applaud the intent of such a tool; it draws attention to a serious security concern and provides another useful method of assessing your network. And let’s face it, the bad guys are using this method already, so giving people a tool that makes it easier to see what is already known to the attackers is a good thing.

If I get around to checking it out any time soon, I’ll post an update.

Black boxes for everyone

ThinkProgress.org picked up on an article originally published in the Wall Street Journal noting that the Bush administration is pushing for its wiretapping black box sensors to be installed in private corporations. Three reasons why this isn’t very smart: 1) controls and regulations, 2) it would provide more points of exposure to those who want to hack the Bush administration’s wiretapping solution, and 3) it’s just plain illegal. Of course, the government is aware of the 1st and 3rd points and doesn’t seem to care, and is probably too overconfident to be concerned about the 2nd point.

Hard disk encryption not so secure?

Well, well, well. It will be interesting to see whether businesses will be backing away from desktop encryption. While the hard work of the folks at Princeton University showed that nothing is impenetrable (their cold boot attack recovers encryption keys from DRAM after the machine loses power, because the memory contents fade slowly rather than instantly), disk-based encryption methods can still provide a level of security that surpasses unencrypted filesystems. There is no silver bullet, nor is there a single solution that will solve security problems. The only approach is one that involves layered technologies.

A beginning…a prediction

SANS was all over this right after Christmas. I’m glad to see it getting a bit more press and must admit that Deborah Gage’s write-up lacks the confusion we typically see in media reporting of incidents. (Although I guess the media confusion applies to all subject matter.) If an infection subverts your anti-virus, you’re pretty much guaranteed to be screwed. In this case, you’ve been infected by attackers who were willing to take more risks than normal in launching the attack; physical access is my greatest fear.

In short, several brands of digital picture frames were purchased in big-name stores bearing an unexpected gift (read: Trojan horse). Simply connecting one of these fine products to your Windows computer would pretty much guarantee you a rootkit. We’ve heard this song before with hard drives and USB drives. This time, according to the article, we’re relatively lucky that the infection is only a keylogger that attempts to steal user names and passwords for select online games…for now.

Between downloaders, self-patching and self-healing malware, I won’t be surprised to see additional functionality from these infections in the coming months. And even if we don’t, we’re still looking at a source of attack that further damages the trust relationship we as consumers have with manufacturers. Lead in children’s toys? Poison in dog food? As much as they think they can, governments can’t effectively regulate everything, and attack vectors like this remain open. We have further proof of the need for awareness and caution.

I’m inclined to think there is a well-organized group behind this attack. The attack method is shrewd. You avoid the unreliability of social engineering and spam and eliminate the variables and risk of luring someone to the infection. The attack is limited in that it will initially infect only consumers who purchase the tainted wares. The supply chain is fraught with opportunity to introduce such an infection, from manufacturing to shipping/distribution to the reseller. But let’s imagine for a minute that the picture frame is wireless and displaying pictures of lattes and muffins at a Starbucks full of users enjoying the free wireless access. It starts to get a little scarier, doesn’t it?

So what better way to cap a new beginning than a prediction? In the not too distant future there is going to be another spate of attacks where the source of infection is a product tainted before it reaches the end-user and it will be a more malicious and effective attack than this one. Government will look to enforce some kind of regulation on any type of electronic device that interacts with another device and all the while we’ll be poisoning our animals and watching our kids chew on that shiny and colorful piece of lead.